VMware vSphere

  • 1.  Domain account being locked out by vSphere

    Posted Nov 09, 2012 06:15 PM

    After I changed my domain password and rebooted my PC... my domain account locks after a minute or so of establishing a network connection to one of the vSphere vCenters.

    The event log in the vSphere server shows "Cannot login <domain\user>@IP<IP>" every 70 seconds.

    What I think is happening is that I logged on to one of our many jump servers and accessed a vCenter (vSphere 5), then disconnected the session while the client was running; the session is disconnected but is trying to reconnect.

    Is this a reasonable hypothesis?

    If so, it means the default setting of the client to try and keep reconnecting is a bit of a loose cannon - I haven't yet seen how to time it out from the vCenter; any pointers would be most helpful.



  • 2.  RE: Domain account being locked out by vSphere

    Posted Nov 09, 2012 06:19 PM

    I'm not quite sure I fully understand, but try this.  Do you have another account that is part of the administrator role in vCenter? If so, log into vCenter and terminate any of your idle sessions.  Or you could always restart the vCenter Server Service, which will drop active and idle sessions.
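    The "terminate your idle sessions" step above, done from the command line. This is an added PowerCLI example, not code from the thread or from VMware; it assumes PowerCLI (Connect-VIServer, Get-View) is installed, that the account used holds the Sessions privilege, and the server and user names are placeholders.

```powershell
# Added example (not from the thread): list and terminate a user's idle vCenter sessions
# through the vSphere API SessionManager, using PowerCLI. Assumes an existing
# Connect-VIServer session held in $global:DefaultVIServer. Names below are placeholders.

function Get-IdleVISession {
    param(
        [Parameter(Mandatory)][string]$UserName,   # e.g. 'DOMAIN\jdoe' (placeholder)
        [int]$IdleMinutes = 30                     # how long without activity counts as idle
    )
    # SessionManager lists every session vCenter currently holds for all users.
    $sm     = Get-View -Id $global:DefaultVIServer.ExtensionData.Content.SessionManager
    $cutoff = (Get-Date).AddMinutes(-$IdleMinutes)
    $sm.SessionList |
        Where-Object {
            $_.UserName -eq $UserName -and
            $_.LastActiveTime -lt $cutoff -and
            $_.Key -ne $sm.CurrentSession.Key      # never kill the session we are running in
        } |
        Select-Object Key, UserName, IpAddress, LoginTime, LastActiveTime
}

function Stop-IdleVISession {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [int]$IdleMinutes = 30
    )
    $sm   = Get-View -Id $global:DefaultVIServer.ExtensionData.Content.SessionManager
    $keys = @(Get-IdleVISession -UserName $UserName -IdleMinutes $IdleMinutes | ForEach-Object Key)
    if ($keys.Count -gt 0) {
        # TerminateSession takes an array of session keys and drops them server-side.
        $sm.TerminateSession($keys)
    }
    $keys   # returned so the caller can log which sessions were dropped
}

# Usage (placeholders):
# Connect-VIServer -Server 'vcenter01.example.local'
# Get-IdleVISession  -UserName 'DOMAIN\jdoe' | Format-Table -AutoSize
# Stop-IdleVISession -UserName 'DOMAIN\jdoe' -IdleMinutes 15
```

    The IpAddress column is worth looking at before terminating anything: a session whose address is a jump server or a shared box is exactly the kind of stale client the original post suspects.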



  • 3.  RE: Domain account being locked out by vSphere

    Posted Nov 09, 2012 06:25 PM

    I know what you did: some service or appliance (probably VDR) is using domain credentials to log in.  The password is cached, and therefore it gets locked because it's trying to use an old password.  You need to reset the password used by vSphere, the appliance, or the service on vCenter to stop locking the account.

    NOW you see why it's a good idea to create accounts specific to a service, so they have their OWN credentials and aren't sharing something else.  This is best practice.



  • 4.  RE: Domain account being locked out by vSphere
    Best Answer

    Posted Nov 09, 2012 06:33 PM

    I saw this happen a lot of times with admin accounts. In most cases the admins were logged on to a server or any other system with the old credentials or had some scheduled tasks running which caused the lockout. I think this has nothing to do with vCenter Server. I'd check the DC's security event logs to see whether they contain any hints.

    André



  • 5.  RE: Domain account being locked out by vSphere

    Posted Nov 09, 2012 09:38 PM

    If you have ruled out any running services that might have been configured under your account, download the Microsoft Account Lockout tools and you will be able to track down where the lockouts are coming from.

    http://www.microsoft.com/en-us/download/details.aspx?id=18465

    LockoutStatus will tell you which domain controller logged your bad password attempts.  EventCombMT can then search that domain controller's security log for your username and return all security events, which will tell you from which host the bad password was sent.  You can further run EventCombMT against that host's security log, and so on, until you narrow it down.
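    The same trace (lockout on the DC, then the host that sent the bad password) done with built-in cmdlets instead of the Account Lockout tools. This is an added example, not code from the thread or from Microsoft; it assumes Windows Server 2008 or later security event IDs (4740 lockout, 4771 Kerberos pre-auth failure, 4625 logon failure), remote event log access to the DC, and the field names in the events' XML data. User and host names are placeholders.

```powershell
# Added example (not from the thread): follow a domain lockout from the DC's Security log
# back to the host that submitted the bad password, the chain the post describes with
# LockoutStatus / EventCombMT. Assumes Windows Server 2008+ event IDs and EventData field
# names (TargetUserName, TargetDomainName, IpAddress, WorkstationName, Status).

function Get-EventDataField {
    # Read the named <Data Name="..."> fields from an event's XML, so the code does not
    # depend on positional Properties[] indices, which differ between event IDs.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Find-LockoutSource {
    # First hop: 4740 "A user account was locked out" on the DC. Its TargetDomainName
    # field carries the caller computer name, i.e. the host that sent the bad passwords.
    param(
        [Parameter(Mandatory)][string]$User,               # sAMAccountName that keeps locking
        [Parameter(Mandatory)][string]$DomainController,   # DC named by LockoutStatus (the PDC emulator records every lockout)
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    $lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $lockouts) {
        $d = Get-EventDataField $e
        if ($d.TargetUserName -ne $User) { continue }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            User           = $d.TargetUserName
            CallerComputer = $d.TargetDomainName
        }
    }
}

function Find-BadPasswordSender {
    # Second hop: on the DC (or on the caller host found above) list the failed logons for
    # the user together with the address / workstation they came from.
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    # 4771 = Kerberos pre-authentication failed (a bad password as the DC sees it)
    # 4625 = An account failed to log on (NTLM and local logons)
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4625; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = Get-EventDataField $e
        if ($d.TargetUserName -ne $User) { continue }
        $reason = if ($e.Id -eq 4771) { 'Kerberos pre-auth failed' } else { 'Logon failure' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            SourceIp    = ($d.IpAddress -replace '^::ffff:', '')   # strip the IPv4-mapped prefix
            Workstation = $d.WorkstationName                       # only populated on 4625
            Status      = $d.Status
            Reason      = $reason
        }
    }
}

# Usage (placeholders):
# Find-LockoutSource     -User 'jdoe' -DomainController 'DC01' | Format-Table -AutoSize
# Find-BadPasswordSender -User 'jdoe' -ComputerName 'DC01' |
#     Group-Object SourceIp | Sort-Object Count -Descending
```

    Grouping the second query by SourceIp is the quickest way to spot a retrying client: in the situation described in this thread it would show one address (the poster's PC) failing at a fixed interval, which is what the "every 70 seconds" entries on the vCenter side already hint at.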



  • 6.  RE: Domain account being locked out by vSphere

    Posted Nov 11, 2012 09:06 PM

    Guys

    Thanks so much for your help

    First of all, this isn't showing up as a session in vCenter – I've even restarted the vCenter server.

    I've checked all the Windows services and appliances on both my PC and the vCenter (Veeam, Converter, tasks, ODBC, network shares, plugins etc.) and haven't found anything that uses my domain account.

    The domain controller points to the vCenter server as generating the lockout; the vCenter server event log "Cannot login <domain\user>@IP<IP>" points to a network device.

    The vCenter is behind a firewall, in linked mode to another vCenter separated by another firewall – if I don't establish VPN access to the subnet where the vCenter is located I don't get locked out.

    With the network cable unplugged, netstat -ao from my PC shows a SYN_SENT :https to the vCenter; the PID is a java process – when I kill it, 30 seconds later it's back.

    From another PC I am able to log on with no problems – no messages in the event log, so the problem seems to originate on my PC...

    Reconnected the network cable on my own PC and quick login, but within a few minutes the domain account is locked out and the vCenter event log shows "BadUsernameSessionEvent.fullFormat not found, BadUsernameSessionEvent.catogory not found".

    I'm also connected to the vCenter with a local Windows account, and the event log messages are different; these say "Cannot login <domain\user>@IP<IP>".

    Changed my domain account password from the vCenter (CTRL + ALT + END) (the security policy was higher: 10 characters instead of 8, the domain default), then quick login to the vCenter from my PC...

    12 hours without lockout... seems there was a credential mismatch between my PC and the vCenter....