CyberArk is unable to change ESXi local passwords after enabling lockdown mode

Article ID: 395006

Products

VMware vSphere ESXi

Issue/Introduction

Symptom:
Normal lockdown mode was enabled on an ESXi host, and CyberArk could no longer change passwords on that host.

Validation:
In the ESXi /var/log/hostd.log, you see the following NoPermission errors when CyberArk tries to change a password.

When the account that CyberArk logs in with does not have the Administrator role:

error hostd[2111794] [Originator@6876 sub=Default opID=f8a090f0] [module:pam_lsass]pam_sm_authenticate: failed [error code:40017]
info hostd[2111794] [Originator@6876 sub=Default opID=f8a090f0] Accepted password for user <user>
info hostd[2111794] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=f8a090f0] Event 45312 : Cannot login user <user>: no permission
info hostd[2111794] [Originator@6876 sub=Solo.Vmomi opID=f8a090f0] Throw vim.fault.NoPermission
info hostd[2111794] [Originator@6876 sub=Solo.Vmomi opID=f8a090f0] Result:
--> (vim.fault.NoPermission) {
-->   object = 'vim.Folder:ha-folder-root',
-->   privilegeId = "System.View",
-->   msg = "",
--> }

Environment

vCenter v7.0 u3, ESXi v7.0 u3, CyberArk VMware ESX/i API Plugin

Cause

The user that CyberArk authenticates with was in the ESXi lockdown mode exception users list but did not have the Administrator role. A lockdown exception only allows the account to connect directly to the host; the Administrator role is still required for the permission check (System.View on ha-folder-root in the log above) to pass.

Resolution

The user must be in the lockdown mode exception list and have the Administrator role in order to authenticate to the ESXi host and change passwords.

Assign the Administrator role to the user
  1. Right-click Host in the VMware Host Client inventory and then select Permissions.
  2. Click Add user.
  3. Click the Select a user text box and type in the domain user account (for example, DOMAIN\userAccountName).
  4. Click the arrow next to the Select a role text box and select Administrator from the list.
  5. Click Add and then select Close.

Example user permission list:

Verify that the user is in the Lockdown mode Exception users list

  1. Navigate to Manage, select Security & users, then select Lockdown mode.
  2. Select Edit settings, then Add user exception or Remove user exception as needed.

Example of Lockdown Mode Exception users:

After adding the Administrator role, you will see the following in the ESXi /var/log/hostd.log and CyberArk can change the password:

info hostd[2110364] [Originator@6876 sub=Default opID=f8a083ae] Accepted password for user <user>
info hostd[2110364] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=f8a083ae] Event 45277 : User <user> logged in as gSOAP/2.8
info hostd[2112092] [Originator@6876 sub=Vimsvc.TaskManager opID=f8a083b1 user=<user>] Task Created : haTask-ha-folder-root-vim.host.LocalAccountManager.UpdateUser-2755673590
info hostd[2100139] [Originator@6876 sub=SysCommandPosix opID=f8a083b1 user=<user>] ForkExec(/bin/pam_tally2) 23843769
info hostd[2100139] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=f8a083b1 user=<user>] Event 45278 : Password was changed for account root on host <host>
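To check a hostd.log for the two outcomes shown above (the NoPermission failure under Validation and the successful login and password change under Resolution) without reading it by hand, here is an added example, not part of this article, that groups hostd.log lines by opID, follows the multi-line fault body, and reports whether an accepted password was then refused for lack of a role. The account name svc-cyberark, the host name esxi01, and the sample log text are constructed placeholders.

```python
import re

# Constructed sample built from the hostd.log excerpts on this page: a login denied
# with NoPermission, then a successful login and password change (names are placeholders).
SAMPLE_HOSTD_LOG = """\
info hostd[2111794] [Originator@6876 sub=Default opID=f8a090f0] Accepted password for user svc-cyberark
info hostd[2111794] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=f8a090f0] Event 45312 : Cannot login user svc-cyberark: no permission
--> (vim.fault.NoPermission) {
-->   privilegeId = "System.View",
--> }
info hostd[2110364] [Originator@6876 sub=Default opID=f8a083ae] Accepted password for user svc-cyberark
info hostd[2110364] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=f8a083ae] Event 45277 : User svc-cyberark logged in as gSOAP/2.8
info hostd[2100139] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=f8a083b1 user=svc-cyberark] Event 45278 : Password was changed for account root on host esxi01
"""

HEADER_RE = re.compile(r"^\w+ hostd\[\d+\] \[Originator@\d+ sub=\S+ opID=(?P<opid>\w+)"
                       r"(?: user=(?P<user>[^\]\s]+))?\] (?P<msg>.*)$")
FLAG_RES = {"accepted": re.compile(r"Accepted password for user (?P<user>\S+)"),
            "denied": re.compile(r"Cannot login user (?P<user>\S+): no permission"),
            "logged_in": re.compile(r"User (?P<user>\S+) logged in")}
CHANGED_RE = re.compile(r"Password was changed for account (?P<account>\S+)")
PRIV_RE = re.compile(r'privilegeId = "(?P<priv>[^"]+)"')


def analyze_hostd_log(text):
    """Group hostd.log lines by opID and attach a verdict to each operation."""
    ops, current = {}, None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current, msg = m.group("opid"), m.group("msg")
            op = ops.setdefault(current, {"user": m.group("user"), "privilege": None, "changed_account": None})
            for flag, rx in FLAG_RES.items():      # login outcome flags
                hit = rx.search(msg)
                if hit:
                    op[flag], op["user"] = True, hit.group("user")
            changed = CHANGED_RE.search(msg)
            if changed:
                op["changed_account"] = changed.group("account")
        elif raw.startswith("-->") and current:    # continuation of a fault body
            priv = PRIV_RE.search(raw)
            if priv:
                ops[current]["privilege"] = priv.group("priv")
    for op in ops.values():
        if op.get("accepted") and op.get("denied"):   # right password, no role
            op["verdict"] = "NO_ROLE"
        elif op["changed_account"]:
            op["verdict"] = "PASSWORD_CHANGED"
        else:
            op["verdict"] = "OK" if op.get("logged_in") else "UNKNOWN"
    return ops
```

A NO_ROLE verdict with privilege System.View is the signature of this article's cause: the exception-list user authenticated but lacks the Administrator role.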

Refer to the following article for enabling or disabling lockdown mode on an ESXi host:
https://knowledge.broadcom.com/external/article/336894/