VMware Cloud Community
SandyB
Enthusiast

Domain Admin account lock out attempts coming from Virtual Center???

We changed our Domain Admin password a few days ago and now on our new Netcrunch monitoring platform we are being spammed by messages saying the domain Administrator account is being locked out from our Virtual Center server....

There are no scheduled tasks or services that run using this account and I can't find anywhere within the Virtual Center application that would hold these credentials.

Does anyone have any ideas? :_|

NTurnbull
Expert

Hi, if you go into VC and look at the current sessions, do you have any pre-password change sessions for dom admin? Or have you got any RDP sessions open logged in as dom admin?

Thanks,

Neil

SandyB
Enthusiast

The VC server has been rebooted since the password change so there are no VC sessions or RDP sessions hanging around :(

Rajeev_S
Expert

Hi,

You can try using ALTools (ALockout.dll) from Microsoft. This would list the process which is causing the lockout.

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displa...

Hope this helps.

jayolsen
Expert

Maybe a server trying to start as the domain admin. If you open your services snap-in and sort by Log On As column look for domain\administrator account. If so the password probably needs updated within that server.

khughes
Virtuoso

I was going to say the same thing. If you install the virtualcenter with this domain account there are some services that run under it. If you changed your password recently this could cause your account lockout.

  • Kyle

-- Kyle "RParker wrote: I guess I was wrong, everything CAN be virtualized "

vmroyale
Immortal

See if either of these commands turns up anything:

tasklist /FI "USERNAME eq domain\DomainAdmin"

at

Good Luck!

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com

vpert
Enthusiast

We do have exactly the same issue.

We did a complete new install of every VMware component on this server - no luck. Then we reinstalled the whole server from scratch. We did NOT use the account in question for any installation step. We did NOT even log on with this account to the server - no luck.

When we had the ALockout.dll running the virtualcenter server did not start anymore - so no findings from there. We get every 5 minutes the following events in the Security log on the server as soon the virtualcenter service starts:

Event ID 680 - Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_1_0, with the Logon account of the user in question

right after that an Event ID 529 - Logon failure: Unknown user name or bad password with the User name Logon Process Advapi

Well and after 5 attempts in our case the account gets locked out.

If anyone has an idea how we could trace this further or even solve the issue - help would be really appreciated!

NTurnbull
Expert

Hi, do you have update manager installed? Did you enter your account details in the Update manager proxy configuration?

EDIT: Oh and if you do have update manager installed and using NT Authentication, step back through your ODBC DSN setup as it stores an encrypted version of the user's password in the registry

Thanks,

Neil

vpert
Enthusiast

Hi Neil,

thanks for your ideas. Update Manager is installed - but no proxy settings, no ODBC entries with this account.

We did a complete new install of the system - everything from scratch! There must be some account information either on the ESX Servers or the running VM's.....

We did further testing - with just the VMware components installed (VirtualCenter, UpdateManager, etc.) and without any ESX host connected, the user account is used for login as soon as the virtualcenter service is started. So we guess the user account information must come from ??? Active Directory maybe? Any ideas?

rgds

Tom

Message edited by vpert

OK - did some further analysis: The account gets locked out because it's used by the vpxd.exe process (virtualcenter Service). The Event shows a logon type 2 which is "Interactive - logon at keyboard and screen of system" ????? The system we are talking about is a virtual machine?? ...it is getting scary ;-( ....no Console or RDP Sessions open to this system. So I changed the service account from "Local System" to a user account - no luck. The domain account is still used every 5 minutes.

Does anyone have an idea how we can find out why the VirtualCenter Service tries to log on with this domain user account?

Message edited by vpert

Issue solved: I finally did a network trace and found out that every 5 minutes there was a communication from the VirtualCenter to a certain system. ...and guess what, this system was a virtual appliance with the vkernel CBA running. Well stupid - forgot all about - this appliance is connecting to the virtualcenter to collect statistic information and therefore needed a user account.

Changed the user's password in the CBA and that was it!

Thx for everybody's help and hope this will give you a hint Sandy.
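
The approach that resolved the case in the post above, lining up the 5-minute logon failures with what a network trace shows, sketched as an added example that is not part of any post in this thread. The timestamps and source addresses are constructed sample data; in practice the failure times would come from the Event ID 529 records and the connections from the trace.

```python
from datetime import datetime, timedelta
from statistics import median

T0 = datetime.strptime("2009-03-02 10:00:00", "%Y-%m-%d %H:%M:%S")

# Constructed sample data, not taken from the thread.
# Times of Event ID 529 failures for the locked-out account:
FAILURES = [T0 + timedelta(seconds=s) for s in (4, 303, 604, 905)]
# Connections seen at the VirtualCenter server as (time, source address):
CONNECTIONS = (
    [(T0 + timedelta(seconds=60 * i), "10.0.0.21") for i in range(16)]  # chatty host
    + [(T0 + timedelta(seconds=s), "10.0.0.50") for s in (2, 301, 602, 903)]
    + [(T0 + timedelta(seconds=450), "10.0.0.77")]  # one-off client
)

def failure_interval(failures):
    """Median gap in seconds between consecutive failures."""
    ordered = sorted(failures)
    return median((b - a).total_seconds() for a, b in zip(ordered, ordered[1:]))

def score_sources(failures, connections, window=5):
    """Per source address: (coverage, precision).

    coverage  = share of failures preceded by a connection from the source
    precision = share of the source's connections followed by a failure
    A host that talks all the time gets high coverage but low precision.
    """
    win = timedelta(seconds=window)
    zero = timedelta(0)
    scores = {}
    for src in {s for _, s in connections}:
        times = [t for t, s in connections if s == src]
        covered = sum(any(zero <= f - t <= win for t in times) for f in failures)
        followed = sum(any(zero <= f - t <= win for f in failures) for t in times)
        scores[src] = (covered / len(failures), followed / len(times))
    return scores

def suspect(failures, connections, window=5):
    """Source whose connections line up best with the failures."""
    scores = score_sources(failures, connections, window)
    return max(scores, key=lambda s: scores[s][0] * scores[s][1])

if __name__ == "__main__":
    print("failure interval (s):", failure_interval(FAILURES))
    for src, (cov, prec) in sorted(score_sources(FAILURES, CONNECTIONS).items()):
        print(f"{src}: coverage={cov:.2f} precision={prec:.2f}")
    print("suspect:", suspect(FAILURES, CONNECTIONS))
```

The precision term is what separates the client holding the stale password from hosts that simply connect often, which is why a plain connection listing shows nothing out of the ordinary.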

OM4EVER
Contributor

You know I'm actually having the same problem. Account keeps getting locked out on the domain controllers, I have traced the service to the VPXD service on VC however, I'm not sure what machine keeps trying to do the authentication. From the VC machine, I've done a netstat -anbv and it shows all the machines communicating with process. I still don't see anything that's out of the ordinary, only my ESX servers. How else can I find out? Need help, please

abstract
Contributor

Hi, I have just changed the password on my personal admin account and after investigation I have discovered that Virtual Center and specifically the Virtual Center service is locking it out. I change the password frequently however I have not seen this problem in the past.

I stopped the Virtual Center service for a couple of hours and there were no bad password attempts so I'm 100% sure this is the culprit.

Did anyone get to the bottom of this?

Cheers.

abstract
Contributor

I have exactly the same problem after changing the password on my personal admin account.

Did anyone get to the bottom of this?

Cheers.

SandyB
Enthusiast

Hi there,

I eventually traced the issue to the VDI management server; once I changed the account from the domain administrator to something else the account stopped becoming locked out. Hope this helps.

S.

OM4EVER
Contributor

When I had this problem it turned out to be our monitoring utility from Vizioncore that for some unknown reason was attempting to authenticate using my Domain ID. We had to re-install the authentication module and the problem went away.

SandyB
Enthusiast

Basically check every service that hooks into Virtual Center.

mstahl75
Virtuoso

We run our SQL server process under a domain account and changed the password in the run up to upgrading to VC Update 4. The account kept locking out during the install process. The issue ended up being with Update Manager. I uninstalled it and everything started working without the lockouts. Update Manager was not running under a domain account so I'm not 100% why it was causing the lockouts. I pinpointed this by stopping and starting that service and checking to see if the account failed to logon to AD.

Mouchel
Enthusiast

We had exactly the same problem, and I spent ages trying to track it down. It turned out to be a trial version of a Vizioncore program that we had installed on a different server that was doing it. We uninstalled it and that sorted the problem. You need to be looking for any program that might be accessing Virtualcenter, basically.

wallakyl
Enthusiast

I also had this problem and tracked it down to a trial version of VKernel's Capacity Analyzer. If you're having the issue, I suggest you check 3rd party apps first.

AndoniP
Contributor

This can also happen if a user logs onto the VCenter server via VI client without specifying a domain name as part of their username.

Also check that the service starting the Virtual Center Service is valid, and that you have specified a correct username and password to connect to a remote SQL server.
