Launching soon: The world's first vendor agnostic bug scrubLearn more & join waitlist
OPERATIONAL DEFECT DATABASE
...
...
When attempting to rotate,update,or remediate a password for a NSX-T component in the SDDC Manager UI, you get the following error, "Password management operation failed" In the operationsmanager.log we see similar errors: 2023-03-28T20:29:42.487+0000 DEBUG [vcf_om,e76c9c17e51fce97,50f3] [c.v.v.p.helper.NsxtApiUtil,om-exec-5] Failed to get NSXT user details : {"module_name":"com mon-services","error_message":"The credentials were incorrect or the account specified has been locked.","error_code":403} with status : 2023-03-28T20:29:42.509+0000 ERROR [vcf_om,e76c9c17e51fce97,50f3] [c.v.v.p.u.c.AbstractPasswordChanger,om-exec-5] The credentials were incorrect or the accoun t specified has been locked. com.vmware.vcf.passwordmanager.exception.PasswordUpdateException: The credentials were incorrect or the account specified has been loc
The purpose of this document is to help troubleshoot failed credential operations with NSX-T Components.
This issue could be caused by the following:NSX-T passwords have expired.NSX-T passwords have been changed manually outside of SDDC.
Pull the most recent passwords from the SDDC Manager lookup_passwordsAPI Explorer Steps for the NSX-T ManagersOnly need to be performed on one manager per cluster. 1.Log into the NSX-T manager as root.(Either from a console window or SSH)2. Clear password history echo "" >/etc/security/opasswd 3. Run the command /etc/init.d/nsx-mp-api-server stop 4.Set the password(s) to match what is present in SDDC DB. passwdpasswd adminpasswd audit 5. Run the command. touch /var/vmware/nsx/reset_cluster_credentials 6. Run the command. /etc/init.d/nsx-mp-api-server start 7.Verify the accounts are not locked out with pam_tally2 pam_tally2 -u root -rpam_tally2 -u admin -rpam_tally2 -u audit -r 8.Retry the credential operation from the SDDC Manager UI. Steps for the NSX-T Edges1.Log into the NSX-T edge as root.(Either from a console window or SSH)2. Clear password history echo "" >/etc/security/opasswd 3. Run the command /etc/init.d/nsx-edge-api-server stop 4.Set the password(s) to match what is present in SDDC DB. passwdpasswd adminpasswd audit 5. Run the command. touch /var/vmware/nsx/reset_cluster_credentials 6. Run the command. /etc/init.d/nsx-edge-api-server start 7.Verify the accounts are not locked out with pam_tally2 pam_tally2 -u root -rpam_tally2 -u admin -r 8.Retry the credential operation from the SDDC Manager UI. Steps to change password expiration on NSX-T edges and Managers: 1.Connect to the NSX-T Manager or NSX-T Edge with the admin account.You can elevate to admin from a root connection with su admin.2.Reset the expiration period.You can set the expiration period for between 1 and 9999 days. nsxtmgr> set user admin password-expiration 9999 nsxtmgr> set user audit password-expiration 9999 nsxtmgr> set user root password-expiration 9999
Check to see if there's any locks: curl http://localhost/locks | json_pp > releaseLock.json curl -X PUT -H "Content-Type:application/json" http://localhost/locks -d @releaseLock.json =============================================================SDDC Manager unable to perform any password operations on NSX-T Managers, with the error: {"module_name":"common-services","error_message":"The credentials were incorrect or the account specified has been locked.","error_code":403} (88561)============================================================= If the password has expired and you're not able to reset it from the CLI/Console you'll have to reset it from the GRUB: https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-8816B842-2EC4-40A8-A618-F68DB29FABD2.html=============================================================SDDC Manager password operations are not allowed because of a failed password task (90716)