VMware Cloud Foundation 4.5

5.2 5.1 5.0 4.5
Deutsch Français Italiano 日本語 English

Configuring Account Lockout Policies in
VMware Cloud Foundation

An account lockout policy defines the behaviour of the system when incorrect credentials are used to authenticate to the system. The settings are different according to the account type and component of the
VMware Cloud Foundation
 instance.
Management Component
Account Lockout Settings
Scope
ESXi
  • Maximum failure attempts
  • Account lockout duration (seconds)
Local user
vCenter Single Sign-On
  • Maximum failure attempts
  • Failed attempt interval (seconds)
  • Account lockout duration (seconds)
vCenter Single Sign-On domain
vCenter Server
  • Maximum failure attempts
  • Account lockout duration (seconds)
  • Root account lockout duration (seconds)
Local user
NSX Manager
  • Maximum failure attempts
  • Account lockout duration (seconds)
  • Account reset duration (seconds)
Local user
NSX Edge
  • Maximum failure attempts
  • Account lockout duration (seconds)
Local user
SDDC Manager
  • Maximum failure attempts
  • Account lockout duration (seconds)
  • Root account lockout duration (seconds)
Local user

Configure the Local Account Lockout Policy for ESXi

Set the maximum number of failed login attempts and the time that must pass before a local account on an ESXi host in
VMware Cloud Foundation
 is automatically unlocked.
Setting
Default Value
Security.AccountLockFailures
5
Security.AccountUnlockTime
900

UI Procedure

  1. Log in to the management domain vCenter Server at
    https://<management_vcenter_server_fqdn>/ui
     by using an account with
    Administrator
     privileges.
  2. In the
    Hosts and clusters
     inventory, expand the management domain vCenter Server tree and expand the management domain data center.
  3. Expand the default management vSphere cluster.
  4. Select the first ESXi host and click the
    Configure
     tab.
  5. In the
    System
     section, click
    Advanced system settings
    .
  6. On the
    Advanced system settings
     page, click
    Edit
    .
  7. In the key filter text box, enter
    Security.AccountLockFailures
     and enter a value according to the requirements of your organization.
  8. In the key filter text box, enter
    Security.AccountUnlockTime
    , enter a value according to the requirements of your organization, and click
    OK
    .
  9. Repeat this procedure on the remaining hosts in the cluster.
  10. Repeat this procedure on the remaining clusters in the management domain.
  11. Repeat this procedure on all clusters in the VI workload domains.

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"
$cluster = "sfo-m01-cl01"

$maxFailures = "5"
$unlockInterval = "900"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-EsxiAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $cluster -failures $maxFailures -unlockInterval $unlockInterval
  4. Repeat this procedure on all remaining clusters in the management domain.
  5. Repeat this procedure on all VI workload domains and their clusters.

Configure the Account Lockout Policy for vCenter Single Sign-On

Set the maximum number of failed login attempts and the interval of time between failures for a user account in the vsphere.local domain in
VMware Cloud Foundation
. Set also the time that must pass before the account is automatically unlocked.
The lockout policy applies only to user accounts in the vCenter Single Sign-On built-in identity provider
vsphere.local
. The policy does not apply to local system accounts and
administrator@vsphere.local
.
Setting
Default Value
Maximum number of failed login attempts
5
Time interval between failures
180 seconds
Unlock time
900 seconds

UI Procedure

  1. Log in to the management domain vCenter Server at
    https://<management_vcenter_server_fqdn>/ui
     by using an account with
    Administrator
     privileges.
  2. From the vSphere Client Menu, select
    Administration
    .
  3. In the
    Single sign on
     section, click
    Configuration
    .
  4. On the
    Configuration
     page, click the
    Local accounts
     tab.
  5. In the
    Lockout policy
     section, click
    Edit
    .
  6. Enter values for the settings according to the requirements of your organization and click
    Save
    .

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$maxFailures = "5"
$failureAttemptInterval = "180"
$unlockInterval = "900"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-SsoAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -failures $maxFailures -failureInterval $failureAttemptInterval -unlockInterval $unlockInterval

Configure the root User Account Lockout Policy for vCenter Server

Set the maximum number of failed login attempts and the time that must pass before the account is automatically unlocked for the
root
 local account in the vCenter Server appliances in
VMware Cloud Foundation
.
Setting
Default Value
Maximum number of failed login attempts
3
Unlock time for root
300 seconds
Unlock time
900 seconds

UI Procedure

  1. Log in to the vCenter Server appliance using SSH as
    root
    .
  2. Enable shell access.
    shell
  3. Back up the authentication requirements for the appliance using the following command. 
    cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth-`date +%F_%H:%M:%S`.back
  4. Change the maximum number of failed attempts using the following command.
    sed -i -E 's/deny=[-]?[0-9]+/deny=<your_value>/g' /etc/pam.d/system-auth
  5. Change the unlock time for the
    root
     account using the following command.
    sed -i -E 's/root_unlock_time=[-]?[0-9]+/root_unlock_time=<your_value>/g' /etc/pam.d/system-auth
  6. Change the unlock time for the root account using the following command.
    sed -i -E 's/unlock_time=[-]?[0-9]+/unlock_time=<your_value>/g' /etc/pam.d/system-auth
  7. Repeat this procedure for each VI workload domain vCenter Server.

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$maxFailures = "5"
$unlockInterval = "900"
$rootUnlockInterval = "300"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-VcenterAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -failures $maxFailures -unlockInterval $unlockInterval -rootUnlockInterval $rootUnlockInterval
  4. Repeat this procedure for each VI workload domain vCenter Server.

Configure the Local User Account Lockout Policy for NSX Manager

Set the maximum number of failed login attempts and the time that must pass before an account is automatically unlocked for the local users of the NSX Manager appliances in
VMware Cloud Foundation
.
Method
Setting
Default Value
API
max-auth-failures
5
lockout-reset-period
180 seconds
lockout-period
900 seconds
CLI
max-auth-failures
5
lockout-period
900 seconds

UI Procedure

  1. Log in to the management domain vCenter Server at
    https://<management_vcenter_server_fqdn>/ui
     by using an account with
    Administrator
     privileges.
  2. In the
    VMs and templates
     inventory, expand the management domain vCenter Server tree and expand the management domain data center.
  3. Expand the VM folder containing the NSX Manager cluster.
  4. Select the first node of the NSX Manager cluster and click
    Launch web console
    .
  5. Log in to the NSX Manager node as
    admin
    .
  6. To configure the account lockout policy for logging in or making an API request to the NSX Manager UI according to your organization's requirements, run the following commands.
    set auth-policy api lockout-period <lockout-period>
set auth-policy api lockout-reset-period <lockout-reset-period>
set auth-policy api max-auth-failures <auth-failures>
  7. To configure the account lockout policy for logging in to the NSX CLI according to your organization's requirements, run the following commands.
    set auth-policy cli lockout-period <lockout-period>
set auth-policy cli max-auth-failures <auth-failures>
  8. Repeat this procedure on the remaining NSX Local Manager nodes in the management domain.
  9. Repeat this procedure on the NSX Local Manager nodes for all VI workload domains.
  10. Repeat this procedure on all NSX Global Manager clusters.

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$cliMaxFailures = "5"
$cliUnlockInterval = "900"
$apiMaxFailures = "5"
$apiUnlockInterval = "900"
$apiFailureInterval = "180"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-NsxtManagerAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cliFailures $cliMaxFailures -cliUnlockInterval $cliUnlockInterval -apiFailures $apiMaxFailures -apiFailureInterval $apiFailureInterval -apiUnlockInterval $apiUnlockInterval
  4. Repeat this procedure for all NSX Local Manager clusters in the VI workload domains.
  5. Configure the account lockout policies on all NSX Global Manager clusters manually in the appliance console of each node.

Configure the Local User Account Lockout Policy for NSX Edge

Set the maximum number of failed login attempts and the time that must pass before an account is automatically unlocked for the local users of the NSX Edge appliances in
VMware Cloud Foundation
 .
Method
Setting
Default Value
CLI
max-auth-failures
5
lockout-period
900 seconds

UI Procedure

  1. If you are configuring an NSX Edge virtual appliance, open the appliance console by using the Web console in the vSphere Client.
    1. Log in to the management domain vCenter Server at
      https://<management_vcenter_server_fqdn>/ui
       by using an account with
      Administrator
       privileges.
    2. In the
      VMs and templates
       inventory, expand the management domain vCenter Server tree and expand the management domain data center.
    3. Expand the VM folder containing the NSX Edge cluster.
    4. Select the first node of the NSX Edge cluster and click
      Launch web console
      .
  2. If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using an out-of-band management interface, such as iLO or iDRAC.
  3. Log in to the NSX Edge node as
    admin
    .
  4. To configure the account lockout policy for logging in to the NSX CLI according to your organization's requirements, run the commands.
    set auth-policy cli lockout-period <lockout-period>
set auth-policy cli max-auth-failures <auth-failures>
  5. Repeat this procedure on the remaining NSX Edge nodes in the management domain.
  6. Repeat this procedure on all NSX Edge nodes in the VI workload domains.

PowerShell Procedure

You can use the PowerShell command for configuring the account lockup policies only on the NSX Edge nodes in
VMware Cloud Foundation
 that are deployed by using SDDC Manager. For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge appliances, configure the policies manually according to the
NSX-T Data Center documentation
.
  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$cliMaxFailures = "5"
$cliUnlockInterval = "900"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-NsxtEdgeAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cliFailures $cliMaxFailures -cliUnlockInterval $cliUnlockInterval
  4. Repeat this procedure for all VI workload domains.

Configure the Local User Account Lockout Policy for SDDC Manager

Set the maximum number of failed login attempts and the time that must pass before an account on the SDDC Manager appliance is automatically unlocked.
Setting
Default Value
Maximum number of failed login attempts
3
Unlock time for root
300 seconds
Unlock time for all local accounts
86400 seconds

UI Procedure

  1. Log in to the SDDC Manager appliance using SSH as
    vcf
    .
  2. Change to the
    root
     user.
    su -
  3. Back up the authentication requirements for the appliance using the following command. 
    cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth-`date +%F_%H:%M:%S`.back
  4. Change the maximum number of failed attempts using the following command.
    sed -i -E 's/deny=[-]?[0-9]+/deny=<your_value>/g' /etc/pam.d/system-auth
  5. Change the unlock time for the
    root
     account using the following command.
    sed -i -E 's/root_unlock_time=[-]?[0-9]+/root_unlock_time=<your_value>/g' /etc/pam.d/system-auth
  6. Change the unlock time for all local accounts using the following command.
    sed -i -E 's/unlock_time=[-]?[0-9]+/unlock_time=<your_value>/g' /etc/pam.d/system-auth
The configuration is applied to all local user accounts on the SDDC Manager appliance.

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

# Replace with the name of your management domain
$sddcDomainName = "sfo-m01"

$rootPass = "VMw@re1!"
$maxFailures = "3"
$unlockInterval = "86400"
$rootUnlockInterval = "300"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-SddcManagerAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -rootPass $rootPass -failures $maxFailures -unlockInterval $unlockInterval -rootUnlockInterval $rootUnlockInterval

Content feedback and comments