VMware Cloud Community
UserRYT
Contributor

AD Authentication for vCenter fails after password change

I am currently running a small vsphere 5 environment with the vCenter Server Appliance version 5.0.0.3324 Build 472350.

I have an issue where normal Active Directory authentication fails after the account has its password changed.  I can log on successfully using Windows credentials but not if I type out the password.

It looks like vCenter is successfully talking to my domain controllers; I can query users and groups with no problem and I can see the log entry on the DC for a successful Kerberos login by the vCenter server.  However, I do not see any failed login attempts from when I manually type in the passwords.

If I create a new account in AD and grant it permissions at the vSphere level, I have no problems logging in.  But once I change the password, that account can only log on using Windows credentials.

In the vCenter settings - Active Directory, I have validation enabled, if that matters.

So, anyone have any idea what could be causing this problem?  Is vCenter caching my credentials somewhere?

7 Replies
Virtualinfra
Commander

Please clarify. What happens if you change the password for your AD account?

You're not able to log in to the vCenter server, or vCenter services fail, or ...?

Thanks & Regards Dharshan S VCP 4.0,VTSP 5.0, VCP 5.0
peetz
Leadership

Is there a chance that you have a very special character in your new password?

There are certain characters that will cause problems. I have no complete list available right now, but e.g. a blank will most probably not work and lead to the problem you are seeing.

- Andreas

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de
kevyn32
Contributor

I am also experiencing the same problem on a small environment.

I have the vCenter 5 appliance and 2 ESXi 5 hosts.

All users in the Windows AD can make use of vCenter as per the privileges I have allowed.

However, one user had his password reset last week in AD by the Windows sysadmin, and now he cannot access vCenter.

But all other users are unaffected.

Not at work currently so cannot report back any errors in the /var/log/messages on the appliance but it basically says it cannot find that user.

I have restarted the services - same issue.

I have restarted the appliance - same issue.

Any further suggestions?

This will become a large issue as the password policy kicks in for each user over time.

(I think they have to change their password every 45 days.)

Cheers

K

Questpeqqik
Contributor

Hi!

We are also experiencing the same problem on a small farm.

We have a vCenter Appliance and two ESXi hosts. (Essentials Plus solution)

AD authentication is enabled; domain controllers are running Windows Server 2008 R2.

Domain Admins have Administrator permissions in vCenter.

One of our domain admins recently changed his password and is not able to log on using the vSphere Client (or the web client) any more. He just gets an error:

Cannot login domainname\user@192.6.1.22
error
24-02-2012 11:01:29

We tried to add his AD account and give him explicit Administrator permissions in vCenter, but he's still unable to log on.

Is the appliance caching information?

We tried to restart the services and the appliance, but nothing seems to help. We searched logs on the appliance but didn't find anything useful.

It seems to be a bug. Anyone know of a solution/workaround?

Cheers

T

jzimmerman2
Contributor

We are having the same issue.  Anyone find a resolution?

jzimmerman2
Contributor

I figured out our problem.  Hopefully this helps someone else.

When our users changed passwords it was due to password expiration or a forgotten password.  However, they still tried to log in to vCenter and were denied each time.  Eventually they got their password changed after logging into a Windows host and having it prompt them, or by having an administrator reset their password.

But because the passwords failed previously, they were logged as "failed attempts" by the Likewise authentication service, which is what binds vCenter to Active Directory.  The attempts are not reset when the user is reset/unlocked in Active Directory.

To view failed attempts for the user you can do the following:

  • ssh to the vCenter appliance as "root".
  • Run the command '/sbin/pam_tally --user username@example.com' without the quotes.

You will get output something like:

User username@example.com    (109733597)    had 8

Which means there were 8 failed attempts for username@example.com (the number is a UID).

To fix this, run the following command:

/sbin/pam_tally --user username@example.com --reset

This will reset the failed attempts to 0.  Check it with the first command.

In our scenario the users were still able to log in to a Windows box and check "use Windows credentials" when connecting to vCenter.  They just couldn't enter the username and password directly into the vSphere Client.
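As an added example (not code from this thread or from VMware), the following POSIX shell script parses the pam_tally output format quoted above, lists every account whose failed-attempt counter is at or above a threshold, and resets those counters the way the post describes. The sample tally lines, the account names and the threshold of 3 are constructed assumptions; the real deny value comes from the pam_tally line in the appliance's PAM configuration.

```shell
#!/bin/sh
# Added example: audit pam_tally counters for AD accounts on the vCenter appliance.
# Assumed output format (as quoted in the thread):
#   User username@example.com    (109733597)    had 8
# Fields: "User", account name, UID in parentheses, "had", tally count.

# Print the failed-attempt count from one pam_tally output line (empty if no match).
parse_tally_count() {
    printf '%s\n' "$1" | awk '$1 == "User" && $(NF-1) == "had" { print $NF; exit }'
}

# Print the account name from one pam_tally output line.
parse_tally_user() {
    printf '%s\n' "$1" | awk '$1 == "User" { print $2; exit }'
}

# Read pam_tally-style lines on stdin; print "user count" for each account whose
# counter is >= $1. The default of 3 is an assumed deny value, not a vCenter default.
list_over_threshold() {
    threshold="${1:-3}"
    while IFS= read -r line; do
        count=$(parse_tally_count "$line")
        [ -n "$count" ] || continue
        if [ "$count" -ge "$threshold" ]; then
            printf '%s %s\n' "$(parse_tally_user "$line")" "$count"
        fi
    done
}

# Constructed sample output, standing in for running
# /sbin/pam_tally --user <name> for several accounts on the appliance.
SAMPLE_TALLY='User username@example.com    (109733597)    had 8
User alice@example.com    (109733598)    had 0
User bob@example.com    (109733599)    had 3'

# Report accounts that would be denied and, only when pam_tally is present and
# we are root, clear their counters with the reset command from the thread.
audit_and_reset() {
    printf '%s\n' "$SAMPLE_TALLY" | list_over_threshold 3 | while read -r user count; do
        echo "$user has $count failed attempts recorded"
        if [ -x /sbin/pam_tally ] && [ "$(id -u)" = 0 ]; then
            /sbin/pam_tally --user "$user" --reset
        fi
    done
}

# Usage: run as root on the appliance after replacing SAMPLE_TALLY with real
# pam_tally output, e.g. for each user: /sbin/pam_tally --user "$u"
audit_and_reset
```

In a real run you would feed `list_over_threshold` the concatenated output of `/sbin/pam_tally --user <name>` for each AD account that reports login failures, so that the reset is applied only to accounts whose counter is actually blocking them rather than to every user.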

Cyberfed27
Hot Shot

I had the same issue after changing my domain password today. I could no longer log into vCenter in any form with my domain account.

Here was my problem/fix:

When we upgraded to vCenter 5.1 I set up Active Directory authentication for Single Sign-On by adding an identity source.

After you fill in the path to your primary and backup domain controllers, at the bottom there is a spot for a username/password to test the connection. Well, during the setup I used MY domain account credentials to do this connection "test" instead of using the service account we created in our domain for vCenter.

So I logged into the web client via the admin@System-Domain account, edited my Active Directory identity source to use the domain vCenter service account (which has a much longer password expiration date than our regular user domain accounts), and presto, everything worked again.

Hope this solves someone's problem!

Cheers
