In VMware Identity Manager (vIDM), the Configadmin account is repeatedly locked despite the correct credentials being used. The issue persists even after the password is reset: the account locks again after a few successful logins. The lockouts are typically accompanied by Audit Events showing multiple failed login attempts originating from endpoints integrated with vIDM. These endpoints keep attempting to authenticate with the old Configadmin credentials, which causes the account to lock.
Audit Events:
{
  "baseType" : "Action",
  "uuid" : "#########-####-####-############",
  "timestamp" : 1739868691857,
  "organizationId" : 2,
  "tenantId" : "####-########",
  "actorId" : null,
  "actorUserName" : "configAdmin",
  "actorDomain" : "System Domain",
  "actorUuid" : "#########-####-####-############",
  "clientId" : null,
  "deviceId" : null,
  "workspaceId" : null,
  "sourceIp" : "##.###.##.##.###",
  "objectType" : "LOGIN",
  "objectId" : null,
  "objectName" : null,
  "values" : {
    "deviceType" : null,
    "success" : "false",
    "authMethods" : "Password",
    "actorExternalId" : null,
    "failureMessage" : "invalid password"
  }
}
Monitor for Failed Login Attempts:
Access the Audit Events in vIDM by navigating to Dashboard -> Reports -> Audit Events to check for failed login attempts.
Additionally, monitor the /opt/vmware/horizon/workspace/logs/horizon.log file for log entries like the following:
2025-02-06T03:53:19,008 WARN (Thread-8) [tenantIdNAME;-;192.168.##.##;] com.vmware.vidm.password.impl.PasswordLocker - User password locked due to maximum attempts: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
2025-02-06T03:53:19,008 INFO (Thread-8) [tenantIdNAME;-;192.168.##.##;] com.vmware.horizon.federationbroker.UserPasswordValidationService - Unable to authenticate local user configAdmin for tenant xxxxxx-xxxxxxxx:error.invalidCredentials
2025-02-18T00:56:58,041 WARN (Thread-255601) [tenantIdNAME;-;192.168.##.##;] com.vmware.vidm.password.impl.PasswordLocker - User password locked due to maximum attempts: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
2025-02-18T00:56:58,041 INFO (Thread-255601) [tenantIdNAME;-;192.168.##.##;] com.vmware.horizon.federationbroker.UserPasswordValidationService - Unable to authenticate local user configAdmin for tenant xxxxxx-xxxxxxxx:error.invalidCredentials
The source IP address in the bracketed field of these messages (masked as 192.168.##.## above) identifies the host whose repeated incorrect-password attempts are locking the account.
WARN com.vmware.vidm.password.impl.PasswordLocker - User password locked due to maximum attempts
VMware Identity Manager (vIDM) 3.3.x
The issue occurs when the Configadmin account password is changed in vIDM, but the new password is not propagated to external endpoints that use vIDM for authentication. These integrated services continue to send API requests using the outdated password, resulting in repeated failed login attempts and subsequent account lockout. The specific error, as seen in the logs, is tied to excessive authentication attempts from the endpoint using the old password.
To resolve this issue, follow these steps:
Update Passwords on Integrated Endpoints:
After changing the Configadmin password in vIDM, ensure that the new credentials are updated in all integrated endpoints (e.g., Skyline Collector, Aria Operations for Logs, Aria Lifecycle Manager, Aria Operations, etc.).
For each integrated service, log in to its configuration settings and update the vIDM admin password.
Locate the IP addresses linked to failed login attempts as shown in the log snippets under the issue/introduction section, trace them to the corresponding endpoints, and update the passwords.
Note: At times, the service engine IPs of the Load Balancer may appear as the source IP in audit events. To determine the actual source IP, you will need to collaborate with your network team for further investigation.
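As an added example (not part of this KB article and not a VMware tool), the following Python script shows one way to carry out the monitoring step and the "locate the IP addresses" step above: it parses horizon.log entries in the format quoted earlier, reads an audit-event export shaped like the JSON shown at the top, tallies failed configAdmin authentications per source IP, and lists the PasswordLocker lockout events. The sample log lines and audit events are constructed (IPs, thread ids and UUIDs are made up), and the regular expressions are assumptions derived from the entries quoted in this article rather than a documented log grammar.

```python
import json
import re
from collections import Counter

# Pattern for horizon.log lines as quoted in this article (an assumption, not a
# documented format). The bracketed field between the thread name and the logger
# class carries "<tenant>;-;<source IP>;".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+\((?P<thread>[^)]*)\)\s+"
    r"\[(?P<tenant>[^;]*);-;(?P<ip>[^;]*);\]\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$"
)
AUTH_FAIL = re.compile(r"Unable to authenticate local user (?P<user>\S+) for tenant")

# Constructed sample log text in the quoted format. The last line is a made-up,
# unrelated entry included only to show that it is filtered out.
SAMPLE_LOG = """\
2025-02-18T00:56:58,041 INFO (Thread-255601) [tenantIdNAME;-;192.168.10.21;] com.vmware.horizon.federationbroker.UserPasswordValidationService - Unable to authenticate local user configAdmin for tenant xxxxxx-xxxxxxxx:error.invalidCredentials
2025-02-18T00:57:01,120 INFO (Thread-255602) [tenantIdNAME;-;192.168.10.21;] com.vmware.horizon.federationbroker.UserPasswordValidationService - Unable to authenticate local user configAdmin for tenant xxxxxx-xxxxxxxx:error.invalidCredentials
2025-02-18T00:57:04,310 INFO (Thread-255603) [tenantIdNAME;-;192.168.10.37;] com.vmware.horizon.federationbroker.UserPasswordValidationService - Unable to authenticate local user configAdmin for tenant xxxxxx-xxxxxxxx:error.invalidCredentials
2025-02-18T00:57:05,002 INFO (Thread-255604) [tenantIdNAME;-;192.168.10.21;] com.vmware.horizon.federationbroker.UserPasswordValidationService - Unable to authenticate local user configAdmin for tenant xxxxxx-xxxxxxxx:error.invalidCredentials
2025-02-18T00:57:05,003 WARN (Thread-255604) [tenantIdNAME;-;192.168.10.21;] com.vmware.vidm.password.impl.PasswordLocker - User password locked due to maximum attempts: 11111111-2222-3333-4444-555555555555
2025-02-18T00:57:09,555 INFO (Thread-255605) [tenantIdNAME;-;192.168.10.50;] com.example.SomeOtherService - constructed unrelated entry
"""

# Constructed audit events shaped like the one quoted at the top of this article.
SAMPLE_AUDIT_JSON = """
[
  {"baseType": "Action", "objectType": "LOGIN", "actorUserName": "configAdmin",
   "sourceIp": "192.168.10.21", "timestamp": 1739868691857,
   "values": {"success": "false", "authMethods": "Password", "failureMessage": "invalid password"}},
  {"baseType": "Action", "objectType": "LOGIN", "actorUserName": "configAdmin",
   "sourceIp": "192.168.10.21", "timestamp": 1739868694000,
   "values": {"success": "false", "authMethods": "Password", "failureMessage": "invalid password"}},
  {"baseType": "Action", "objectType": "LOGIN", "actorUserName": "configAdmin",
   "sourceIp": "192.168.10.37", "timestamp": 1739868697000,
   "values": {"success": "false", "authMethods": "Password", "failureMessage": "invalid password"}},
  {"baseType": "Action", "objectType": "LOGIN", "actorUserName": "configAdmin",
   "sourceIp": "192.168.10.50", "timestamp": 1739868699000,
   "values": {"success": "true", "authMethods": "Password", "failureMessage": null}}
]
"""


def parse_horizon_log(text):
    """Parse horizon.log text into dicts; lines that do not match the pattern are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def failed_logins_by_ip(records, user="configAdmin"):
    """Count 'Unable to authenticate local user <user>' entries per source IP."""
    counts = Counter()
    for r in records:
        m = AUTH_FAIL.search(r["msg"])
        if m and m.group("user").lower() == user.lower():
            counts[r["ip"]] += 1
    return counts


def lockout_events(records):
    """Return (timestamp, source IP) for each PasswordLocker lockout entry."""
    return [
        (r["ts"], r["ip"])
        for r in records
        if r["logger"].endswith("PasswordLocker")
        and "locked due to maximum attempts" in r["msg"]
    ]


def load_audit_events(json_text):
    """Parse an audit-event export (a JSON array of event objects)."""
    return json.loads(json_text)


def audit_failures_by_ip(events, user="configAdmin"):
    """Count failed LOGIN audit events for <user> per sourceIp."""
    counts = Counter()
    for e in events:
        if (e.get("objectType") == "LOGIN"
                and str(e.get("actorUserName", "")).lower() == user.lower()
                and str(e.get("values", {}).get("success")).lower() == "false"):
            counts[e.get("sourceIp")] += 1
    return counts


def suspect_endpoints(log_text, audit_events, user="configAdmin"):
    """Merge both sources into one per-IP tally, most failed attempts first."""
    total = failed_logins_by_ip(parse_horizon_log(log_text), user)
    total += audit_failures_by_ip(audit_events, user)
    return total.most_common()


if __name__ == "__main__":
    records = parse_horizon_log(SAMPLE_LOG)
    for ts, ip in lockout_events(records):
        print(f"lockout at {ts} triggered from {ip}")
    for ip, n in suspect_endpoints(SAMPLE_LOG, load_audit_events(SAMPLE_AUDIT_JSON)):
        print(f"{ip}: {n} failed configAdmin attempts; update the stored vIDM password on this endpoint")
```

On a real appliance, replace SAMPLE_LOG with the contents of /opt/vmware/horizon/workspace/logs/horizon.log and SAMPLE_AUDIT_JSON with an export of the Audit Events report. If the address at the top of the tally belongs to a load balancer service engine, the count points at the load balancer rather than the endpoint behind it, which is the situation the note above describes.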