Hey, for some reason vpxd.exe, which is running as SYSTEM, is trying to authenticate with my AD account. The problem is that it has an old password cached and is causing my AD account to lock out. Does anyone know where this account information is stored so that I can remove my account?
Thank you
Maybe a simple restart of the Virtual Center Server service? Are you using Windows Authentication into your VCDB?
Yes, I have restarted the service and the server, and no luck. Yes, it is set in ODBC to use "With Windows Authentication" to connect to the DB. Do I need to change this?
You may want to update the password within ODBC, then restart your vCenter Server Service again. You can also find switches for vpxd.exe available that may work as well.
C:\Program Files\VMware\Infrastructure\VirtualCenter Server>vpxd.exe /?
Usage: vpxd.exe [FLAGS]
Flags:
-r Register VMware VirtualCenter Server
-u Unregister VMware VirtualCenter Server
-s Run as a standalone server rather than a Service
-c Print vmdb schema to stdout
-b Recreate database repository
-f cfg Use the specified file instead of the default vpxd.cfg
-l licenseKey Store license key in ldap and assign it to VirtualCenter
-e feature Set the feature to be in use for VirtualCenter. This option takes only one feature at a time.
-p Reset the database password interactively
-P pwd Reset the database password to the specified password
-v Print the version number to stdout
C:\Program Files\VMware\Infrastructure\VirtualCenter Server>
Unfortunately, no luck.
Other than changing the password directly on the VCDB, which I assume is SQL, I would say it may be worth getting VMware Support involved.
I'd suggest that it is not attempting to actually authenticate using a valid previous password.
AD does not lock out accounts when the password being used to attempt logon is a previous password - this is a design feature to prevent your exact scenario (imagine someone has told a service to use a domain admin account and then changed the password for that account?)
If the account is getting logged out, you have an invalid (not previous) credential being used somewhere.
Actually, looking through the Domain Controller event logs, my account is being locked out due to bad authentication repetitively from an IP address that points to the VCenter server. Going into the VCenter server logs, there is an authentication request failing due to an executable called vpxd.exe. That authentication request is using my account.
And yes AD does lock out accounts after too many failed attempts within a certain amount of time. This is set by your system administrator.
My apologies, I did not clarify what I was trying to say.
In the event that you have password history enforced on your domain (e.g. you are trying to prevent users from re-using old passwords), AD is smart enough to realise that an authentication request using a previous password is a valid request - the lockout counter will not increase, but you also will not authenticate.
I used to have the TechNet link for this, as we had a series of Unix webservers using a translation service to authenticate to AD and were getting hundreds of thousands of event logs for failed logons, without accounts being locked out. As we were maintaining password history, we tracked it down to be as a result of cached (history) passwords being verified before the lockout counter got incremented.
Having worked in banks / Fortune 100s for the past 8 years, I guess I have gotten used to running in secure, well-locked down environments that require password history for FSA compliance.
Here is an example (answered by an MVP) : http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/64ee3320-94b1-4644-8c46-b...
Anyway, back to your question . .
If you would like to reset the vpxd password, you need to run vpxd -p
At a command prompt, run vpxd.exe -p and you'll get a prompt to reset the password. vpxd.exe is the executable for the VC server, in C:\Program Files\VMware\Infrastructure\VirtualCenter Server\
Also, open your ODBC connections and check the DSN is working (run a test - perhaps delete and recreate it with your new password).
Lastly, look at your Windows services and see if the VC is running under your user credentials (services.msc).
I appreciate your help; we have not had a need to have AD remember past passwords. We try to focus on using service accounts. Unfortunately, as this problem reflects, that is not always the case, but for the majority it is. I ran the tests using ODBC, and I have used the vpxd.exe -p command. I am not having any issues connecting to the database; honestly, I am not seeing any issues with the software. It is just for some reason trying to authenticate my account. I am sure I have missed something somewhere; I have just not figured it out yet.
Would it be a good test to change your authentication method to the VCDB to use SQL Authentication, update the DSN and see if the issue you are having goes away?
Found it. It turns out one of my View servers was authenticating my account through the VCenter server. So I changed the account the View server used to connect to the VCenter Server. Here is a link that helped determine that.
Thanks everyone
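The tracing done in this thread (domain controller lockout events pointing at the vCenter server, then failed logons on that server pointing at vpxd.exe) can be scripted. This is an added example, not part of the original posts; it assumes Windows Server 2008 or later event IDs (4740, 4625), and `$Account` and `$DC` are placeholder values.

```powershell
# Added example: trace the source of repeated lockouts for one account.
# Run elevated; the Security log is not readable by standard users.
$Account = 'jdoe'                     # placeholder sAMAccountName
$DC      = 'dc01'                     # placeholder domain controller name
$Since   = (Get-Date).AddHours(-24)

# Return an event's EventData fields as a name -> value hashtable,
# so fields are read by name rather than by position.
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# Step 1 (domain controller): lockout events (4740) for the account.
# In 4740 the TargetDomainName field carries the caller computer name.
Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $Since } |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f['TargetUserName'] -ieq $Account) {
            [pscustomobject]@{ Time = $_.TimeCreated; Caller = $f['TargetDomainName'] }
        }
    } | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name

# Step 2 (run locally on the caller from step 1, e.g. the vCenter server):
# failed logons (4625) for the account, grouped by the process that called
# the logon and by the client it reported.
# SubStatus 0xC000006A = wrong password, 0xC0000234 = account locked out.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $Since } |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f['TargetUserName'] -ieq $Account) {
            [pscustomobject]@{
                Process     = $f['ProcessName']
                Workstation = $f['WorkstationName']
                SourceIp    = $f['IpAddress']
                SubStatus   = $f['SubStatus']
            }
        }
    } | Group-Object Process, Workstation, SourceIp, SubStatus |
    Sort-Object Count -Descending | Select-Object Count, Name
```

When the process in step 2 is a server component validating logons on behalf of its own clients, as vpxd.exe was here, the stale credential is stored on one of those clients, so their saved connection settings are the next place to check.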