Search the VMware Knowledge Base (KB)
View by Article ID

VMware vCenter Server shows VMware ESXi 5.x host with Lockdown Mode enabled when it is not enabled (2017394)

  • 3 Ratings

Symptoms

  • VMware vCenter Server shows Lockdown Mode as enabled. However, it is disabled on the host.
  • vCenter Server continues to show the incorrect status for the host even after:

    • The vSphere Client is restarted.
    • The host management services are restarted.
    • The VirtualCenter Server service is restarted.
    • The host is removed and re-added to the vCenter Server inventory.

  • This issue occurs when using Autodeployed ESXi 5.x hosts.
  • If the host is restarted, Lockdown Mode is disabled, but vCenter Server shows that it is enabled.
  • Changing Lockdown Mode from vCenter Server fails with the error:

    A general system error occurred: Invalid fault
    Call "HostSystem.EnableAdmin" for object "esxi host FQDN" on vCenter Server

Cause

This issue occurs because vCenter Server enables and disables Lockdown Mode for the ESXi hosts, without checking the current Lockdown status of the host to determine the current state. That is, if vCenter Server (through the vSphere Client) puts a host into Lockdown Mode and the Direct Console User Interface (DCUI) is used to take the host out of Lockdown Mode, vCenter Server is not notified of the state change and still operates as if the host is in Lockdown Mode.

Resolution

To work around this issue, enable Lockdown Mode to make it consistent with vCenter Server and then disable Lockdown Mode through vCenter Server.

To enable Lockdown Mode from the DCUI:
  1. Log in directly to the ESXi host.
  2. Open DCUI on the host.
  3. Press F2 for Initial Setup.
  4. Toggle to Configure Lockdown Mode setting.
To enable Lockdown Mode from the ESXi command line:

Check if Lockdown Mode is enabled, run the command:

vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
  • To enable Lockdown Mode:

    Run the command:

    vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter

  • To enable Lockdown Mode from the PowerCLI:

    Run the command:

    (get-vmhost hostname | get-view).EnterLockdownMode() get-vmhost | select Name,@{N="LockDown";E={$_.Extensiondata.Config.adminDisabled}} | ft -auto Name LockDown


    Note: If Lockdown Mode is disabled in DCUI, running the PowerCLI command creates a task in vCenter Server. However, the task can fail with the message:

    The Administrator permission is already disabled on the host (Except for the vim user)

Additional Information

To be alerted when this article is updated, click Subscribe to Document in the Actions box.

See Also

Update History

02/14/2013 - Updated notes in resolution. 03/29/2013 - Updated Product Versions to 5.1 and title to 5.x 09/25/2013 - Updated Cause section

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 3 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 3 Ratings
Actions
KB: