VMware vCenter Server 4.x/5.x logs display multiple login failures
search cancel

VMware vCenter Server 4.x/5.x logs display multiple login failures

book

Article ID: 344543

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction


Symptoms:

Numerous log in attempts to vCenter Server are reported in the Windows Security logs:


Logon Failure:
Reason:Unknown user name or bad password
User Name:XXXXXXX
Domain:YYYYYYYY
Logon Type:2
Logon Process:Advapi
Authentication Package:Negotiate
Workstation Name:RNUMSRIGGAP17
Caller User Name:RNUMSRIGGAP17$
Caller Domain:RNUMDMAS
Caller Logon ID:(0x0,0x3E7)
Caller Process ID:4900
Transited Services:-
Source Network Address:-
Source Port:-


  • In the vpxd.log file (located at: C:\ProgramData\VMware\VMware VirtualCenter\Logs) contains entries similar to:

    09:06:51.882 'App' 5236 info] [VpxLRO] -- BEGIN task-internal-48 -- -- vim.SessionManager.login
    09:06:51.882 'BaseLibs' 5236 info] [ADS] Account xxxxx2 found, but not local

    09:06:51.882 'BaseLibs' 5236 info] Error 1326 authenticating user .\xxxxx.
    09:06:51.913 'BaseLibs' 5236 info] Error 1326 authenticating user YYYYY\xxxxxx
    09:06:51.913 'App' 5236 error] Failed to authenticate user <YYYYY\xxxxxx>
    09:06:51.913 'App' 5236 info] [VpxLRO] -- FINISH task-internal-48 -- -- vim.SessionManager.login


    Environment

    VMware VirtualCenter 2.5.x
    VMware vCenter Server 5.0.x
    VMware VirtualCenter 2.0.x
    VMware vCenter Server 5.1.x
    VMware vCenter Server 4.0.x
    VMware vCenter Server 5.5.x
    VMware vCenter Server 4.1.x

    Cause

    This issue occurs when a process running in your environment is attempting to make a connection on port 443 to vCenter Server.
    If there are services in your environment attempting a connection on port 443 to the Windows Server hosting vCenter Server, ensure these services require access to the vpxd.exe process on port 443. If they do not require vCenter Server access this issue will occur.
    Some VMware products (for example, vRealize Operations Manager (formerly known as vCenter Operations Manager)) do require access to the vpxd.exe on port 443. To access vCenter Server information this way is by design.

    Resolution

    vCenter Server's main process, vpxd.exe listens on port 443. If you have other services installed on the same Windows Server, which is hosting vCenter Server, ensure these services are not listening on port 443. Contact the vendor of the third party service to determine how to prevent the product from listening on port 443, or install the service on a different machine.
    Note: If you are having difficulty logging into vCenter Server using the vSphere Client, ensure that you use a valid username, password, correct capitalization, and standard English characters on the client machine.
    To resolve this issue, determine the machine or process running in your environment attempting to make a connection on port 443 to vCenter Server.
    To determine the machine or process attempting to make a connection, perform one of these options:
    • Use the netstat -anb command, to identify the IP address of the machine that is accessing port 443:
      1. In vCenter Server, open a command prompt. For more information, see Opening a command or shell prompt (1003892).
      2. Run the command:

        netstat -anb

      3. From the output, use the IP address you see to determine the machine that is accessing port 443 of vpxd.exe. Use the commands below as examples:

        netstat -anb|findstr "443"

        or

        netstat -anb|findstr "<IP address>"
    • Install Wireshark, to identify the IP address of the machine that is accessing port 443:
      1. Install Wireshark on the vCenter Server machine.
      2. Configure Wireshark with a filter:

        • To show all existing and new connections to vCenter Server:

          tcp.dstport == 443 and ip.dst == <IP address of the vCenter Server machine>

        • To show only new incoming connections to vCenter Server:

          ip.dst == <ip of VC server> and tcp.dstport == 443 and tcp.flags.syn == 1

      3. Check the source IP address captured when the messages are recorded in the vCenter Server log files.


    Additional Information

    For information on installing and configuring Wireshark, see The Wireshark website.
    Note: The preceding link was correct as of September 11th 2013. If you find the link is broken, please provide feedback and a VMware employee will update the link.
    Opening a command or shell prompt
    VMware vCenter Server 4.x/5.x ログで複数のログイン失敗が表示される
    VMware vCenter Server 4.x/5.x 日志显示多次登录失败

    Powered by Wolken Software