vCenter root account getting locked every 15 mins
Every 5 minutes, a root authentication failure is recorded in /var/log/vmware/messages:
python: pam_unix(passwd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
python: pam_unix(passwd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
python: pam_unix(passwd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
VMware vCenter Server 8.0
Applications connect to vCenter with the root or SSO administrator password. If a vCenter password is changed and an application that uses it is not updated with the latest credentials, that application keeps polling or logging in to vCenter with the invalid credentials, which leads to account lockout.
Identify the source of the root login attempts from /var/log/vmware/vapi/endpoint/endpoint-access.log:
YYYY-MM-DDTHH:MM:SS.###Z | jetty-default-2593 | Invoking operation create from service com.vmware.cis.session with id 65375f50-8e47-4617-8960-84a42012b337
YYYY-MM-DDTHH:MM:SS.###Z | sso2 | ##.##.##.## - - [01/Aug/2023:01:59:13 +0000] "POST /rest/com/vmware/cis/session HTTP/1.1" 200 44 "-" "Java/11.0.18" 112
YYYY-MM-DDTHH:MM:SS.###Z | jetty-default-2421 | Invoking operation create from service com.vmware.cis.session with id 5fe100bd-68dc-4b80-809d-d3151f3b57a0
YYYY-MM-DDTHH:MM:SS.###Z | sso5 | ##.##.##.## - - [01/Aug/2023:01:59:13 +0000] "POST /rest/com/vmware/cis/session HTTP/1.1" 401 573 "-" "Java/11.0.18" 23
##.##.##.## is the IP address that is using the root account.
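The lookup above can be scripted when the log is busy. This is an added example, not VMware tooling: the function names and the sample log lines (documentation-range IPs, made-up timestamps, ids and user agents) are constructed. It counts HTTP 401 (failed authentication) responses to POST /rest/com/vmware/cis/session per client IP and user agent.

```sh
#!/bin/sh
# Added example, not VMware tooling. Function names and sample data are constructed.

# failed_session_sources FILE
# Prints "<count> <client-ip> <user-agent>" for every client that received
# HTTP 401 on POST /rest/com/vmware/cis/session, most frequent first.
failed_session_sources() {
    awk -F' [|] ' '
        # Access-log entries sit in the third " | "-separated field. The
        # "Invoking operation" lines do not match the request pattern.
        NF >= 3 && $3 ~ /"POST \/rest\/com\/vmware\/cis\/session / {
            # Splitting on double quotes gives: q[2] = request line,
            # q[3] = " status bytes ", q[6] = user agent.
            if (split($3, q, "\"") < 6) next
            split($3, head, " ")    # head[1] = client IP
            split(q[3], st, " ")    # st[1] = HTTP status code
            if (st[1] == "401") fails[head[1] " " q[6]]++
        }
        END { for (k in fails) print fails[k], k }
    ' "$1" | sort -rn
}

# Constructed sample in the endpoint-access.log layout shown above
# (documentation-range IPs, made-up timestamps, ids and user agents).
write_sample_log() {
    cat > "$1" <<'EOF'
2023-08-01T01:59:13.101Z | jetty-default-1 | Invoking operation create from service com.vmware.cis.session with id 00000000-0000-0000-0000-000000000001
2023-08-01T01:59:13.140Z | sso2 | 192.0.2.30 - - [01/Aug/2023:01:59:13 +0000] "POST /rest/com/vmware/cis/session HTTP/1.1" 200 44 "-" "Java/11.0.18" 112
2023-08-01T01:59:13.300Z | sso5 | 192.0.2.10 - - [01/Aug/2023:01:59:13 +0000] "POST /rest/com/vmware/cis/session HTTP/1.1" 401 573 "-" "Java/11.0.18" 23
2023-08-01T02:04:13.300Z | sso5 | 192.0.2.10 - - [01/Aug/2023:02:04:13 +0000] "POST /rest/com/vmware/cis/session HTTP/1.1" 401 573 "-" "Java/11.0.18" 21
2023-08-01T02:05:02.000Z | sso1 | 192.0.2.20 - - [01/Aug/2023:02:05:02 +0000] "POST /rest/com/vmware/cis/session HTTP/1.1" 401 573 "-" "curl/8.0.1" 19
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
failed_session_sources "$sample"
rm -f "$sample"
```

On the appliance, pass /var/log/vmware/vapi/endpoint/endpoint-access.log as the argument to failed_session_sources.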