Set password expiry policy for a specific SSO user in vCenter
Article ID: 367383

Products

VMware vCenter Server 7.0, VMware vCenter Server 8.0, VMware vCenter Server

Issue/Introduction

Some user accounts (such as service accounts) are used for third-party integrations and often need their password set to never expire. The password expiry setting in the vCenter UI is a global parameter: it applies to all SSO users, so a single user cannot be exempted from expiry there.

Environment

VMware vCenter Server

Cause

If the service account's password expires and that account is used by a third-party integration such as backup, the integration's authentication fails and the third-party tool reports errors such as backup job failures.


/var/log/vmware/sso/websso.log will contain entries similar to the following.

yyyy-mm-ddThh:mm:ss.mssZ ERROR websso[56:tomcat-http--18] [CorId=29b33506-52fe-42c1-96ad-451a7e609e5a] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [<user_name>@<SSO_Domain>]. User password expired.

yyyy-mm-ddThh:mm:ss.mssZ INFO websso[56:tomcat-http--18] [CorId=29b33506-52fe-42c1-96ad-451a7e609e5a] [com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [<user_name>@<SSO_Domain>] in tenant [<SSO_Domain>] in [23] milliseconds with provider [<SSO_Domain>] of type [com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider]

yyyy-mm-ddThh:mm:ss.mssZ ERROR websso[56:tomcat-http--18] [CorId=29b33506-52fe-42c1-96ad-451a7e609e5a] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.PasswordExpiredException: User account expired: {Name: <user_name>, Domain: <SSO_Domain>}'

com.vmware.identity.idm.PasswordExpiredException: User account expired: {Name: <user_name>, Domain: <SSO_Domain>}

com.vmware.identity.idm.PasswordExpiredException: User account expired: {Name: <user_name>, Domain: <SSO_Domain>}
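As an added example (not part of the KB article), the following shell function summarises which principals are failing authentication because of an expired password, so that expired service accounts can be spotted before the integrations that depend on them start failing. It reads websso.log lines from stdin and counts the "Failed to authenticate principal [...]. User password expired." entries per principal. The log sample embedded below is constructed from the message format shown in the article; the account names and CorIds in it are invented.

```shell
#!/bin/sh
# Added example, not from the KB article. Counts "User password expired"
# authentication failures per principal in websso.log.
# Usage against a live appliance:
#   expired_principals < /var/log/vmware/sso/websso.log

# Reads log lines on stdin; prints "principal count" per principal, sorted.
expired_principals() {
    awk '
        /User password expired/ && match($0, /Failed to authenticate principal \[[^]]*\]/) {
            # RSTART points at "Failed to authenticate principal [" (34 chars);
            # the matched span ends with "]", so strip both to keep the principal.
            p = substr($0, RSTART + 34, RLENGTH - 35)
            count[p]++
        }
        END { for (p in count) print p, count[p] }
    ' | sort
}

# Constructed sample log, modelled on the entries quoted in the article.
# Account names, timestamps and CorIds are invented for the example.
SAMPLE_LOG='2024-01-01T00:00:00.000Z ERROR websso[56:tomcat-http--18] [CorId=00000000-0000-0000-0000-000000000001] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [svc-backup@vsphere.local]. User password expired.
2024-01-01T00:00:05.000Z INFO websso[56:tomcat-http--18] [CorId=00000000-0000-0000-0000-000000000001] [com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [svc-backup@vsphere.local] in tenant [vsphere.local] in [23] milliseconds with provider [vsphere.local] of type [com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider]
2024-01-01T00:10:00.000Z ERROR websso[56:tomcat-http--18] [CorId=00000000-0000-0000-0000-000000000002] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [svc-monitor@vsphere.local]. User password expired.
2024-01-01T00:20:00.000Z ERROR websso[56:tomcat-http--18] [CorId=00000000-0000-0000-0000-000000000003] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [svc-backup@vsphere.local]. User password expired.'

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | expired_principals
```

Only the ERROR lines carrying "User password expired" are counted; the INFO "Authentication failed for user" line that follows each of them is ignored so that a single failure is not counted twice.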


Resolution

"dir-cli" , an internal tool can be used to achieve this requirement.

  • Log in to the vCenter Server Appliance using SSH.
  • Type "shell" and press Enter to reach the bash shell if it is not the default.
  • To determine the password expiry attribute of a user, run "/usr/lib/vmware-vmafd/bin/dir-cli user find-by-name --account <Account Name> --level 2"
  • To disable password expiry for a user, run "/usr/lib/vmware-vmafd/bin/dir-cli user modify --account <Account Name> --password-never-expires"
  • To re-enable password expiry, run "/usr/lib/vmware-vmafd/bin/dir-cli user modify --account <Account Name> --password-expires"
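An account exempted from expiry is a standing credential, so it is worth keeping an inventory of such exemptions. As an added example (not from the KB article or from dir-cli itself), the shell functions below wrap the find-by-name command from the steps above: they parse the "Field: value" output of "dir-cli user find-by-name --level 2" and print a one-line expiry summary per account, so a list of service accounts can be reviewed periodically. The dir-cli path is the one the article uses; the sample output is constructed from the validation output in the article, and the account name svc-backup is invented.

```shell
#!/bin/sh
# Added example, not from the KB article. Reports the password-expiry state
# of SSO accounts by parsing dir-cli "user find-by-name --level 2" output.
# Assumption: dir-cli lives at the path used in the article.
DIRCLI=/usr/lib/vmware-vmafd/bin/dir-cli

# Print the value of one "Field: value" line from find-by-name output.
# $1 = field name, stdin = dir-cli output. The "Enter password for ...:"
# prompt is stripped in case it was captured on the same line as the output.
field_value() {
    awk -v key="$1" '
        { sub(/^Enter password for [^:]*:/, "") }
        index($0, key ": ") == 1 { print substr($0, length(key) + 3); exit }
    '
}

# $1 = captured find-by-name output; prints TRUE/FALSE for the
# "Password never expires" flag, or nothing if the field is absent.
never_expires_flag() {
    printf '%s\n' "$1" | field_value 'Password never expires'
}

# $1 = captured find-by-name output; prints one summary line:
# "<account> never_expires=<flag> expired=<flag> expiry=<value>"
summarize_account() {
    acct=$(printf '%s\n' "$1" | field_value 'Account')
    nev=$(never_expires_flag "$1")
    exp=$(printf '%s\n' "$1" | field_value 'Password expired')
    when=$(printf '%s\n' "$1" | field_value 'Password expiry')
    printf '%s never_expires=%s expired=%s expiry=%s\n' "$acct" "$nev" "$exp" "$when"
}

# Live query: one summary line per account name given as an argument.
# dir-cli prompts for the administrator password on each call.
#   audit_accounts svc-backup svc-monitor
audit_accounts() {
    for acct in "$@"; do
        out=$("$DIRCLI" user find-by-name --account "$acct" --level 2) || {
            printf '%s query_failed\n' "$acct"
            continue
        }
        summarize_account "$out"
    done
}

# Constructed sample, modelled on the validation output in the article, so the
# parsing can be exercised without a vCenter at hand.
SAMPLE_OUTPUT='Enter password for administrator@vsphere.local:
Account: svc-backup
UPN: svc-backup@vsphere.local
Account disabled: FALSE
Account locked: FALSE
Password never expires: TRUE
Password expired: FALSE
Password expiry: N/A'

# Stand-alone run: summarise the constructed sample.
summarize_account "$SAMPLE_OUTPUT"
```

The field lookup matches on the exact "Field: " prefix, so "Account: " is not confused with "Account disabled: " or "Account locked: ".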


The dir-cli command-line utility has many other functions as well. Refer to the dir-cli Command Reference documentation.

Additional Information

Example snippets:

Set the password expiry to "never":

# /usr/lib/vmware-vmafd/bin/dir-cli user modify --account test --password-never-expires
Enter password for [email protected]:
Password set to never expire for [<User_Name>].


Validation

# /usr/lib/vmware-vmafd/bin/dir-cli user find-by-name --account <User_Name> --level 2
Enter password for [email protected]:
Account: <User_Name>
UPN: <User_Name>@<SSO_DOMAIN>
Account disabled: FALSE
Account locked: FALSE
Password never expires: TRUE
Password expired: FALSE
Password expiry: N/A