Update: Check the latest post where I teach you How to reset root password in vCenter Server Appliance 6.5, and, there is also a video in this post. VCSA has a default 90 days root password policy. You can change this behavior or you can manage the password policy through AD if VCSA is integrated with Microsoft AD.
If you don't change the password policy when deploying VCSA then the root account get locked after 90 days. Does how-to unlock the VMware VCSA root password? We will see in this article. The Default vCenter SSO configuration password policy is set to expire passwords in 90 days with last 5 passwords which cannot be reused.
How to unlock the root password of the VCSA?
The default root password of the VCSA is vmware. If the account is locked out so you can't login back you have the option to go to the single mode and use this password for GRUB (you'll be asked for it). If the password was changed during installation, then the GRUB password is the same password as been given to the root account during installation.
Steps to proceed:
1. Reboot VCSA appliance and press the spacebar, then type p to enter the boot options.
2. Highlight the VMware vCenter Server Appliance menu and type e to edit the options.
3. Then on the next screen, you just came back to the recap screen where you need to hit b (to boot).
4. The VCSA appliance will boot and you'll be presented with a possibility to enter a new root password. Type passwd root at the prompt. Enter the new root password. As you can see on my screenshot you'll have to use some complex password otherwise you'll get notified that the password is too simple…
The password expiry policy can be adjusted as I detailed in my article here, where you can also see the integration into Microsoft AD, during the installation and setup of VCSA.
- vCenter Server 5.5 (VCSA) – Install/config – part 1
- VCSA 5.5 Installation and configuration – Part 2
If however the root password has been changed during installation and 90 days later expired, then I do not really have a solution. Comment if you want to share yours….
Source: VMware KB2069041
More from ESX Virtualization:
- What Is Erasure Coding?
- How to patch VMware vCenter Server Appliance (VCSA) from Offline Depot ZIP file
- Free Tools
Totie Bash says
Vladan, I don’t get your last question, “If however the root password has been changed during installation and 90 days later expired, than I do not really have a solution.” You clearly showed how you reset the root password, by typing “passwd root” it will ask you to supply a new root password. This is just standard changing password Linux command. Your title should say password recovery on Vcenter appliance. This is like password recovery on linux using grub single user mode where the procedure just takes you to a shell without asking for the root password.
Your’s is better, this happened to me and I used William Lam’s write up:
http://www.virtuallyghetto.com/2013/09/how-to-recover-vcsa-55-from-expired.html
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2069041
Vladan SEGET says
Toti,
The question I was thinking about was what If you don’t have the GRUB password, so you can’t get further…
Check the KB for this: “If the vCSA root password was reset using the VAMI, then the GRUB password is the password last set in the VAMI for the root account.”
Szegho Zsolt says
Hello Vladan
Can you help me please with folowing issue :
We have a vCenter Server Appliance who manage our environment. More than three month ago we upgraded from 5.1 to 5.5 version.
Few days ago we noticed that we cannot log on with root credential. We folowed the steps described in VMWARE KB Unlocking a
locked out root account and we are connected to vCSA and on admin tab we checked the password never expires and submitted.
Now the inventory service is not started, We think the problem was occured because the Certificate regeneration enabled was in the YES status and the new
certificate is not recognised by the inventory service ?
In the Managed Object Browser we have 3 Service endpoint value
on mob/?moid=ServiceDirectory i found 2 service with same key and sslthumbprint and the last with different key and sslthumbprint can we reregister the good service or unregister what isn’t good
Please help us with this isuue what can we do it.
Thank you for your support
zsolt
Vladan SEGET says
Now I’m not working for VMware. If you’re not under SnS and it’s a production environment, there are other ways to get help than asking on someone’s blog… -:).
VMware support for guiding you is the preferred way to get help. I don’t want to be responsible for messing up your production environment. I hope you understand.
Shawn says
Thanks for this. Saved me today.
mr.congdd says
I do not remember the password set last time, then how
suriya says
Thank you for sharing this article.
GRUB password can be cleared by following this article.
http://www.unixarena.com/2016/04/reset-grub-root-password-vcsa-6-0.html