WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud Foundation
  • VKS
  • Homelab
    • Resources
    • Nested Virtualization
  • VMware Nostalgia
  • Apple

Changing VCSA Failed Login Attempt & Lock Out Period

10.05.2012 by William Lam // 2 Comments

I was going through my twitter-feed this morning and came across an interesting article by @herseyc Locked out of the vCenter Server Virtual Appliance. I recommend you give Hersey's article a read as it contains some very useful information about failed login attempts to the VCSA (vCenter Server Appliance).

There was a question posed at the end of the article on how to increase the number of login attempts before an account would be locked out. The answer is to simply modify one of the PAM modules on the VCSA, specifically /etc/pam.d/common-auth

The system default for login attempts before locking out an account is 3 and you can modify this by changing the following line, where X is the number of attempts:

auth    requisite       pam_tally.so deny=X

You also have the option of specifying an "unlock" time which will lock the account for the specified period of time after reaching the max failed login attempts. This can useful if you do not want to manually reset a user account due to a user fat fingering a password. For more details about these parameters, you can search on Google or refer to this article.

Note: The login attempts here is specific to the OS system login on the VCSA (5.0 & 5.1) and not vCenter Server. If you successfully login before hitting the maximum attempts, the tally will automatically reset back to 0.

In vSphere 5.1, and with the use of vCenter SSO, you now have an easy way of controlling password and lock out policy using the new vSphere Web Client. Here is a screenshot of where the configurations are located at:

Note: These policies only pertain to identity sources connected to vCenter SSO and not OS system logins.

Categories // Uncategorized Tags // appliance, lockout, login, pam, VCSA, vcva, vSphere 5.0, vSphere 5.1

VCSA (vCenter Server Appliance) Resources

10.03.2012 by William Lam // 2 Comments

Here is a consolidated page on all the articles I have written about the VCSA (vCenter Server Appliance). Hopefully this will be useful when looking for anything related to VCSA.

VCSA 5.5

  • New vCenter Server Simulator 2.0 enhancements in VCSA 5.5 
  • How to bootstrap vCenter Server onto a single VSAN node Part 1?

VCSA 5.1

  • Automating VCSA 5.1 (vCenter Server Appliance) Configurations
  • How to Register a vCenter Server 5.0 with Admin Tool on VCSA 5.1 Using SSH Port Forwarding
  • Automatically Join Multiple VCSA 5.1 using New vCenter SSO (Single Sign-On)
  • Configuring Additional VCSA 5.1 as vSphere Web Client Servers
  • Configuring New vSphere Web Client Session Timeout
  • Specifying Default Domains for vSphere Web Client Login
  • Default Password for vCenter SSO Admin Account on VCSA
  • How to Add/Remove vCenter SSO Identity Sources Using the Command-Line for Windows vCenter Server & VCSA 
  • VCSA (vCenter Server Appliance) 5.1 VCDB & SSODB Password  
  • Seperating Out the vCenter SSO, vSphere Web Client and vCenter Server Services Using the VCSA 
  • vCenter Server Simulator

VCSA 5.0

  • Automating vCenter Server Appliance 5.0 (VCSA) Configurations

Additional Tips/Tricks

  • Forwarding vCenter Server Logs to a Syslog Server
  • How to Send vCenter Alarm Notification to Growl 
  • Changing VCSA Failed Login Attempt & Lock Out Period  
  • Getting Rid of the Inventory Tree in the New vSphere Web Client
  • vCloud Director Simulator 
  • Automating VCSA Network Configurations For Greenfield Deployments  
  • Automating SSL Certificate Regeneration in VCSA 5.1 & 5.5 (vCenter Server Appliance)
  • How to change the default HTML5 VM console port in vSphere 5.5? - See more at: http://www.virtuallyghetto.com/2013/10/how-to-change-default-html5-vm-console.html#sthash.I7qHQEq5.dpuf

    How to change the default HTML5 VM console port in vSphere 5.5?

  • Hybrid environment leveraging SSO Multi-Master Replication between vCenter Server for Windows & VCSA
  • How to automate NTP configurations on the VCSA using the CLI - See more at: http://www.virtuallyghetto.com/2014/02/how-to-automate-ntp-configurations-on.html#sthash.EwHydV3e.dpuf

    How to automate NTP configurations on the VCSA using the CLI

Categories // Uncategorized Tags // appliance, VCSA, vcva, vSphere, vSphere 5.0, vSphere 5.1

Configuring Additional VCSA 5.1 as vSphere Web Client Servers

09.24.2012 by William Lam // 6 Comments

In my previous article, I showed you how to configure additional vSphere Web Client 5.1 Servers for a Windows environment. For those interested in using the VCSA (vCenter Server Appliance) instead to configure additional vSphere Web Client Servers, here is the process.

Disclaimer: This is for educational purposes only, this is not officially supported by VMware. Please test this in a development environment before using it on actual systems.

Before getting started, it is very important to ensure you have proper DNS resolution (forward / reverse working) on all your VCSA's.

Step 1 - You will need to know the IP Address or hostname of your vCenter SSO Server (If you are using the VCSA, then it is the same address as your vCenter Server). Next, deploy a brand new VCSA and go ahead and configure the IP Address, hostname, etc. in preparation for the next step.

Step 2 - Create a script called configureVCSAvSphereWebClientStandalone.sh (this script reside on the new VCSA itself or on a remote host) which contains the following

#!/bin/bash
# William Lam
# www.virtuallyghetto.com

# User Configurations

VCENTER_SSO_IPADDRESS=172.30.0.181

## DO NOT EDIT BEYOND HERE ##

echo "Adding Lookup Service URL to /etc/vmware/ls_url.txt & /etc/vmware-sso/ls_url.txt"
echo "https://${VCENTER_SSO_IPADDRESS}:7444/lookupservice/sdk" > /etc/vmware/ls_url.txt;echo "https://${VCENTER_SSO_IPADDRESS}:7444/lookupservice/sdk" > /etc/vmware-sso/ls_url.txt;

echo "Retrieving ${VCENTER_SSO_IPADDRESS} SSL Certificate"
echo "" | openssl s_client -connect ${VCENTER_SSO_IPADDRESS}:7444 2> /dev/null 1> /tmp/cert

echo "Storing ${VCENTER_SSO_IPADDRESS} SSL Certificate in /etc/ssl/certs/VMware-Lookup-Service-Root-CA.pem"
openssl x509 -in /tmp/cert > /etc/ssl/certs/VMware-Lookup-Service-Root-CA.pem

echo "Registering vSphere Web Client with ${VCENTER_SSO_IPADDRESS}"
/usr/lib/vmware-vsphere-client/vsphere-client-sso-hook install --ls-server https://${VCENTER_SSO_IPADDRESS}:7444/lookupservice/sdk --user root --password vmware

 
You will need to change the VCENTER_SSO_IPADDRESS variable to the address of your vCenter SSO Server.

Step 3 - Set the script to executable by running the following command:

chmod +x configureVCSAvSphereWebClientStandalone.sh

Step 4 - You can either execute the script locally on the VCSA or my preferred method is just to execute it remotely by running the following command:

ssh [email protected] < configureVCSAvSphereWebClientStandalone.sh

Note: Make sure to replace the IP Address with address of your VCSA

As part of the configuration, the vSphere Web Client service will automatically start up at the very end. Once the service has successfully started, you will be able to connect to the vSphere Web Client URL by going to https://[webclient-hostname-ip]:9443/vsphere-client and you now should be able to see all the vCenter Servers that have registered with the same vCenter SSO server.

Here is another view using the new VIN 1.2 (vSphere Infrastructure Navigator) to show that I have two vSphere Web Client servers (webclient1 and webclient2) registered to my primary vCenter SSO Server (vcenter51-1) as well as two additional vCenter Server (vcenter51-2 and vcenter51-3) that are also registered with the same SSO Server.

As you can see, if you need to add additional vSphere Web Client Servers, the VCSA can easily be configured to enable only this feature to help you scale out and provide additional capacity as well as redundancy. Stay tuned for some more details on configuring a Load Balancer to load balance multiple vSphere Web Client Servers.

Additional Resources: 

  • Automating VCSA 5.1 (vCenter Server Appliance) Configurations
  • Automatically Join Multiple VCSA 5.1 using New vCenter SSO (Single Sign-On)
  • Configuring Additional Windows vSphere Web Client 5.1 Servers

 

Categories // vSphere, vSphere Web Client Tags // lookupservice, sso, VCSA, vcva, vSphere 5.1, vsphere web client

  • « Previous Page
  • 1
  • …
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • Next Page »

Search

Thank Author

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Connect

  • Bluesky
  • Email
  • GitHub
  • LinkedIn
  • Mastodon
  • Reddit
  • RSS
  • Twitter
  • Vimeo

Recent

  • Programmatically accessing the Broadcom Compatibility Guide (BCG) 05/06/2025
  • Quick Tip - Validating Broadcom Download Token  05/01/2025
  • Supported chipsets for the USB Network Native Driver for ESXi Fling 04/23/2025
  • vCenter Identity Federation with Authelia 04/16/2025
  • vCenter Server Identity Federation with Kanidm 04/10/2025

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2025