Re: Authentication failure in vCenter logs.

Silent_Knight · ‎08-11-2010

We have a problem currently where a user account from a person that has left the company is trying to authenticate every 5 minutes to vCenter. The problem is the logs doesn't show you where the account is trying to authenticate from. I suspect it's possibly a script or an applet that's configured to run somewhere...

All that the logs show are:

Error 1331 authenticating user %username%.

Failed to authenticate user <%username%>

Anyone have any ideas on how I can try and trace where the authentication attempts is originating from? Is that possibly hidden away in some other logs?

Cheers,

Hanré

ProPenguin · ‎08-11-2010

Have you checked the services on that server to see if there account is tied to that. I remember making that mistake once and changed my password. Needless to say I kept getting my account locked out. Hope this helps.

Silent_Knight · ‎08-11-2010

Thanks, but none of the services are configured to run with those credentials.

AndreTheGiant · ‎08-11-2010

You can try to use the Windows Firewall to log the request.

Or a sniffer to see if the attach is from the network.

If is locally you can see in the process or in the scheduled tasks.

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro

NinjaAx · ‎12-23-2013

if you know the account name use account lockout tools from microsoft to see if its stuck on a pc or server anywhere,

http://www.microsoft.com/en-gb/download/details.aspx?id=18465

Is the account still in AD or is it a local account within VMware?

I also presume you've checked the session manager in vcenter?

If the account is still logged into a host i believe that stays there until the host is rebooted but may be wrong...maybe someone else could confirm that or Google

Hope that helps

Alex