AD/Domain account gets locked out frequently while authenticating to vCenter Server.
Symptoms
AD/Domain account gets locked out frequently while authenticating to vCenter Server.
Cause
This issue typically appears after the domain account's password has been reset, whether because of password expiry or for some other reason. One or more servers are still using the old credentials, either because the account is configured there as a service account with the previous password, or because the old password is cached on the server. As soon as the password is reset, those servers keep authenticating to vCenter Server with the stale password. Each failed attempt counts toward the domain's account lockout policy, so the account is locked out again shortly after every unlock.
The accounts most often affected are backup operator accounts, since they are used to back up every server, which in practice means repeated API calls from the backup server to vCenter Server.
Resolution
This is not a VMware issue.
The simplest way to identify the source server is to monitor vCenter tasks and events. The domain controller's lockout event will name vCenter Server as the caller, not the server that actually presented the bad password, so vCenter's own events are the place to look.
Unlock the affected account, then monitor the Events tab in vCenter Server.
For example, assume the domain account being locked out is 'root'.
You will find events under the vCenter Events tab such as:
root@192.x.x.x logged in. Make a note of each IP address from which this AD account authenticates to vCenter Server. Pay particular attention to failed login attempts for the account: a server still using the old password will fail to log in, and those failures are what drive the lockout.
One or more IP addresses may be authenticating with the impacted AD account. Log in to each of these servers and check whether the account is configured there as a service account (for example, for a backup agent or a scheduled job) or whether the old password is cached. Update the stored credentials, and if necessary reboot the server to clear cached credentials, after arranging a maintenance window appropriate to its criticality.
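The triage step above, reduced to a script, as an added example that is not part of the original article or of any VMware tool: it reads vCenter event messages exported as plain text (for instance with PowerCLI's Get-VIEvent), keeps only login events for the locked-out account, and groups them by client IP so the hosts producing failed logins stand out. The "<user>@<ip> logged in" message form is the one quoted above; the "Cannot login <user>@<ip>" form for failed attempts is assumed here, and the sample events are constructed, not real output.

```python
import re
from collections import defaultdict

# Regex for the two login event shapes this script understands. The
# "<user>@<ip> logged in" form is the one quoted in the article; the
# "Cannot login <user>@<ip>" form for failed attempts is an assumption.
EVENT_RE = re.compile(
    r"(?P<fail>Cannot login )?"
    r"(?P<user>[^@\s]+)@(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?P<ok> logged in)?"
)


def parse_event(line):
    """Return (user, ip, success) for a login event line, or None for
    anything else (logouts, unrelated events, unparseable text)."""
    m = EVENT_RE.search(line)
    if not m or not (m.group("fail") or m.group("ok")):
        return None
    return m.group("user"), m.group("ip"), bool(m.group("ok"))


def login_sources(lines, account):
    """Group login events for `account` by client IP.

    Returns {ip: {"ok": successes, "fail": failures}}. The user name
    comparison is case-insensitive because AD user names are.
    """
    stats = defaultdict(lambda: {"ok": 0, "fail": 0})
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        user, ip, ok = parsed
        if user.lower() != account.lower():
            continue
        stats[ip]["ok" if ok else "fail"] += 1
    return dict(stats)


def suspect_hosts(stats, min_failures=1):
    """IPs with failed logins, most failures first. These are the hosts
    most likely still presenting the old password and driving the lockout;
    hosts with only successful logins already have the new one."""
    return sorted(
        (ip for ip, s in stats.items() if s["fail"] >= min_failures),
        key=lambda ip: (-stats[ip]["fail"], ip),
    )


# Constructed sample export (not real vCenter output): timestamp, message.
SAMPLE_EVENTS = [
    "2024-05-02T09:00:01Z User root@192.0.2.10 logged in",
    "2024-05-02T09:00:03Z Cannot login root@192.0.2.20",
    "2024-05-02T09:00:05Z Cannot login root@192.0.2.20",
    "2024-05-02T09:00:07Z Cannot login ROOT@192.0.2.30",
    "2024-05-02T09:00:09Z User backupsvc@192.0.2.40 logged in",
    "2024-05-02T09:00:11Z User root@192.0.2.10 logged out",
    "2024-05-02T09:00:13Z Cannot login root@192.0.2.20",
]

if __name__ == "__main__":
    stats = login_sources(SAMPLE_EVENTS, "root")
    for ip in suspect_hosts(stats):
        print(f"{ip}: {stats[ip]['fail']} failed, {stats[ip]['ok']} successful")
```

On the sample data this reports 192.0.2.20 (three failures) and 192.0.2.30 (one failure) as the hosts to inspect, and ignores 192.0.2.10, which logged in successfully and so already has the current password. Run it against a real export over the window between an unlock and the next lockout; the ordering by failure count usually puts the misconfigured service account or backup server at the top.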