Set password expiry for a specific SSO user in vCenter
Article ID: 367383

Products

  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0
  • VMware vCenter Server

Issue/Introduction

Some user accounts (such as service accounts) are used for third-party integrations and often need their password set to never expire. The password expiry setting in the vCenter UI is a global parameter: it applies to all users, so a single user cannot be configured with a password that never expires.

Environment

VMware vCenter Server

Cause

You might notice that the user's password has expired and the third-party integration has stopped working.

/var/log/vmware/sso/websso.log will contain entries similar to the following:

yyyy-mm-ddThh:mm:ss.mssZ ERROR websso[56:tomcat-http--18] [CorId=29b33506-52fe-42c1-96ad-451a7e609e5a] [com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [[email protected]]. User password expired.

yyyy-mm-ddThh:mm:ss.mssZ INFO websso[56:tomcat-http--18] [CorId=29b33506-52fe-42c1-96ad-451a7e609e5a] [com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [[email protected]] in tenant [vsphere.local] in [23] milliseconds with provider [vsphere.local] of type [com.vmware.identity.idm.server.provider.vmwdirectory.VMwareDirectoryProvider]

yyyy-mm-ddThh:mm:ss.mssZ ERROR websso[56:tomcat-http--18] [CorId=29b33506-52fe-42c1-96ad-451a7e609e5a] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.PasswordExpiredException: User account expired: {Name: test, Domain: vsphere.local}'

com.vmware.identity.idm.PasswordExpiredException: User account expired: {Name: test, Domain: vsphere.local}

Resolution

dir-cli, an internal command-line tool, can be used to meet this requirement.

  • Log in to the vCenter Server Appliance using SSH.
  • Type "shell" and press Enter to reach the bash shell if it is not the default.
  • To check the password expiry attributes of a given user, run "/usr/lib/vmware-vmafd/bin/dir-cli user find-by-name --account <Account Name> --level 2"
  • To set the user's password to never expire, run "/usr/lib/vmware-vmafd/bin/dir-cli user modify --account <Account Name> --password-never-expires"

The dir-cli command-line utility has many other functions as well; refer to the documentation:

https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-authentication-8-0/managing-certificates-and-services-with-cli-commands-authentication/dir-cli-utility-authentication.html

Additional Information

Example snippets:

Set the password expiry to "never":

root@vcenter-1 [ ~ ]# /usr/lib/vmware-vmafd/bin/dir-cli user modify --account test --password-never-expires
Enter password for [email protected]:
Password set to never expire for [test].

Validation

root@vcenter-1 [ ~ ]#  /usr/lib/vmware-vmafd/bin/dir-cli user find-by-name --account test  --level 2
Enter password for [email protected]:
Account: test
UPN: [email protected]
Account disabled: FALSE
Account locked: FALSE
Password never expires: TRUE
Password expired: FALSE
Password expiry: N/A
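Accounts exempted from expiry are worth inventorying, since the exemption is set per account and is not visible in the global UI setting. The following added helper (not part of this article or of dir-cli) parses the "find-by-name --level 2" output shown above and classifies an account; the account names, the constructed sample outputs and the audit_account wrapper are assumptions, and the live wrapper only works on the vCenter shell where dir-cli is installed.

```shell
#!/bin/sh
# Assumed path of dir-cli, as used in the article's own examples.
DIR_CLI="/usr/lib/vmware-vmafd/bin/dir-cli"

# Print the value of one "Key: value" line from dir-cli --level 2 output read on stdin.
# Lines without ": " (such as the interactive password prompt) never match the key.
dircli_field() {
    awk -F': ' -v key="$1" '$1 == key { print $2; exit }'
}

# Classify one account from its dir-cli output (passed as a single string).
# Prints: never-expires | expired | ok | unknown
classify_account() {
    never=$(printf '%s\n' "$1" | dircli_field "Password never expires")
    expired=$(printf '%s\n' "$1" | dircli_field "Password expired")
    case "$never:$expired" in
        TRUE:*)      echo never-expires ;;
        *:TRUE)      echo expired ;;
        FALSE:FALSE) echo ok ;;
        *)           echo unknown ;;
    esac
}

# Live wrapper (hypothetical, runs only on vCenter): query one account and classify it.
# dir-cli prompts for the administrator password, exactly as in the article's examples.
audit_account() {
    classify_account "$("$DIR_CLI" user find-by-name --account "$1" --level 2)"
}

# Constructed sample outputs mirroring the article's "Validation" listing.
SAMPLE_NEVER='Enter password for administrator@vsphere.local:
Account: svc-backup
UPN: svc-backup@vsphere.local
Account disabled: FALSE
Account locked: FALSE
Password never expires: TRUE
Password expired: FALSE
Password expiry: N/A'

SAMPLE_EXPIRED='Account: test
UPN: test@vsphere.local
Account disabled: FALSE
Account locked: FALSE
Password never expires: FALSE
Password expired: TRUE
Password expiry: 2024-01-01'

SAMPLE_OK='Account: alice
Password never expires: FALSE
Password expired: FALSE'
```

Run classify_account over the output of each account you exempted, or adapt audit_account to loop over a list of account names, to keep a record of which accounts bypass the global expiry policy.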