I have been looking for a bad login issue for a while now and think I have traced it back to a vCOPs weekly report.
Basically, we use Veeam ONE and it alerts every Monday at 8:00 AM about a bad login attempt. It reports the bad login as coming from our vCOPs UI VM.
Based on the schedule I assumed it was a scheduled task of some sort. I ended up searching the ciq.log for the bad login account and found it;
[pool-3-thread-1] INFO com.vmware.cm.reportschedule.manager.impl.ReportScheduledExecutionManagerImpl 2013-07-22 08:00:00,295-0400 - Submitted scheduled report.
reportScheduleId: 1
reportId: 41
inventoryObjectReference: IOR - uid = 0 aliveId = 8 moid = group-d0 type = WORLD
reportSettingId: 7
userIdentity: UserIdentity [username=domain\user]
[pool-2-thread-1] ERROR com.vmware.cm.report.manager.runner.ReportRunner 2013-07-22 08:00:07,619-0400 - run: ReportRunInfo [inventoryObjectReference=IOR - uid = 0 aliveId = 8 moid = group-d0 type = WORLD, reportId=41, reportSettingId=7, userIdentity=UserIdentity [username=domain\user]]
got an exception while generating reports = org.springframework.security.BadCredentialsException: Invalid user: domain\user
exception backtrace = org.springframework.security.BadCredentialsException: Invalid user: domain\user
com.vmware.vcops.api.security.VCOpsSpringAuthenticationProvider.authenticate(VCOpsSpringAuthenticationProvider.java:59)
com.vmware.cm.core.manager.impl.WebSessionImpersonator.createUserSession(WebSessionImpersonator.java:64)
com.vmware.cm.report.manager.runner.ReportRunner.login(ReportRunner.java:284)
com.vmware.cm.report.manager.runner.ReportRunner.initRequestAttributes(ReportRunner.java:247)
com.vmware.cm.report.manager.runner.ReportRunner.run(ReportRunner.java:135)
I also used this website to search for all sched reports;
http://www.jume.nl/entry/vcops-show-all-scheduled-reports
It found one report scheduled with the same user cred.
The problem is I can't seem to find the report when I go into vCOPs. I have also reset the password for the invalid account, logged in with that account and still can't see the report.
How do I find and delete this scheduled report.
BTW, I am running vCOPs 5.6.0
Hi,
Based on the logged exceptions, we know:
a. the scheduled report is attached to the World object.
b. the assigned password for the schedule creator's username was no longer valid.
So, you should be able to find the scheduled report under "World" --> "Reports"; and you should be able to delete it there.
To complete the "fix" for (b) i.e. you want to retain this scheduled report, you need to:
i. login as the user who owns the schedule.
ii. navigate to ANY scheduled report that this user owns.
iii. UPDATE the assigned password to the scheduled report. (Which updates the singular password stored for the user for all schedules.)
In other words, updating your password in the user management screens is not sufficient as it does not update the stored password for scheduled reports.
FYI, login credentials are usually encrypted into an irreversible form and stored. For scheduled reports and data collection, credentials are encrypted into a reversible form.
Hope this helps.
James Ang
vCenter Operations R&D
Thank you for the information, but I contacted VMware support and they ended up going into the database table and removing the entry from there.
Prior to clearing the information support was unable to find any trace of the scheduled report in the GUI.
I had previously attempted to login as the user and recreate the same report, but that did not clear the scheduled report.
Just for my edification...
RE: "I had previously attempted to login as the user and recreate the same report, but that did not clear the scheduled report."
Did you recreate the report or the schedule (with password)?
Thanks.
James Ang
vCenter Operations R&D
I logged in with the credentials of the original user and there were no scheduled reports visible.
I then attempted to create a scheduled report as that user.
I then deleted the scheduled report, but the original scheduled report was still listed in the DB.
Was the user previously removed and added back?
James Ang
vCenter Operations R&D
The user account was never removed. The only change was the user account password. Had that not changed we never would have seen the problem.
The real issue was the database didn't cleanup when the scheduled report was removed/deleted.
Thanks for the response and feedback. We will investigate further.
James Ang
vCenter Operations R&D
Cool to see you used my blog post by the way - this keeps me wanna blog and help other people out. Too bad your database is somehow corrupted.
Hey, that blog is what gave me proof the issue was a scheduled report / DB issue!
Thank you for putting it out there!
And as far as the health of the DB, all is well since VMware support cleaned out that old bit of data.
FYI he's a link to the blog post! VCOPS: Show all scheduled reports