Reset AVI Controller Admin User Login when credentials have expired and Basic Authentication option is not enabled



Article ID: 420704


Products

VMware Avi Load Balancer

Issue/Introduction

This article addresses a specific issue where the local 'admin' user on an AVI Controller cannot log in to the UI because its credentials have expired once the credentials_timeout_threshold period has elapsed.

The Controller has no other Local/LDAP users configured who can access or modify the configuration.

Environment

Avi controller Authentication 

Local user 'admin' password expired

No other local users are present to access/modify the configuration.

Cause

The root cause of this issue is the expiration of the local 'admin' user's password, as defined by the credentials_timeout_threshold parameter within the Default-User-Account-Profile.

The provided profile snippet confirms "credentials_timeout_threshold": 180, meaning the password for local accounts associated with this profile expires every 180 days.

Resolution

To resolve this issue, change the admin user password using an API call.

If the "Allow Basic Authentication" option under system settings is not enabled, the procedure in KB "AVI Controller Admin User Login Fails Due to Users credentials have expired" will not work. Follow the procedure below to reset the admin credentials.

Run these commands from any machine that can reach the Controller IP address and can run curl (they can also be run from a non-leader Controller node).

Step-1: Log in to the Controller CLI as the admin user (you will still be blocked from shell commands immediately after login, but this initial login is required for sudo)

admin@:~$ sudo -i
[sudo] password for admin: <Enter-Current-Admin-Password>

 

Step-2: Run the curl command to get the session ID, cookie and csrf token values.

curl -k -c cookies.txt -e "https://<controller-leader-ip>/" -X POST  --data "username=admin&password=Password" "https://<controller-leader-ip>/login"  -H "X-Avi-Version: <controller-version>" --insecure

 

Step-3: Check that a file named "cookies.txt" exists in the current folder and contains data like the below. Copy the csrftoken value from the "cookies.txt" file.

# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_##.##.#.##   FALSE   /       TRUE    1764773914      refreshtoken    None
#HttpOnly_##.##.#.##   FALSE   /       TRUE    1764773914      accesstoken     None
#HttpOnly_##.##.#.##   FALSE   /       TRUE    1764773914      sessionid       ##############################
#HttpOnly_##.##.#.##   FALSE   /       TRUE    1764773914      avi-sessionid   ##############################
##.#.#.#     FALSE   /       TRUE    1796137114      csrftoken       ##############################

 

Step-4: Please run the below curl command after updating the required details.

curl -k -b cookies.txt -e "https://<controller-leader-ip>/" -X PUT "https://<controller-leader-ip>/api/useraccount" --insecure -H "Content-Type: application/json" -H "X-Api-Version: <controller-version>" -H "X-CSRFToken: <csrf-token-copied-from-above>" -H "Referer: https://<controller-leader-ip>/" -d '{"full_name":"System Administrator","name":"admin","username":"admin","email":"<email-id>","local":true,"is_superuser":true,"old_password":"########","password":"########","confirm_password":"########"}' -vvv

 

If the curl command returns an HTTP 200 response, the admin credentials have been changed successfully.

*   Trying ##.##.#.##:443...
* Connected to ##.##.#.## (##.##.#.##) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=#######
*  start date: #############
*  expire date: ############
*  issuer: C=##; ST=####; L=###; O=#######; OU=#########; CN=########
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://##.##.#.##/api/useraccount
* [HTTP/2] [1] [:method: PUT]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: ##.##.#.##]
* [HTTP/2] [1] [:path: /api/useraccount]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
* [HTTP/2] [1] [cookie: avi-sessionid=##################; refreshtoken=None; accesstoken=None; csrftoken=##################; sessionid=##################]
* [HTTP/2] [1] [content-type: application/json]
* [HTTP/2] [1] [x-api-version: 30.2.3]
* [HTTP/2] [1] [x-csrftoken: ##################]
* [HTTP/2] [1] [referer: https://##.##.#.##/]
* [HTTP/2] [1] [content-length: 211]
> PUT /api/useraccount HTTP/2
> Host: ##.##.#.##
> User-Agent: curl/8.7.1
> Accept: */*
> Cookie: avi-sessionid=##################; refreshtoken=None; accesstoken=None; csrftoken=##################; sessionid=##################
> Content-Type: application/json
> X-Api-Version: 30.2.3
> X-CSRFToken: ##################
> Referer: https://##.##.#.##/
> Content-Length: 211
> 
* upload completely sent off: 211 bytes
< HTTP/2 200 
< date: Wed, 03 Dec 2025 08:00:21 GMT
< content-type: application/json; charset=utf-8
< content-length: 4
* Replaced cookie avi-sessionid="##################" for domain ##.##.#.##, path /, expire 1764835658
< set-cookie: avi-sessionid=##################; Path=/; Expires=###, 04 ######## GMT; Max-Age=86400; HttpOnly; Secure; SameSite=None
* Replaced cookie sessionid="##################" for domain ##.##.#.##, path /, expire ######
< set-cookie: sessionid=##################; Path=/; Expires=###, ########## GMT; Max-Age=86400; HttpOnly; Secure; SameSite=None
* Replaced cookie accesstoken="None" for domain ##.##.#.##, path /, expire ######
< set-cookie: accesstoken=None; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=None
* Replaced cookie refreshtoken="None" for domain ##.##.#.##, path /, expire ########
< set-cookie: refreshtoken=None; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=None
< vary: Cookie
< cache-control: private, no-cache, must-revalidate
< x-request-id: ###################
< strict-transport-security: max-age=31536000; includeSubdomains
< x-frame-options: SAMEORIGIN
< vary: Origin
< access-control-allow-credentials: true
< access-control-allow-methods: GET
< access-control-allow-headers: Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With,X-Avi-Tenant,X-Avi-UserAgent,X-Avi-Tenant-UUID,X-CSRFToken,X-PORTAL-AUTHTOKEN
< referrer-policy: strict-origin
< x-content-type-options: nosniff
< content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:;
< x-xss-protection: 1; mode=block
< access-control-expose-headers: X-NEXT-CALL
< 
* Connection #0 to host ##.##.#.## left intact
null%
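
The manual copy in Step-3 can be scripted. The following is an added example, not part of the original article: it parses the cookie jar that curl writes in Step-2, including the "#HttpOnly_" rows that look like comments but carry the session cookies, and confirms that both sessionid and csrftoken are present before Step-4 is attempted. The function names, the 192.0.2.10 address and the cookie values are constructed placeholders.

```shell
#!/bin/sh
# Added example: read values out of the curl cookie jar written in Step-2.

# Print the value of cookie $2 from Netscape-format jar $1; exit 1 if absent.
cookie_value() {
    awk -F '\t' -v name="$2" '
        { sub(/\r$/, "") }                        # tolerate CRLF jars
        /^#HttpOnly_/ { sub(/^#HttpOnly_/, "") }  # HttpOnly rows are data, not comments
        /^#/ || NF < 7 { next }                   # real comments, blank or short lines
        $6 == name { print $7; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Succeed only if the jar holds what Step-4 needs: a session cookie and a CSRF token.
jar_ready() {
    for c in sessionid csrftoken; do
        v=$(cookie_value "$1" "$c") || { echo "missing cookie: $c" >&2; return 1; }
        [ -n "$v" ] || { echo "empty cookie: $c" >&2; return 1; }
    done
}

# Constructed sample jar (placeholder address and values, tab-separated as curl writes it).
demo_jar=$(mktemp)
{
    printf '# Netscape HTTP Cookie File\n\n'
    printf '#HttpOnly_192.0.2.10\tFALSE\t/\tTRUE\t1764773914\taccesstoken\tNone\n'
    printf '#HttpOnly_192.0.2.10\tFALSE\t/\tTRUE\t1764773914\tsessionid\tSESSION-PLACEHOLDER\n'
    printf '192.0.2.10\tFALSE\t/\tTRUE\t1796137114\tcsrftoken\tCSRF-PLACEHOLDER\n'
} > "$demo_jar"

if jar_ready "$demo_jar"; then
    CSRF=$(cookie_value "$demo_jar" csrftoken)
    echo "X-CSRFToken: $CSRF"   # value for the X-CSRFToken header in Step-4
fi
rm -f "$demo_jar"   # a real jar holds live admin session cookies; delete it when done
```

Against a real jar, call jar_ready cookies.txt after Step-2; a "missing cookie" message means the login POST did not establish a session and Step-4 should not be run yet.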

Additional Information

If the admin account is locked and the "Allow Basic Authentication" setting is enabled, use KB "AVI Controller Admin User Login Fails Due to Users credentials have expired" to reset the password.