Managing password expiration settings in VMWare vSphere

Are you trying to figure out how to do ‘managing password expiration settings in VMWare vSphere’?

This guide is for you.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to fix VMWare related errors.
In this context, we shall look into the process of managing password policies in VMWare vSphere.

Password & Lockout Policy on VMWare Single Sign On (SSO)

Usually, you might have come across a notification “Your password will expire in xx days” in the vSphere Client interface. 
Suppose we want to disable the password expiration for the local user administrator@vcenter.local, here are the steps that we follow.
By default, the SSO policy is applied for vSphere local users. It requires a user password to be changed every 90 days.
We can find the SSO password policy settings in the following section of the vSphere Client: Administration >> Single Sign-On >> Configuration.
Then on the Password Policy tab, the following requirements are applied to the passwords of all local vCSA users:
i. The minimum password length is 8 characters (maximum — 20 characters)
ii. A password expires in 90 days (maximum lifetime)
iii. The last 5 passwords are not allowed to be reused
iv. Some password complexity restrictions.

Now we click Edit and change the policy settings. For example, we can change the Maximum lifetime to 365 (it means that we have to change passwords once a year). Or we can also enter 0 here (meaning that the password is not expired).

Change Password Expiration Settings to Never Expire for Local VMWare vCSA Users

In case, if we don’t want to change the password policy for all vCenter users, we can change the password policy and the expiration settings for the specific user.
For example, we want to set the password for the local backup_user to never expire.
For doing so, first, we connect to the vCSA host using the SSH client.
Next, we enable the SSH access to vCSA in the Access >> SSH login >> Enabled section of the Appliance Management (https://your_vcenter_name:5480/ui/access).
Then we will need the dir-cli tool, which is located in /usr/lib/vmware-vmafd/bin/. For that, we run the below command.

cd /usr/lib/vmware-vmafd/bin/

For checking whether the local user exists or not, we run the below command.

./dir-cli user find-by-name --account backup_user
Enter password for administrator@vcenter.local:
Account: backup_user
UPN: backup_user@VCENTER.LOCAL/

After that, we can change the password for this user.

./dir-cli password reset –account backup_user –password OldBackupP@$$ –new NewBackupP@$$

Or we can set password to never expire:

./dir-cli user modify –account backup_user –password-never-expires

Enter password for administrator@vsphere.local:
Password set to never expire for [backup_user]

Root Password Expiration on vCenter VCSA

Generally, when we install the vCenter Server Appliance, the password lifetime for the root users is set to 365 days (vCenter 6.5 or earlier) or 90 days (vSphere 6.7). So root is also subject to the password expiration policy.
We can view the password policy settings in the vCSA Appliance Management. For that, we go to the Administration section and check the values in the “Password expiration settings” section.

Password expires: Yes
Password validity (days): 90
Password expires on: Dec 15, 2020, 4:00:00 AM

We can change the password expiration settings for a root or set it to never expire (if its value is 0).
Also, we can check the root password expiration setting from the vCSA console:

chage -l root

Moreover, it is an interesting fact that the vCSA Appliance Management interface does not prompt root to change the password or show any password expiring warning.
However, if we try to upgrade the vCenter Server Appliance we may come across the following error message:
Appliance (OS) root password is expired or is going to expire soon. Please change the root password before installing an update.
A warning message may appear as below when trying to change the expired root password in vCSA Appliance Management.
Permission Denied. Set the maximum number of days when the password will expire. Administrator configuration updated successfully.
In our case, we are changing the root password in the vCSA console using the below command.


Managing Password Expiration Notification Settings in VMWare vCenter

By default, an expiring password notification in a vCenter Client starts to appear 30 days before it expires.
The domain password policy is applied for user passwords if users authenticate in vCenter using their AD accounts. A user will see a notification prompting them to change the password 30 days before it expires. So if the domain policy enforces password change once in 30 days, VMWare vCenter users constantly see an annoying warning “Your password will expire”.
In vCSA, we can configure how many days before the password expires a user will see this notification.
If we are using vSphere HTML5 client, this setting is specified in the configuration file on the vCenter Server Appliance server: /etc/vmware/vsphere-ui/webclient.properties.
For that, we open the file and find the sso.pending.password.expiration.notification.days parameter.
Then we change its value to 7. It means that the password expiry notification will appear 7 days before it happens. Then we restart the vSphere client:

service-control –stop vsphere-ui
service-control –start vsphere-ui

If we are using the old Web Client (Flex), we will have to change the value of the sso.pending.password.expiration.notification.days parameter in the /etc/vmware/vsphere-client/webclient.properties file.
After we have edited the setting, restart the Web Client service:

service-control –stop vsphere-client
service-control –start vsphere-client

[Need any further assistance in managing the password expiration settings in VMWare vSphere? – We are here to help you]


This article will guide you on the steps to manage the password expiration settings in VMWare vSphere.