...
Inability to log in: One of the most obvious symptoms of an account issue is the inability to log in to the UAG using the account.

Error messages: When attempting to log in, you may receive error messages indicating that the password has expired or that the account is locked.

Within the UAG logs, which can be gathered as a bundle from the Support Settings section of the admin portal, admin.log contains logging related to the UI, and you can search for log lines related to the account there. Reference: Collecting Logs from the Unified Access Gateway Appliance

admin.log will contain messages similar to the following:

    03/24 13:58:06,138+0000:uag1: Invalid authentication attempt by user admin from X.X.X.X. 10 attempts are remaining
    03/24 13:58:06,730+0000 uag1: Invalid authentication attempt by user admin from X.X.X.X. 9 attempts are remaining
    03/24 13:58:07,293+0000 ERROR config.UAGAuthenticationProvider[authenticate: 123]:uag1: Invalid authentication attempt by user admin from X.X.X.X. 8 attempts are remaining
    03/24 13:58:07,903+0000 uag1: Invalid authentication attempt by user admin from X.X.X.X. 7 attempts are remaining
    .....
    03/24 13:58:10,718+0000 ERROR config.UAGAuthenticationProvider[authenticate: 123]:uag1: Invalid authentication attempt by user admin from X.X.X.X. 2 attempts are remaining
    03/24 13:58:11,286+0000 uag1: Invalid authentication attempt by user admin from X.X.X.X. 1 attempts are remaining
    03/24 13:58:42,851+0000 ERROR config.UAGAuthenticationProvider[authenticate: 123]:uag1: Invalid authentication attempt by user admin from X.X.X.X. 0 attempts are remaining
    03/24 13:58:49,710+0000 ERROR config.UAGAuthenticationProvider[authenticate: 79]: UAG admin account is locked. Please try after 5 mins
    03/24 14:00:52,188+0000 ERROR config.UAGAuthenticationProvider[authenticate: 79]: UAG admin account is locked. Please try after 5 mins
The intent of this knowledge base article is to provide a comprehensive resource for potential issues that you might encounter with Unified Access Gateway (UAG) and appliance accounts.
Potential causes include:

- The password expired. The root password expires 365 days after deploying the OVA file.
- The keyboard in use does not map correctly to the UAG. For example, an en-US locale keyboard has @ as the shifted character on the number 2 key, whereas on an en-UK locale keyboard this value is swapped.
- Password errors at deployment. These could include a manually set password containing a typo, or a password typed on a keyboard with a different locale.
- A password that was never documented internally and is now forgotten.
- A password set when deploying directly from the OVF is not required to meet the minimum criteria. The password should be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character from ! @ # $ % * ( ).

Documentation: Reset the Admin Password using the Unified Access Gateway Console
Reduced functionality: Depending on the UAG configuration, some features or functions may be disabled or limited when the root password has expired. This is done to prevent unauthorized access or changes to the system.

Security risks: Intermittently locked accounts may be user error, but could equally be due to unauthorized users attempting to gain access to the system. Factor this consideration into any on-site investigation of an account issue.

Increased workload: When the root password expires, the system administrator will need to reset the password and update any scripts or processes that rely on the root account. This can be time-consuming and may require additional resources.

Overall, a root password expiry on a UAG can cause inconvenience, security risks, and additional workload for the system administrator. Prevention is better than cure, and it is important to regularly monitor and update passwords to prevent these issues from occurring.
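As an added example that is not part of this article or of the UAG product, the following Python script parses the two admin.log message shapes quoted in the symptoms section above ("Invalid authentication attempt by user ... N attempts are remaining" and "... account is locked") and summarises them per account and source address. It supports the triage point made under Security risks: a lockout caused by one person mistyping looks different from repeated attempts arriving from several sources in a short burst. The sample log lines, the year applied to the timestamps, the lockout-message parsing and the thresholds are constructed assumptions; adjust them to your environment.

```python
"""Triage of UAG admin.log authentication failures.

Added example, not part of the UAG product: it parses the two message shapes
quoted in the article ("Invalid authentication attempt ..." and
"... account is locked") and summarises them per account, so that a lockout
can be separated into "one person mistyping" versus "repeated attempts from
several sources".  Sample lines, thresholds and the log year are constructed
assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed admin.log excerpt in the format the article quotes; the article's
# X.X.X.X placeholders are replaced with documentation-range addresses.
SAMPLE_LOG = """\
03/24 13:58:06,138+0000:uag1: Invalid authentication attempt by user admin from 192.0.2.10. 10 attempts are remaining
03/24 13:58:06,730+0000 uag1: Invalid authentication attempt by user admin from 192.0.2.10. 9 attempts are remaining
03/24 13:58:07,293+0000 ERROR config.UAGAuthenticationProvider[authenticate: 123]:uag1: Invalid authentication attempt by user admin from 198.51.100.7. 8 attempts are remaining
03/24 13:58:07,903+0000 uag1: Invalid authentication attempt by user admin from 198.51.100.7. 7 attempts are remaining
03/24 13:58:42,851+0000 ERROR config.UAGAuthenticationProvider[authenticate: 123]:uag1: Invalid authentication attempt by user admin from 192.0.2.10. 0 attempts are remaining
03/24 13:58:49,710+0000 ERROR config.UAGAuthenticationProvider[authenticate: 79]: UAG admin account is locked. Please try after 5 mins
03/24 14:20:01,000+0000 uag1: Invalid authentication attempt by user helpdesk from 10.0.0.5. 9 attempts are remaining
"""

TS = r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\d{3}\+0000"
FAIL_RE = re.compile(TS + r".*?Invalid authentication attempt by user (?P<user>\S+) "
                     r"from (?P<src>\S+?)\. (?P<remaining>\d+) attempts are remaining")
# Assumption: the word before "account is locked" names the account (the
# article's sample shows "UAG admin account is locked").
LOCK_RE = re.compile(TS + r".*?UAG (?P<user>\S+) account is locked")

LOG_YEAR = 2023                 # admin.log timestamps omit the year (assumption)
RAPID_ATTEMPTS = 5              # heuristic thresholds chosen for this example
RAPID_WINDOW_SECONDS = 60


def parse_ts(ts):
    """Turn the 'MM/DD HH:MM:SS' prefix into a datetime using the assumed year."""
    return datetime.strptime(f"{LOG_YEAR}/{ts}", "%Y/%m/%d %H:%M:%S")


def parse_events(text):
    """Return failure and lockout events found in an admin.log excerpt."""
    events = []
    for line in text.splitlines():
        if m := FAIL_RE.match(line):
            events.append({"kind": "failure", "ts": parse_ts(m["ts"]), "user": m["user"],
                           "src": m["src"], "remaining": int(m["remaining"])})
        elif m := LOCK_RE.match(line):
            events.append({"kind": "lockout", "ts": parse_ts(m["ts"]), "user": m["user"]})
    return events


def summarize(events):
    """Per account: failure count, distinct sources, first/last failure, lockout flag."""
    accounts = defaultdict(lambda: {"attempts": 0, "sources": set(),
                                    "first": None, "last": None, "locked": False})
    for e in events:
        a = accounts[e["user"]]
        if e["kind"] == "lockout":
            a["locked"] = True
            continue
        a["attempts"] += 1
        a["sources"].add(e["src"])
        a["first"] = e["ts"] if a["first"] is None else min(a["first"], e["ts"])
        a["last"] = e["ts"] if a["last"] is None else max(a["last"], e["ts"])
    return dict(accounts)


def classify(account):
    """Heuristic triage of one account's summary.

    A lockout by itself is recorded but not treated as evidence of misuse,
    since the article notes it may simply be user error.  Failures from more
    than one source address, or a burst of failures, are the indicators that
    warrant investigation.
    """
    indicators = []
    if len(account["sources"]) > 1:
        indicators.append(f"failures from {len(account['sources'])} distinct source addresses")
    if account["attempts"] >= RAPID_ATTEMPTS:
        span = (account["last"] - account["first"]).total_seconds()
        if span <= RAPID_WINDOW_SECONDS:
            indicators.append(f"{account['attempts']} failures within {int(span)} seconds")
    return {"verdict": "suspicious" if indicators else "probable-user-error",
            "indicators": indicators, "locked": account["locked"]}


if __name__ == "__main__":
    for user, summary in summarize(parse_events(SAMPLE_LOG)).items():
        result = classify(summary)
        print(f"{user}: {result['verdict']} (locked={result['locked']})")
        for reason in result["indicators"]:
            print("  -", reason)
```

Run it against a real admin.log by replacing SAMPLE_LOG with the file contents; the "remaining attempts" counter it extracts also tells you how close an account is to the configured lockout threshold before it is actually locked.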
Caution during deployment: When you deploy, document your configuration in an appropriate manner so it can be referenced by additional or future team members within your organization.

PowerShell parameters for deploying Unified Access Gateway:

    Parameter                    Description
    osLoginUsername              Custom admin name (disables root if selected)
    PasswordPolicyFailedLockout  The default is 3 attempts and then account lockout
    PasswordPolicyUnlockTime     The default is 15 minutes

Design consideration: Ensure that the principle of least privilege is applied and that only internal / required resources can access the admin interface and SSH. The granularity of this policy varies with each organization; however, as a general recommendation, do not expose the ability to SSH to the device from the internet.

Password minimum criteria: The password should be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character from ! @ # $ % * ( ). On an appliance deployed without these criteria met, adminpwd will return "User admin does not exist".

Password expiry monitoring: Superusers and low-privileged administrators can view the time remaining until password expiry. On the Account Settings page, the "Password expires in (days)" field provides the countdown in days until the date on which the password expires. Each admin user can therefore be aware of their password expiry date and take appropriate action, such as resetting their password.

Keyboard mapping issues: To test that the keyboard is mapping characters correctly, try entering the password in response to the "Login:" username prompt. This allows you to see each password character and may identify where characters are being misinterpreted.
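The minimum password criteria (stated under both the potential causes and the prevention notes above) and the keyboard mapping issue can both be checked before a password is set, rather than discovered after adminpwd fails. The following Python is an added example and not UAG code. Its en-US/en-GB character table is a constructed subset covering the @ / " swap the article describes plus the # key, not a complete keymap, and it lets you see how a password would be received under the other layout without typing it at a login prompt.

```python
"""Pre-deployment checks for a UAG admin password.

Added example, not UAG code.  Two checks the article motivates:
(1) the documented minimum criteria, which the OVF wizard does not enforce
    but adminpwd later depends on, and
(2) whether the password changes when the keys that produce it on an en-US
    layout are pressed while the appliance interprets them as en-GB.
The layout table is a constructed subset of the differences, not a full keymap.
"""

SPECIALS = set("!@#$%*()")   # the special characters the article lists
MIN_LENGTH = 8


def check_policy(password):
    """Return the list of unmet criteria; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character from " + "".join(sorted(SPECIALS)))
    return problems


# Key positions whose shifted character differs between en-US and en-GB.
# Assumption: only the differences relevant to the article's special-character
# set are modelled here.
US_TO_UK = {
    "@": '"',   # shift+2 gives @ on en-US, " on en-GB (the swap the article describes)
    '"': "@",   # shift+' gives " on en-US, @ on en-GB
    "#": "£",   # shift+3 gives # on en-US, £ on en-GB
}


def retype_on_uk_layout(password):
    """What the console receives if the en-US keystrokes for `password` are read as en-GB."""
    return "".join(US_TO_UK.get(c, c) for c in password)


def layout_sensitive(password):
    """True if the password would be altered by the en-US / en-GB mismatch."""
    return retype_on_uk_layout(password) != password


def assess(password):
    """Combine both checks into one report for a candidate password."""
    received = retype_on_uk_layout(password)
    return {
        "policy_problems": check_policy(password),
        "layout_sensitive": layout_sensitive(password),
        "as_received_on_uk_layout": received,
        "policy_problems_as_received": check_policy(received),
    }


if __name__ == "__main__":
    for candidate in ("Summer2023@", "Summer2023!", "Password@", "Ab1@"):
        report = assess(candidate)
        status = "ok" if not report["policy_problems"] else "; ".join(report["policy_problems"])
        print(f"{candidate!r}: policy={status}, layout-sensitive={report['layout_sensitive']}")
```

The interesting case is a password such as Summer2023@ that satisfies the policy as typed on one layout but arrives as Summer2023" on the other, which then fails the special-character rule; choosing specials that sit on the same key in both layouts avoids the mismatch entirely.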
Password resets: Superuser administrators can reset the accounts of lower-level admins: Modify User Account Settings

If no UI-based accounts are known, you can console into the UAG appliance either with SSH or directly through the vCenter console and use the command below to reset the account password. A step-by-step walkthrough of the procedure is available in the documentation: Reset the Admin Password using the Unified Access Gateway Console

    adminpwd

You can also verify the status of the admin account by running this command:

    pam_tally2

Root or OS Login Username password resets: OS Login Username is an option during setup to create a custom sudo user. If you choose to set this option, the root account is deactivated and this custom account replaces the traditional root account. Deploy Unified Access Gateway Using the OVF Template Wizard outlines the details of this configuration option.

Basic procedure:

1. Restart the OS.
2. Press 'e' at the boot menu. Because Photon OS reboots so quickly, you won't have much time to type e. Note: Within the VM appliance properties you can edit the settings and configure a boot delay to help: Edit Settings > VM Options > Boot Options > Boot Delay.
3. Append the following to the end of the line that starts with linux:

       rw init=/bin/bash

   The line should now read:

       linux /boot/$photon_linux root=$rootpartition rw init=/bin/bash

   Important: For a FIPS appliance, the line should be:

       linux /boot/$photon_linux root=$rootpartition rw init=/bin/bash fips=1

Redeployment: Note that if the password is forgotten and you encounter issues with resetting accounts, typically the most efficient resolution is redeployment, and this can be used as an opportunity to update the UAG version to the latest edition compatible with your release of Horizon View.
UAG documentation pages: Troubleshooting Root Login Issues
Photon OS documentation: Resetting a Lost Root Password