With NSX-T it is possible to use vIDM for authentication to the NSX-T Manager. When you try to use a vIDM user with the correct permissions to run REST API calls, these calls may fail, even though you are able to log in to the NSX-T Manager with the same user and make changes. The NSX-T Manager is configured to use vIDM, and the vIDM setup is configured with a connector and a vIDM server.

Below is a sample REST API query and the result you may see:

    # curl --header "Authorization: Remote bnN4YWRtaW5AY29ycC5sb2NhbDpWTXdhcmUxIQ==" --insecure -s --request GET https://<nsx-mgr>/api/v1/logical-ports
    {
      "module_name" : "common-services",
      "error_message" : "The credentials were incorrect or the account specified has been locked.",
      "error_code" : "403"
    }
This happens when a separate connector server and a vIDM server are configured, and the vIDM server does not trust the CA certificate of the connector server.
To work around this issue you will need to make the vIDM server trust the CA from the connector server.
Enable Outbound Mode for the Connector; in outbound mode the vIDM server does not need to trust the connector certificate. Details on how to achieve this can be found in the following documentation:

https://docs.vmware.com/en/VMware-Identity-Manager/3.3/com.vmware.vidm-dmz-deployment/GUID-C97A4D37-8F1F-4B24-9A97-1A25A0033999.html
https://docs.vmware.com/en/VMware-Identity-Manager/3.3/com.vmware.vidm-dmz-deployment/GUID-FE124219-1322-43B2-9F41-9DE941FCD012.html

If you still have issues after enabling Outbound Mode for the Connector, you may need to manually trust the connector certificate in vIDM.

Run the following command from a Linux shell:

    openssl s_client -connect your-connector-ip:443

where your-connector-ip is either your connector IP address or a resolvable hostname. This returns a long output which includes the certificate. Select everything between the lines below, including the BEGIN and END lines of the certificate, and copy it to your clipboard:

    -----BEGIN CERTIFICATE-----
    MIIG....XdvA0
    -----END CERTIFICATE-----

To install this certificate on vIDM:

1. On the vIDM server, log in to the Admin Portal.
2. Go to Appliance Settings.
3. Click Manage configuration.
4. Enter your vIDM system admin password.
5. Select the Install SSL Certificates option in the left sidebar.
6. Select the Trusted CAs tab.
7. Paste the connector certificate copied to the clipboard earlier into the Root or Intermediate Certificate text box.
8. Click Add. You will be presented with a warning:
   Note: THIS OPERATION WILL RESTART YOUR VIDM SERVER SO MAY AFFECT CURRENT LOGGED IN USERS !
9. Click Ok.

Once the service restart is complete, the spinning wheel on the page should go away. Retry the NSX-T API call again.
Another possible cause for this behavior is the NSX Manager date being behind the vIDM date. Check /var/log/proxy/reverse-proxy.log on the NSX Manager at the time of the failed authentication. Example logging if the NSX date is behind the vIDM date:

    2022-05-10T17:00:00.688Z INFO https-jsse-nio-<IP>-443-exec-2 VidmTokenServices 30035 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Fetch information from vIDM Discovery Endpoint https://{vIDM hostname}/SAAS/auth/.well-known/openid-configuration
    2022-05-10T17:00:00.778Z INFO https-jsse-nio-<IP>-443-exec-2 NsxTrustManager 30035 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Trust thumbprint of CN=XXXXXXXXXXXX,OU=XXXXXX,O=XXX Inc.,C=XX
    2022-05-10T17:00:00.862Z INFO https-jsse-nio-<IP>-443-exec-2 VidmTokenServices 30035 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Fetch public key from https://{vIDM hostname}/SAAS/API/1.0/REST/auth/token?attribute=publicKey&format=pem
    2022-05-10T17:00:00.904Z INFO https-jsse-nio-<IP>-443-exec-2 VidmTokenServices 30035 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Validate access token locally: <token info>
    2022-05-10T17:00:00.905Z WARN https-jsse-nio-<IP>-443-exec-2 CustomOidcAuthorizationCodeAuthenticationProvider 30035 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] password grant flow authentication failed
    2022-05-10T17:00:00.905Z ERROR https-jsse-nio-<IP>-443-exec-2 NsxBasicAuthenticationFilter 30035 - [nsx@6876 comp="nsx-manager" errorCode="MP60204" level="ERROR" subcomp="http"] error
    org.springframework.security.authentication.BadCredentialsException: Could not obtain user details from token
    ...
    Caused by: org.springframework.security.oauth2.common.exceptions.InvalidTokenException: Token has been issued in the future: <UNIX timestamp>
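A check for this second cause, added here as an example and not part of the KB article: it scans reverse-proxy.log lines for the InvalidTokenException shown above and works out how far the NSX Manager clock sits behind the token's issue time, and it can also measure live skew against the Date header of the vIDM discovery endpoint the log shows being fetched. The function names, the sample log values and the vIDM host are assumptions.

```python
"""Added example (not from the KB): flag the vIDM clock-skew failure in
/var/log/proxy/reverse-proxy.log and optionally measure live skew against vIDM."""
import re
import ssl
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Timestamp / level / thread / component prefix of a reverse-proxy.log line (format as in the KB)
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+(?P<level>[A-Z]+)\s+\S+\s+(?P<comp>\S+)")
# The InvalidTokenException message NSX logs when its clock is behind vIDM
FUTURE_RE = re.compile(r"Token has been issued in the future: (?P<iat>\d+)")

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def find_clock_skew(lines):
    """Return (log_time, token_iat, skew_seconds) for each 'issued in the future' error.
    The 'Caused by:' line carries no timestamp, so it is attributed to the most
    recent timestamped line above it; skew > 0 means NSX's clock is behind vIDM's."""
    findings, last_ts = [], None
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            last_ts = parse_ts(m.group("ts"))
        f = FUTURE_RE.search(line)
        if f and last_ts is not None:
            iat = datetime.fromtimestamp(int(f.group("iat")), tz=timezone.utc)
            findings.append((last_ts, iat, (iat - last_ts).total_seconds()))
    return findings

def live_skew_seconds(vidm_host, cafile=None):
    """vIDM's clock minus the local clock, read from the HTTP Date header of the
    discovery endpoint (assumed path, as seen in the KB log). Positive => local
    clock is behind. Run from the NSX Manager shell; needs network access to vIDM."""
    url = f"https://{vidm_host}/SAAS/auth/.well-known/openid-configuration"
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        vidm_now = parsedate_to_datetime(resp.headers["Date"])
    return (vidm_now - datetime.now(timezone.utc)).total_seconds()

# Constructed sample in the KB's log format (values are made up); 1652202120 is
# 2022-05-10T17:02:00Z, i.e. vIDM issued the token ~2 minutes ahead of NSX's clock.
SAMPLE_LOG = [
    '2022-05-10T17:00:00.905Z ERROR https-jsse-nio-10.0.0.5-443-exec-2 NsxBasicAuthenticationFilter 30035 - [nsx@6876 comp="nsx-manager" errorCode="MP60204" level="ERROR" subcomp="http"] error',
    "org.springframework.security.authentication.BadCredentialsException: Could not obtain user details from token",
    "Caused by: org.springframework.security.oauth2.common.exceptions.InvalidTokenException: Token has been issued in the future: 1652202120",
]

if __name__ == "__main__":
    for log_time, iat, skew in find_clock_skew(SAMPLE_LOG):
        print(f"{log_time.isoformat()} token iat={iat.isoformat()} NSX clock behind by {skew:.0f}s")
```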