jburen
Expert

Group-based Access Control not working in NSX-V


I rebuilt my lab environment and configured SSO for vCenter:

- Joined VCSA to AD

- Added AD as an Identity Provider

- Added AD group "NSX_Enterprise_Admins" with Read-Only permissions at the datacenter level

At this point, I can log in to vCenter with an account that is a member of the AD group "NSX_Enterprise_Admins".

Then, I added the AD domain to NSX.

[Screenshot: NSX_Domain.PNG]

And finally, I added a vCenter group with the NSX Enterprise Admins role.

[Screenshot: NSX_Group.PNG]

Unfortunately, when I log in with an account that is a member of the AD group "NSX_Enterprise_Admins" I get this error:

[Screenshot: No_NSX_Manager.PNG]

I really have no idea what I can check or change to get this working. I tried adding the vCenter group as "NSX_Enterprise_Admins@lab.local" but that didn't make a difference. I also tried four different ways of entering the user name on both interfaces (HTML5 and FLEX):

- LAB\Administrator

- administrator@lab.local

- Use Windows session authentication

- administrator

And of course, when I add the user account instead of the group, it works...

Consider giving Kudos if you think my response helped you in any way.
7 Replies
RoderikdeBlock
Enthusiast

Is the lookup service in the NSX manager configured correctly? Time not in sync between NSX and vCenter server?

[Screenshot: pastedImage_0.png]

Roderik de Block Blog: https://roderikdeblock.com
jburen
Expert

I use the Domain Controller as an NTP server for both vCenter and NSX Manager. The time zone is also the same on both. So time should be in sync.

[Screenshot: NSX_vCenter.PNG]

I know that SSO works when I add a user to NSX. But when I add a group I get the error...

larsonm
Expert

I've seen this before as well. When the issue came up, we simply added the few individual users rather than the group.

jburen
Expert

That's what I did as a workaround but it should work with a group... It's not a very big deal but I hate it when I don't know what's causing it. There must be a cause for this issue.

RoderikdeBlock
Enthusiast

I've also seen some posts where group nesting is the issue:

"One of the things we have found is that NSX Manager doesn't like nested AD groups.
Nested groups are also quite common in enterprise AD environments, using the AGDLP standard.
So our standard way of assigning rights would be:

the user –> member of a global group representing a user role –> member of a domain local group representing the resource –> the resource itself.

In this case the resource was the ‘auditor’ right in NSX manager.
We find that if we assign a user directly, it works.
If we assign the user via an AD global group, it works.
But when we nest it via a Domain Local Group, and then the Global group, then it doesn't work!"

Roderik de Block Blog: https://roderikdeblock.com
jburen
Expert

And to make it even stranger.... I think it *did* work one time but then I found out that the NSX Administrator permissions were not enough so I added the "NSX Enterprise Administrators" group and removed the "NSX Administrators" group. And after that things fell apart...

I will see if I can reset the whole SSO config.

jburen
Expert

Well, yesterday I removed the AD group from NSX and today I added it again. And it worked... I really have no idea what caused the issue but for now, the problem is solved.
