Consecutive login failures for user xxxx account temporarily locked

Article ID: 410462

Products

VMware vCenter Server 8.0

Issue/Introduction

An account on VCSA 8.x is locked.

The journal (journalctl) contains error messages about the locked account:

    Consecutive login failures for user xxx account temporarily locked

To find them, export the journal for the current boot and search it:

# journalctl -b 0 > journalctl_-b--0.txt

# cat journalctl_-b--0.txt | grep "Consecutive login failures for user"

Environment

vCenter 8.0.x

Cause

There are two possible causes:

1) The localos user account was locked after 3 failed logins within 15 minutes.

   Follow KB 390131 to find the IP address from which the failed connections were launched.

2) In vCenter 8.0 versions from GA to 8.0U3e, there is a known issue with /etc/pam.d/system-auth that requires a change to the PAM settings.

   This issue has been fixed in vCenter 8.0 U3g.

Resolution

1) Check the current settings:

$ cat system-auth
# Begin /etc/pam.d/system-auth
auth    required      pam_faillock.so preauth
auth    required      pam_unix.so
auth    required      pam_faillock.so authfail
auth    optional      pam_faildelay.so delay=4000000
# End /etc/pam.d/system-auth

 

2) Change it to:

# Begin /etc/pam.d/system-auth
auth    required      pam_faillock.so preauth
auth    sufficient    pam_unix.so                        # Exit if returns success
auth    required      pam_faillock.so authfail           # Else, record failure
auth    optional      pam_faildelay.so delay=4000000
auth    required      pam_deny.so                        # For failed auths/pam_unix, convert pam_faillock's return value of ignore to login failed.
# End /etc/pam.d/system-auth

 

The fix corrects the vCenter-provided PAM configuration so that the failed login count is incremented only on failed logins.

This is done by changing two lines in the PAM configuration:

a) Change the pam_unix line prefix from required to sufficient.

From:

    auth    required      pam_unix.so

To:

    auth    sufficient    pam_unix.so

b) Append a deny line at the end.

    auth    required      pam_deny.so
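To confirm which of the two layouts a given system-auth file has, the following added example (not part of the original article and not a VMware tool) classifies the auth stack. The function name check_system_auth, the output labels and the temporary sample files are assumptions of this example; the sample contents are the two configurations shown above.

```shell
#!/bin/sh
# Added example: classify the auth stack of a PAM file.
#   affected - pam_unix.so is "required" ahead of pam_faillock.so authfail
#   fixed    - pam_unix.so is "sufficient" and a required pam_deny.so follows authfail
#   review   - anything else (for example only one of the two changes applied)
# check_system_auth is a hypothetical helper name.
check_system_auth() {
    awk '
        { sub(/#.*/, "") }                          # drop full-line and inline comments
        $1 != "auth" || NF < 3 { next }             # only complete auth entries
        { module = $3; sub(/.*\//, "", module) }    # tolerate absolute module paths
        module == "pam_unix.so" { unix_ctl = $2; unix_line = NR }
        module == "pam_faillock.so" && /authfail/ { fail_line = NR }
        module == "pam_deny.so" && $2 == "required" { deny_line = NR }
        END {
            ordered = (unix_line && unix_line < fail_line)
            if (ordered && unix_ctl == "sufficient" && deny_line > fail_line)
                print "fixed"
            else if (ordered && unix_ctl == "required")
                print "affected"
            else
                print "review"
        }
    ' "$1"
}

# Sample files written to a temporary directory so the check runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/before" <<'EOF'
# Begin /etc/pam.d/system-auth
auth    required      pam_faillock.so preauth
auth    required      pam_unix.so
auth    required      pam_faillock.so authfail
auth    optional      pam_faildelay.so delay=4000000
# End /etc/pam.d/system-auth
EOF
cat > "$demo_dir/after" <<'EOF'
# Begin /etc/pam.d/system-auth
auth    required      pam_faillock.so preauth
auth    sufficient    pam_unix.so                # Exit if returns success
auth    required      pam_faillock.so authfail   # Else, record failure
auth    optional      pam_faildelay.so delay=4000000
auth    required      pam_deny.so
# End /etc/pam.d/system-auth
EOF

echo "before: $(check_system_auth "$demo_dir/before")"
echo "after:  $(check_system_auth "$demo_dir/after")"
```

On an appliance, pass the path of the live file (/etc/pam.d/system-auth) or of a copy to check_system_auth instead of the sample files.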