Last week I was working on a change plan to update one of our vSphere environments with new SSL certificates on vSphere 5.1 installed on a Windows virtual machine. When I tried to update the SSL certificates of the vCenter Inventory service, I received the following error message:

image

In the vc-update-ssl.log log file I saw the following message:

Cannot authenticate user – Return code is InvalidCredentials 3

The first thing I thought was a typo when entering the password for the SSO Admin user. But after three times I stll got the same error. So the next step was logging into the vSphere web-client as admin@system-domain. But I was unable to logon because the associated user’s password is expired. That explains a lot.

image

Lucky me VMware has a KB article with a solution: KB2060150. The reason why the user password is expired, is because of the default password policy:

This issue occurs when the Admin@system-domain password has expired; the default is 365 days.

To resolve this issue you have to change the password policy and in particular the MAX_LIFE_SEC column in the RSA database.

Follow the steps described in KB2060150 to change the MAX_LIFE_SEC column.

To increase the MAX_LIFE_SEC column:

    1. Stop the vCenter Single Sign-on service (SSO).
    2. Log in to SQL Management Studio.
    3. Go to the RSA database.
    4. Expand Tables and highlight the dbo.IMS_AUTHN_PASSWORD_POLICY table.
    5. Right-click and select Edit Top 200 Rows.
       Scroll over to the MAX_LIFE_SEC column. The default setting is 31536000 seconds (365 days).

       Note: Select the policy that contains Password Policy for SSO system users within the NOTES  field.

    6. Increase this value (for example: 47304000 seconds = 546.5 days, 63072000 seconds = 730 days, 90000000 seconds = 1041days).
    7. Restart the vCenter Single Sign-on service.
       Once the service has started, log in the Web Client to vCenter Server with admin@system-domain:default URL is https://vCenter-server-fqdn:9443
       Navigate to Administration > Configuration.
    8. Click the Policies tab.
    9. Click Edit.
    10.Change maximum lifetime to 0 (never expire) or enter the approximate number of days corresponding to the value you set in the database, MAX_LIFE_SEC field above.
       Save your changes and exit the edit.

Note: Instead of steps 6 and 7, you can scroll to the column named PERIODIC_EXPIRE, and set that value to 0. This will prevent password expiration. You should only do this if your security policy allows non-expiring passwords.

When you succeed in step7, you can continue updating the SSL certificates with the ssl-updater.bat tool.

Published by afokkema

One thought on “ssl-updater.bat: Cannot validate the Lookup Service connection: 3

  1. In my case the password was too strong (seriously!). After logging into web client and resetting the password to Simple12! it worked like a charm.

    Reply

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.