Failed logons for NSX appliance seen on security monitor tool when using AD service account



Article ID: 432569


Updated On:

Products

VMware NSX

Issue/Introduction

  • NSX is configured to use AD (Active Directory).
  • Other components such as vROps and/or vRNI are configured to use an AD service account.
  • Monitoring tools configured on NSX show login failures for the service accounts:

NSX UserName="<service account username>@<AD domain>@<IP address>", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="failure"

  • In the NSX manager log /var/log/proxy/reverse-proxy.log we can see the following:

ERROR Processing request ########-4d04-4e4b-956f-############ NsxRestAuthenticationEntryPoint 2795 - [nsx@6876 comp="nsx-manager" errorCode="MP403" level="ERROR" subcomp="http"]The credentials were incorrect or the account specified has been locked.

  • In the NSX manager log /var/log/proxy/envoy_access_log.txt we can see the API calls with HTTP response code 503 and UAEX:

"/policy/api/v1/infra/segments/######/ports/default:########-1581-4f37-abcd-############/statistics?enforcement_point_path=<path>" "HTTP/1.1" 503 UAEX 0 0 59998 - "<IP address>" "Apache-HttpClient/4.5.9 (Java/17.0.10)" "########-4ad3-4f47-b085-############" "<IP address>:443" "-"
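As an added example that is not part of this article, the following Python script parses the two log formats shown above: it extracts the fields of the NSX audit line, counts LOGIN failures per service account (separating the source IP so you can tell which component is using the account), and counts MP403 entries from reverse-proxy.log. The account names, IPs and request IDs in the sample lines are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the formats shown above (placeholder accounts, IPs and IDs).
AUDIT_LINES = [
    'NSX UserName="svc-vrni@corp.example@192.0.2.10", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="failure"',
    'NSX UserName="svc-vrni@corp.example@192.0.2.10", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="failure"',
    'NSX UserName="svc-vrops@corp.example@192.0.2.12", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="failure"',
    'NSX UserName="admin@corp.example@192.0.2.11", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="success"',
]
PROXY_LINES = [
    'ERROR Processing request 00000000-4d04-4e4b-956f-000000000000 NsxRestAuthenticationEntryPoint 2795 - [nsx@6876 comp="nsx-manager" errorCode="MP403" level="ERROR" subcomp="http"]The credentials were incorrect or the account specified has been locked.',
    'INFO Processing request 00000000-4d04-4e4b-956f-000000000001 NsxRestAuthenticationEntryPoint 2795 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"]Authenticated.',
]

# key="value" pairs; a key may contain one space, as in 'Operation status'.
KV_RE = re.compile(r'\b([A-Z][A-Za-z]*(?: [a-z]+)?)="([^"]*)"')

def parse_audit_line(line):
    """Return the key/value fields of an NSX audit line as a dict."""
    return dict(KV_RE.findall(line))

def failed_logins_per_account(lines):
    """Count LOGIN failures per account@domain and record the source IPs seen for each."""
    failures, sources = Counter(), defaultdict(set)
    for line in lines:
        f = parse_audit_line(line)
        if not (f.get("ModuleName") == "ACCESS_CONTROL" and f.get("Operation") == "LOGIN"
                and f.get("Operation status") == "failure"):
            continue
        # UserName is '<account>@<domain>@<source IP>'; the last '@' splits off the caller's IP.
        account, _, source_ip = f.get("UserName", "").rpartition("@")
        failures[account] += 1
        sources[account].add(source_ip)
    return failures, sources

def count_mp403(lines):
    """Count reverse-proxy.log entries with errorCode MP403 (bad credentials or locked account)."""
    return sum(1 for line in lines if 'errorCode="MP403"' in line)

def accounts_over_threshold(lines, threshold=2):
    """Accounts whose LOGIN failures reach the threshold: the ones to review in AD."""
    failures, _ = failed_logins_per_account(lines)
    return sorted(a for a, n in failures.items() if n >= threshold)

if __name__ == "__main__":
    failures, sources = failed_logins_per_account(AUDIT_LINES)
    for account, n in failures.most_common():
        print(f"{account}: {n} failed logins from {sorted(sources[account])}")
    print("MP403 entries in reverse-proxy.log:", count_mp403(PROXY_LINES))
```

Run it against the real audit lines exported from your monitoring tool to see which service account, and from which source IP, is producing the failures before reviewing that account in AD.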

Environment

VMware NSX

Cause

As the NSX log indicates, the account credentials are wrong or the account is locked; review the account on the AD server.

Resolution

Review the account in AD, verify the password, and confirm that the account is enabled.

Additional Information

Intermittent HTTP 503 error response when authenticating NSX-T manager via LDAPS