An account lockout policy defines the behaviour of the system when incorrect credentials are used to authenticate to the system. The settings are different according to the account type and component of the VMware Cloud Foundation instance.

Management Component Account Lockout Settings Scope
ESXi
  • Maximum failure attempts
  • Account lockout duration (seconds)
Local user
vCenter Single Sign-On
  • Maximum failure attempts
  • Failed attempt interval (seconds)
  • Account lockout duration (seconds)
vCenter Single Sign-On domain
vCenter Server
  • Maximum failure attempts
  • Account lockout duration (seconds)
  • Root account lockout duration (seconds)
Local user
NSX Manager
  • Maximum failure attempts

  • Account lockout duration (seconds)

  • Account reset duration (seconds)

Local user
NSX Edge
  • Maximum failure attempts

  • Account lockout duration (seconds)

Local user
SDDC Manager
  • Maximum failure attempts

  • Account lockout duration (seconds)

  • Root account lockout duration (seconds)

Local user

Prerequisites

See Password Policy Configuration Prerequisites.

Configure the Local Account Lockout Policy for ESXi

Set the maximum number of failed login attempts and the time that must pass before a local account on an ESXi host in VMware Cloud Foundation is automatically unlocked.

Setting

Default Value

Security.AccountLockFailures

5

Security.AccountUnlockTime

900

UI Procedure

  1. Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
  2. In the Hosts and clusters inventory, navigate to and expand the first vSphere cluster.

  3. Select the first ESXi host and click the Configure tab.

  4. In the System section, click Advanced system settings.

  5. On the Advanced system settings page, click Edit.

  6. In the key filter text box, enter Security.AccountLockFailures and enter a value according to the requirements of your organization.

  7. In the key filter text box, enter Security.AccountUnlockTime, enter a value according to the requirements of your organization, and click OK.

  8. Repeat this procedure on the remaining hosts in the cluster.

  9. Repeat this procedure on the remaining clusters in the workload domain.

  10. Repeat this procedure on all clusters in the remaining workload domains.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-m01"
    $cluster = "sfo-m01-cl01"
    
    $maxFailures = "5"
    $unlockInterval = "900"
  3. Perform the configuration by running the command in the PowerShell console.

    Update-EsxiAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $cluster -failures $maxFailures -unlockInterval $unlockInterval
  4. Repeat this procedure on all remaining clusters in the $sddcDomainName workload domain.

  5. Repeat this procedure on all clusters in the remaining workload domains.

Configure the Account Lockout Policy for vCenter Single Sign-On

Set the maximum number of failed login attempts and the interval of time between failures for a user account in the vsphere.local domain in VMware Cloud Foundation. Set also the time that must pass before the account is automatically unlocked.

The lockout policy applies only to user accounts in the vCenter Single Sign-On built-in identity provider vsphere.local. The policy does not apply to local system accounts and [email protected].
Setting Default Value
Maximum number of failed login attempts 5
Time interval between failures 180 seconds
Unlock time 900 seconds

UI Procedure

  1. Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
  2. From the vSphere Client Menu, select Administration.
  3. In the Single sign on section, click Configuration.
  4. On the Configuration page, click the Local accounts tab.
  5. In the Lockout policy section, click Edit.
  6. Enter values for the settings according to the requirements of your organization and click Save.

PowerShell Procedure

  1. Start PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-m01"
    
    $maxFailures = "5"
    $failureAttemptInterval = "180"
    $unlockInterval = "900"
    
  3. Perform the configuration by running the command in the PowerShell console.
    Update-SsoAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -failures $maxFailures -failureInterval $failureAttemptInterval -unlockInterval $unlockInterval

Configure the root User Account Lockout Policy for vCenter Server

Set the maximum number of failed login attempts and the time that must pass before the account is automatically unlocked for the root local account in the vCenter Server appliances in VMware Cloud Foundation.

Setting

Default Value

Maximum number of failed login attempts

3

Unlock time for root

300 seconds

Unlock time

900 seconds

UI Procedure

  1. Log in to the vCenter Server appliance using SSH as root.

  2. Enable shell access.

    shell
  3. Back up the authentication requirements for the appliance using the following command.

    cp -p /etc/security/faillock.conf /etc/security/faillock.conf-`date +%F_%H:%M:%S`.back
  4. Verify that all settings for configuring the account lockout policy for the rootuser are added in the /etc/security/faillock.conf file.

    If some properties are missing in the /etc/security/faillock.conf file, add them manually.

     dir = /var/log/faillock
    audit
    silent
    deny = 3
    unlock_time = 1200
    even_deny_root
    root_unlock_time = 300
    fail_interval = 900
    
  5. To configure the lockout policy for the root user account, in the /etc/security/faillock.conf file, set values to the following properties according to the requirements of your organization and save the file.
    Setting Property in /etc/security/faillock.conf
    Maximum number of failed attempts deny
    Unlock time for the root user account root_unlock_time
    Unlock time for all local accounts unlock_time
  6. Repeat this procedure for each workload domain vCenter Server.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-m01"
    
    $maxFailures = "5"
    $rootUnlockInterval = "300"
    $unlockInterval = "900"
    
  3. Perform the configuration by running the command in the PowerShell console.

    Update-VcenterAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -failures $maxFailures -unlockInterval $unlockInterval -rootUnlockInterval $rootUnlockInterval
  4. Repeat this procedure for each workload domain vCenter Server.

Configure the Local User Account Lockout Policy for NSX Manager

Set the maximum number of failed login attempts and the time that must pass before an account is automatically unlocked for the local users of the NSX Manager appliances in VMware Cloud Foundation.

Method

Setting

Default Value

API

max-auth-failures

5

lockout-reset-period

180 seconds

lockout-period

900 seconds

CLI

max-auth-failures

5

lockout-period

900 seconds

UI Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server tree and expand the management domain data center.
  3. Expand the VM folder containing the NSX Manager cluster.

  4. Select the first node of the NSX Manager cluster and click Launch web console.

  5. Log in to the NSX Manager node as admin.

  6. To configure the account lockout policy for logging in or making an API request to the NSX Manager UI according to your organization's requirements, run the following commands.

    set auth-policy api lockout-period <lockout-period>
    set auth-policy api lockout-reset-period <lockout-reset-period>
    set auth-policy api max-auth-failures <auth-failures>
  7. To configure the account lockout policy for logging in to the NSX CLI according to your organization's requirements, run the following commands.

    set auth-policy cli lockout-period <lockout-period>
    set auth-policy cli max-auth-failures <auth-failures>
  8. Repeat this procedure on the remaining NSX Local Manager nodes in the management domain.

  9. Repeat this procedure on the NSX Local Manager nodes for all VI workload domains.

  10. Repeat this procedure on all NSX Global Manager clusters.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-m01"
    
    $cliMaxFailures = "5"
    $cliUnlockInterval = "900"
    $apiMaxFailures = "5"
    $apiUnlockInterval = "900"
    $apiFailureInterval = "180"
    
  3. Perform the configuration by running the command in the PowerShell console.

    Update-NsxtManagerAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cliFailures $cliMaxFailures -cliUnlockInterval $cliUnlockInterval -apiFailures $apiMaxFailures -apiFailureInterval $apiFailureInterval -apiUnlockInterval $apiUnlockInterval
  4. Repeat this procedure for all NSX Local Manager clusters in the VI workload domains.

  5. Configure the account lockout policies on all NSX Global Manager clusters manually in the appliance console of each node.

Configure the Local User Account Lockout Policy for NSX Edge

Set the maximum number of failed login attempts and the time that must pass before an account is automatically unlocked for the local users of the NSX Edge appliances in VMware Cloud Foundation .

Method

Setting

Default Value

CLI

max-auth-failures

5

lockout-period

900 seconds

UI Procedure

  1. If you are configuring an NSX Edge virtual appliance, open the appliance console by using the Web console in the vSphere Client.

    1. Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
    2. In the VMs and templates inventory, navigate to and expand the VM folder containing the NSX Edge cluster.

    3. Select the first node of the NSX Edge cluster and click Launch web console.

  2. If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using an out-of-band management interface, such as iLO or iDRAC.

  3. Log in to the NSX Edge node as admin.

  4. To configure the account lockout policy for logging in to the NSX CLI according to your organization's requirements, run the commands.

    set auth-policy cli lockout-period <lockout-period>
    set auth-policy cli max-auth-failures <auth-failures>
  5. Repeat this procedure on the remaining NSX Edge nodes in the workload domain.

  6. Repeat this procedure on all NSX Edge nodes in the remaining workload domains.

PowerShell Procedure

You can use the PowerShell command for configuring the account lockup policies only on the NSX Edge nodes in VMware Cloud Foundation that are deployed by using SDDC Manager. For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge appliances, configure the policies manually according to the NSX documentation.

  1. Start PowerShell.

  2. Replace the values in the sample code and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-m01"
    
    $cliMaxFailures = "5"
    $cliUnlockInterval = "900"
    
  3. Perform the configuration by running the command in the PowerShell console.

    Update-NsxtEdgeAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cliFailures $cliMaxFailures -cliUnlockInterval $cliUnlockInterval
  4. Repeat this procedure for all remaining workload domains.

Configure the Local User Account Lockout Policy for SDDC Manager

Set the maximum number of failed login attempts and the time that must pass before an account on the SDDC Manager appliance is automatically unlocked.

Setting

Default Value

Maximum number of failed login attempts

3

Unlock time for root

300 seconds

Unlock time for all local accounts

86,400 seconds

UI Procedure

  1. Log in to the SDDC Manager appliance using SSH as vcf.
  2. Change to the root user.
    su -
  3. Back up the authentication requirements for the appliance using the following command.
    cp -p /etc/security/faillock.conf /etc/security/faillock.conf-`date +%F_%H:%M:%S`.back
  4. Verify that all properties for configuring account lockout policy for SDDC Manager users are added in the /etc/security/faillock.conf file.

    If some properties are missing in the /etc/security/faillock.conf file, add them manually.

    # Configuration for locking the user after multiple failed
    # authentication attempts.
    #
    # The directory where the user files with the failure records are kept.
    # The default is /var/run/faillock.
    .
    .
    .
    .
    # admin_group = <admin_group_name>
    dir = /run/faillock
    deny = 3
    unlock_time = 86400
    even_deny_root
    root_unlock_time = 300
    dir = /var/log/faillock
    
  5. To configure the lockout policy for the root user account, in the /etc/security/faillock.conf file, set values to the following properties according to the requirements of your organization and save the file.
    Setting Property in /etc/security/faillock.conf
    Maximum number of failed attempts deny
    Unlock time for the root user account root_unlock_time
    Unlock time for all local accounts unlock_time

The configuration is applied to all local user accounts on the SDDC Manager appliance.

PowerShell Procedure

  1. Start PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    # Replace with the name of your management domain
    $sddcDomainName = "sfo-m01"
    
    $rootPass = "VMw@re1!"
    $maxFailures = "3"
    $unlockInterval = "86400"
    $rootUnlockInterval = "300"
    
  3. Perform the configuration by running the command in the PowerShell console.
    Update-SddcManagerAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -rootPass $rootPass -failures $maxFailures -unlockInterval $unlockInterval -rootUnlockInterval $rootUnlockInterval