VMware vSphere

  • 1.  vCenter keeps locking accounts

    Posted May 05, 2014 05:11 PM

    Hello everyone!

    I need some troubleshooting help with this issue I'm having. The environment is vCenter Server Appliance Version 5.5.0 Build 1588022. The problem is that vCenter keeps locking out both my vdp and vcops SSO accounts (vdp@vsphere.local and vcops@vsphere.local). I logged on to the vSphere Web Client with the SSO Admin account (administrator@vsphere.local), went to Administration > Single Sign On > Users and Groups and noticed the vdp account was locked. I unlocked it, but as soon as I refreshed the page, it was locked out again. I changed the password for this account, disabled it, then re-enabled it again. Whenever I unlock, vCenter keeps unlocking it. I tailed my vCenter appliance's /var/log/messages and found that every second vmdird keeps locking those accounts:

    2014-05-05T17:07:18+00:00 vcsa01 vmdird: t@140575374509824: LoginBlocked DN (cn=vcops,cn=users,dc=vsphere,dc=local), error (9239)(Account access blocked)

    2014-05-05T17:07:22+00:00 vcsa01 vmdird: t@140575349331712: Lockout policy check - account lockout. (cn=vdp,cn=users,dc=vsphere,dc=local)

    2014-05-05T17:07:23+00:00 vcsa01 vmdird: t@140575374509824: LoginBlocked DN (cn=vcops,cn=users,dc=vsphere,dc=local), error (9239)(Account access blocked)

    2014-05-05T17:07:26+00:00 vcsa01 vmdird: t@140575349331712: Lockout policy check - account lockout. (cn=vdp,cn=users,dc=vsphere,dc=local)

    2014-05-05T17:07:27+00:00 vcsa01 vmdird: t@140575374509824: Lockout policy check - account lockout. (cn=vdp,cn=users,dc=vsphere,dc=local)

    2014-05-05T17:07:29+00:00 vcsa01 vmdird: t@140575349331712: Lockout policy check - account lockout. (cn=vdp,cn=users,dc=vsphere,dc=local)

    2014-05-05T17:07:31+00:00 vcsa01 vmdird: t@140575374509824: Lockout policy check - account lockout. (cn=vdp,cn=users,dc=vsphere,dc=local)

    2014-05-05T17:07:32+00:00 vcsa01 vmdird: t@140575349331712: LoginBlocked DN (cn=vcops,cn=users,dc=vsphere,dc=local), error (9239)(Account access blocked)

    2014-05-05T17:07:35+00:00 vcsa01 vmdird: t@140575349331712: Lockout policy check - account lockout. (cn=vdp,cn=users,dc=vsphere,dc=local)

    2014-05-05T17:07:35+00:00 vcsa01 vmdird: t@140575374509824: Lockout policy check - account lockout. (cn=vdp,cn=users,dc=vsphere,dc=local)

    Any tips on this?

    Thank you!



  • 2.  RE: vCenter keeps locking accounts

    Posted May 05, 2014 07:41 PM


  • 3.  RE: vCenter keeps locking accounts

    Posted May 06, 2014 12:05 PM

    Hi,

    I checked those policies and didn't see anything different from the defaults. I have changed them now, but the problem still persists.

    The second KB doesn't apply to me.

    Thanks, anyway.



  • 4.  RE: vCenter keeps locking accounts

    Posted May 23, 2014 03:48 PM

    This just hit us and hard.  We are running vCenter 5.1 and the default expiration policy is something like 385 days.  What we had to do was this:

    Go to the section where you control the policies.

    Set the maximum age to 0.

    Set the minimum number of passwords before re-use to 1.

    Save the policy.

    Go to the user account that keeps getting locked out in Users and Groups.

    Edit the account and set the password to something that will take but is temporary.

    Edit the account again and set the password back to the very first one you had that is used by the VDP appliances and other accounts you are using.

    Make sure the account is unlocked.

    The account is getting locked because the password has expired, and if you change it in SSO but don't change it on the source, then after three attempts, the account is locked. VDP and other applications are trying to log in all the time to update their local information, so you will see the account locked pretty quickly if the password doesn't match what VDP thinks it should be.

    This should prevent the account from getting locked right away and allow things to proceed.  The alternative is to set those policies, create a new account for each of these services with the correct permissions and switch them to use those new accounts.  But this can be problematic with VDP if things don't go just right (it might think it is a new registration and you will have to re-enter your backup jobs and stuff). 
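
Added example, not part of the original thread: a small Python parser that reads vmdird lines in the format quoted in the first post and reports which accounts are being hit repeatedly in a short window, which is the pattern the reply above attributes to a service retrying with a password that no longer matches. The thresholds (3 events within 60 seconds) and the `cn=example` line are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# First six lines are copied from the log in the first post; the last line
# (cn=example) is constructed here to show an account that is NOT flagged.
SAMPLE_LOG = """\
2014-05-05T17:07:18+00:00 vcsa01 vmdird: t@140575374509824: LoginBlocked DN (cn=vcops,cn=users,dc=vsphere,dc=local), error (9239)(Account access blocked)
2014-05-05T17:07:22+00:00 vcsa01 vmdird: t@140575349331712: Lockout policy check - account lockout. (cn=vdp,cn=users,dc=vsphere,dc=local)
2014-05-05T17:07:23+00:00 vcsa01 vmdird: t@140575374509824: LoginBlocked DN (cn=vcops,cn=users,dc=vsphere,dc=local), error (9239)(Account access blocked)
2014-05-05T17:07:26+00:00 vcsa01 vmdird: t@140575349331712: Lockout policy check - account lockout. (cn=vdp,cn=users,dc=vsphere,dc=local)
2014-05-05T17:07:27+00:00 vcsa01 vmdird: t@140575374509824: Lockout policy check - account lockout. (cn=vdp,cn=users,dc=vsphere,dc=local)
2014-05-05T17:07:32+00:00 vcsa01 vmdird: t@140575349331712: LoginBlocked DN (cn=vcops,cn=users,dc=vsphere,dc=local), error (9239)(Account access blocked)
2014-05-05T17:09:00+00:00 vcsa01 vmdird: t@140575349331712: LoginBlocked DN (cn=example,cn=users,dc=vsphere,dc=local), error (9239)(Account access blocked)
"""

# The two vmdird message shapes seen in the thread, each followed by the DN.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ vmdird: t@\d+: "
    r"(?P<kind>LoginBlocked DN|Lockout policy check - account lockout\.) "
    r"\((?P<dn>[^)]+)\)"
)

def parse_events(log_text):
    """Map each DN to the sorted timestamps of its lockout-related events."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events[m["dn"]].append(datetime.fromisoformat(m["ts"]))
    return {dn: sorted(ts) for dn, ts in events.items()}

def retrying_accounts(log_text, min_events=3, window_s=60):
    """DNs with min_events hits inside any window_s span: something keeps retrying."""
    flagged = {}
    for dn, ts in parse_events(log_text).items():
        # Sliding window over sorted timestamps: event i versus event i+min_events-1.
        for i in range(len(ts) - min_events + 1):
            if (ts[i + min_events - 1] - ts[i]).total_seconds() <= window_s:
                flagged[dn] = len(ts)  # report the total event count for this DN
                break
    return flagged

if __name__ == "__main__":
    for dn, count in retrying_accounts(SAMPLE_LOG).items():
        print(f"{count:3d} events  {dn}")
```

On the appliance, the same function can be fed the contents of /var/log/messages; the accounts it reports are the ones whose stored password on the client side should be checked first.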



  • 5.  RE: vCenter keeps locking accounts

    Posted May 26, 2014 07:58 PM

    Hey Shawn,

    I marked your answer as helpful, because somehow I did it in a hurry, but in a different way. I had to use an LDAP browser in order to fix those parameters for vdp account, and it did work, but I'm pretty sure your procedure could work also.

    Thanks.



  • 6.  RE: vCenter keeps locking accounts