In my lab deployments of NSX I’ve come across an issue whereby logging into the vSphere Web Client with authorized accounts results in the inability to manage NSX via the Networking and Security Plugin. If an account doesn’t have access to administer NSX you will see 0 NSX Managers reported in the Web Client as shown below.
There aren’t a lot of detailed guidelines at the moment as to what needs to be configured in the NSX Manager and Web Client Plugin to grant access to users other than the specified NSX service account and SSO Administrator. I’ve found that NSX loves FQDNs when configuring user access, especially if logging in with Domain Accounts.
Configuring NSX Management Service:
Log into the NSX Manager and go to Manager -> NSX Management Service where you configure the Lookup Service and vCenter Server connectivity. While I’ve seen example configs using IP addresses for the Lookup Service and vCenter Server, I’d suggest using FQDNs/DNS names for production deployments…But more importantly I’ve discovered that using the UPN format for User Names works best when using Domain Accounts for admin.
The most important configuration item here is using the UPN for the vCenter User Name…in my case I use a dedicated service account called service.nsx. Using the UPN and adding the domain part of the user name acts like a default domain when logging into the Web Client with Domain Based accounts. With the full UPN configured you only need to enter the first part of the user account when logging in.
Configuring User and Group Permissions:
After you have configured the Lookup and vCenter Connectivity in the NSX Manager, jump over to the Web Client and log in with the service account as shown below:
With this account you will have access to administer NSX and add new Users and Groups. Click on the Networking & Security Inventory Tab and in the left pane click on the IP of the NSX Manager. In the Middle Pane click on Manage and then the Users Tab.
If you have upgraded from a vShield Manager, all the previous user accounts are carried across; however, if you log in with that format carried over you will see 0 NSX Managers listed. For individual users, delete the existing entries and re-create them with their full UPN account details. As highlighted below, the users shown next to the red arrow will not have the correct rights to administer NSX…The re-created accounts next to the green arrow will be able to log in and have management rights.
For Group config, the same applies…use the [email protected] format and all members of the group will be able to login.
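An added example, not from the original post: a small Python audit for the re-creation step above, which takes user and group entries copied from the Users tab and lists every one that is not a full UPN, with a suggested replacement. The post does not show what the carried-over format looks like, so the three non-UPN forms handled here, the NetBIOS-to-DNS mapping, and all `example.com` names are assumptions.

```python
import re

# UPN: local part, "@", then a dotted DNS domain (at least two labels).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
UPN_RE = re.compile(rf"^[^@\\\s]+@{_LABEL}(?:\.{_LABEL})+$")
DOWNLEVEL_RE = re.compile(r"^([^@\\\s]+)\\([^@\\\s]+)$")  # DOMAIN\name


def classify(entry):
    """Return 'upn', 'short-domain', 'down-level' or 'bare' for one entry."""
    entry = entry.strip()
    if UPN_RE.match(entry):
        return "upn"
    if "@" in entry:
        return "short-domain"      # name@DOMAIN without a DNS suffix
    if DOWNLEVEL_RE.match(entry):
        return "down-level"
    return "bare"


def suggest_upn(entry, netbios_to_fqdn, default_domain):
    """Propose the UPN to use when re-creating a non-UPN entry."""
    entry = entry.strip()
    m = DOWNLEVEL_RE.match(entry)
    if m:
        domain, name = m.group(1), m.group(2)
    elif "@" in entry:
        name, domain = entry.split("@", 1)
    else:
        name, domain = entry, None
    fqdn = netbios_to_fqdn.get(domain.upper()) if domain else default_domain
    return f"{name}@{fqdn}" if fqdn else None   # None: unknown domain, resolve by hand


def audit(entries, netbios_to_fqdn, default_domain):
    """List (entry, kind, suggested_upn) for every entry that is not a full UPN."""
    return [(e.strip(), classify(e), suggest_upn(e, netbios_to_fqdn, default_domain))
            for e in entries if classify(e) != "upn"]


# Constructed sample: entries as they might appear on the NSX Users tab.
SAMPLE = ["service.nsx@lab.example.com", "LAB\\jsmith", "nsxadmins@LAB",
          "operator1", "OTHER\\auditor"]
DOMAINS = {"LAB": "lab.example.com"}   # assumed NetBIOS-to-DNS mapping

if __name__ == "__main__":
    for entry, kind, upn in audit(SAMPLE, DOMAINS, "lab.example.com"):
        print(f"{entry:<16} {kind:<13} -> {upn or 'unknown domain, check manually'}")
```

Entries returned with no suggestion belong to a domain missing from the mapping and need to be resolved by hand before they are re-created.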
Just to finish off, there is an official VMware KB here on the issue. However, it only talks about the configured users having appropriate vCenter Permissions.
- Log in to the NSX Manager via the Web UI.
- Click Manage vCenter Registration.
- Navigate to COMPONENTS > NSX Management Service.
- Ensure that vCenter Server is configured correctly.