• Active Directory users attempting to sign into the NSX Manager may experience intermittent login failures.
  
  
• Services that use accounts that authenticate through Active Directory may report failures or services being down which may later recover on their own.
  
  
• The Identity Source is configured using a Load Balancer VIP backed by multiple Domain Controllers/AD Servers after machine SSL certificates have recently been updated on one or more of them.
  
  
• The connection status for the LDAP(s) Identity Source in the NSX UI under System> User Management may fluctuate between Success and Failed.
  

• In the NSX Manager syslog or auth.log (in /var/log), the following error message may be observed during failed authentication attempts: "No issuer certificate for certificate in certification path found"
  *Note that (KB 415306) Active Directory users login to NSX Manager fails with an error "Unable to get local issuer certificate and Unable to verify the first certificate" describes a similar issue but without multiple AD servers behind a load balancer.

When a Load Balancer distributes requests across multiple LDAP servers, each server presents its own unique machine certificate.

• If NSX has only been configured to trust one specific server's certificate, the SSL handshake will fail whenever the Load Balancer directs traffic to a different server in the pool.
  
  
• Following certificate updates on the Domain Controllers, the certificate in NSX' Identity Source configuration may no longer match the certificates presented by the backend servers.

To resolve this issue, NSX must be configured to trust the Certificate Authority (CA) Chain rather than an individual machine certificate unless all of the individual AD servers will be configured with the same leaf certificate. This allows NSX to validate the connection to any backend server, provided its certificate was issued by the trusted CA.

Step 1: Import the Root and any Intermediate CA Certificates as trusted entities in NSX.

1. Log in to the NSX Manager UI.

2. Navigate to System > Certificates.
   
   
3. Click Import and select Import CA Certificate.

4. Enter a descriptive Name (e.g., Internal-Root-CA).

5. Ensure the Service Certificate slider is set to No.

6. Paste the certificate contents (including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----").
   ***Ensure there are no leading or trailing spaces/lines.

7. Click Save.
   
   
8. Repeat steps 1 through 7 above for any applicable Intermediate CA certificates.
   
   

Step 2: Configure the Identity Provider to use the CA Chain without a leaf certificate:

1. Navigate to System > User Management > LDAP.

2. Edit the affected LDAP Server configuration.

3. In the Certificate field, remove any existing individual machine certificate.

4. Paste the CA Chain, not including any leaf (specific to a given AD server), into the box in the following order:

   • Top: Intermediate CA Certificate

   • Bottom: Root CA Certificate

5. Enter the password to re-authenticate and click Save.

This process is similar to the method described in Techdocs: Configure Identity Firewall Domain when LDAPS Servers are behind Load Balancer when setting up vDefend Firewall so that the Identity Firewall Domain can use LDAP servers behind a load balancer. As stated in that documentation:

"When NSX connects to LDAPS servers through a load balancer, each connection may be on a different server. Each AD server presents its own certificate. Because these certificates are unique to each server, direct certificate pinning is not feasible. Instead, a certificate chain of trust should be used. If all AD server certificates are issued by the same Certificate Authority (CA), NSX can validate the connection using the shared CA certificate. This allows NSX to trust all AD servers behind the load balancer."