“Cannot complete login due to an expired password” error during automated or manual tasks from vCenter.

Article ID: 426664

Updated On:

Products

VMware vSphere ESXi
VMware vCenter Server

Issue/Introduction

  • After modifying the following advanced settings, operations such as vMotion, HA configuration, VM deployments and backups fail with a password expiration error:

    • Advanced settings on the ESXi host:
      Configure > Advanced System Settings > Security.PasswordMaxDays
    • Advanced settings on vCenter Server:
      Configure > Advanced Settings > VirtualCenter.VimPasswordExpirationInDays

  • Logs on vCenter Server (/var/log/vmware/vpxd/vpxd.log) report errors similar to:

YYYY-MM_DDThh:mm:ss info vpxd[06466] [Originator@6876 sub=vmomi.soapStub[35733]] SOAP request returned HTTP failure; <SSL(<io_obj p:0x00007fe23c73ed20, h:61, <TCP '<VC-IP addr> : 44210'>, <TCP '<ESXi IP addr> : 443'>>), /sdk>, method: login; code: 500(Internal Server Error); fault: (vim.fault.PasswordExpired) {
-->    faultCause = (vmodl.MethodFault) null,
-->    faultMessage = <unset>
-->    msg = "Received SOAP response fault from [<SSL(<io_obj p:0x00007fe23c73ed20, h:61, <TCP '<VC-IP addr> : 44210'>, <TCP '<ESXi IP addr> : 443'>>), /sdk>]: login
--> Cannot complete login due to expired password."
--> }
YYYY-MM_DDThh:mm:ss error vpxd[06466] [Originator@6876 sub=VpxdVlf] Exception in VLF: N3Vim5Fault15PasswordExpired9ExceptionE(Fault cause: vim.fault.PasswordExpired

  • Logs on the ESXi host (/var/run/log/hostd.log) report errors similar to:

YYYY-MM_DDThh:mm:ss Db(167) Hostd[2099084]: [Originator@6876 sub=Solo.Vmomi] Arg userName:
YYYY-MM_DDThh:mm:ss Db(167) Hostd[2099039]: --> "vpxuser"
YYYY-MM_DDThh:mm:ss Db(167) Hostd[2099084]: [Originator@6876 sub=Solo.Vmomi] Arg password:
YYYY-MM_DDThh:mm:ss Db(167) Hostd[2099039]: --> (not shown)
YYYY-MM_DDThh:mm:ss Db(167) Hostd[2099039]: -->
YYYY-MM_DDThh:mm:ss Db(167) Hostd[2099084]: [Originator@6876 sub=Solo.Vmomi] Arg locale:
YYYY-MM_DDThh:mm:ss Db(167) Hostd[2099039]: --> "en"
YYYY-MM_DDThh:mm:ss In(166) Hostd[2099084]: [Originator@6876 sub=Solo.Vmomi] Throw vim.fault.PasswordExpired
YYYY-MM_DDThh:mm:ss In(166) Hostd[2099084]: [Originator@6876 sub=Solo.Vmomi] Result:
YYYY-MM_DDThh:mm:ss In(166) Hostd[2099039]: --> (vim.fault.PasswordExpired) {
YYYY-MM_DDThh:mm:ss In(166) Hostd[2099039]: -->    msg = "",
YYYY-MM_DDThh:mm:ss In(166) Hostd[2099039]: --> }
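
To confirm from hostd.log that the expired account is vpxuser rather than another local user, the login arguments can be correlated with the fault that follows them. This is an added example, not part of the original article or of VMware tooling; the sample lines and their timestamps are constructed in the layout shown above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the hostd.log layout shown above (timestamps invented).
SAMPLE = """\
2024-05-01T02:00:01.101Z Db(167) Hostd[2099084]: [Originator@6876 sub=Solo.Vmomi] Arg userName:
2024-05-01T02:00:01.101Z Db(167) Hostd[2099039]: --> "vpxuser"
2024-05-01T02:00:01.101Z Db(167) Hostd[2099084]: [Originator@6876 sub=Solo.Vmomi] Arg password:
2024-05-01T02:00:01.101Z Db(167) Hostd[2099039]: --> (not shown)
2024-05-01T02:00:01.102Z In(166) Hostd[2099084]: [Originator@6876 sub=Solo.Vmomi] Throw vim.fault.PasswordExpired
2024-05-01T02:03:10.500Z Db(167) Hostd[2099084]: [Originator@6876 sub=Solo.Vmomi] Arg userName:
2024-05-01T02:03:10.500Z Db(167) Hostd[2099039]: --> "root"
2024-05-01T02:03:10.501Z In(166) Hostd[2099084]: [Originator@6876 sub=Solo.Vmomi] Throw vim.fault.InvalidLogin
2024-05-01T02:05:01.900Z Db(167) Hostd[2099084]: [Originator@6876 sub=Solo.Vmomi] Arg userName:
2024-05-01T02:05:01.900Z Db(167) Hostd[2099039]: --> "vpxuser"
2024-05-01T02:05:01.901Z In(166) Hostd[2099084]: [Originator@6876 sub=Solo.Vmomi] Throw vim.fault.PasswordExpired
"""

ARG_USER = re.compile(r"\bArg userName:\s*$")
ARG_VALUE = re.compile(r'-->\s*"([^"]*)"\s*$')  # continuation line holding the value
THROW = re.compile(r"\bThrow (vim\.fault\.\w+)\s*$")


def expired_logins(lines):
    """Return [(timestamp, user)] for every login that threw PasswordExpired."""
    events, user, want_value = [], None, False
    for line in lines:
        if ARG_USER.search(line):
            user, want_value = None, True  # the name follows on the next line
        elif want_value:
            m = ARG_VALUE.search(line)
            user, want_value = (m.group(1) if m else None), False
        elif m := THROW.search(line):
            if m.group(1) == "vim.fault.PasswordExpired":
                events.append((line.split(" ", 1)[0], user or "<unknown>"))
            user = None  # this login attempt is finished either way
    return events


def summarize(lines):
    """Count expired-password login faults per account name."""
    return Counter(user for _, user in expired_logins(lines))


if __name__ == "__main__":
    for ts, user in expired_logins(SAMPLE.splitlines()):
        print(ts, user)
```

A count dominated by vpxuser matches the condition described under Cause; other account names indicate an expired local user that is unrelated to vCenter's password rotation.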

Environment

vCenter Server 8.x
vSphere ESXi 8.x

Cause

The issue is caused by a mismatch in password expiration settings: VirtualCenter.VimPasswordExpirationInDays on vCenter is equal to or greater than the Security.PasswordMaxDays setting on ESXi, which leads to expired vpxuser credentials and failed authentication attempts.

Resolution

To avoid this issue, always ensure "VirtualCenter.VimPasswordExpirationInDays" is set to a smaller value than "Security.PasswordMaxDays".

  • Take a snapshot of vCenter Server

  • Navigate to: vCenter > Configure > Advanced Settings

  • Set VirtualCenter.VimPasswordExpirationInDays to a value lower than Security.PasswordMaxDays

  • Restart the vpxd service for the change to take effect (service-control --restart vpxd)

As a workaround, disconnect and reconnect the affected ESXi host from vCenter.

Additional Information

https://knowledge.broadcom.com/external/article/320773

  • The following command checks the last password update timestamp for ESXi hosts in the vCenter database:

VCDB=# select dns_name,password_last_upd_dt, maintenance_mode from vpx_host where dns_name like '%hostname%' order by password_last_upd_dt;

  • This issue occurs when VirtualCenter.VimPasswordExpirationInDays is configured with a value equal to or greater than Security.PasswordMaxDays.
    The Security.PasswordMaxDays setting controls the maximum age of the vpxuser password on the ESXi host. When this value is reached, the vpxuser password expires.
    The VirtualCenter.VimPasswordExpirationInDays setting instructs vCenter Server to check the age of the vpxuser password once per day and reset it if the password age exceeds the configured value.
    If both settings are configured with the same value, or if VirtualCenter.VimPasswordExpirationInDays is greater than Security.PasswordMaxDays, the vpxuser password on the ESXi host may expire before vCenter Server has an opportunity to reset it. This condition can result in authentication failures and related service disruptions.
    To prevent this issue, VirtualCenter.VimPasswordExpirationInDays must always be set to a lower value than Security.PasswordMaxDays, ensuring that vCenter Server can rotate the vpxuser password before it expires on the ESXi host.