In this blog, we address a recent issue encountered while integrating NSX with an external identity provider over LDAP. After completing the LDAP integration, we found that Active Directory (AD) users were unable to log in to the NSX user interface, while local users could access it without any problem. We validated all configuration settings and found nothing missing or incorrect. The connection status for the LDAP server showed success in the NSX UI, confirming that NSX and the LDAP server could communicate over the required port.

We are currently operating NSX version 4.x in our data center.

Issue: the NSX UI returned the error “The credentials were incorrect or the account specified has been locked.”

Note: we were able to log in to vCenter Server with the same LDAP integration and the same domain user; the issue occurred with NSX only.

Observation: during troubleshooting, we observed that NSX had been integrated with the ABC.net domain, while the user IDs were created under the ABC.com domain. This Active Directory configuration appears to involve a primary domain along with an alternative UPN suffix.

Resolution: we referred to the Broadcom KB documents below and found that the fix is to add the alternative domain to the NSX LDAP configuration. After adding ABC.com as an alternative domain, LDAP users were able to authenticate.
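The following PowerShell check is an added example, not part of the original post or of any Broadcom tooling. It is run from a domain-joined Windows host with the ActiveDirectory module, and compares the UPN suffixes of the users who cannot log in against the domains configured on the NSX identity source. The domain names and user names are assumed example values.

```powershell
# Assumed example values: what the NSX LDAP identity source is configured with
# today ("Domain name" plus "Alternative domain names"), and the affected users.
$NsxDomain             = 'ABC.net'
$NsxAlternativeDomains = @()              # empty before the fix described above
$FailingUsers          = @('jdoe', 'asmith')   # sAMAccountNames of AD users that cannot log in

Import-Module ActiveDirectory

# Everything NSX would currently accept as the part after "@" in a login.
$configured = @($NsxDomain) + $NsxAlternativeDomains | ForEach-Object { $_.ToLower() }

# Alternative UPN suffixes are defined at forest level; list them so the
# "primary domain plus alternative suffix" hypothesis can be confirmed.
$forest = Get-ADForest
Write-Host "Forest root domain     : $($forest.RootDomain)"
Write-Host "Alternative UPN suffixes: $($forest.UPNSuffixes -join ', ')"

# For each failing user, read the actual userPrincipalName and extract its suffix.
$uncovered = foreach ($sam in $FailingUsers) {
    $user   = Get-ADUser -Identity $sam -Properties UserPrincipalName
    $suffix = ($user.UserPrincipalName -split '@')[-1].ToLower()
    if ($configured -notcontains $suffix) {
        [pscustomobject]@{ User = $sam; UPN = $user.UserPrincipalName; Suffix = $suffix }
    }
}

if ($uncovered) {
    Write-Host "UPN suffixes in use that the NSX identity source does not cover:"
    $uncovered | Format-Table -AutoSize
    $toAdd = $uncovered.Suffix | Sort-Object -Unique
    Write-Host "Add as alternative domain name(s) in the NSX LDAP configuration: $($toAdd -join ', ')"
} else {
    Write-Host "All affected users have a UPN suffix that NSX already covers; look elsewhere."
}
```

With the values above, a user whose UPN is jdoe@ABC.com is reported with suffix abc.com, which is exactly the alternative domain that had to be added.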

Reference documents

https://knowledge.broadcom.com/external/article/324177/ldap-users-cannot-log-into-nsxt-ui-or-ar.html

https://knowledge.broadcom.com/external/article/324162/ldap-users-cannot-log-into-nsxt-ui-or-ar.html
