
Configuring and troubleshooting vCenter Single Sign On password and lockout policies for accounts (2033823)

Symptoms

  • Cannot log in to the vSphere Web Client using a Single Sign On user account
  • Logging in to the vSphere Web Client as a Single Sign On user fails
  • You see one of these errors:

    • User Account is locked.
    • User Account is disabled.

Purpose

This article provides information and steps to review and configure vCenter Single Sign On password and lockout policies.

For more information, see the vCenter Server Authentication and User Management section of the vSphere Security Guide.

Resolution

vCenter Single Sign On (SSO), when used as an authentication mechanism, has several configurable security policies and can lock out or disable an account. Usually, the default policies need not be modified. However, you may have to modify them if regulations require different policies or if you are troubleshooting a problem.

Viewing and changing the lockout status of an account

To view the lockout status of an SSO account:
  1. Log in to the vSphere Web Client as an SSO administrator. By default, this user is admin@system-domain.
  2. In the home page, click Administration > Access > SSO Users and Groups.

    Each tab shows information from the identity sources about accounts that are configured on the system.

  3. Click the Users tab. The Locked or Disabled columns display the status of each of the SSO accounts that are configured.

    Note: The Locked Users and Disabled Users tabs show information for the identity sources only. They can also be Locked or Disabled. Therefore, based on the account being used, click the appropriate tab.

  4. Right-click the appropriate account and click either Enable/Disable or Unlock the account.
  5. Click Yes to confirm. The status should now change.

Viewing and changing password policies in SSO

vCenter SSO has many different password policies that can be modified as required to satisfy your organizational requirements.
 
To view or change the default password policies for SSO:
  1. Log in to the vSphere Web Client as an SSO administrator. By default, this user is admin@system-domain. 
  2. In the home page, click Administration > Sign-On and Discovery > Configuration.
  3. Click the Policies tab and then click Password Policies to see the current password policies for SSO.

  4. To modify the password policy, click Edit.
  5. Make the required changes and then click OK.

Viewing and changing the lockout policy in SSO

vCenter SSO has a strict lockout policy, which can be modified as required to satisfy your organizational requirements.
 
To view or change the default lockout policy for SSO:
  1. Log in to the vSphere Web Client as an SSO administrator. By default, this user is admin@system-domain.
  2. In the home page, click Administration > Sign-On and Discovery > Configuration.
  3. Click the Policies tab and then click Lockout policy to see the current lockout policy for SSO.

  4. To modify the lockout policy, click Edit.
  5. Make the required changes and then click OK.

Additional Information

For details on unlocking and resetting the SSO administrator password, see Unlocking and Resetting the SSO administrator password (2034608).
