Local users created in VMware vCenter Single Sign-On 6.0 fail to log in after modifying the maximum lifetime value for password expiration

Article ID: 315293

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

After you modify the maximum lifetime password expiration value for VMware vCenter Single Sign-On 6.0, you experience these symptoms:
  • Local users created in VMware vCenter Single Sign-On are unable to log in
  • You see the error:

    Incorrect username/password
     
  • The C:\ProgramData\VMware\vCenterServer\logs\sso\vmware-sts-idmd.log file on the Platform Services Controller has entries similar to:

    [2015-06-24T11:36:04.877-05:00 SSO_Domain ########-####-####-####-########b50f ERROR] [IdentityManager] Failed to authenticate principal [username@SSO_Domain]. User password expired.
    [2015-06-24T11:36:04.877-05:00 SSO_Domain ########-####-####-####-########b50f INFO ] [IdentityManager] Authentication failed for user [username@SSO_Domain] in tenant [SSO_Domain] in [13] milliseconds with provider [SSO_Domain] of type com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider]
    [2015-06-24T11:36:04.877-05:00 vsphere.local ########-####-####-####-########b50f ERROR] [ServerUtils] Exception 'com.vmware.identity.idm.PasswordExpiredException: User account expired: {Name: username, Domain: SSO_Domain}'
    com.vmware.identity.idm.PasswordExpiredException: User account expired: {Name: username, Domain: SSO_Domain}
    at com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider.checkUserAccountFlags(VMwareDirectoryProvider.java:1339)
    at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:2518)


    Note: The preceding log excerpts are only examples. Dates, times, and environment-specific values (domain names, user names, correlation IDs) vary from one environment to another.
     
  • You are able to log in with administrator@vsphere.local

    Note: If you are using a custom VMware vCenter Single Sign-On domain, replace vsphere.local with the name of your VMware vCenter Single Sign-On domain.



Environment

VMware vCenter Server 6.0.x

Cause

This issue occurs when the vCenter Single Sign-On password policy's maximum lifetime (password expiration) value is set larger than the maximum value permitted. With such a value in place, the passwords of local users in the Single Sign-On domain are treated as expired at login, which produces the PasswordExpiredException entries shown above.

Resolution

This is a known issue affecting VMware vCenter Server 6.0.
 
Currently, there is no resolution.
 
To work around this issue:
 
  1. Log in to the VMware vSphere Web Client as administrator@vsphere.local

    Note: If you are using a custom VMware vCenter Single Sign-On domain, replace vsphere.local with the name of your VMware vCenter Single Sign-On domain.
     
  2. Navigate to Configuration > Policies > Password Policy > Edit.
  3. Set the password expiration value to a value less than 999999 days.
  4. Recreate the users impacted within the VMware vCenter Single Sign-On domain. For more information, see the Add vCenter Single Sign-On Users section in the vSphere Security guide.
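To find out which local users need to be recreated in step 4, the vmware-sts-idmd.log entries shown in the Symptoms section can be scanned for the "User password expired" failures. The following Python script is an added example written for this article, not VMware code: it matches the IdentityManager ERROR line format from the excerpt above, counts failures per principal, and keeps only accounts in the Single Sign-On domain (defaulting to vsphere.local). The log lines embedded in it are constructed samples modelled on the excerpt, and the "Invalid credentials" line is an assumed non-matching entry included to show that unrelated failures are ignored.

```python
import re
from collections import Counter

# Pattern for the ERROR line that IdentityManager writes when a login fails
# because the password is considered expired (format taken from the article's
# log excerpt). Timestamp, tenant and correlation id are captured but unused.
_EXPIRED_RE = re.compile(
    r"^\[(?P<ts>\S+)\s+(?P<tenant>\S+)\s+(?P<corr>\S+)\s+ERROR\]\s+"
    r"\[IdentityManager\]\s+Failed to authenticate principal\s+"
    r"\[(?P<principal>[^\]]+)\]\.\s+User password expired\."
)


def find_expired_principals(lines):
    """Return a Counter mapping principal -> number of expired-password failures."""
    hits = Counter()
    for line in lines:
        match = _EXPIRED_RE.match(line.strip())
        if match:
            hits[match.group("principal")] += 1
    return hits


def local_users(principals, sso_domain):
    """Keep only principals in the Single Sign-On domain (case-insensitive), sorted."""
    suffix = "@" + sso_domain.lower()
    return sorted(p for p in principals if p.lower().endswith(suffix))


def report(log_text, sso_domain="vsphere.local"):
    """Map each affected local user to its failure count; other domains are dropped."""
    hits = find_expired_principals(log_text.splitlines())
    return {p: hits[p] for p in local_users(hits, sso_domain)}


# Constructed sample log lines modelled on the article's excerpt (not real data).
SAMPLE_LOG = """\
[2015-06-24T11:36:04.877-05:00 vsphere.local 00000000-0000-0000-0000-000000000001 ERROR] [IdentityManager] Failed to authenticate principal [alice@vsphere.local]. User password expired.
[2015-06-24T11:36:04.877-05:00 vsphere.local 00000000-0000-0000-0000-000000000001 INFO ] [IdentityManager] Authentication failed for user [alice@vsphere.local] in tenant [vsphere.local] in [13] milliseconds with provider [vsphere.local] of type com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider]
[2015-06-24T11:40:12.101-05:00 vsphere.local 00000000-0000-0000-0000-000000000002 ERROR] [IdentityManager] Failed to authenticate principal [bob@vsphere.local]. User password expired.
[2015-06-24T11:41:00.500-05:00 vsphere.local 00000000-0000-0000-0000-000000000003 ERROR] [IdentityManager] Failed to authenticate principal [alice@vsphere.local]. User password expired.
[2015-06-24T11:42:30.000-05:00 vsphere.local 00000000-0000-0000-0000-000000000004 ERROR] [IdentityManager] Failed to authenticate principal [carol@corp.example]. User password expired.
[2015-06-24T11:43:00.000-05:00 vsphere.local 00000000-0000-0000-0000-000000000005 ERROR] [IdentityManager] Failed to authenticate principal [dave@vsphere.local]. Invalid credentials.
"""

if __name__ == "__main__":
    # On a real Platform Services Controller, read vmware-sts-idmd.log instead of SAMPLE_LOG.
    for principal, count in report(SAMPLE_LOG).items():
        print(f"{principal}: {count} expired-password failure(s)")
```

Run against the real log (pass its contents to `report`, with your custom domain as `sso_domain` if you do not use vsphere.local) to get the list of local accounts to recreate after the password policy has been corrected. Principals from other identity sources, such as carol@corp.example in the sample, are reported separately by `find_expired_principals` but excluded from the recreate list because the workaround applies only to users in the Single Sign-On domain.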