"Associated users password is expired" error when logging in to the vSphere Web Client

Article ID: 336128


Products

VMware vCenter Server

Issue/Introduction

Increasing the MAX_LIFE_SEC column in the dbo.IMS_AUTHN_PASSWORD_POLICY table resolves the issue.

Symptoms:
  • Logging in to the vSphere Web Client using admin@system-domain fails with the error:

    associated users password is expired

  • The C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli\ssopass command fails.
  • You see a certificate error similar to:

    sslhandshakefailed

  • Installing the vSphere Web Client after the SSO user account for admin@system-domain has expired fails with the error:

    The provided credentials are not valid. Please check VM_ssoreg.log in system temporary folder for details



Environment

VMware vCenter Server 5.1.x

Cause

This issue occurs when the admin@system-domain password has expired. By default, the password expires after 365 days.

Resolution

To resolve this issue, increase the MAX_LIFE_SEC column in the dbo.IMS_AUTHN_PASSWORD_POLICY table.
To increase the MAX_LIFE_SEC column:
  1. Stop the vCenter Single Sign-on service (SSO).
  2. Log in to SQL Management Studio.
  3. Go to the RSA database.
  4. Expand Tables and highlight the dbo.IMS_AUTHN_PASSWORD_POLICY table.
  5. Right-click and select Edit Top 200 Rows.
  6. Scroll over to the MAX_LIFE_SEC column. The default setting is 31536000 seconds (365 days).

    Note: Select the policy that contains Password Policy for SSO system users within the NOTES field.

  7. Increase this value (for example: 47304000 seconds = 546.5 days, 63072000 seconds = 730 days, 90000000 seconds = 1041 days).
  8. Restart the vCenter Single Sign-on service.
  9. Log in to vCenter Server through the vSphere Web Client as admin@system-domain. The default URL is:

    https://vCenter-server-fqdn:9443

  10. Navigate to Administration > Configuration.
  11. Click the Policies tab.
  12. Click Edit.
  13. Change maximum lifetime to 0 (never expire), or enter the approximate number of days corresponding to the value you set in the MAX_LIFE_SEC column of the database in step 7.
  14. Save your changes and exit the edit.

Note: Instead of steps 6 and 7, you can scroll to the column named PERIODIC_EXPIRE, and set that value to 0. This prevents password expiration. You should only do this if your security policy allows non-expiring passwords.

Note: An alternative method can be found at Resetting an expired password in vCenter Single Sign-On (SSO) (2035864).


Additional Information

Note: There are 86400 seconds in a day. Multiply 86400 by the number of days you want to get the number of seconds to enter into the RSA database.

Note: The number of seconds/days entered must be greater than the number of seconds/days elapsed since the installation. You may have to use values corresponding to 2 or 3 years or more. Remember to add the number of days you wish the login to be good for:
  • Number of days since installation + number of days the login should remain good = Number of days to enter in Administration > Configuration > Policies tab > Edit > maximum lifetime (Step 13)
  • Number of days to enter * 86400 = number of seconds to enter in the MAX_LIFE_SEC column (Step 7)
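
Steps 2 through 7 and the day arithmetic above can also be done as a single T-SQL batch instead of editing the grid by hand. This is an added example, not a VMware-supplied script; it uses only the database, table and column names given in this article, and the two day counts are constructed sample values.

```sql
-- Added example. Run in SQL Management Studio with the SSO service stopped (step 1).
-- Assumption: the SSO database is named RSA, as in step 3.
USE RSA;
GO
SET XACT_ABORT ON;

DECLARE @days_since_install INT, @days_valid INT, @new_days INT;
DECLARE @new_max_life_sec BIGINT, @rows INT;

-- Constructed sample inputs: replace with your own values.
SET @days_since_install = 400;  -- days elapsed since SSO was installed
SET @days_valid         = 330;  -- further days the login should remain good
SET @new_days           = @days_since_install + @days_valid;   -- value for step 13
SET @new_max_life_sec   = CAST(@new_days AS BIGINT) * 86400;   -- value for step 7

BEGIN TRANSACTION;

-- Show the current policy row before changing it (see the Note under step 6).
SELECT MAX_LIFE_SEC, PERIODIC_EXPIRE, NOTES
FROM dbo.IMS_AUTHN_PASSWORD_POLICY
WHERE NOTES LIKE '%Password Policy for SSO system users%';

-- Only ever raise the lifetime; never lower it by accident.
UPDATE dbo.IMS_AUTHN_PASSWORD_POLICY
SET MAX_LIFE_SEC = @new_max_life_sec
WHERE NOTES LIKE '%Password Policy for SSO system users%'
  AND MAX_LIFE_SEC < @new_max_life_sec;

SET @rows = @@ROWCOUNT;

-- Commit only if exactly one policy row was changed; otherwise undo.
IF @rows = 1
BEGIN
    COMMIT TRANSACTION;
    PRINT 'MAX_LIFE_SEC set to ' + CAST(@new_max_life_sec AS VARCHAR(20))
        + ' seconds. Enter ' + CAST(@new_days AS VARCHAR(10)) + ' days in step 13.';
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    PRINT 'Expected to update exactly 1 policy row, updated '
        + CAST(@rows AS VARCHAR(10)) + '. No change was made.';
END
```

With the sample inputs the batch writes 63072000 seconds (730 days), one of the example values from step 7. Continue with step 8 afterwards.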

Note: For more information on resetting the SSO password, see Unlocking and resetting the vCenter Single Sign-On administrator password (2034608).


Resetting the vCenter SSO administrator password
Resetting an expired password in vCenter Single Sign-On (SSO)
Understanding vCenter Single Sign-On (SSO) command line options