"Your login attempt was not successful. The username/password combination is incorrect or the account specified has been locked." when logging into NSX UI as LDAP user
Article ID: 425262

Products

VMware NSX

Issue/Introduction

  • LDAP is configured on NSX for role-based access under System > User Management > Authentication Providers > LDAP.
    The domain name of the LDAP identity source is example<1>.com.
  • The LDAP user is synced from AD as user@example<2>.com (a different domain of the same forest) and is mapped to an NSX role.

  • Logging in to the NSX UI as user@example<2>.com fails with the following error:
    Your login attempt was not successful. The username/password combination is incorrect or the account specified has been locked

  • In the NSX Manager log, /var/log/proxy/reverse-proxy.log, a warning similar to this example is observed:
    <DATE>T14:08:37.773Z  WARN Processing request <ID> DelegatingLdapAuthProvider 74600 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] Could not find a matching LDAP authentication provider for user UsernamePasswordAuthenticationToken [Principal=user@example<2>.com, Credentials=[PROTECTED], Authenticated=false, Details=WebAuthenticationDetails [RemoteIpAddress=<IP address>, SessionId=null], Granted Authorities=[]]. No LDAP identity sources with a domain_name or alternative_domain_name matching example<2>.com were found.
    java.lang.NullPointerException: Cannot invoke "com.vmware.nsx.management.rp.security.ldap.LdapResourceConfig.getDomainName()" because the return value of "java.util.Map.get(Object)" is null

  • In the NSX Manager log, /var/log/proxy/reverse-proxy.log or syslog, a warning similar to this example might be observed:
    <DATE>T11:21:28.782Z <NSX MANAGER FQDN> NSX 79574 - [nsx@4413 comp="nsx-manager" level="WARNING" subcomp="http"] The user <LDAP USER ID>@EXAMPLE<1>.com has a userPrincipalName <LDAP USER ID>@EXAMPLE<2>.com, but the domain EXAMPLE<2>.com is not associated  with the LDAP identity source for EXAMPLE<1>.com. Consider adding EXAMPLE<2>.com as an alternative_domain_name.
    <DATE>T11:21:28.783Z <NSX MANAGER FQDN> NSX 79574 SYSTEM [nsx@4413 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName=<LDAP USER ID>@EXAMPLE<1>.com, ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="failure"

Environment

VMware NSX

Cause

  • NSX resolves an LDAP login by matching the domain part of the name (the suffix typed at the login prompt, or the domain in the user's AD userPrincipalName) against the domain name and alternative domain names of the configured LDAP identity sources. In an AD forest made up of multiple domains, a user whose domain is not listed on any identity source cannot be matched to an LDAP authentication provider, so the login is rejected with the generic credential error without the credentials being checked against AD. Each domain of the forest whose users need to log in must therefore be configured on NSX.

Resolution

  • Edit the example<1>.com LDAP identity source and add example<2>.com as an alternative domain name:
  1. In the NSX UI, go to System > User Management > Authentication Providers > LDAP and edit the LDAP identity source for example<1>.com.
  2. In the "Alternative Domain Names" field, add the second domain, e.g. example<2>.com, and click Save. Repeat for any other domain of the forest whose users need NSX access.
  3. Log in to the NSX UI as user@example<2>.com; the warning in reverse-proxy.log should no longer appear.
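To confirm from the logs which domain is missing and which identity source should receive it before editing anything, the following Python helper was added to this article (example code, not part of NSX or any VMware tooling). It parses the two warning formats quoted in the Issue section, checks a list of identity sources for coverage the way the warning text describes (domain name or alternative domain name, compared case-insensitively), and returns a corrected copy of the identity source with the missing domain appended. The log lines, user names, domains and IP address in SAMPLE_LOG are constructed; the dict keys domain_name and alternative_domain_names are an assumed representation of an identity source chosen to mirror the wording of the warning, not an NSX API contract.

```python
"""Triage helper for the NSX LDAP login failure described in this article.
Added example code, not part of NSX. SAMPLE_LOG is constructed data; the
dict keys "domain_name" / "alternative_domain_names" are an assumed shape."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Warning 1: no identity source has a domain_name / alternative_domain_name
# for the domain the user typed at the login prompt.
NO_SOURCE_RE = re.compile(
    r"Principal=(?P<login>[^,\]]+).*?"
    r"No LDAP identity sources with a domain_name or alternative_domain_name "
    r"matching (?P<domain>\S+) were found"
)

# Warning 2: a source exists for the typed domain, but the user's AD
# userPrincipalName carries a different, unlisted domain. The article's log
# excerpt shows "associated  with" with two spaces, so \s+ tolerates either.
UPN_MISMATCH_RE = re.compile(
    r"The user (?P<login>\S+) has a userPrincipalName (?P<upn>\S+), "
    r"but the domain (?P<domain>\S+) is not associated\s+with the LDAP identity "
    r"source for (?P<source>\S+?)\.\s"
)


@dataclass(frozen=True)
class Finding:
    login: str                    # name typed at the login prompt
    missing_domain: str           # domain NSX could not map to an identity source
    source_domain: Optional[str]  # identity source the warning names, if any


def find_unmatched_domains(lines: Iterable[str]) -> list[Finding]:
    """One Finding per warning line in either format; other lines are ignored."""
    findings: list[Finding] = []
    for line in lines:
        m = NO_SOURCE_RE.search(line)
        if m:
            findings.append(Finding(m["login"], m["domain"].lower(), None))
            continue
        m = UPN_MISMATCH_RE.search(line)
        if m:
            findings.append(Finding(m["login"], m["domain"].lower(), m["source"].lower()))
    return findings


def covering_source(identity_sources: list[dict], login_domain: str) -> Optional[dict]:
    """The lookup the warning describes: a source covers a domain when its
    domain_name or one of its alternative_domain_names matches. AD domain
    names are case-insensitive, so compare lower-cased."""
    wanted = login_domain.lower()
    for src in identity_sources:
        names = [src["domain_name"], *src.get("alternative_domain_names", [])]
        if wanted in (n.lower() for n in names):
            return src
    return None


def with_alternative_domain(source: dict, domain: str) -> dict:
    """Copy of `source` with `domain` added to alternative_domain_names,
    skipping duplicates and the source's own domain_name. The input is left
    untouched so the before/after can be compared."""
    fixed = dict(source)
    alts = list(source.get("alternative_domain_names", []))
    wanted = domain.lower()
    known = {source["domain_name"].lower(), *(a.lower() for a in alts)}
    if wanted not in known:
        alts.append(wanted)
    fixed["alternative_domain_names"] = alts
    return fixed


def triage(lines: Iterable[str], identity_sources: list[dict]) -> list[dict]:
    """Per finding: is the domain covered by the current configuration, and if
    not, which source should get it. add_to_source is None when the log did
    not name a source (warning 1); pick the forest's identity source then."""
    report = []
    for f in find_unmatched_domains(lines):
        covered = covering_source(identity_sources, f.missing_domain)
        report.append({"login": f.login, "missing_domain": f.missing_domain,
                       "already_covered": covered is not None,
                       "add_to_source": None if covered else f.source_domain})
    return report


# Constructed sample lines in the two formats quoted in this article.
SAMPLE_LOG = [
    '2024-05-02T14:08:37.773Z  WARN Processing request abc123 DelegatingLdapAuthProvider 74600 - '
    '[nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] Could not find a matching LDAP '
    'authentication provider for user UsernamePasswordAuthenticationToken [Principal=jdoe@emea.example.com, '
    'Credentials=[PROTECTED], Authenticated=false, Details=WebAuthenticationDetails '
    '[RemoteIpAddress=192.0.2.10, SessionId=null], Granted Authorities=[]]. No LDAP identity sources '
    'with a domain_name or alternative_domain_name matching emea.example.com were found.',
    '2024-05-02T11:21:28.782Z nsxmgr-01 NSX 79574 - [nsx@4413 comp="nsx-manager" level="WARNING" '
    'subcomp="http"] The user asmith@example.com has a userPrincipalName asmith@EMEA.example.com, '
    'but the domain EMEA.example.com is not associated  with the LDAP identity source for example.com. '
    'Consider adding EMEA.example.com as an alternative_domain_name.',
    '2024-05-02T11:21:28.783Z nsxmgr-01 NSX 79574 SYSTEM [nsx@4413 audit="true" comp="nsx-manager" '
    'level="INFO" subcomp="http"] UserName=asmith@example.com, ModuleName="ACCESS_CONTROL", '
    'Operation="LOGIN", Operation status="failure"',
]
SAMPLE_SOURCES = [{"domain_name": "example.com", "alternative_domain_names": []}]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, SAMPLE_SOURCES):
        print(row)
    print(with_alternative_domain(SAMPLE_SOURCES[0], "EMEA.example.com"))
```

Feed it the relevant lines of /var/log/proxy/reverse-proxy.log and the identity sources as configured in the UI; a row with already_covered False and add_to_source set tells you which identity source to edit, while a row with add_to_source None (the first warning format) only tells you the domain, and you choose the identity source for the forest that contains it.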

Additional Information

  • If no matching warning appears in reverse-proxy.log around the time of the login attempt, raise the logging level of the auth service from the NSX Manager admin CLI, reproduce the failure, and then restore the original level (debug logging is verbose and should not be left enabled):
    1. Check the current logging level:
      get service auth
    2. Set the logging level to debug:
      set service auth logging-level debug
    3. Reproduce the login failure and check reverse-proxy.log again.
    4. Reset the logging level to the value found in step 1 with set service auth logging-level <level>.