VMware Cloud Community
TdisalvoOrinoco
Enthusiast
Enthusiast
‎01-28-2013 05:51 AM

Cannot login error vcenter

I am trying to trace down where a bad login is comming from.  This is occuring every 2 mintes on a vCenter 5 server.  The error in the events viewer only shows the Cannot login ASP\username@::1

I am trying to trace down where this login is comming from.  I am assuming that it is comming from a 3rd party application that is trying to log in.  I am guessing that there is a service that is setup using an old employees login.  I would like to find out where I would look to find the IP address that this login is comming from.

Thanks

Tags (3)
Reply
0 Kudos
13 Replies
memaad
Virtuoso
Virtuoso
‎01-28-2013 06:04 AM

Hi,

Are you using any monitoring application which monitors ESXI host or any other plugin isntalled on VMware vCenter server.

Regards

Mohammed

Mohammed | Mark it as helpful or correct if my suggestion is useful.
Reply
0 Kudos
TdisalvoOrinoco
Enthusiast
Enthusiast
‎01-28-2013 06:21 AM

VMware SRM is installed.

VMware Update Manager is also installed.

vRanger is also used for backups.

I would really like to know if I would be able to look into the vpxd.log and see if that would be able to tell me where this login is comming from. 

Thanks

Reply
0 Kudos
memaad
Virtuoso
Virtuoso
‎01-28-2013 06:27 AM

Hi,

Enable verbose logging for vCenter server and  have look at vpxd.logs. This might help you to narrow down the  application which is trying to access it.

The vCenter Logging level can also be increased using the vSphere Client.

  1. Connect the vSphere Client to the vCenter Server.
  2. Select Administration > vCenter Server Settings > Logging options
  3. Select the preferable logging option from the drop down menu.

Regards

Mohammed

Mohammed | Mark it as helpful or correct if my suggestion is useful.
Reply
0 Kudos
TdisalvoOrinoco
Enthusiast
Enthusiast
‎01-28-2013 08:06 AM

So it looks like the account is trying to log in from vCenter.  The Error is Cannot longin ASP\userid@::1.

::1 is the loopback ip address of vCenter.  So now that I know it is comming from vCenter, I have to figure out where to look.  On the vCenter server Orchestrotor, SRM, Update Manger are all installed on this host.

Any ideas of where to look?

Reply
0 Kudos
TdisalvoOrinoco
Enthusiast
Enthusiast
‎01-28-2013 08:44 AM

With Verbose Logging I get more info on the internal task ID that is being called.  Is there a way to map this task ID with a name of what the task is?

Here is a section of the logs.

2013-01-28T10:15:52.866-05:00 [10172 info 'Default' opID=346663b2] [VpxLRO] -- BEGIN task-internal-21409972 --  -- vim.SessionManager.login -- 521e2481-6699-fdf4-9bcd-3eded86ca858
2013-01-28T10:15:52.866-05:00 [10172 info 'Libs' opID=346663b2] [ADS] Account pstaskoadm found, but not local
2013-01-28T10:15:52.866-05:00 [10172 info 'Default' opID=346663b2] Error 1326 authenticating user .\pstaskoadm.
2013-01-28T10:15:52.976-05:00 [10172 info 'Default' opID=346663b2] Error 1331 authenticating user ASP\pstaskoadm.
2013-01-28T10:15:52.976-05:00 [10172 error 'Default' opID=346663b2] Failed to authenticate user <ASP\pstaskoadm>
2013-01-28T10:15:53.178-05:00 [05764 warning 'Libs'] Encountered other certificate error: 27
2013-01-28T10:15:54.192-05:00 [05764 warning 'Libs'] Encountered other certificate error: 27
2013-01-28T10:15:55.206-05:00 [05764 warning 'Libs'] Encountered other certificate error: 27

2013-01-28T10:15:52.866-05:00 [10172 info 'Default' opID=346663b2] [VpxLRO] -- BEGIN task-internal-21409972 --  -- vim.SessionManager.login -- 521e2481-6699-fdf4-9bcd-3eded86ca858
2013-01-28T10:15:52.866-05:00 [10172 info 'Libs' opID=346663b2] [ADS] Account pstaskoadm found, but not local
2013-01-28T10:15:52.866-05:00 [10172 info 'Default' opID=346663b2] Error 1326 authenticating user .\pstaskoadm.
2013-01-28T10:15:52.929-05:00 [05764 verbose 'QsAdapter.HTTPService'] HTTP Response: Complete (processed 0 bytes)
2013-01-28T10:15:52.929-05:00 [05764 verbose 'QsAdapter.HTTPService'] User agent is 'VMware vim-java 1.0'
2013-01-28T10:15:52.976-05:00 [10172 info 'Default' opID=346663b2] Error 1331 authenticating user ASP\pstaskoadm.
2013-01-28T10:15:52.976-05:00 [10172 error 'Default' opID=346663b2] Failed to authenticate user <ASP\pstaskoadm>
2013-01-28T10:15:53.163-05:00 [05644 verbose 'ProxySvc Req80518'] New proxy client TCPStreamWin32(socket=TCP(fd=21632) local=172.20.0.236:80,  peer=172.20.0.237:43224)
2013-01-28T10:15:53.178-05:00 [05764 warning 'Libs'] Encountered other certificate error: 27
2013-01-28T10:15:53.178-05:00 [05764 verbose 'SSL SoapAdapter.HTTPService'] User agent is 'VMware vim-java 1.0'

2013-01-28T10:15:55.986-05:00 [10172 info 'Default' opID=346663b2] [VpxLRO] -- FINISH task-internal-21409972 --  -- vim.SessionManager.login -- 521e2481-6699-fdf4-9bcd-3eded86ca858
2013-01-28T10:15:55.986-05:00 [10172 info 'Default' opID=346663b2] [VpxLRO] -- ERROR task-internal-21409972 --  -- vim.SessionManager.login: vim.fault.InvalidLogin:
--> Result:
--> (vim.fault.InvalidLogin) {
-->    dynamicType = <unset>,
-->    faultCause = (vmodl.MethodFault) null,
-->    msg = "",
--> }
--> Args:
-->
--> Arg userName:
--> "pstaskoadm"
--> Arg password:
--> (not shown)
-->
--> Arg locale:
-->
2013-01-28T10:15:56.236-05:00 [05764 warning 'Libs'] Encountered other certificate error: 27

Reply
0 Kudos
memaad
Virtuoso
Virtuoso
‎01-28-2013 09:12 AM

Hi,


Can you check whether this account "ASP\pstaskoadm"  exist ? in AD

Regar

Mohammed

Mohammed | Mark it as helpful or correct if my suggestion is useful.
Reply
0 Kudos
TdisalvoOrinoco
Enthusiast
Enthusiast
‎01-28-2013 09:18 AM

It no longer does.  This was an old admin.  My guess is that he used personal credientials to setup something.  I am trying to figure out how to trace this back to what it could be.

Reply
0 Kudos
memaad
Virtuoso
Virtuoso
‎01-28-2013 09:22 AM

Hi,

Check in permission tab at vCenter server , Datacenter , ESX host level.

Regards

Mohammed

Mohammed | Mark it as helpful or correct if my suggestion is useful.
Reply
0 Kudos
TdisalvoOrinoco
Enthusiast
Enthusiast
‎01-28-2013 09:30 AM

I dont follow what you are asking?

The errors are happening at the vCenter Server level.  I am sure that it is one of the plug ins, or other extra tools that have been added.  Ex. Update mangager, SRM, ect.  I am looking for guidance to track down which one of these is the issue.

Thanks

Reply
0 Kudos
memaad
Virtuoso
Virtuoso
‎01-28-2013 09:45 AM

Hi,

Check whether user information exist in permission tab at vCenter server level.

Regards

Mohammed

Mohammed | Mark it as helpful or correct if my suggestion is useful.
Reply
0 Kudos
TdisalvoOrinoco
Enthusiast
Enthusiast
‎01-28-2013 10:31 AM

It does not.  The only thing there is the Administrators group.  This is linked with AD.  The account was an AD account.

Reply
0 Kudos
memaad
Virtuoso
Virtuoso
‎01-28-2013 10:35 AM

Hi,

Can you enable verbose logging for vCenter server logs.

Regards

Mohammed

Mohammed | Mark it as helpful or correct if my suggestion is useful.
Reply
0 Kudos
TdisalvoOrinoco
Enthusiast
Enthusiast
‎01-28-2013 11:28 AM

I have.  That was the information that was listed above.  Prior to the verbose logs the only thing I got was .

Cannot login ASP\pstaskoadm@::1
error
1/28/2013 2:26:40 PM
ASP\pstaskoadm

But no other detail.

With Verbose I got the session numbers and other details about what was failing.

Reply
0 Kudos