Set an external identity source for VMware NSX

In this article, learn how to set up an external identity source for VMware NSX in an instance of Azure VMware Solution.

You can set up NSX to use an external Lightweight Directory Access Protocol (LDAP) directory service to authenticate users. A user can sign in by using their Windows Server Active Directory account credentials or credentials from a third-party LDAP server. Then, the account can be assigned an NSX role, like in an on-premises environment, to provide role-based access for NSX users.

Screenshot that shows NSX connectivity to the LDAP Windows Server Active Directory server.



For more information about Secure LDAP (LDAPS) and certificate issuance, contact your security team or your identity management team.

Use Windows Server Active Directory as an LDAPS identity source

  1. Sign in to NSX Manager, and then go to System > User Management > LDAP > Add Identity Source.

    Screenshot that shows NSX Manager with the options highlighted.

  2. Enter values for Name, Domain Name (FQDN), Type, and Base DN. You can add a description (optional).

    The base DN is the container where your user accounts are kept. The base DN is the starting point that an LDAP server uses when it searches for users in an authentication request. For example, CN=users,dc=azfta,dc=com.


    You can use more than one directory as an LDAP provider. An example is if you have multiple Windows Server Azure Directory domains, and you use Azure VMware Solution as a way to consolidate workloads.

    Screenshot that shows the User Management Add Identity Source page in NSX Manager.

  3. Next, under LDAP Servers, select Set as shown in the preceding screenshot.

  4. On Set LDAP Server, select Add LDAP Server, and then enter or select values for the following items:

    Name Action
    Hostname/IP Enter the LDAP server’s FQDN or IP address. For example, or
    LDAP Protocol Select LDAPS.
    Port Leave the default secure LDAP port.
    Enabled Leave as Yes.
    Use Start TLS Required only if you use standard (unsecured) LDAP.
    Bind Identity Use your account that has domain Administrator permissions. For example, <>.
    Password Enter the password for the LDAP server. This password is the one that you use with the example <> account.
    Certificate Leave empty (see step 6).

    Screenshot that shows the Set LDAP Server page to add an LDAP server.

  5. After the page updates and displays a connection status, select Add, and then select Apply.

    Screenshot that shows details of a successful certificate retrieval.

  6. On User Management, select Save to complete the changes.

  7. To add a second domain controller or another external identity provider, return to step 1.


A recommended practice is to have two domain controllers to act as LDAP servers. You can also put the LDAP servers behind a load balancer.

Assign roles to Windows Server Active Directory identities

After you add an external identity, you can assign NSX roles to Windows Server Active Directory security groups based on your organization's security controls.

  1. In NSX Manager, go to System > User Management > User Role Assignment > Add.

    Screenshot that shows the User Management page in NSX Manager.

  2. Select Add > Role Assignment for LDAP. 

    1. Select the external identity provider that you selected in step 3 in the preceding section. For example, NSX External Identity Provider.

    2. Enter the first few characters of the user's name, the user's sign-in ID, or a group name to search the LDAP directory. Then select a user or group from the list of results.

    3. Select a role. In this example, assign the FTAdmin user the CloudAdmin role.

    4. Select Save.

    Screenshot that shows the Add User page in NSX Manager.

  3. Under User Role Assignment, verify that the permissions assignment appears.

    Screenshot that shows the User Management page confirming that the user was added.

Your users should now be able to sign in to NSX Manager by using their Windows Server Active Directory credentials.