We had an interesting issue in class last night. Students were not able to connect to the vCenter Virtual Server Appliance 5.0 with the vSphere Client when authenticating with their Active Directory user. The error that was displayed when logging in was – “Cannot complete login due to an incorrect user name or password.” The root user could login without issue.
We did some quick testing and everything with AD seemed fine. We checked to make sure the account was not locked or disabled, reset the users’ password, and authenticated successfully using the username against another resource.
I did some searching around the VMware KB and found this http://kb.vmware.com/kb/2008986
If the active directory user has 3 failed login attempts against the vCenter Server Appliance they will be denied login access, even if they are not locked out of AD they will not be able to access the vCenter Server. Once the user has made 3 failed login attempts against the vCenter Server Appliance the counter of failed login attempts for the user must be reset before the user will be allowed access. The following command is run as root on the vCenter Server Virtual Appliance to reset the count of failed login attempts for a user:
/sbin/pam_tally –user user@domain –reset
The KB has some more information on the issue, including a script you can use to determine the number of failed attempts for each user.
I had not run into this issue before and until I had it happen I had never read anything about it. If you experience an issue with a user not being able to log into the vCenter Server Virtual Appliance this may be the cause.
I have not had time to do much digging yet so I am not sure if there is a way to increase the number of failed attempts before a user is denied access or to configure a lock out period (or if there is a lock out period). If anyone has any details on the configuration possibilities of this please feel free to share. Thanks!
@lamw responded with a great post on Changing the VCSA Failed Login Attempt & Lock Out Period.