SRM Site Pair Disconnected or Configuration Export Fails Due to Expired Internal Service Account in vCenter SSO

Article ID: 408018


Products

VMware Live Recovery

Issue/Introduction

You may be unable to reconnect your Site Recovery Manager (SRM) site pair, or exporting the SRM configuration settings may fail. This issue is typically accompanied by error messages indicating "Authentication failed" or "Password of the user logging on is expired" for an internal SRM service principal account within the vCenter Single Sign-On (SSO) domain.

Example Error Message Pattern:
Internal error: ...Authentication failed: Password of the user logging on is expired. :: User account expired: Name: [SRM-GUID-identifier], Domain: vsphere.local

Environment

VMware Site Recovery Manager (SRM) appliance

VMware Live Recovery

Cause

The root cause is the expiration of the password for an automatically generated internal SRM service account (identified by a GUID, e.g., SRM-########-####-####-####-############). These accounts are created within vCenter Single Sign-On during SRM installation or configuration and are essential for SRM to authenticate with vCenter Server and to communicate with its paired site. When this internal account's password expires, SRM loses its ability to perform critical operations, leading to site pair disconnection and functional failures such as the inability to export the configuration.

Resolution

The resolution involves removing the expired service principal from vCenter SSO and then forcing SRM to re-register and generate a new, valid service principal.

Important Considerations Before Proceeding:

  • Ensure you have a recent backup or snapshot of your vCenter Server and SRM appliances/VMs before making any changes.
  • Modifying vCenter SSO using tools like JXplorer requires extreme caution. Incorrect changes can severely impact your vSphere environment. If unsure, consult VMware support.

Steps to Resolve:

  1. Identify the Expired Service Principal:

    • Carefully review the exact error message from the SRM UI or log files. Note down the specific Name: (e.g., SRM-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) of the user account reported as "expired." This GUID is unique to your SRM installation.
  2. Connect to vCenter SSO via JXplorer:

    • Download and install JXplorer.
    • Launch JXplorer and create a new connection:
      • Host: Your vCenter Server FQDN or IP address
      • Port: Typically 389 (LDAP)
      • Base DN: dc=vsphere,dc=local (or your specific SSO domain if different).
      • Security Level: User + Password
      • User DN: cn=Administrator,cn=Users,dc=vsphere,dc=local
      • Password: The password for your vCenter SSO Administrator.
    • Accept any certificate warnings if prompted.
  3. Remove the Expired Service Principal:

    • Once connected, navigate the directory tree on the left pane:
      • dc=vsphere,dc=local
      • cn=ServicePrincipals
    • Locate the specific service principal identified in Step 1 (e.g., cn=SRM-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
    • Right-click on this entry and select "Delete."
    • Confirm the deletion when prompted.
  4. Reconfigure SRM Appliance/Instance:

    • For SRM Appliance (VAMI):
      • Open a web browser and navigate to the SRM Appliance Management Interface (VAMI) at https://[SRM_Appliance_IP_or_FQDN]:5480.
      • Log in with root credentials.
      • Go to the "Summary" tab.
      • Click on "Reconfigure" or "Reconfigure Appliance." Follow the prompts to re-enter your vCenter Server details and SSO credentials. This process forces SRM to re-register with SSO and generate a new, valid service principal.
  5. Verify SRM Functionality:

    • Log out of the SRM vSphere Client/Web Client interface and log back in.
    • Check the SRM Site Pair status. It should now show as Connected.
    • If still disconnected, navigate to Site Recovery > Site Pairs, select your site pair, and click on "Reconnect".
    • Attempt to export the SRM configuration to confirm full functionality.
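
Steps 1 and 3 depend on copying the right account name from the error message into the directory tree. The following Python sketch is an added example, not part of the original article or of any VMware tooling: it extracts expired SRM-<GUID> account names from log text and builds the DN to look for under cn=ServicePrincipals, so that only an entry matching the reported name is selected for deletion. It assumes the GUID is hexadecimal; the function names and sample log lines are constructed for illustration.

```python
import re

# "User account expired" fragment of the error pattern quoted in this article.
EXPIRED_RE = re.compile(
    r"User account expired:\s*\{?\s*Name:\s*\[?([^,\]\s]+)\]?,\s*Domain:\s*([A-Za-z0-9.-]+)"
)
# Assumption: the internal account is "SRM-" plus an 8-4-4-4-12 hexadecimal GUID.
SRM_NAME_RE = re.compile(r"SRM-[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample lines (timestamps, GUID and the second account are made up).
SAMPLE_LOG = """\
2024-01-01T10:00:00 Internal error: ...Authentication failed: Password of the user logging on is expired. :: User account expired: Name: SRM-1a2b3c4d-0000-1111-2222-333344445555, Domain: vsphere.local
2024-01-01T10:00:09 Internal error: ...Authentication failed: Password of the user logging on is expired. :: User account expired: Name: SRM-1a2b3c4d-0000-1111-2222-333344445555, Domain: vsphere.local
2024-01-01T10:02:00 Internal error: ...User account expired: Name: backup-operator, Domain: vsphere.local
"""


def expired_srm_principals(log_text):
    """Return unique (name, domain) pairs for expired SRM service principals."""
    found = []
    for name, domain in EXPIRED_RE.findall(log_text):
        domain = domain.rstrip(".").lower()
        # Skip anything that is not an SRM-<GUID> account (e.g. a regular user).
        if SRM_NAME_RE.fullmatch(name) and (name, domain) not in found:
            found.append((name, domain))
    return found


def service_principal_dn(name, domain):
    """Build the DN of the entry under cn=ServicePrincipals for one principal."""
    if not SRM_NAME_RE.fullmatch(name):
        raise ValueError(f"not an SRM service principal name: {name!r}")
    labels = domain.split(".")
    if not all(re.fullmatch(r"[A-Za-z0-9-]+", label) for label in labels):
        raise ValueError(f"unexpected SSO domain: {domain!r}")
    base_dn = ",".join(f"dc={label}" for label in labels)
    return f"cn={name},cn=ServicePrincipals,{base_dn}"


if __name__ == "__main__":
    for name, domain in expired_srm_principals(SAMPLE_LOG):
        print(service_principal_dn(name, domain))
```

If the log reports more than one distinct SRM-<GUID> name, each is listed once; names that do not match the SRM-<GUID> shape are ignored rather than turned into a DN.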