vCenter's UI is inaccessible and services won't start after changing the vCenter's hostname/pnid from VAMI


Article ID: 400859


Products

VMware vCenter Server

Issue/Introduction

  • The service restart gets stuck at 'vmware-certificateauthority'
  • In /var/log/vmware/vmon/vmon.log on the vCenter, you will observe: [YYYY-MM-DDTHH:MM:SS] Wa(03)+ host-2235 "Error 46 while finding SSO group \"ActAsUsers\":\ndir-cli failed. Error 1326: Operation failed with error ERROR_LOGON_FAILURE (1326) \n"
root@vcenter [ ~ ]# less /var/log/vmware/vmon/vmon.log

YYYY-MM-DDTHH:MM:SS Z Wa(03)+ host-#####             "translatable": "An error occurred while invoking external command : '%(0)s'",
YYYY-MM-DDTHH:MM:SS Z Wa(03)+ host-#####             "args": [
YYYY-MM-DDTHH:MM:SS Z Wa(03)+ host-#####                 "Error 46 while finding SSO group \"ActAsUsers\":\ndir-cli failed. Error 1326: Operation failed with error ERROR_LOGON_FAILURE (1326) \n"
YYYY-MM-DDTHH:MM:SS Z Wa(03)+ host-#####             ],
YYYY-MM-DDTHH:MM:SS Z Wa(03)+ host-#####             "localized": "An error occurred while invoking external command : 'Error 46 while finding SSO group \"ActAsUsers\":\ndir-cli failed. Error 1326: Operation failed with error ERROR_LOGON_FAILURE (1326) \n'"
YYYY-MM-DDTHH:MM:SS Z Wa(03)+ host-#####         }
YYYY-MM-DDTHH:MM:SS Z Wa(03)+ host-#####     ],
YYYY-MM-DDTHH:MM:SS Z Wa(03)+ host-#####     "componentKey": null,
YYYY-MM-DDTHH:MM:SS Z Wa(03)+ host-#####     "problemId": null,
YYYY-MM-DDTHH:MM:SS Z Wa(03)+ host-#####     "resolution": null

 

  • If you see the above error, check the Machine Account password length and the password policy.
  • SSH into the vCenter and run the commands below.

To check the Machine Account password:

root@vcenter [ ~ ]# /opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmdir]' | grep "dcAccountPassword"

The output looks similar to:
+  "dcAccountPassword" REG_SZ          "######################################"


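To check the password policy, run the following command, replacing SSOPWD with the password of the SSO administrator account used in the -D bind DN:

root@vcenter [ ~ ]# ldapsearch -o ldif-wrap=no -LLL -h localhost -b "dc=vsphere,dc=local" -s sub "objectclass=vmwPasswordPolicy" -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w 'SSOPWD'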


The example output for the above command should look similar to:

#ldapsearch -o ldif-wrap=no -LLL -h localhost -b "dc=vsphere,dc=local" -s sub "objectclass=vmwPasswordPolicy" -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w 'SSOPWD'
dn: cn=password and lockout policy,dc=vsphere,dc=local
objectClass: top
objectClass: vmwLockoutPolicy
objectClass: vmwPasswordPolicy
objectClass: vmwPolicy
cn: password and lockout policy
Enabled: TRUE
vmwPasswordProhibitedPreviousCount: 5
vmwPasswordLifetimeDays: 90
vmwPasswordMaxLength: 50
vmwPasswordMinLength: 8
vmwPasswordMinAlphabeticCount: 2
vmwPasswordMinUpperCaseCount: 1
vmwPasswordMinLowerCaseCount: 1
vmwPasswordMinNumericCount: 1
vmwPasswordMinSpecialCharCount: 1
vmwPasswordMaxIdenticalAdjacentChars: 3
vmwPasswordChangeMaxFailedAttempts: 5
vmwPasswordChangeFailedAttemptIntervalSec: 180
vmwPasswordChangeAutoUnlockIntervalSec: 300
nTSecurityDescriptor:: 

  • In the first output above, the Machine Account password contains more than 20 characters, and in the second output the password policy's maximum length (vmwPasswordMaxLength) is 50.
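
The two checks above can be combined so that only the length of the Machine Account password is reported and the secret itself is never printed. This is an added example, not part of the original article: the function names and the sample input are constructed, and it assumes lwregshell and ldapsearch print the formats shown above.

```shell
#!/bin/sh
# Added example: machine account password length vs. the 20-character limit.
LIMIT=20   # limit stated in the Cause section

# stdin: lwregshell output. Prints only the length of dcAccountPassword.
# Assumption: the value lies between the quote after REG_SZ and the last quote.
dc_password_length() {
    awk '/"dcAccountPassword"/ {
        line = $0
        sub(/^.*REG_SZ[ \t]+"/, "", line)   # strip up to the opening quote
        sub(/"[ \t]*$/, "", line)           # strip the closing quote
        print length(line); found = 1; exit
    }
    END { if (!found) exit 1 }'
}

# stdin: LDIF from the policy query. $1: attribute name. Prints its value.
policy_attr() {
    awk -v attr="$1" -F': ' '$1 == attr { print $2; found = 1; exit }
    END { if (!found) exit 1 }'
}

# $1: password length, $2: vmwPasswordMaxLength. Prints a one-line verdict.
assess() {
    if [ "$1" -gt "$LIMIT" ]; then
        echo "FAIL: machine account password is $1 chars (limit $LIMIT)"
    elif [ "$2" -gt "$LIMIT" ]; then
        echo "WARN: vmwPasswordMaxLength=$2 permits passwords over $LIMIT chars"
    else
        echo "OK: password length $1, vmwPasswordMaxLength $2"
    fi
}

# $1: lwregshell output, $2: ldapsearch output.
check() {
    pw_len=$(printf '%s\n' "$1" | dc_password_length) ||
        { echo "ERROR: dcAccountPassword not found"; return 2; }
    max_len=$(printf '%s\n' "$2" | policy_attr vmwPasswordMaxLength) ||
        { echo "ERROR: vmwPasswordMaxLength not found"; return 2; }
    assess "$pw_len" "$max_len"
}

# Constructed sample input (not from a real system); the password is 32 chars.
SAMPLE_REG='+  "dcAccountPassword" REG_SZ          "Aa1#Aa1#Aa1#Aa1#Aa1#Aa1#Aa1#Aa1#"'
SAMPLE_LDIF='dn: cn=password and lockout policy,dc=vsphere,dc=local
vmwPasswordMaxLength: 50
vmwPasswordMinLength: 8'

check "$SAMPLE_REG" "$SAMPLE_LDIF"
```

On the appliance, pass the output of the two commands shown above as the first and second argument to check.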

Environment

  • VMware vCenter Server 7.x
  • VMware vCenter Server 8.x

Cause

  • vCenter does not support a maximum password length above 20 characters for the Machine Account. 

 

Resolution

  1. SSH into the vCenter
  2. Set the maximum password length to 20 and the minimum password length to 8 for the Machine Account using the commands below.

    To set vmwPasswordMaxLength to 20, run the following command:
    
    #ldapmodify -h localhost -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w 'SSOPWD' <<EOF
    dn: cn=password and lockout policy,dc=vsphere,dc=local
    changetype: modify
    replace: vmwPasswordMaxLength
    vmwPasswordMaxLength: 20
    EOF
    
    To set vmwPasswordMinLength to 8, run the following command:
    
    #ldapmodify -h localhost -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w 'SSOPWD' <<EOF
    dn: cn=password and lockout policy,dc=vsphere,dc=local
    changetype: modify
    replace: vmwPasswordMinLength
    vmwPasswordMinLength: 8
    EOF
  3. Reset the Machine Account password by following the KB article "LDAP Error Code 49 : Reset Machine Account Password of vCenter Server Appliance using Shell Script".