From time to time in the vSphere Client interface I come across the notification:
Your password will expire in xx days. I decided to learn how to manage password policies in VMWare vSphere, how to change the time when a password expiry notification appears for local and domain vSphere users and set the password settings for some users to never expire. Here is what I have found.
Password & Lockout Policy on VMWare Single Sign On (SSO)
In my case, I decided to disable the password expiration for the local user email@example.com (since nobody works under this local account permanently, and the vSphere administrators authenticate under their Active Directory domain accounts).
By default, the SSO policy is applied for vSphere local users, which requires a user password to be changed every 90 days.
You can find the SSO password policy settings in the following section of the vSphere Client: Administration -> Single Sign On -> Configuration.
As you can see on the Password Policy tab, the following requirements are applied to the passwords of all local vCSA users:
- The minimum password length is 8 characters (maximum — 20 characters);
- A password expires in 90 days (maximum lifetime);
- The last 5 passwords are not allowed to be reused;
- Some password complexity restrictions.
Click Edit and change the policy settings. For example, you can change Maximum lifetime to 365 (it means that you have to change passwords once a year) or enter 0 here (meaning that the password is not expired).
Change Password Expiration Settings to Never Expire for Local VMWare vCSA Users
If you do not want to change your password policy for all vCenter users, you can change the password policy and the expiration settings for the specific user. For example, you want to set the password for the local backup_user to never expire. To do it, connect to your vCSA host using the SSH client.
You will need the dir-cli tool, which is located in /usr/lib/vmware-vmafd/bin/.
Check that the local user exists:
./dir-cli user find-by-name --account backup_user
Enter password for firstname.lastname@example.org: Account: backup_user UPN: backup_user@VCENTER.LOCAL/
You can change the password for this user:
./dir-cli password reset --account backup_user --password OldBackupP@$$ --new NewBackupP@$$
Or you can set password to never expire:
./dir-cli user modify --account backup_user --password-never-expires
Enter password for email@example.com: Password set to never expire for [backup_user]
Root Password Expiration on vCenter VCSA
When you install the vCenter Server Appliance, the password lifetime for root user is set to 365 days (vCenter 6.5 or earlier) or 90 days (vSphere 6.7). So root is also subject to password expiration policy.
You can view the password policy settings in the vCSA Appliance Management (
https://your_vcenter_name:5480/ui/access). Go to the Administration section and check the values in the “Password expiration settings” section.
- Password expires: Yes
- Password validity (days): 90
- Password expires on: Jun 13, 2020, 2:00:00 AM
You can change the password expiration settings for root or set it to never expire (if its value is 0).
Also you can check the root password expiration setting from your vCSA console:
chage -l root
Last password change : Mar 15, 2019 Password expires : Jun 20, 2019 Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 90 Number of days of warning before password expires : 7
It is interesting that the vCSA Appliance Management interface does not prompt root to change the password or show any password expiring warning.
However, if you try to upgrade the vCenter Server Appliance you may come across the following error message:
Appliance (OS) root password is expired or is going to expire soon. Please change the root password before installing an update.
Or when trying to change the expired root password in vCSA Appliance Management, a warning may appear:
Permission Denied. Set the maximum number of days when the password will expire. Administrator configuration updated successfully.
In this case, you have to change the root password in the vCSA console with this command:
Changing Password Expiration Notification Settings on VMWare vCenter
By default an expiring password notification in a vCenter Client starts to appear 30 days before it expires.
If users authenticate in vCenter using their AD accounts, the domain password policy is applied for user passwords. A user will see a notification prompting them to change the password 30 days before it expires. So if your domain policy enforces password change once in 30 days, VMWare vCenter users constantly see an annoying warning
Your password will expire.
In vCSA you can configure how many days before the password expires a user will see this notification.
If you are using vSphere HTML5 client, this setting is specified in the configuration file on the vCenter Server Appliance server:
Open the file and find the sso.pending.password.expiration.notification.days parameter.
Change its value to 7. It means that the password expiry notification will appear 7 days before it happens. Then restart your vSphere client:
service-control --stop vsphere-ui
service-control --start vsphere-ui
If you are using the old Web Client (Flex), you will have to change the value of the sso.pending.password.expiration.notification.days parameter in the
After you have edited the setting, restart the Web Client service:
service-control --stop vsphere-client
service-control --start vsphere-client