OPERATIONAL DEFECT DATABASE
...
...
When attempting to rotate,update,or remediate a password for a NSX-T component in the SDDC Manager UI, you get the following error, "Password management operation failed" In the operationsmanager.log we see similar errors: 2023-03-28T20:29:42.487+0000 DEBUG [vcf_om,e76c9c17e51fce97,50f3] [c.v.v.p.helper.NsxtApiUtil,om-exec-5] Failed to get NSXT user details : {"module_name":"com mon-services","error_message":"The credentials were incorrect or the account specified has been locked.","error_code":403} with status : 2023-03-28T20:29:42.509+0000 ERROR [vcf_om,e76c9c17e51fce97,50f3] [c.v.v.p.u.c.AbstractPasswordChanger,om-exec-5] The credentials were incorrect or the accoun t specified has been locked. com.vmware.vcf.passwordmanager.exception.PasswordUpdateException: The credentials were incorrect or the account specified has been loc
The purpose of this document is to help troubleshoot failed credential operations with NSX-T Components.
This issue could be caused by the following:NSX-T passwords have expired.NSX-T passwords have been changed manually outside of SDDC.
Pull the most recent passwords from the SDDC Manager lookup_passwordsAPI Explorer Steps for the NSX-T ManagersOnly need to be performed on one manager per cluster. 1.Log into the NSX-T manager as root.(Either from a console window or SSH)2. Clear password history echo "" >/etc/security/opasswd 3. Run the command /etc/init.d/nsx-mp-api-server stop 4.Set the password(s) to match what is present in SDDC DB. passwdpasswd adminpasswd audit 5. Run the command. touch /var/vmware/nsx/reset_cluster_credentials 6. Run the command. /etc/init.d/nsx-mp-api-server start 7.Verify the accounts are not locked out with pam_tally2 pam_tally2 -u root -rpam_tally2 -u admin -rpam_tally2 -u audit -r 8.Retry the credential operation from the SDDC Manager UI. Steps for the NSX-T Edges1.Log into the NSX-T edge as root.(Either from a console window or SSH)2. Clear password history echo "" >/etc/security/opasswd 3. Run the command /etc/init.d/nsx-edge-api-server stop 4.Set the password(s) to match what is present in SDDC DB. passwdpasswd adminpasswd audit 5. Run the command. touch /var/vmware/nsx/reset_cluster_credentials 6. Run the command. /etc/init.d/nsx-edge-api-server start 7.Verify the accounts are not locked out with pam_tally2 pam_tally2 -u root -rpam_tally2 -u admin -r 8.Retry the credential operation from the SDDC Manager UI. Steps to change password expiration on NSX-T edges and Managers: 1.Connect to the NSX-T Manager or NSX-T Edge with the admin account.You can elevate to admin from a root connection with su admin.2.Reset the expiration period.You can set the expiration period for between 1 and 9999 days. nsxtmgr> set user admin password-expiration 9999 nsxtmgr> set user audit password-expiration 9999 nsxtmgr> set user root password-expiration 9999
Check to see if there's any locks: curl http://localhost/locks | json_pp > releaseLock.json curl -X PUT -H "Content-Type:application/json" http://localhost/locks -d @releaseLock.json =============================================================SDDC Manager unable to perform any password operations on NSX-T Managers, with the error: {"module_name":"common-services","error_message":"The credentials were incorrect or the account specified has been locked.","error_code":403} (88561)============================================================= If the password has expired and you're not able to reset it from the CLI/Console you'll have to reset it from the GRUB: https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-8816B842-2EC4-40A8-A618-F68DB29FABD2.html=============================================================SDDC Manager password operations are not allowed because of a failed password task (90716)
Click on a version to see all relevant bugs
VMware Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.
