Logging in to the root account of vCenter Server Appliance (VCSA) fails.
The root account of the vCenter Server Appliance 6.7 U1 and later is locked or the account has expired.
Forgot the root password.
The root account password has been lost or forgotten.
You are unable to log in to vCenter.
Note: The above symptoms can also occur on an external Platform Services Controller (PSC) running on vSphere 6.5 and 6.7.
Environment
VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x
VMware vCenter Server Appliance 6.7.x
Cause
Starting with VCSA 6.7 U1, an SSO user who is a member of the SystemConfiguration.BashShellAdministrator group can log in to the Bash shell and run any command using sudo without a password. This is intended to reduce the gap between the root user and the SSO administrator user. By default, the user is logged in to the appliance shell and has to enable the shell before entering the Bash shell.
If this is the first time logging in, enable the shell, then enter it.
shell.set --enable true
shell
Once in the shell as the SSO user, run the command below to switch to a root shell.
sudo -i
Unlock the 'root' account using the command below if it is already locked due to multiple login attempts with an incorrect password.
pam_tally2 --user=root --reset
For 8.0 U2 onwards:
/usr/sbin/faillock --user root --reset
Note: pam_tally2 is deprecated in Photon 4; use faillock instead.
Then once in root shell, run passwd to change the root password.
passwd
Alternatively, you could use the command:
sudo passwd root
Confirm that you can access the vCenter Server Appliance using the new root password.
To prevent this issue, you could set the root password to never expire by running the command:
chage -I -1 -m 0 -M 99999 -E -1 root
or by changing the setting in the VAMI (https://<vcenter_fqdn>:5480).
The root user will be prompted to reset the password when they try to SSH to the machine if the password has expired or is expiring.
You can also log in to the VAMI as the SSO administrator and reset the root password from there.
An email notification is sent ahead of time to help prevent the root password from expiring.
An alarm will be triggered in vsphere-ui to notify the user about the password expiry.
Changes in 8.0 U2 and above versions:
You will get an error when executing pam_tally2 in 8.0 U2 or later versions, because this utility was deprecated in Photon 4 and 8.0 U2 uses Photon 4. The alternative utility on Photon 4 for unlocking accounts is "/usr/sbin/faillock".
More information: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vcenter.configuration.doc/GUID-523261AF-B36C-4C42-AD0C-8AD8D6AAEFE5.html
Add the host with the forgotten password to the domain. Next, try logging in to the ESXi host with the TestUser credentials. Specify the user name as User@Domain or Domain\User. Once you are logged in to the host, go to the Security & users tab to reset the root password.
To reset the password, enter the following command: “passwd”. You will be prompted to enter your new password for the root user and then to repeat it. You can then reboot your appliance and log in with your new root password.
If the vCenter Server appliance is deployed without editing the root password in the Virtual Appliance Management Interface (VAMI), the default GRUB password is vmware.
To reset the root account password, enter the passwd command in the console. Enter a new password, then reenter the same password to confirm the change. Note: The passwords for all user accounts must meet the following requirements. Passwords must be at least eight characters long.
You can use the 'id' command to confirm that you are root. Now you can simply use the 'passwd' command to reset the root password. Changing password for root. Type 'exit' to close the root shell when you are done.
Procedure. In the vCenter Server Management Interface, click Administration. In the Password section, click Change. Enter the current password and the new password, then click Save.
At the ESXi welcome screen, press F2 to access the System Customization menu. Log in as the root user with the current password. Navigate to "Configure Password" in the menu. Follow the prompts to enter and confirm the new password.
When you install the vCenter Server Appliance, the password lifetime for root user is set to 365 days (vCenter 6.5 or earlier) or 90 days (vSphere 6.7). So root is also subject to password expiration policy.
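Because root is subject to this aging policy, it is worth checking how long the password has left before the account is locked out. The following is an added example, not VMware's code: it works from the root entry in /etc/shadow, and the function names, the 14-day warning threshold and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample shadow lines below are constructed, not from a real system.

# pw_days_left SHADOW_LINE TODAY
#   TODAY is days since 1970-01-01, e.g. $(( $(date +%s) / 86400 )).
#   Prints "never", "must-change", or days until expiry (negative = expired).
pw_days_left() {
    # shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    # Assumption: empty max or 99999 (set by the chage command above) = no expiry.
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo never; return 0; fi
    # Empty lastchg disables aging; 0 forces a change at next login.
    if [ -z "$lastchg" ]; then echo never; return 0; fi
    if [ "$lastchg" -eq 0 ]; then echo must-change; return 0; fi
    echo $(( lastchg + max - $2 ))
}

# pw_status SHADOW_LINE TODAY WARN_DAYS -> OK | WARN | EXPIRED
pw_status() {
    left=$(pw_days_left "$1" "$2")
    case $left in
        never) echo OK ;;
        must-change) echo EXPIRED ;;
        *)
            if [ "$left" -lt 0 ]; then echo EXPIRED
            elif [ "$left" -le "$3" ]; then echo WARN
            else echo OK
            fi ;;
    esac
}

# Constructed samples: 90-day policy, and the never-expire setting.
SAMPLE_90='root:x-constructed:19900:0:90:7:::'
SAMPLE_NEVER='root:x-constructed:19900:0:99999:7:::'

# On the appliance, as root (hypothetical wiring):
#   pw_status "$(grep '^root:' /etc/shadow)" "$(( $(date +%s) / 86400 ))" 14
```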
In a Web browser, go to the vCenter Server Management Interface, https://appliance-IP-address-or-FQDN:5480. Log in as root. The default root password is the password that you set while deploying vCenter Server.
Introduction: My name is Dr. Pierre Goyette, I am an enchanting, powerful, jolly, rich, graceful, colorful, zany person who loves writing and wants to share my knowledge and understanding with you.