Tuesday, August 05, 2025

Password expiration for both the VCSA root user and the vSphere administrator

Password expiration for both the VCSA root account and the vSphere administrator (typically administrator@vsphere.local) is a common issue, especially if the default 90-day expiration settings are overlooked. It recently happened to me in one lab environment. Fortunately, both passwords can be recovered. This blog post outlines the recovery methods that worked in my case.

Resetting the VCSA Root Password 

You can reset the VCSA Root Password via a Reboot (Single-User Mode) and change root password. This is the most common and reliable method if you're completely locked out.

  1. Reboot the VCSA: Reboot the vCenter Server Appliance
  2. Access the GRUB Menu: As the Photon OS starts, press the 'e' key to enter the GNU GRUB Edit Menu
  3. Edit the Boot Line: Locate the line that begins with "linux" and append the following to the end of the line: rw init=/bin/bash
  4. Boot the System: Press F10 to continue booting
  5. Change the Password: At the command prompt, run the passwd command. Enter and confirm the new root password
  6. Unmount and Reboot: Unmount the filesystem by running the command umount / and then reboot the appliance with reboot -f
  7. Log in with new root password: Confirm you can log in with the new root password to VCSA console or via ssh 

Recovering the vSphere Administrator Password

To reset the SSO administrator password, you will need to use a command-line tool on the VCSA. This typically requires you to be logged in VCSA appliance as the root user. As you have already reset VCSA Root Password, you can login to VCSA via ssh if SSH Service is already enabled or you have to enable SSH Service in VCSA console to be able to ssh into VCSA.

  1. SSH to the VCSA: Log in to the VCSA via SSH with the root user credentials you recovered in the previous step
  2. Start the vdcadmintool: Run the following command to start the service tool:
    • /usr/lib/vmware-vmdir/bin/vdcadmintool
  3. Reset the Account Password: From the menu that appears, select option 3 to "Reset account password."
  4. Provide the Account UPN: When prompted, enter the username for the SSO administrator. This is typically administrator@vsphere.local. If you used a custom domain, enter administrator@your_domain
  5. Record the New Password: The tool will generate a new, temporary password. Copy this password.
  6. Log in to vSphere Client: Log in to the vSphere Client with the administrator@vsphere.local username and the new, generated password.
  7. Change the Password: Once logged in, navigate to Administration > Single Sign-On > Users and Groups. Find the administrator user, right-click, and select "Edit User" to set a new password of your choice. 

Preventing Future Password Expirations

To avoid this situation in the future, you can modify the password expiration policies for both VCSA root and SSO administrator accounts.

For the VCSA Root User

  1. Log in to the VCSA's VAMI at https://<vCenter_FQDN>:5480
  2. Go to Administration and change the password expiration settings. You can set the password validity to a high number (e.g., 3650 days)

For the vSphere Administrator

  1. Log in to the vSphere Client
  2. Navigate to Administration > Single Sign-On > Configuration > Policies > Password Policy
  3. Adjust the "Maximum lifetime" for the password to a longer duration

 

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)