Change or Reset the root account password in vCenter Appliance

Article ID: 322247

Products

VMware vCenter Server

Issue/Introduction

  • Logging in with the root account password of the VMware vCenter Appliance fails.
  • The root account of the vCenter Appliance is locked or has expired.
  • The root account password has been lost or forgotten.
  • Unable to log in to vCenter Server with the root account.
  • Can't log in with the root password.
  • Password/login issues.

This KB describes how to recover root account access to a vCenter Appliance.

Environment

VMware vCenter 9.x

VMware vCenter Server 8.x

Cause

By default, the vCenter Appliance root password expires every 90 days.

Resolution

Note: Resetting the vCSA password can be done without a reboot as long as the SSO administrator account is known. Refer to Reset vCenter Server Appliance root password without reboot (6.7u1 / 7.x / 8.x).

Change the vCenter root password for the vCenter Appliance, using the steps here: Change the Password and Password Expiration Settings of the Root User

Reset the vCenter root password for the vCenter Appliance using GRUB:

Note:

Before proceeding with the steps below, take a backup and a snapshot of the vCenter Appliance. If the vCenter is part of an Enhanced Linked Mode (ELM) replication setup, also take a backup or offline (powered off) snapshot of all replicating vCenter ELM nodes.

If the vCenter Appliance runs on an ESXi host that it manages, connect directly to that ESXi host to perform these steps.

  1. Reboot the vCenter Appliance.
  2. After the VCSA Photon OS starts, press the e key to enter the GNU GRUB Edit Menu.
  3. Locate the line that begins with the word "linux".
  4. Append these entries to the end of the line:

    rw init=/bin/bash

    The line should look like the following screenshot:

  5. Press the F10 key to continue booting.
  6. Run the following command to remount the root filesystem with read-write permissions:
     
    mount -o remount,rw / 

  7. If the 'root' account is already locked because of multiple login attempts with an incorrect password, unlock it using the command below.

    pam_tally2 --user=root --reset


    From 8.0 U2 onwards, pam_tally2 is deprecated in Photon 4. Use faillock instead:

    /usr/sbin/faillock --user root --reset

  8. At the shell prompt, enter the command: 

    passwd

  9. Provide a new root password (twice for confirmation) 
  10. Unmount the filesystem by running this command: 

    umount /


  11. Reboot the vCenter Appliance by running this command:

    reboot -f


  12. Verify access to the vCenter Appliance using the new root password.

Optional

  1. To prevent this issue, set the root password to never expire by running this command from the vCenter CLI:
    chage -I -1 -m 0 -M 99999 -E -1 root
    Or, change the password expiration settings in the VAMI page by following the document below:
    Change the Password and Password Expiration Settings of the Root User
  2. To confirm the changes made and validate the root account details, run the following command from the vCenter SSH session:
    chage -l root

    example:
    chage -l root

Last password change                                    : [example date]
Password expires                                        : [example date]
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
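
As an added example (not part of the KB or VMware's tooling), the shell functions below parse chage -l output in the format shown above and report whether the password is inside its warning window or already expired, so the 90-day expiry is noticed before a GRUB reset is needed. It assumes GNU date and English-locale chage output; the function names and the sample dates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB): classify `chage -l` output so an expiring
# root password is caught before it locks the account. Assumes GNU date.
# On the appliance: chage -l root | expiry_status "$(date -u +%s)"

# Print the value of one "Label : value" line from chage -l output on stdin.
chage_field() {
    awk -F'[ \t]*:[ \t]*' -v key="$1" '
        { sub(/^[ \t]+/, "", $1) }
        $1 == key { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# stdin: chage -l output; $1: current time in epoch seconds.
# Prints "OK <days>", "WARN <days>", "EXPIRED <days>", "NEVER" or "UNKNOWN".
expiry_status() {
    now=$1
    report=$(cat)
    expires=$(printf '%s\n' "$report" | chage_field "Password expires")
    warn=$(printf '%s\n' "$report" |
        chage_field "Number of days of warning before password expires")
    case $warn in ''|*[!0-9]*) warn=7 ;; esac   # assumed fallback value
    case $expires in
        '')    echo "UNKNOWN"; return 0 ;;
        never) echo "NEVER";   return 0 ;;
    esac
    exp_epoch=$(date -u -d "$expires" +%s 2>/dev/null) ||
        { echo "UNKNOWN"; return 0; }
    days=$(( (exp_epoch - now) / 86400 ))
    # Assumption: the password counts as expired from 00:00 UTC of that date.
    if   [ "$exp_epoch" -le "$now" ]; then echo "EXPIRED $days"
    elif [ "$days" -le "$warn" ];     then echo "WARN $days"
    else                                   echo "OK $days"
    fi
}

# Constructed sample in the format shown above (dates are made up).
sample_chage_output() {
    cat <<'EOF'
Last password change                                    : Dec 15, 2024
Password expires                                        : Mar 15, 2025
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
EOF
}

sample_chage_output | expiry_status "$(date -u -d '2025-03-10' +%s)"
```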

Additional Information

Additionally, to check the password details for the [email protected] (default SSO) account, run the following command from the vCenter SSH session:

chage -l sso-user

example:
chage -l sso-user

Last password change                                    : [example date]
Password expires                                        : [example date]
Password inactive                                       : [example date]
Account expires                                         : never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7