Bobcares

Managing password expiration settings in VMWare vSphere

Dec 13, 2020

Are you looking for details about ‘managing password expiration settings in VMWare vSphere’? You’re at the right place.

Here at Bobcares, we have seen several such VMWare related errors as part of our Server Management Services for web hosts and online service providers.

Today we will take a look at managing password policies in VMWare vSphere.

 

Password & Lockout Policy on VMWare Single Sign On (SSO)

You might have come across the notification “Your password will expire in xx days” in the vSphere Client interface.

Now let’s see how our Support Engineers manage this password policy.

Suppose we want to disable password expiration for the local user administrator@vcenter.local. Here are the steps that we follow.

By default, the SSO policy is applied for vSphere local users. It requires a user password to be changed every 90 days.

We can find the SSO password policy settings in the following section of the vSphere Client: Administration >> Single Sign-On >> Configuration.

Then on the Password Policy tab, the following requirements are applied to the passwords of all local vCSA users:

  • The minimum password length is 8 characters (maximum — 20 characters)
  • A password expires in 90 days (maximum lifetime)
  • The last 5 passwords are not allowed to be reused
  • Some password complexity restrictions.

Now we click Edit and change the policy settings. For example, we can change the Maximum lifetime to 365, which means that passwords have to be changed once a year. We can also enter 0 here, which means that passwords never expire for the local users covered by this policy.

 

Change Password Expiration Settings to Never Expire for Local VMWare vCSA Users

If we don’t want to change the password policy for all vCenter users, we can change the password and expiration settings for a specific user instead.

For example, we want to set the password for the local backup_user to never expire.

To do so, we first connect to the vCSA host using an SSH client.

Next, we enable the SSH access to vCSA in the Access >> SSH login >> Enabled section of the Appliance Management (https://your_vcenter_name:5480/ui/access).

Then we need the dir-cli tool, which is located in /usr/lib/vmware-vmafd/bin/, so we change to that directory with the command below.

cd /usr/lib/vmware-vmafd/bin/

To check whether the local user exists, we run the command below.

./dir-cli user find-by-name --account backup_user
Enter password for administrator@vcenter.local:
Account: backup_user
UPN: backup_user@VCENTER.LOCAL/

After that, we can change the password for this user. The passwords are single-quoted because the shell would otherwise expand $$ to its own process ID.

./dir-cli password reset --account backup_user --password 'OldBackupP@$$' --new 'NewBackupP@$$'

Or we can set the password to never expire:

./dir-cli user modify --account backup_user --password-never-expires
Enter password for administrator@vsphere.local:
Password set to never expire for [backup_user]

 

Root Password Expiration on vCenter VCSA

Generally, when we install the vCenter Server Appliance, the password lifetime for the root user is set to 365 days (vCenter 6.5 or earlier) or 90 days (vSphere 6.7). So root is also subject to the password expiration policy.

We can view the password policy settings in the vCSA Appliance Management. For that, we go to the Administration section and check the values in the “Password expiration settings” section.

Password expires: Yes
Password validity (days): 90
Password expires on: Dec 13, 2020, 2:00:00 AM

Here we can change the password expiration settings for root, or set the password to never expire by entering 0 as the validity value.

Also, we can check the root password expiration setting from the vCSA console:

chage -l root

Note that the vCSA Appliance Management interface does not prompt root to change the password or show any password expiry warning.

However, if we try to upgrade the vCenter Server Appliance we may come across the following error message:

Appliance (OS) root password is expired or is going to expire soon. Please change the root password before installing an update.

A warning message may appear as below when trying to change the expired root password in vCSA Appliance Management.

Permission Denied. Set the maximum number of days when the password will expire. Administrator configuration updated successfully.

In our case, we are changing the root password in the vCSA console using the below command.

passwd
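
Since the Appliance Management interface gives no warning, a scheduled check on the appliance can flag the root password before an update is blocked. The script below is an added example, not part of the original article: it computes the days remaining from the /etc/shadow aging fields that chage -l summarizes, and the function names, the 14-day threshold and the sample entry are assumptions.

```shell
#!/bin/sh
# Added example: days until a local account's password expires, computed from
# the /etc/shadow aging fields that `chage -l` summarizes.
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire
# (lastchg is in days since 1970-01-01, max is the maximum age in days).

# days_left SHADOW_LINE TODAY_DAYS -> prints "never" or an integer (negative = expired)
days_left() {
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    # Empty lastchg, or empty/negative max: password aging is disabled.
    case "$lastchg" in ''|*[!0-9]*) echo never; return 0 ;; esac
    case "$max" in ''|*[!0-9]*) echo never; return 0 ;; esac
    # lastchg 0 forces a change at next login: report it as already expired.
    if [ "$lastchg" -eq 0 ]; then echo -1; return 0; fi
    echo $(( lastchg + max - $2 ))
}

# expiry_status SHADOW_LINE TODAY_DAYS WARN_DAYS -> prints OK, WARN or EXPIRED
expiry_status() {
    left=$(days_left "$1" "$2")
    if [ "$left" = never ]; then echo OK
    elif [ "$left" -lt 0 ]; then echo EXPIRED
    elif [ "$left" -le "$3" ]; then echo WARN
    else echo OK
    fi
}

# Constructed sample entry (hash replaced by a placeholder): changed on day
# 18519 (2020-09-14) with a 90-day maximum age, so it expires on day 18609
# (2020-12-13), matching the example values shown above.
SAMPLE='root:$6$placeholder:18519:0:90:7:::'

# On the appliance, run as root against the live entry, for example from cron:
#   expiry_status "$(grep '^root:' /etc/shadow)" "$(( $(date +%s) / 86400 ))" 14
```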

 

Managing Password Expiration Notification Settings in VMWare vCenter

By default, an expiring password notification in a vCenter Client starts to appear 30 days before it expires.

The domain password policy is applied for user passwords if users authenticate in vCenter using their AD accounts. A user will see a notification prompting them to change the password 30 days before it expires. So if the domain policy enforces password change once in 30 days, VMWare vCenter users constantly see an annoying warning “Your password will expire”.

In vCSA, we can configure how many days before the password expires a user will see this notification.

If we are using vSphere HTML5 client, this setting is specified in the configuration file on the vCenter Server Appliance server: /etc/vmware/vsphere-ui/webclient.properties.

For that, we open the file and find the sso.pending.password.expiration.notification.days parameter.

Then we change its value to 7. It means that the password expiry notification will appear 7 days before the password expires. Then we restart the vSphere client:

service-control --stop vsphere-ui
service-control --start vsphere-ui

If we are using the old Web Client (Flex), we will have to change the value of the sso.pending.password.expiration.notification.days parameter in the /etc/vmware/vsphere-client/webclient.properties file.

After we have edited the setting, we restart the Web Client service:

service-control --stop vsphere-client
service-control --start vsphere-client
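
The edit to webclient.properties can be scripted so that it is repeatable and leaves a backup. This is an added example, not part of the original article: the function names and the .bak suffix are assumptions, and the client service still has to be restarted afterwards as described above.

```shell
#!/bin/sh
# Added example: set the notification window in a webclient.properties file
# idempotently, keeping a backup copy next to it (FILE.bak).

KEY='sso.pending.password.expiration.notification.days'

# set_notification_days FILE DAYS
set_notification_days() {
    file=$1
    days=$2
    case "$days" in ''|*[!0-9]*) echo "days must be a non-negative integer" >&2; return 2 ;; esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    # Escape the dots so the key is matched literally, not as a regex.
    key_re=$(printf '%s' "$KEY" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
        # Rewrite the active line; commented-out copies are left untouched.
        # Redirecting into the existing file keeps its owner and mode.
        sed "s/^[[:space:]]*${key_re}[[:space:]]*=.*/${KEY}=${days}/" "$file.bak" > "$file"
    else
        # Key not present: append it, adding a newline first if the file lacks one.
        [ -n "$(tail -c 1 "$file")" ] && echo >> "$file"
        printf '%s=%s\n' "$KEY" "$days" >> "$file"
    fi
}

# get_notification_days FILE -> prints the active value (the last one wins)
get_notification_days() {
    key_re=$(printf '%s' "$KEY" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Usage on the appliance (HTML5 client path from the article):
#   set_notification_days /etc/vmware/vsphere-ui/webclient.properties 7
```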


 

Conclusion

Today, we saw how our Support Engineers manage the password expiration settings in VMWare vSphere.
