Last week I was working on a change plan to update one of our vSphere environments with new SSL certificates on vSphere 5.1 installed on a Windows virtual machine. When I tried to update the SSL certificates of the vCenter Inventory service, I received the following error message:
In the vc-update-ssl.log log file I saw the following message:
Cannot authenticate user – Return code is InvalidCredentials 3
The first thing I thought was a typo when entering the password for the SSO Admin user. But after three times I stll got the same error. So the next step was logging into the vSphere web-client as admin@system-domain. But I was unable to logon because the associated user’s password is expired. That explains a lot.
Lucky me VMware has a KB article with a solution: KB2060150. The reason why the user password is expired, is because of the default password policy:
This issue occurs when the Admin@system-domain password has expired; the default is 365 days.
To resolve this issue you have to change the password policy and in particular the MAX_LIFE_SEC column in the RSA database.
Follow the steps described in KB2060150 to change the MAX_LIFE_SEC column.
To increase the MAX_LIFE_SEC column:
1. Stop the vCenter Single Sign-on service (SSO).
2. Log in to SQL Management Studio.
3. Go to the RSA database.
4. Expand Tables and highlight the dbo.IMS_AUTHN_PASSWORD_POLICY table.
5. Right-click and select Edit Top 200 Rows.
Scroll over to the MAX_LIFE_SEC column. The default setting is 31536000 seconds (365 days).
Note: Select the policy that contains Password Policy for SSO system users within the NOTES field.
6. Increase this value (for example: 47304000 seconds = 546.5 days, 63072000 seconds = 730 days, 90000000 seconds = 1041days).
7. Restart the vCenter Single Sign-on service.
Once the service has started, log in the Web Client to vCenter Server with admin@system-domain:default URL is https://vCenter-server-fqdn:9443
Navigate to Administration > Configuration.
8. Click the Policies tab.
9. Click Edit.
10.Change maximum lifetime to 0 (never expire) or enter the approximate number of days corresponding to the value you set in the database, MAX_LIFE_SEC field above.
Save your changes and exit the edit.
Note: Instead of steps 6 and 7, you can scroll to the column named PERIODIC_EXPIRE, and set that value to 0. This will prevent password expiration. You should only do this if your security policy allows non-expiring passwords.
When you succeed in step7, you can continue updating the SSL certificates with the ssl-updater.bat tool.