Local users created in VMware vCenter Single Sign-On 6.0 fail to log in after modifying the maximum lifetime value for password expiration

Article ID: 315293

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
After you modify the maximum lifetime password expiration value for VMware vCenter Single Sign-On 6.0, you experience these symptoms:
  • Local users created in VMware vCenter Single Sign-On are unable to log in
  • You see the error:

    Incorrect username/password
     
  • The C:\ProgramData\VMware\vCenterServer\logs\sso\vmware-sts-idmd.log file on the Platform Services Controller has entries similar to:

    [2015-06-24T11:36:04.877-05:00 SSO_Domain 7f9cd188-0a25-45a0-9716-5f7f66b1b50f ERROR] [IdentityManager] Failed to authenticate principal [username@SSO_Domain]. User password expired.
    [2015-06-24T11:36:04.877-05:00 SSO_Domain 7f9cd188-0a25-45a0-9716-5f7f66b1b50f INFO ] [IdentityManager] Authentication failed for user [username@SSO_Domain] in tenant [SSO_Domain] in [13] milliseconds with provider [SSO_Domain] of type
    com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider]
    [2015-06-24T11:36:04.877-05:00 vsphere.local 7f9cd188-0a25-45a0-9716-5f7f66b1b50f ERROR] [ServerUtils] Exception 'com.vmware.identity.idm.PasswordExpiredException: User account expired: {Name: username, Domain: SSO_Domain}'
    com.vmware.identity.idm.PasswordExpiredException: User account expired: {Name: username, Domain: SSO_Domain}
    at com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider.checkUserAccountFlags(VMwareDirectoryProvider.java:1339)
    at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2518)


    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
     
  • You are able to log in as administrator@vsphere.local

    Note: If you are using a custom VMware vCenter Single Sign-On domain, replace vsphere.local with the name of your VMware vCenter Single Sign-On domain.


Environment

VMware vCenter Server 6.0.x

Cause

This issue occurs when the SSO password expiration lifetime has a larger value than the maximum value permitted.

Resolution

This is a known issue affecting VMware vCenter Server 6.0.
 
Currently, there is no resolution.
 
To work around this issue:
 
  1. Log in to the VMware vSphere Web Client as administrator@vsphere.local

    Note: If you are using a custom VMware vCenter Single Sign-On domain, replace vsphere.local with the name of your VMware vCenter Single Sign-On domain.
     
  2. Navigate to Configuration > Policies > Password Policy > Edit.
  3. Set the password expiration value to a value less than 999999 days.
  4. Recreate the users impacted within the VMware vCenter Single Sign-On domain. For more information, see the Add vCenter Single Sign-On Users section in the vSphere Security guide.
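To find which local users step 4 applies to, here is an added Python example (not part of this KB article or of VMware's tooling) that scans vmware-sts-idmd.log for the expired-password failures shown in the Symptoms section and lists the affected principals. The log lines embedded in it are constructed samples modelled on the excerpt above, and the 999999-day bound is the one given in step 3.

```python
import re
from collections import OrderedDict

# Constructed sample lines modelled on the vmware-sts-idmd.log excerpt in this article.
SAMPLE_LOG = """\
[2015-06-24T11:36:04.877-05:00 SSO_Domain 7f9cd188-0a25-45a0-9716-5f7f66b1b50f ERROR] [IdentityManager] Failed to authenticate principal [alice@SSO_Domain]. User password expired.
[2015-06-24T11:36:04.877-05:00 SSO_Domain 7f9cd188-0a25-45a0-9716-5f7f66b1b50f INFO ] [IdentityManager] Authentication failed for user [alice@SSO_Domain] in tenant [SSO_Domain] in [13] milliseconds with provider [SSO_Domain] of type com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider]
[2015-06-24T11:36:04.877-05:00 vsphere.local 7f9cd188-0a25-45a0-9716-5f7f66b1b50f ERROR] [ServerUtils] Exception 'com.vmware.identity.idm.PasswordExpiredException: User account expired: {Name: alice, Domain: SSO_Domain}'
[2015-06-24T11:40:12.003-05:00 SSO_Domain 1c2d3e4f-0a25-45a0-9716-5f7f66b1b50f ERROR] [IdentityManager] Failed to authenticate principal [bob@SSO_Domain]. User password expired.
[2015-06-24T11:41:00.500-05:00 SSO_Domain 9a8b7c6d-0a25-45a0-9716-5f7f66b1b50f ERROR] [IdentityManager] Failed to authenticate principal [alice@SSO_Domain]. User password expired.
[2015-06-24T11:45:30.000-05:00 SSO_Domain 5e6f7a8b-0a25-45a0-9716-5f7f66b1b50f INFO ] [IdentityManager] Tenant [SSO_Domain] policy refreshed
"""

# Matches the ERROR line the IdentityManager writes when a password is treated as expired.
EXPIRED_RE = re.compile(
    r"^\[(?P<ts>\S+) (?P<tenant>\S+) \S+ ERROR\] \[IdentityManager\] "
    r"Failed to authenticate principal \[(?P<user>[^\]]+)\]\. User password expired\.$"
)

MAX_LIFETIME_DAYS = 999999  # bound from the workaround: the value must stay below this


def lifetime_within_limit(days):
    """True when a proposed maximum-lifetime value is positive and below the permitted bound."""
    return 0 < days < MAX_LIFETIME_DAYS


def expired_logins(log_text):
    """Map each principal to the timestamps of its expired-password authentication failures."""
    hits = OrderedDict()
    for line in log_text.splitlines():
        m = EXPIRED_RE.match(line.strip())
        if m:
            hits.setdefault(m.group("user"), []).append(m.group("ts"))
    return hits


def affected_users(log_text):
    """Sorted list of distinct principals that will need recreating after the policy is corrected."""
    return sorted(expired_logins(log_text))


if __name__ == "__main__":
    for user, stamps in expired_logins(SAMPLE_LOG).items():
        print(f"{user}: {len(stamps)} expired-password failure(s), first at {stamps[0]}")
    print("affected:", affected_users(SAMPLE_LOG))
```

Run it against the real log by replacing SAMPLE_LOG with the file contents; lines that do not match the expired-password pattern (including the INFO and ServerUtils lines) are ignored.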


Additional Information

To be alerted when this document is updated, click the Subscribe to Article link in the Actions box.

For more information, see this article:
SSO administrator is locked or expired - Reset the vCenter SSO Administrator Password
