
"Associated users password is expired" error when logging in to the vSphere Web Client (2060150)


Symptoms

  • Logging in to the vSphere Web Client using admin@system-domain fails with the error:

    associated users password is expired

  • The C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli\ssopass command fails.
  • You see a certificate error similar to:

    sslhandshakefailed

  • Installing the vSphere Web Client after the SSO user account for admin@system-domain has expired fails with the error:

    The provided credentials are not valid. Please check VM_ssoreg.log in system temporary folder for details

Purpose

Increasing the MAX_LIFE_SEC column in the dbo.IMS_AUTHN_PASSWORD_POLICY table resolves the issue.

Cause

This issue occurs when the admin@system-domain password has expired. The default maximum password lifetime is 365 days.

Resolution

To resolve this issue, increase the MAX_LIFE_SEC column in the dbo.IMS_AUTHN_PASSWORD_POLICY table.
 
To increase the MAX_LIFE_SEC column:
  1. Stop the vCenter Single Sign-on service (SSO).
  2. Log in to SQL Management Studio.
  3. Go to the RSA database.
  4. Expand Tables and highlight the dbo.IMS_AUTHN_PASSWORD_POLICY table.
  5. Right-click and select Edit Top 200 Rows.
  6. Scroll over to the MAX_LIFE_SEC column. The default setting is 31536000 seconds (365 days).

    Note: Select the policy that contains Password Policy for SSO system users within the NOTES field.

  7. Increase this value (for example: 47304000 seconds = 546.5 days, 63072000 seconds = 730 days, 90000000 seconds = 1041 days).
  8. Restart the vCenter Single Sign-on service.
  9. Log in to the vSphere Web Client for vCenter Server as admin@system-domain. The default URL is:

    https://vCenter-server-fqdn:9443

  10. Navigate to Administration > Configuration.
  11. Click the Policies tab.
  12. Click Edit.
  13. Change maximum lifetime to 0 (never expire) or enter the approximate number of days corresponding to the value you set in the MAX_LIFE_SEC column of the database in step 7.
  14. Save your changes and exit the edit.

Note: Instead of steps 6 and 7, you can scroll to the column named PERIODIC_EXPIRE, and set that value to 0. This prevents password expiration. You should only do this if your security policy allows non-expiring passwords.

Note: An alternative method can be found at Resetting an expired password in vCenter Single Sign-On (SSO) (2035864).

Additional Information

Note: There are 86400 seconds in a day. Multiply the number of days you want by 86400 to get the number of seconds to enter into the RSA DB.

Note: The number of seconds/days entered must be greater than the number of seconds/days elapsed since the installation. You may have to use values corresponding to 2 or 3 years or more. Remember to add the number of days you wish the login to be good for:
  • Number of days since installation + number of days the login should remain good = Number of days to enter in Administration > Configuration > Policies tab > Edit > maximum lifetime (Step 13)
  • Number of days to enter * 86400 = number of seconds to enter in the MAX_LIFE_SEC column (Step 7)
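
The following T-SQL is an added example, not VMware's own script. It performs steps 3 through 7 as one auditable transaction and applies the formula above. Assumptions: the database is named RSA, MAX_LIFE_SEC is a numeric column, NOTES is a text column, and the install date and day count are constructed sample values. Run it only while the vCenter Single Sign-On service is stopped (step 1).

```sql
USE [RSA];               -- assumption: database name, as the article calls it
SET NOCOUNT ON;
SET XACT_ABORT ON;       -- any runtime error rolls the transaction back

-- Constructed sample inputs; replace with your own values.
DECLARE @InstallDate       date = '20121001';  -- date SSO was installed
DECLARE @DaysToRemainValid int  = 365;         -- further days the login should stay valid

-- Days since installation + days the login should remain good
DECLARE @TotalDays     int    = DATEDIFF(day, @InstallDate, GETDATE()) + @DaysToRemainValid;
-- Days * 86400 = seconds for MAX_LIFE_SEC
DECLARE @NewMaxLifeSec bigint = CAST(@TotalDays AS bigint) * 86400;
DECLARE @Rows          int;

BEGIN TRANSACTION;

-- Record the current policy so the change can be audited or reverted.
SELECT NOTES, MAX_LIFE_SEC AS old_max_life_sec, PERIODIC_EXPIRE
FROM dbo.IMS_AUTHN_PASSWORD_POLICY
WHERE NOTES LIKE '%Password Policy for SSO system users%';

UPDATE dbo.IMS_AUTHN_PASSWORD_POLICY
SET MAX_LIFE_SEC = @NewMaxLifeSec
WHERE NOTES LIKE '%Password Policy for SSO system users%';

SET @Rows = @@ROWCOUNT;

-- Only the SSO system users policy may change; any other match count is refused.
IF @Rows <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly 1 policy row, matched %d; nothing was modified.', 16, 1, @Rows);
    RETURN;
END

COMMIT TRANSACTION;

-- Value for the maximum lifetime field (step 13) and the seconds now stored.
SELECT @TotalDays AS days_for_step_13, @NewMaxLifeSec AS new_max_life_sec;
```

Keep the output of the first SELECT with your change record; it holds the previous MAX_LIFE_SEC value needed to restore the original policy.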

Note: For more information on resetting the SSO password, see Unlocking and resetting the vCenter Single Sign-On administrator password (2034608).
