Password Remediation on SDDC fails with Error "Failed to update the password. User is not allowed to update or rotate PSC credentials. Please login using an alternate 'ADMIN' account to perform this operation."

Article ID: 407691

Products

VMware SDDC Manager

Issue/Introduction

Remediating the password for [email protected] on VCSA from SDDC Manager fails.

You may see errors similar to the following in the SDDC Manager log (/var/log/vmware/vcf/operationsmanager/operationsmanager.log):

Log Snippet:

 [c.v.v.p.r.v.PasswordManagerController,http-nio-127.0.0.1-7300-exec-1] updateOrRotatePassword {"operationType":"REMEDIATE","elements":[{"resourceName":"#################################","resourceType":"PSC","credentials":[{"username":"[email protected]","password":"*****"}]}]}
 [vcf_om,#####################] [c.v.v.p.r.v.helper.vel.SpecValidator,http-nio-127.0.0.1-7300-exec-1] Received request to Validate operation type REMEDIATE
2025-08-19T05:43:32.441+0000 INFO  [vcf_om,####################################] [c.v.v.p.r.v.PasswordAudit:http-nio-127.0.0.1-7300-exec-1] PasswordAudit:Received request for credentials operation=REMEDIATE from user [email protected]
2025-08-19T05:43:32.441+0000 ERROR [vcf_om,#################] [c.v.v.s.s.SoAuthenticationService,http-nio-127.0.0.1-7300-exec-1] [email protected] cannot be used for PSC password operations as it is managed by SDDC Manager.
2025-08-19T05:43:32.441+0000 DEBUG [vcf_om,############################## [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7300-exec-1] Processing localizable exception User is not allowed to update or rotate PSC credentials. Please login using an alternate ADMIN account to perform this operation.
2025-08-19T05:43:32.441+0000 ERROR [vcf_om,#################################] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7300-exec-1] [5F6LNJ] PASSWORD_MANAGER_USER_NOT_ALLOWED_PSC User is not allowed to update or rotate PSC credentials. Please login using an alternate ADMIN account to perform this operation.
com.vmware.vcf.passwordmanager.exception.PasswordManagerException: User is not allowed to update or rotate PSC credentials. Please login using an alternate ADMIN account to perform this operation.
    at com.vmware.vcf.passwordmanager.service.SsoAuthenitcationService.validateWithExistingSOSUser(SsoAuthenticationService.java:164)
    at com.vmware.vcf.passwordmanager.rest.v1.PasswordManagerController$UpdateOrRotatePasswordManagerController.java:208)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:569)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:196)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
    at org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.invoke(AuthorizationManagerBeforeMethodInterceptor.java:198)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:751)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:703)
    at com.vmware.vcf.passwordmanager.rest.v1.PasswordManagerController$$SpringCGLIB$$0.updateOrRotatePassword(<generated>)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:569)
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:118)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:892)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:798)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handle(RequestMappingHandlerAdapter.java:727)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1081)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:974)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1014)
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:888)
    at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:706)
    at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:195)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:195)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:195)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
    at com.vmware.vcf.functionality.toggle.interceptor.FunctionalityToggleApiFilter.doFilterInternal(FunctionalityToggleApiFilter.java:263)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)

Environment

VMware Cloud Foundation (VCF) 5.x.x

Cause

Password remediation was attempted using [email protected] credentials.
This account is managed by SDDC Manager and cannot be used for PSC password operations.
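
An added example (not part of the original article or of VMware tooling): a shell function that scans operationsmanager.log for the PASSWORD_MANAGER_USER_NOT_ALLOWED_PSC error and pairs each hit with the PasswordAudit line on the same worker thread, showing which account and operation were rejected. The sample log lines, the example.test account names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the format shown in the article (not real data).
write_sample_log() {
    cat > "$1" <<'EOF'
2025-01-01T00:00:01.000+0000 INFO  [vcf_om,aaaa1111] [c.v.v.p.r.v.PasswordAudit:http-nio-127.0.0.1-7300-exec-1] PasswordAudit:Received request for credentials operation=REMEDIATE from user managed-admin@example.test
2025-01-01T00:00:01.100+0000 INFO  [vcf_om,bbbb2222] [c.v.v.p.r.v.PasswordAudit:http-nio-127.0.0.1-7300-exec-2] PasswordAudit:Received request for credentials operation=ROTATE from user admin_test@example.test
2025-01-01T00:00:01.200+0000 ERROR [vcf_om,aaaa1111] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7300-exec-1] [SAMPLE] PASSWORD_MANAGER_USER_NOT_ALLOWED_PSC User is not allowed to update or rotate PSC credentials.
EOF
}

# Print one line per rejected PSC password operation found in log file $1.
find_psc_denials() {
    awk '
    # Extract the Tomcat worker thread name from the bracketed logger field.
    function thread(line) {
        if (match(line, /http-nio-[0-9.]+-[0-9]+-exec-[0-9]+/))
            return substr(line, RSTART, RLENGTH)
        return "?"
    }
    # Remember the most recent audited request (operation, user) per thread.
    /PasswordAudit:Received request for credentials/ {
        t = thread($0); op[t] = "?"; user[t] = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^operation=/) op[t] = substr($i, 11)
            if ($i == "user" && i < NF) user[t] = $(i + 1)
        }
        next
    }
    # The ERROR line carrying the error code marks the rejection itself.
    / ERROR / && /PASSWORD_MANAGER_USER_NOT_ALLOWED_PSC/ {
        t = thread($0)
        o = ((t in op) ? op[t] : "?"); u = ((t in user) ? user[t] : "?")
        printf "%s thread=%s operation=%s user=%s\n", $1, t, o, u
    }
    ' "$1"
}

# Demo run against the constructed sample.
log=$(mktemp)
write_sample_log "$log"
find_psc_denials "$log"
rm -f "$log"
```

On the SDDC Manager appliance, pass /var/log/vmware/vcf/operationsmanager/operationsmanager.log as the argument to find_psc_denials.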

Resolution

Example: admin_test

  • Assign Administrator access to the newly created account on SDDC Manager.
  • Log in to SDDC Manager using this new Administrator account.
  • Retry the password remediation.

Additional Information

If the above steps do not resolve the issue, navigate to SDDC Manager > Single Sign-On in the SDDC Manager GUI and assign the required Admin role to the newly created account.