vCenter Server incorrectly shows password expiry banner notification for Active Directory users
Article ID: 332301

Products

VMware vCenter Server

Issue/Introduction

  • A password expiry banner notification is displayed for Active Directory users in the vCenter HTML5 client, even though the user's password is not expiring soon.



  • The following entries are observed in /var/log/vmware/sso/ssoAdminServer.log on the vCenter Server:
    YYYY-MM-DDTHH:MM:SS.XXXX INFO ssoAdminServer[1674:pool-2-thread-39] [OpId=q-536742:password-expiration-notification:PrincipalManagerPropertyProvider:449761-nqcw-h5:70194414] [com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] [User {Name: <userName>, Domain: <AD_DOMAIN_NAME>} with role 'Administrator'] Retrieving remaining days until password expiration for own account
    YYYY-MM-DDTHH:MM:SS.XXXX INFO ssoAdminServer[1674:pool-2-thread-39] [OpId=q-536742:password-expiration-notification:PrincipalManagerPropertyProvider:449761-nqcw-h5:70194414] [com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] Vmodl method PrincipalManagementService.getDaysRemainingUntilSelfPasswordExpiration return value is 19



Environment

VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

  • Microsoft Dynamic Access Control is used to set a per-user password expiration.
  • vCenter instead uses the default domain password policy (GPO) to determine the password expiration it displays in the notification.
  • In Active Directory, Microsoft Dynamic Access Control (DAC) and Fine-Grained Password Policies (FGPP) can override the Default Domain Policy for specific users or groups. vCenter, however, queries AD via LDAP only for the Default Domain Policy and does not evaluate DAC/FGPP rules. As a result, the password expiration warning shown in vCenter can differ from the expiration that AD actually enforces.
  • Below is an example workflow for the same:

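The following check is an added example and is not part of this article or of any VMware tooling. It shows, on the Active Directory side, why the banner can be wrong: it derives an expiry date from the Default Domain Policy (the only policy vCenter reads, per the cause above), from the user's resultant fine-grained policy (PSO), and from the expiry date AD itself computes, and prints all three side by side. It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined machine; the account name is a placeholder you supply.

```powershell
# Added verification script (not from the KB): compare the expiry date vCenter would
# derive from the Default Domain Policy with the user's effective AD expiry.
# Assumes: RSAT ActiveDirectory module, domain-joined session, read access to the user.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName   # placeholder, e.g. 'jdoe'
)

Import-Module ActiveDirectory

function Get-ExpiryFromPolicy {
    # Expiry = pwdLastSet + MaxPasswordAge; $null when the policy never expires passwords.
    param([datetime]$PwdLastSet, [TimeSpan]$MaxPasswordAge)
    if ($MaxPasswordAge -eq [TimeSpan]::Zero) { return $null }
    return $PwdLastSet.Add($MaxPasswordAge)
}

function Format-Expiry {
    # Human-readable expiry with days remaining; untyped so $null is accepted.
    param($Expiry, [datetime]$Now)
    if ($null -eq $Expiry) { return 'never' }
    $days = [math]::Floor(($Expiry - $Now).TotalDays)
    return ('{0:u} ({1} days remaining)' -f $Expiry, $days)
}

$user = Get-ADUser -Identity $SamAccountName `
    -Properties pwdLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

if ($user.pwdLastSet -eq 0) {
    Write-Output "$SamAccountName must change password at next logon; no expiry to compare."
    return
}

$defaultPolicy = Get-ADDefaultDomainPasswordPolicy

# A PSO (fine-grained policy) overrides the default policy when one applies to the user;
# when none applies the cmdlet returns nothing and the default policy is the effective one.
$effectivePolicy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction SilentlyContinue
if (-not $effectivePolicy) { $effectivePolicy = $defaultPolicy }

$now        = (Get-Date).ToUniversalTime()
$pwdLastSet = [datetime]::FromFileTimeUtc($user.pwdLastSet)

$fromDefault   = Get-ExpiryFromPolicy -PwdLastSet $pwdLastSet -MaxPasswordAge $defaultPolicy.MaxPasswordAge
$fromEffective = Get-ExpiryFromPolicy -PwdLastSet $pwdLastSet -MaxPasswordAge $effectivePolicy.MaxPasswordAge

# msDS-UserPasswordExpiryTimeComputed is what AD enforces; Int64.MaxValue means "never".
$computedRaw = $user.'msDS-UserPasswordExpiryTimeComputed'
$fromAd = if ($user.PasswordNeverExpires -or -not $computedRaw -or $computedRaw -eq [Int64]::MaxValue) {
    $null
} else {
    [datetime]::FromFileTimeUtc($computedRaw)
}

[pscustomobject]@{
    User                       = $SamAccountName
    PasswordLastSet            = $pwdLastSet.ToString('u')
    EffectivePolicyName        = $effectivePolicy.Name
    ExpiryPerDefaultPolicy     = Format-Expiry -Expiry $fromDefault   -Now $now   # what vCenter shows
    ExpiryPerEffectivePolicy   = Format-Expiry -Expiry $fromEffective -Now $now
    ExpiryComputedByAD         = Format-Expiry -Expiry $fromAd        -Now $now
}

if ($fromDefault -ne $fromAd) {
    Write-Warning 'Default Domain Policy and AD-computed expiry differ: the vCenter banner will be misleading for this user.'
}
```

Run it as `.\Compare-PasswordExpiry.ps1 -SamAccountName jdoe` (file name is your choice). When `ExpiryPerDefaultPolicy` and `ExpiryComputedByAD` disagree, the user is covered by a DAC/FGPP override that vCenter does not read, which is the condition this article describes.
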
Resolution

Currently, there is no resolution. vCenter does not take Microsoft Dynamic Access Control into account when determining password expiration, so the banner reflects the default domain policy rather than the user's effective policy and can therefore be misleading.

Workaround:
The notification can be switched off by setting the default expiration time to 0.

Note: Be aware that this change will also switch off the notification for local SSO users.