Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Virtualization / VMWare / VMWare vSphere: Managing Password Expiration Settings

January 28, 2020 VMWare

VMWare vSphere: Managing Password Expiration Settings

From time to time in the vSphere Client interface I come across the notification: Your password will expire in xx days. I decided to learn how to manage password policies in VMWare vSphere, how to change the time when a password expiry notification appears for local and domain vSphere users and set the password settings for some users to never expire. Here is what I have found.

Contents:
  • Password & Lockout Policy on VMWare Single Sign On (SSO)
  • Change Password Expiration Settings to Never Expire for Local VMWare vCSA Users
  • Root Password Expiration on vCenter VCSA
  • Changing Password Expiration Notification Settings on VMWare vCenter

vmware vsphere you password will expire in 11 days

Password & Lockout Policy on VMWare Single Sign On (SSO)

In my case, I decided to disable the password expiration for the local user administrator@vcenter.local (since nobody works under this local account permanently, and the vSphere administrators authenticate under their Active Directory domain accounts).

By default, the SSO policy is applied for vSphere local users, which requires a user password to be changed every 90 days.

You can find the SSO password policy settings in the following section of the vSphere Client: Administration -> Single Sign On -> Configuration.

As you can see on the Password Policy tab, the following requirements are applied to the passwords of all local vCSA users:

  • The minimum password length is 8 characters (maximum — 20 characters);
  • A password expires in 90 days (maximum lifetime);
  • The last 5 passwords are not allowed to be reused;
  • Some password complexity restrictions.

Click Edit and change the policy settings. For example, you can change Maximum lifetime to 365 (it means that you have to change passwords once a year) or enter 0 here (meaning that the password is not expired).

vmware vsphere password and locout policies

Change Password Expiration Settings to Never Expire for Local VMWare vCSA Users

If you do not want to change your password policy for all vCenter users, you can change the password policy and the expiration settings for the specific user. For example, you want to set the password for the local backup_user to never expire. To do it, connect to your vCSA host using the SSH client.

Enable the SSH access to vCSA in the Access -> SSH login -> Enabled section of the Appliance Management (https://your_vcenter_name:5480/ui/access).

vmware vcenre appliance - enable ssh access

You will need the dir-cli tool, which is located in /usr/lib/vmware-vmafd/bin/.

cd /usr/lib/vmware-vmafd/bin/

Check that the local user exists:

./dir-cli user find-by-name --account backup_user

Enter password for administrator@vcenter.local:
Account: backup_user
UPN: backup_user@VCENTER.LOCAL/

vmware tool dir-cli - change user password

You can change the password for this user:

./dir-cli password reset --account backup_user --password OldBackupP@$$ --new NewBackupP@$$

Or you can set password to never expire:

./dir-cli user modify --account backup_user --password-never-expires

Enter password for administrator@vsphere.local:
Password set to never expire for [backup_user]

Root Password Expiration on vCenter VCSA

When you install the vCenter Server Appliance, the password lifetime for root user is set to 365 days (vCenter 6.5 or earlier) or 90 days (vSphere 6.7). So root is also subject to password expiration policy.

You can view the password policy settings in the vCSA Appliance Management (https://your_vcenter_name:5480/ui/access). Go to the Administration section and check the values in the “Password expiration settings” section.

  • Password expires: Yes
  • Password validity (days): 90
  • Password expires on: Jun 13, 2020, 2:00:00 AM

vCSA Appliance Management - Password expiration settings

You can change the password expiration settings for root or set it to never expire (if its value is 0).

Also you can check the root password expiration setting from your vCSA console:

chage -l root

vmware vcsa - get local user password expiration settings

Last password change : Mar 15, 2019
Password expires : Jun 20, 2019
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7

It is interesting that the vCSA Appliance Management interface does not prompt root to change the password or show any password expiring warning.

However, if you try to upgrade the vCenter Server Appliance you may come across the following error message:

Appliance (OS) root password is expired or is going to expire soon. Please change the root password before installing an update.

Or when trying to change the expired root password in vCSA Appliance Management, a warning may appear:

Permission Denied. Set the maximum number of days when the password will expire. Administrator configuration updated successfully.

In this case, you have to change the root password in the vCSA console with this command:

passwd

vsphere vCSA change root password

Changing Password Expiration Notification Settings on VMWare vCenter

By default an expiring password notification in a vCenter Client starts to appear 30 days before it expires.

If users authenticate in vCenter using their AD accounts, the domain password policy is applied for user passwords. A user will see a notification prompting them to change the password 30 days before it expires. So if your domain policy enforces password change once in 30 days, VMWare vCenter users constantly see an annoying warning Your password will expire.

In vCSA you can configure how many days before the password expires a user will see this notification.

If you are using vSphere HTML5 client, this setting is specified in the configuration file on the vCenter Server Appliance server: /etc/vmware/vsphere-ui/webclient.properties.

Open the file and find the sso.pending.password.expiration.notification.days parameter.

sso.pending.password.expiration.notification.days

Change its value to 7. It means that the password expiry notification will appear 7 days before it happens. Then restart your vSphere client:

service-control --stop vsphere-ui
service-control --start vsphere-ui

If you are using the old Web Client (Flex), you will have to change the value of the sso.pending.password.expiration.notification.days parameter in the /etc/vmware/vsphere-client/webclient.properties file.

After you have edited the setting, restart the Web Client service:

service-control --stop vsphere-client
service-control --start vsphere-client

1 comment
0
Facebook Twitter Google + Pinterest
previous post
DNS Resolution via VPN Not Working on Windows 10
next post
Reactivating Windows 10 After a Hardware Upgrade or Reinstall

Related Reading

How to Install Free VMware Hypervisor (ESXi)?

January 24, 2023

Using VMware Converter for P2V Migration (Physical to...

October 19, 2022

Using iPerf to Test Network Speed and Bandwidth

September 29, 2022

Adding Drivers into VMWare ESXi Installation Image

September 26, 2022

VMWare: Virtual Machine Disks Consolidation is Needed

September 16, 2022

1 comment

Shlomi February 8, 2020 - 9:47 pm

WOW good as always!!!
many thanks, keep the amazing job.

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Using Previous Command History in PowerShell Console

    January 31, 2023
  • How to Install the PowerShell Active Directory Module and Manage AD?

    January 31, 2023
  • Finding Duplicate E-mail (SMTP) Addresses in Exchange

    January 27, 2023
  • How to Delete Old User Profiles in Windows?

    January 25, 2023
  • How to Install Free VMware Hypervisor (ESXi)?

    January 24, 2023
  • How to Enable TLS 1.2 on Windows?

    January 18, 2023
  • Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    January 17, 2023
  • Fix: Can’t Extend Volume in Windows

    January 12, 2023
  • Wi-Fi (Internet) Disconnects After Sleep or Hibernation on Windows 10/11

    January 11, 2023
  • Adding Trusted Root Certificates on Linux

    January 9, 2023

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Shrinking VMDK Virtual Disk Size on VMWare ESXi
  • ESXi: Slow Disk Performance on HPE Gen8
  • Windows Server Licensing for Virtual Environments
  • Invalid State of a Virtual Machine on VMWare ESXi
  • Match Windows Disks to VMWare VMDK Files
  • Accessing USB Flash Drive from VMWare ESXi
  • System Logs on ESXi Host are Stored On Non-Persistent Storage
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top