Error: "Access to the backup server is denied" and vCenter SFTP backup fails

Article ID: 410602


Products

VMware vCenter Server

Issue/Introduction

  • When attempting to run a vCenter Server Virtual Appliance Management Interface (VAMI) backup using Secure File Transfer Protocol (SFTP), the operation fails with the error: "Access to the backup server is denied. Check your credentials."
  • This error appears even when your username and password are correct.
  • The backup schedule shows the proper SFTP path and credentials.
  • You can connect to the SFTP server using the same credentials from the command line.
  • This failure prevents all backups from completing, leaving your vCenter Server without disaster recovery protection.

Additional symptoms reported:

  • Trying to get a successful backup, keep getting access denied for the destination sftp server.
  • Tested ssh connection to sftp and it was successful.
  • Backup configs save successfully but backups will not run.

Environment

  • vCenter Server 7.0 and later, using VAMI backup with SFTP protocol

Cause

The Secure Shell (SSH) host key for the SFTP server is missing from the vCenter's trusted hosts file. This file is located at `/root/.ssh/known_hosts`.

This occurs when:

  • The SFTP server regenerates its SSH keys
  • The SFTP server is rebuilt or replaced
  • The known_hosts file is cleared
  • Initial backup configuration does not store the host key

Resolution

  1. Log in to the vCenter Server Appliance via SSH as root.

  2. Retrieve the stored backup password from VECS:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store APPLMGMT_PASSWORD --text

    Look for an entry like `location_password_default`. Then retrieve it:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store APPLMGMT_PASSWORD --alias location_password_default --output /tmp/backup_pass.txt

    cat /tmp/backup_pass.txt

    rm /tmp/backup_pass.txt

    Note: Record this password for the following steps.

  3. Test the SFTP connection using the retrieved password:

    curl -u <username>:<retrieved-password> sftp://<server>:22/<path>/ --list-only -v

    Look for: `Did not find host <server> in /root/.ssh/known_hosts`

  4. Clear existing entries for the SFTP server:

    ssh-keygen -R <server>

    ssh-keygen -R <server-ip-address>

  5. Connect to the SFTP server to accept the SSH host key:

    sftp -oPort=22 <username>@<server>

  6. Type `yes` when you see "Are you sure you want to continue connecting (yes/no)?".

  7. Enter the password retrieved in step 2 when prompted. Verify the connection succeeds.

  8. Type `exit` to close the SFTP session.

  9. Verify the connection now works with the stored password. Enter this entire block as one command:

    sshpass -p '<retrieved-password>' sftp -oPort=22 <username>@<server> << EOF
    pwd
    exit
    EOF

  10. Navigate to the vCenter VAMI interface at https://<vcenter-server>:5480.

  11. Retry the backup. The stored password will be used automatically for scheduled backups.
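
Answering `yes` in step 6 trusts whatever host key the server presents at that moment. The script below is an added example, not part of the original article: it writes the key to `known_hosts` only when its fingerprint matches one obtained out of band from the SFTP server's administrator. The function names, the `KNOWN_HOSTS` variable and the choice of the ed25519 key type are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): pin an SFTP server's SSH host key
# only if it matches a fingerprint supplied out of band.
# Usage: sh pin_hostkey.sh <server> <expected SHA256:... fingerprint>
# Assumption: the server offers an ed25519 host key; change -t otherwise.

# Trusted hosts file named in the article; overridable for testing.
KNOWN_HOSTS="${KNOWN_HOSTS:-/root/.ssh/known_hosts}"

# Print the SHA256 fingerprint of one "host keytype base64blob" line.
key_fingerprint() {
    printf '%s\n' "$1" | ssh-keygen -lf - | awk '{print $2}'
}

# Append the key line to a known_hosts file only when the fingerprints agree.
# $1 = key line, $2 = fingerprint computed from it,
# $3 = expected fingerprint, $4 = known_hosts file
pin_if_match() {
    if [ "$2" != "$3" ]; then
        echo "MISMATCH: got '$2', expected '$3'; key not trusted" >&2
        return 1
    fi
    # Do not write a duplicate if the exact line is already present.
    grep -qxF -- "$1" "$4" 2>/dev/null || printf '%s\n' "$1" >> "$4"
}

# Fetch the key the server currently presents on port 22 and pin it if it matches.
pin_host() {
    server=$1
    expected=$2
    line=$(ssh-keyscan -p 22 -t ed25519 "$server" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo "no ed25519 host key received from $server" >&2
        return 2
    fi
    pin_if_match "$line" "$(key_fingerprint "$line")" "$expected" "$KNOWN_HOSTS"
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    pin_host "$1" "$2"
fi
```

The expected fingerprint is what `ssh-keygen -lf` prints on the SFTP server for its host public key (typically `/etc/ssh/ssh_host_ed25519_key.pub` on OpenSSH servers). Once the key is pinned this way, the `sftp` command in step 5 connects without the yes/no prompt.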

Additional Information