Prevent Password Lockout on Local NSX-T Managers when using Federation


NSX Federation enables admins to manage multiple local NSX-T Managers from a single pane of glass, through the use of a global NSX-T Management cluster. NSX-T Federation has been available since NSX-T version 3.0 (production-ready since 3.1), and it’s available through a manual guide for VMware Cloud Foundation version 4.2 and later.

One of the problems occurs after the local NSX-T Manager configuration has been imported into the global NSX-T Manager and the admin password is changed afterwards on the local NSX-T Manager. The admin account will become locked out.

This can be prevented by adjusting the “lockout_immune_addresses” parameter on the LOCAL NSX-T Manager.
VMware has written a guide to change this, but DON’T USE THIS! It will break your security configuration, because it completely rewrites that configuration in a wrong manner.

This blog provides a better way of setting the parameter.


  1. Log on to a jump-host that has access to your NSX-T Managers
  2. Retrieve the current security configuration from your local NSX-T Manager using the Postman GET method.
    • Start the Postman application and log in.
    • On the Authorization tab, enter the following settings and click Update Request.
      Type – Basic Auth
      User Name – Admin
      Password – nsx-t_admin_password
    • On the Headers tab, add a key by using the following details.
      Key – Content-Type
      Key Value – application/json
    • On the request pane at the top, send the following HTTP request
      HTTP request method – GET
      URL – https://<nsx-t_manager_FQDN>/api/v1/cluster/api-service (change the FQDN to your local NSX Manager FQDN)
    • After a successful response (“status: 200 OK”), copy the returned JSON-formatted body response from the Body tab to your favorite code-/text-editor.
  3. Add the “lockout_immune_addresses” information to the JSON response:
    • Search for the “lockout_immune_addresses” line in the JSON response, or, when the line cannot be found in the JSON response, add a new line with “lockout_immune_addresses”.
      Be aware that a “,” must be added to the end of the previous line.
    • Add the IP addresses of all global NSX Managers (including the VIP addresses) between the brackets in the following format:
      "lockout_immune_addresses":[ "", "", "", "" ]
      Leave the quotes intact!
  4. Send the new security configuration to the local manager using the Postman PUT method
    • Take the previous Postman HTTP request and change the HTTP request method from GET to PUT.
    • On the Body tab, paste the new JSON-formatted security configuration from your code-/text-editor.
    • Send the new HTTP request and confirm a successful response (“status: 200 OK”)
  5. Repeat steps 2 to 4 for all local NSX-T Managers
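
The same GET, edit and PUT sequence can be scripted so that only “lockout_immune_addresses” changes and every other setting returned by the manager is sent back untouched. The Python below is an added example, not part of the original post or VMware's guide; the function names, the sample response and the 192.0.2.x addresses are constructed for illustration.

```python
import base64
import ipaddress
import json
import urllib.request

API_PATH = "/api/v1/cluster/api-service"  # endpoint used in step 2

def add_immune_addresses(config, addresses):
    """Copy the fetched config and merge the addresses into it; all other keys
    (including _revision) are carried over unchanged."""
    updated = dict(config)
    merged = list(config.get("lockout_immune_addresses", []))
    for addr in addresses:
        addr = str(ipaddress.ip_address(addr.strip()))  # ValueError on a bad IP
        if addr not in merged:
            merged.append(addr)
    updated["lockout_immune_addresses"] = merged
    return updated

def call_api(fqdn, user, password, method, body=None):
    """GET or PUT the api-service config with Basic Auth, as in steps 2 and 4."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{fqdn}{API_PATH}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # certificate checks stay enabled
        return json.load(resp)

def update_local_manager(fqdn, user, password, global_manager_ips):
    current = call_api(fqdn, user, password, "GET")
    desired = add_immune_addresses(current, global_manager_ips)
    if desired == current:
        return current  # already immune, no PUT needed
    return call_api(fqdn, user, password, "PUT", desired)

# Constructed sample response, not captured from a real manager.
SAMPLE = {
    "session_timeout": 1800,
    "basic_authentication_enabled": True,
    "lockout_immune_addresses": ["192.0.2.10"],
    "_revision": 4,
}

if __name__ == "__main__":
    new = add_immune_addresses(SAMPLE, ["192.0.2.10", "192.0.2.11", "192.0.2.12"])
    print(json.dumps(new, indent=2))
```

Call `update_local_manager` once per local NSX-T Manager, and read the password from a prompt or a secrets store rather than writing it into the script.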
