Service account for ESXi hosts in disconnected status even after remediation on SDDC Manager



Article ID: 409749


Updated On:

Products

VMware SDDC Manager

Issue/Introduction

The ESXi service account (svc-vcf-esxi_shortname) is reported as disconnected in SDDC Manager, and remediating the password from SDDC Manager does not clear the state.

The SDDC Manager operationsmanager log (/var/log/vcf/operationsmanager/operationsmanager.log) shows:

YYYY-MM-DD ERROR [vcf_om,ID] [c.v.v.p.h.EsxiHostCommandExecutor,om-exec-21] Exception occured in fetching lockdown mode status on ESXi host: esxi fqdn a connection using service-account : {}
java.lang.UnsupportedOperationException: IP esxi fqdn  cannot be connected
        at com.vmware.evo.sddc.common.client.vmware.vsphere.VcManagerBase.connect(VcManagerBase.java:542)
        at com.vmware.evo.sddc.common.client.vmware.vsphere.VcManagerBase.<init>(VcManagerBase.java:495)
        at com.vmware.evo.sddc.common.client.vmware.vsphere.VcManagerBase.<init>(VcManagerBase.java:468)
        at com.vmware.evo.sddc.common.client.vmware.vsphere.VcManagerFactory.getVcManagerBase(VcManagerFactory.java:436)
        at com.vmware.evo.sddc.common.client.vmware.vsphere.VcManagerFactory.createVcManager(VcManagerFactory.java:52)
        at com.vmware.vcf.passwordmanager.helper.EsxiHostCommandExecutor.isLockDownModeEnabled(EsxiHostCommandExecutor.java:199)
        at com.vmware.vcf.passwordmanager.service.PasswordValidationService.checkLockdownModeEnabled(PasswordValidationService.java:512)
        at com.vmware.vcf.passwordmanager.service.PasswordValidationService.validatePasswordForEntity(PasswordValidationService.java:382)
        at jdk.internal.reflect.GeneratedMethodAccessor3724.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:569)

Environment

SDDC Manager 4.x

SDDC Manager 5.x

Cause

This issue occurs when Lockdown Mode (normal or strict) is enabled on the ESXi host and the service account is not on the host's Exception Users list.

With Lockdown Mode active, the host refuses direct logins from any account that is not an exception user; access is only possible through vCenter Server. SDDC Manager, however, connects to the host directly with the svc-vcf-esxi_shortname credentials. The stack trace above shows that the first step of password validation (checkLockdownModeEnabled, which calls isLockDownModeEnabled) opens exactly such a connection in order to read the host's lockdown state. That connection is rejected, so validation fails before the password itself is ever tested, and remediation cannot return the account to a connected state.

 

Resolution

To resolve the issue, use one of the following approaches:

  1. Disable Lockdown Mode on the affected ESXi hosts.

    OR

  2. Add the service account to the Exception Users list on the ESXi hosts. The account name is host-specific (svc-vcf-esxi_shortname), so add each host's own service account to that host's list.

    To add a user to the exception list, refer to the documentation: Specify Lockdown Mode Exception Users in the VMware Host Client.

Option 2 is the preferred fix: it keeps Lockdown Mode in place and opens direct access only for the single account SDDC Manager needs, whereas disabling Lockdown Mode re-enables direct login for every account on the host. Exception users keep the privileges they already hold on the host; the list does not grant any additional rights.

After applying either change, re-run the remediation for the affected hosts from SDDC Manager so that password validation can complete and the service account is no longer reported as disconnected.
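The following PowerCLI script is an added example; it is not part of this article and not SDDC Manager code. It implements option 2 across every host in a vCenter inventory: it reads each host's lockdown state, checks whether the host's own svc-vcf-<shortname> account is already on the Exception Users list, and, only when run with -Apply, appends it rather than disabling Lockdown Mode. It assumes the VMware.PowerCLI module is installed, a vCenter account with permission to change host access settings, and the svc-vcf-<esxi_shortname> naming shown above; the parameter names $VCenter, $AccountPrefix and -Apply are chosen for this example.

```powershell
# Added example, not from the KB: keep Lockdown Mode on and add the VCF service
# account to each host's Exception Users list. Default is report-only.
param(
    [Parameter(Mandatory)] [string] $VCenter,      # assumption: vCenter FQDN to connect to
    [string] $AccountPrefix = 'svc-vcf-',          # assumption: VCF naming svc-vcf-<shortname>
    [switch] $Apply                                # pass -Apply to actually modify hosts
)

Connect-VIServer -Server $VCenter | Out-Null

foreach ($vmhost in Get-VMHost) {
    # svc-vcf-<esxi_shortname>: short name is the first label of the host FQDN
    $shortName = ($vmhost.Name -split '\.')[0]
    $account   = "$AccountPrefix$shortName"

    # HostAccessManager exposes lockdown state and the exception user list
    $ham  = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
    $mode = $ham.LockdownMode   # lockdownDisabled | lockdownNormal | lockdownStrict

    if ($mode -eq 'lockdownDisabled') {
        Write-Output "$($vmhost.Name): lockdown disabled, nothing to do"
        continue
    }

    $exceptions = @($ham.QueryLockdownExceptions())
    if ($exceptions -contains $account) {
        Write-Output "$($vmhost.Name): $mode, $account is already an exception user"
        continue
    }

    if ($Apply) {
        # UpdateLockdownExceptions replaces the whole list, so append to the existing one
        $ham.UpdateLockdownExceptions($exceptions + $account)
        Write-Output "$($vmhost.Name): $mode, added $account to exception users"
    } else {
        Write-Output "$($vmhost.Name): $mode, $account is NOT an exception user (re-run with -Apply)"
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once without -Apply to get an inventory of hosts where the service account would be refused, review the list, then run it with -Apply. UpdateLockdownExceptions overwrites the list, which is why the script appends to the current entries instead of passing only the new account. Once the hosts are updated, re-run the remediation from SDDC Manager so the password validation that failed in the stack trace above can complete.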