Changes made to the deny value in /etc/applmgmt/appliance/faillock.conf on the vCenter Server Appliance (VCSA) are not applied to the Virtual Appliance Management Interface (VAMI) for local accounts other than the default root user. Even if the threshold is increased (e.g., from 3 to 5) and the applmgmt service is restarted, local non-built-in accounts remain locked after 3 failed login attempts.
For the root account specifically, the lockout policy is governed by the configuration described in KB 409895, under which a modified deny value in faillock.conf takes effect for the root user across services. However, the same steps do not provide this flexibility for other local users created on the appliance.
VMware vCenter Server 7.x
VMware vCenter Server 8.x
VMware vCenter Server 9.x
The cause is a hard-coded security specification within the VAMI (applmgmt) authentication module. While the appliance's underlying OS uses faillock.conf for SSH and console access, VAMI enforces a fixed maximum login failure count for any local account that is not a "built-in" system account. This threshold is hard-coded and is not affected by manual edits to PAM or faillock configuration files.
This is the designed behavior of the VAMI authentication service. There is currently no supported method to modify the login failure threshold for local non-built-in accounts within VAMI.