Local User Authentication Failure on Standby Global Manager

Article ID: 431830

Products

VMware NSX

Issue/Introduction

In an NSX Federation environment, a local user account created on the Active Global Manager (GM) fails to authenticate when the same user attempts to log into the Standby Global Manager (GM). The user may receive an "Invalid Credentials" error despite using the correct username and password.

Environment

VMware NSX

Cause

The behavior is by design and stems from how NSX distinguishes between Management Plane (Policy) Objects and Appliance-Specific Configurations.

  1. Database Separation: NSX Federation synchronizes the Policy Database (Networking, Security, and Grouping objects) from the Active GM to the Standby GM. However, local user accounts are stored in the Appliance Management Database (Linux-level/Local Node database).

  2. Node-Specific Scope: Local users created via the System > User Management tab or via the CLI are tied to the specific appliance or local cluster where they were defined.

  3. Authentication vs. Authorization: While Role Bindings (the mapping of a user to a role like Enterprise Admin) are part of the Policy and do synchronize to the Standby GM, the Identity (the actual username/password record) does not exist on the Standby GM to fulfill the login request.

Resolution

To ensure a local user can access both the Active and Standby Global Managers, the account must be created manually on each cluster.


Option 1: Manual creation of the local user via the CLI, since the Standby GM is in read-only mode.

- Log in to the Standby Global Manager CLI.
- Run the following command in admin mode to create the new local user:
add user <username> password <Password>

- The command above adds the user with the "Auditor" role.


Option 2: External Identity Sources (Recommended for Production)

- For a seamless experience across all sites in a Federation, use an external Identity Provider (IDP).
- Active Directory/LDAP: Configure the LDAP server at the Global Manager level.
- VMware Identity Manager (vIDM): Integrate both Global Managers with vIDM.

When using an external IDP, the authentication is handled centrally. Because the Role Mapping is a synchronized policy object, the user will have consistent access to both the Active and Standby GM without manual intervention at each site.
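The Cause section above describes the failure condition exactly: a role binding (a synchronized Policy object) exists on the Standby GM while the local identity (an appliance-level record) does not. The following audit script is an added example, not code from this article or from VMware; it assumes the NSX Manager API paths GET /api/v1/node/users and GET /policy/api/v1/aaa/role-bindings and the response fields used below, which should be checked against the API guide for your NSX version. The sample documents are constructed.

```python
"""Audit a Standby Global Manager for role bindings that name a local user
with no identity record on that node. Added example, not code from the VMware
article; the API paths, the response fields and the sample documents below are
assumptions, to be checked against the API guide for your NSX version."""
import base64
import json
import ssl
import urllib.request

# Constructed sample: role bindings (Policy objects) as replicated to the Standby GM.
SAMPLE_ROLE_BINDINGS = json.dumps({"results": [
    {"name": "admin", "type": "local_user", "roles": [{"role": "enterprise_admin"}]},
    {"name": "auditor2", "type": "local_user", "roles": [{"role": "auditor"}]},
    {"name": "netops@corp.example", "type": "remote_user", "roles": [{"role": "network_engineer"}]},
]})

# Constructed sample: local accounts actually present on the Standby node.
SAMPLE_NODE_USERS = json.dumps({"results": [
    {"userid": 10000, "username": "admin", "status": "ACTIVE"},
    {"userid": 10001, "username": "audit", "status": "ACTIVE"},
]})


def orphaned_local_bindings(role_bindings_json, node_users_json):
    """Return (username, roles) pairs for local_user role bindings whose username
    is absent from the node's local user database. Such users receive 'Invalid
    Credentials' on this GM even though their role binding was synchronized."""
    present = {u["username"] for u in json.loads(node_users_json)["results"]}
    orphans = []
    for rb in json.loads(role_bindings_json)["results"]:
        if rb.get("type") != "local_user":
            continue  # remote users and groups are authenticated by the external IDP
        if rb["name"] not in present:
            orphans.append((rb["name"], [r["role"] for r in rb.get("roles", [])]))
    return orphans


def fetch(base_url, path, user, password, cafile=None):
    """GET a JSON document from an NSX Manager over TLS with basic auth; the server
    certificate is verified against cafile instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(base_url + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for name, roles in orphaned_local_bindings(SAMPLE_ROLE_BINDINGS, SAMPLE_NODE_USERS):
        print(f"{name}: role binding present ({', '.join(roles)}) but no local account on this node")
```

Against a live Standby GM, pass the two documents returned by fetch() for the role-bindings and node-users paths; every name reported needs the Option 1 or Option 2 step above before a failover.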