An account lockout policy defines the behaviour of the system when incorrect credentials are used to authenticate to the system. The settings are different according to the account type and component of the VMware Cloud Foundation instance.
Management Component | Account Lockout Settings | Scope |
---|---|---|
ESXi | | Local user |
vCenter Single Sign-On | | vCenter Single Sign-On domain |
vCenter Server | | Local user |
NSX Manager | | Local user |
NSX Edge | | Local user |
SDDC Manager | | Local user |
Configure the Local Account Lockout Policy for ESXi
Set the maximum number of failed login attempts and the time that must pass before a local account on an ESXi host in VMware Cloud Foundation is automatically unlocked.
Setting | Default Value |
---|---|
Security.AccountLockFailures | 5 |
Security.AccountUnlockTime | 900 |
UI Procedure
- Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
- In the Hosts and clusters inventory, navigate to and expand the first vSphere cluster.
- Select the first ESXi host and click the Configure tab.
- In the System section, click Advanced system settings.
- On the Advanced system settings page, click Edit.
- In the key filter text box, enter Security.AccountLockFailures and enter a value according to the requirements of your organization.
- In the key filter text box, enter Security.AccountUnlockTime, enter a value according to the requirements of your organization, and click OK.
- Repeat this procedure on the remaining hosts in the cluster.
- Repeat this procedure on the remaining clusters in the workload domain.
- Repeat this procedure on all clusters in the remaining workload domains.
PowerShell Procedure
- Start PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.

```powershell
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"
$sddcDomainName = "sfo-m01"
$cluster = "sfo-m01-cl01"
$maxFailures = "5"
$unlockInterval = "900"
```

- Perform the configuration by running the command in the PowerShell console.

```powershell
Update-EsxiAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $cluster -failures $maxFailures -unlockInterval $unlockInterval
```

- Repeat this procedure on all remaining clusters in the $sddcDomainName workload domain.
- Repeat this procedure on all clusters in the remaining workload domains.
Configure the Account Lockout Policy for vCenter Single Sign-On
Set the maximum number of failed login attempts and the interval of time between failures for a user account in the vsphere.local domain in VMware Cloud Foundation. Also set the time that must pass before the account is automatically unlocked.
Setting | Default Value |
---|---|
Maximum number of failed login attempts | 5 |
Time interval between failures | 180 seconds |
Unlock time | 900 seconds |
UI Procedure
- Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
- From the vSphere Client Menu, select Administration.
- In the Single sign on section, click Configuration.
- On the Configuration page, click the Local accounts tab.
- In the Lockout policy section, click Edit.
- Enter values for the settings according to the requirements of your organization and click Save.
PowerShell Procedure
- Start PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.

```powershell
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"
$sddcDomainName = "sfo-m01"
$maxFailures = "5"
$failureAttemptInterval = "180"
$unlockInterval = "900"
```

- Perform the configuration by running the command in the PowerShell console.

```powershell
Update-SsoAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -failures $maxFailures -failureInterval $failureAttemptInterval -unlockInterval $unlockInterval
```
Configure the root User Account Lockout Policy for vCenter Server
Set the maximum number of failed login attempts and the time that must pass before the account is automatically unlocked for the root local account in the vCenter Server appliances in VMware Cloud Foundation.
Setting | Default Value |
---|---|
Maximum number of failed login attempts | 3 |
Unlock time for root | 300 seconds |
Unlock time | 900 seconds |
UI Procedure
- Log in to the vCenter Server appliance using SSH as root.
- Enable shell access.

```shell
shell
```

- Back up the authentication requirements for the appliance using the following command.

```shell
cp -p /etc/security/faillock.conf /etc/security/faillock.conf-`date +%F_%H:%M:%S`.back
```

- Verify that all settings for configuring the account lockout policy for the root user are present in the /etc/security/faillock.conf file. If some properties are missing in the /etc/security/faillock.conf file, add them manually.

```
dir = /var/log/faillock
audit
silent
deny = 3
unlock_time = 1200
even_deny_root
root_unlock_time = 300
fail_interval = 900
```

- To configure the lockout policy for the root user account, in the /etc/security/faillock.conf file, set values for the following properties according to the requirements of your organization and save the file.

Setting | Property in /etc/security/faillock.conf |
---|---|
Maximum number of failed attempts | deny |
Unlock time for the root user account | root_unlock_time |
Unlock time for all local accounts | unlock_time |

- Repeat this procedure for each workload domain vCenter Server.
PowerShell Procedure
- Start PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.

```powershell
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"
$sddcDomainName = "sfo-m01"
$maxFailures = "5"
$rootUnlockInterval = "300"
$unlockInterval = "900"
```

- Perform the configuration by running the command in the PowerShell console.

```powershell
Update-VcenterAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -failures $maxFailures -unlockInterval $unlockInterval -rootUnlockInterval $rootUnlockInterval
```

- Repeat this procedure for each workload domain vCenter Server.
Configure the Local User Account Lockout Policy for NSX Manager
Set the maximum number of failed login attempts and the time that must pass before an account is automatically unlocked for the local users of the NSX Manager appliances in VMware Cloud Foundation.
Method | Setting | Default Value |
---|---|---|
API | max-auth-failures | 5 |
| lockout-reset-period | 180 seconds |
| lockout-period | 900 seconds |
CLI | max-auth-failures | 5 |
| lockout-period | 900 seconds |
UI Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
- In the VMs and templates inventory, expand the management domain vCenter Server tree and expand the management domain data center.
- Expand the VM folder containing the NSX Manager cluster.
- Select the first node of the NSX Manager cluster and click Launch web console.
- Log in to the NSX Manager node as admin.
- To configure the account lockout policy for logging in or making an API request to the NSX Manager UI according to your organization's requirements, run the following commands.

```
set auth-policy api lockout-period <lockout-period>
set auth-policy api lockout-reset-period <lockout-reset-period>
set auth-policy api max-auth-failures <auth-failures>
```

- To configure the account lockout policy for logging in to the NSX CLI according to your organization's requirements, run the following commands.

```
set auth-policy cli lockout-period <lockout-period>
set auth-policy cli max-auth-failures <auth-failures>
```

- Repeat this procedure on the remaining NSX Local Manager nodes in the management domain.
- Repeat this procedure on the NSX Local Manager nodes for all VI workload domains.
- Repeat this procedure on all NSX Global Manager clusters.
PowerShell Procedure
- Start PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.

```powershell
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"
$sddcDomainName = "sfo-m01"
$cliMaxFailures = "5"
$cliUnlockInterval = "900"
$apiMaxFailures = "5"
$apiUnlockInterval = "900"
$apiFailureInterval = "180"
```

- Perform the configuration by running the command in the PowerShell console.

```powershell
Update-NsxtManagerAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cliFailures $cliMaxFailures -cliUnlockInterval $cliUnlockInterval -apiFailures $apiMaxFailures -apiFailureInterval $apiFailureInterval -apiUnlockInterval $apiUnlockInterval
```

- Repeat this procedure for all NSX Local Manager clusters in the VI workload domains.
- Configure the account lockout policies on all NSX Global Manager clusters manually in the appliance console of each node.
Configure the Local User Account Lockout Policy for NSX Edge
Set the maximum number of failed login attempts and the time that must pass before an account is automatically unlocked for the local users of the NSX Edge appliances in VMware Cloud Foundation.
Method | Setting | Default Value |
---|---|---|
CLI | max-auth-failures | 5 |
| lockout-period | 900 seconds |
UI Procedure
- If you are configuring an NSX Edge virtual appliance, open the appliance console by using the Web console in the vSphere Client.
  - Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
  - In the VMs and templates inventory, navigate to and expand the VM folder containing the NSX Edge cluster.
  - Select the first node of the NSX Edge cluster and click Launch web console.
- If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using an out-of-band management interface, such as iLO or iDRAC.
- Log in to the NSX Edge node as admin.
- To configure the account lockout policy for logging in to the NSX CLI according to your organization's requirements, run the following commands.

```
set auth-policy cli lockout-period <lockout-period>
set auth-policy cli max-auth-failures <auth-failures>
```

- Repeat this procedure on the remaining NSX Edge nodes in the workload domain.
- Repeat this procedure on all NSX Edge nodes in the remaining workload domains.
PowerShell Procedure
You can use the PowerShell command for configuring the account lockout policies only on the NSX Edge nodes in VMware Cloud Foundation that are deployed by using SDDC Manager. For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge appliances, configure the policies manually according to the NSX documentation.
- Start PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.

```powershell
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"
$sddcDomainName = "sfo-m01"
$cliMaxFailures = "5"
$cliUnlockInterval = "900"
```

- Perform the configuration by running the command in the PowerShell console.

```powershell
Update-NsxtEdgeAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cliFailures $cliMaxFailures -cliUnlockInterval $cliUnlockInterval
```

- Repeat this procedure for all remaining workload domains.
Configure the Local User Account Lockout Policy for SDDC Manager
Set the maximum number of failed login attempts and the time that must pass before an account on the SDDC Manager appliance is automatically unlocked.
Setting | Default Value |
---|---|
Maximum number of failed login attempts | 3 |
Unlock time for root | 300 seconds |
Unlock time for all local accounts | 86,400 seconds |
UI Procedure
- Log in to the SDDC Manager appliance using SSH as vcf.
- Change to the root user.

```shell
su -
```

- Back up the authentication requirements for the appliance using the following command.

```shell
cp -p /etc/security/faillock.conf /etc/security/faillock.conf-`date +%F_%H:%M:%S`.back
```

- Verify that all properties for configuring the account lockout policy for SDDC Manager users are present in the /etc/security/faillock.conf file. If some properties are missing in the /etc/security/faillock.conf file, add them manually.

```
# Configuration for locking the user after multiple failed
# authentication attempts.
#
# The directory where the user files with the failure records are kept.
# The default is /var/run/faillock.
...
# admin_group = <admin_group_name>
dir = /run/faillock
deny = 3
unlock_time = 86400
even_deny_root
root_unlock_time = 300
dir = /var/log/faillock
```

- To configure the lockout policy for the root user account, in the /etc/security/faillock.conf file, set values for the following properties according to the requirements of your organization and save the file.

Setting | Property in /etc/security/faillock.conf |
---|---|
Maximum number of failed attempts | deny |
Unlock time for the root user account | root_unlock_time |
Unlock time for all local accounts | unlock_time |
The configuration is applied to all local user accounts on the SDDC Manager appliance.
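Both the vCenter Server and the SDDC Manager procedures above ask you to verify that the required properties are present in /etc/security/faillock.conf and to add any that are missing. The following shell script is an added example, not VMware's own code, that performs that check against the values your organization requires; it assumes the `key = value` and bare-flag syntax shown above, treats the last occurrence of a duplicated key as the effective one, and the function names faillock_get, faillock_has_flag and faillock_audit are my own.

```shell
#!/bin/sh
# Added example: audit /etc/security/faillock.conf on a vCenter Server or
# SDDC Manager appliance against required lockout values. Not VMware code.
# Usage: faillock_audit <conf> <deny> <root_unlock_time> <unlock_time> [fail_interval]

# Normalise the file: drop comments and pad "=" so "deny=3" and "deny = 3" split alike.
faillock_lines() {
    sed -e 's/#.*//' -e 's/=/ = /' "$1"
}

# Effective value of a key; pam_faillock reads top to bottom, so the last one wins.
faillock_get() {
    faillock_lines "$1" | awk -v key="$2" '$1 == key && $2 == "=" { val = $3 } END { print val }'
}

# Exit 0 when a bare flag (even_deny_root, audit, silent, ...) is present.
faillock_has_flag() {
    faillock_lines "$1" | awk -v flag="$2" 'NF == 1 && $1 == flag { found = 1 } END { exit !found }'
}

faillock_audit() {
    conf=$1; rc=0
    for spec in "deny=$2" "root_unlock_time=$3" "unlock_time=$4" "fail_interval=$5"; do
        key=${spec%%=*}; want=${spec#*=}
        [ -z "$want" ] && continue            # value not requested, skip the check
        have=$(faillock_get "$conf" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"; rc=1
        elif [ "$have" -ne "$want" ]; then
            echo "MISMATCH $key = $have (want $want)"; rc=1
        else
            echo "OK       $key = $have"
        fi
    done
    # deny only locks root when even_deny_root is set; without it root_unlock_time is inert.
    if faillock_has_flag "$conf" even_deny_root; then
        echo "OK       even_deny_root"
    else
        echo "MISSING  even_deny_root (root is never locked)"; rc=1
    fi
    return $rc
}
```

Run it on the appliance after the backup step, for example `faillock_audit /etc/security/faillock.conf 3 300 86400` on SDDC Manager; a non-zero exit status means at least one property is missing or differs from the requested value.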
PowerShell Procedure
- Start PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.

```powershell
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"
# Replace with the name of your management domain
$sddcDomainName = "sfo-m01"
$rootPass = "VMw@re1!"
$maxFailures = "3"
$unlockInterval = "86400"
$rootUnlockInterval = "300"
```

- Perform the configuration by running the command in the PowerShell console.

```powershell
Update-SddcManagerAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -rootPass $rootPass -failures $maxFailures -unlockInterval $unlockInterval -rootUnlockInterval $rootUnlockInterval
```