VMware Cloud Community
Pernas01
Contributor
Contributor

Password expires for vsphere.local SSO accounts even if set to 0 and shows as "never" with dir-cli

Hi!

We have a scripted setup of a few accounts on VC 7.0.3-19234570. The accounts and the PW/lockout policy are created with VMware.vSphere.SsoAdmin (1.2.2) in the following way;

1. New-SsoPersonUser -UserName sysadmin -Password xxxxxxxxx

2. Set-SsoPasswordPolicy -PasswordLifetimeDays 0
    Set-SsoLockoutPolicy -MaxFailedAttempts 3 -FailedAttemptIntervalSec 900 -AutoUnlockIntervalSec 900

3. Password of sysadmin is changed during handover to the end customer

To verify this the following was run after 90 days: /usr/lib/vmware-vmafd/bin/dir-cli user find-by-name --account sysadmin --level 2
...
Account: sysadmin
UPN: sysadmin@vsphere.local
Account disabled: FALSE
Account locked: TRUE
Password never expires: FALSE
Password expired: FALSE
Password expiry: never
...
Why is this happening after 90 days even if everything looks ok and appears correct in the VC GUI?

As a side note, to help the end customer to fix this we told them to issue the following commands via the VCSA SSH console  for this account since they were locked out of their VC:
...

/usr/lib/vmware-vmafd/bin/dir-cli password reset --account sysadmin --new xxxxxxxxxxx
/usr/lib/vmware-vmafd/bin/dir-cli user modify --account sysadmin --password-never-expires
...

This created a somehow different dir-cli output for the user:
...
Account: sysadmin
UPN: sysadmin@vsphere.local
Account disabled: FALSE
Account locked: FALSE
Password never expires: TRUE
Password expired: FALSE
Password expiry: N/A
...

Regards,
 Per

 

Reply
0 Kudos
3 Replies
navina
Enthusiast
Enthusiast

If password expiry is suspected, did you get get any warning on UI that "Your password will expire in xx days"?

Regards,
Navin A
Reply
0 Kudos
Pernas01
Contributor
Contributor

Since we have password policy set to PasswordLifetimeDays 0 I don't expect any message regarding that. Haven't seen that either.

However, while trying to reproduce this in an accelerated time manner I'm not that sure anymore it's related to the password not being valid anymore, it's more like it's the automatic account unlock that stops working after a while. It's set to 900 seconds and should always remain active I assume as long as the user knows its password.

Regards,
Per

Reply
0 Kudos
navina
Enthusiast
Enthusiast

I dont think its releated to expired password and rather account was locked.

Account locked: TRUE

This could be because of multiple concurrent login failures and would unlock in 900 seconds.

If my understanding of the issue is wrong, could you please explain in detail.

Regards,
Navin A
Reply
0 Kudos