After changing the NSX admin account password, unable to update the NSX admin credentials via the HCX Administrator portal
Article ID: 401546

Updated On:

Products

VMware HCX VMware NSX

Issue/Introduction

  • Attempting to update the NSX admin account credentials from within the HCX Administrator Web portal (https://<HCX-FQDN-OR-IP>:9443) fails with the message: "The credentials are incorrect or the account specified has been locked"
  • The NSX admin account password had been changed prior to attempting the update.

Environment

VMware NSX
VMware HCX

Cause

By default, after five consecutive failed attempts to authenticate to NSX-T, the NSX admin account is locked for 15 minutes. The lock is enforced per source IP, so only source IPs that attempt to authenticate with incorrect credentials are locked out. If the password for the NSX-T admin account is changed and not immediately updated within HCX, HCX will lock itself out within minutes because of the frequency of the API calls it sends to NSX-T.
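
The lockout behaviour described above can be reproduced with a small model. This is an added example, not VMware code: the thresholds (5 failures, 900 seconds) come from this article, while the IP addresses, passwords, 30-second polling interval and the handling of a lockout period of 0 are constructed assumptions.

```python
from dataclasses import dataclass

MAX_FAILURES = 5        # article: five consecutive failed attempts
LOCKOUT_SECONDS = 900   # article: 15 minutes, i.e. lockout-period 900


@dataclass
class SourceState:
    failures: int = 0
    locked_until: float = 0.0


class LockoutModel:
    """Simplified per-source-IP lockout model (an assumption, not NSX code)."""

    def __init__(self, password, lockout=LOCKOUT_SECONDS):
        self.password = password
        self.lockout = lockout      # 0 models 'lockout-period 0' (assumed: no lock)
        self.sources = {}           # source IP -> SourceState

    def authenticate(self, src_ip, password, now):
        st = self.sources.setdefault(src_ip, SourceState())
        # A locked source is rejected before the password is checked, so even
        # the correct password fails from that IP until the lock expires.
        if self.lockout > 0 and now < st.locked_until:
            return "locked"
        if password == self.password:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + self.lockout
            st.failures = 0
        return "denied"


def seconds_until_locked(model, src_ip, stale_password, interval, horizon=3600):
    """Poll with a stale password every `interval` seconds; return the time of
    the first attempt rejected as locked, or None if none is within `horizon`."""
    for now in range(0, horizon, interval):
        if model.authenticate(src_ip, stale_password, now) == "locked":
            return now
    return None


if __name__ == "__main__":
    nsx = LockoutModel("new-password")                       # constructed values
    print(seconds_until_locked(nsx, "10.0.0.10", "old-password", 30))
    print(nsx.authenticate("10.0.0.10", "new-password", 160))  # HCX source IP
    print(nsx.authenticate("10.0.0.20", "new-password", 160))  # another source IP
```

The model does not cover whether attempts made during the lock extend it.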

Resolution

To remedy this, you may either:

A.) Change the NSX-T API Authentication Policy. 

Steps to do so are: 

  1. Log in to the NSX-T Managers via SSH using the 'admin' account to reach the central CLI.
  2. Run the command 'set auth-policy api lockout-period 0'.
  3. Navigate to the HCX Administrator portal (https://<HCX-FQDN-OR-IP>:9443) and enter the updated NSX-T admin credentials.
  4. Verify that the updated admin account credentials were accepted and that, on the "Dashboard" page of the Administrator portal, NSX shows as healthy, with a green dot in the NSX section.
  5. Set the NSX-T Authentication Policy back to the default by running 'set auth-policy api lockout-period 900'.

 

B.) Update the password within HCX and let the Authentication Lockout Period elapse.

Steps to do so are: 

  1. Navigate to the HCX Administrator page (https://<HCX-FQDN-OR-IP>:9443) and enter the updated NSX-T admin credentials.
  2. Power down the HCX Manager VM for 15 minutes (or to match the duration of the NSX-T Authentication Policy if it's been altered from its default of 15 minutes).
         • This is to prevent any API calls from the HCX Manager to NSX-T from making authentication attempts while the lockout elapses.
  3. Once the lockout period has elapsed, power the HCX Manager VM back on.
  4. From the "Dashboard" page within the Administrator portal, verify that NSX shows as being healthy, with a green dot being seen within the NSX section (See screen image above).

Additional Information

More information on the NSX Authentication Policy options can be found here: Authentication Policy Settings.