Change or Reset the root account password in vCenter Appliance

Article ID: 322247


Products

VMware vCenter Server

Issue/Introduction

  • Logging in with the root account password of the VMware vCenter Appliance fails.
  • The root account of the vCenter Appliance is locked, or the account has expired.
  • The root account password has been lost or forgotten.
  • Unable to log in to vCenter Server with the root account.
  • Can't log in with the root password.
  • Password/login issues.

This KB provides instructions for regaining access to the root account on a vCenter Appliance.

Environment

  • VMware vCenter 9.x
  • VMware vCenter 8.x

Cause

By default, the vCenter Appliance root password expires every 90 days.

Resolution

Note: Resetting the vCSA password can be done without a reboot, provided the SSO administrator account is known. Refer to Reset vCenter Server Appliance root password without reboot (6.7u1 / 7.x / 8.x)

Change the vCenter root password for the vCenter Appliance, using the steps here: Change the Password and Password Expiration Settings of the Root User

Reset the vCenter root password for the vCenter Appliance using GRUB:

Note:

Before proceeding with the steps below, take a backup and a snapshot of the vCenter Appliance. If the vCenter is part of an Enhanced Linked Mode (ELM) replication setup, also take a backup or an offline (powered-off) snapshot of all replicating vCenter ELM nodes.

If the vCenter Appliance runs on an ESXi host that it manages, connect directly to that host to perform these steps.

  1. Reboot the vCenter Appliance.

  2. After the VCSA Photon OS starts, press the e key to enter the GNU GRUB Edit Menu.

  3. Locate the line that begins with the word "Linux".

  4. Append these entries to the end of the line:
    rw init=/bin/bash

    The line should look like the following screenshot:


  5. Press the F10 key to continue booting.

  6. Run the following command to remount the root filesystem with read-write permissions:
    mount -o remount,rw / 

  7. Unlock the 'root' account using the command below if it is already locked due to multiple failed login attempts.
    pam_tally2 --user=root --reset

    From 8.0 U2 onwards, pam_tally2 is deprecated in Photon 4; use faillock instead:
    /usr/sbin/faillock --user root --reset

  8. At the shell prompt, enter the command: 
    passwd

  9. Provide a new root password (twice for confirmation) 

  10. Unmount the filesystem by running this command: 
    umount /

  11. Reboot the vCenter Appliance by running this command:
    reboot -f

  12. Verify access to the vCenter Appliance using the new root password.

Optional

  1. To prevent this issue, set the root password to never expire by running this command from the vCenter CLI:
    chage -I -1 -m 0 -M 99999 -E -1 root

    Or, change the Password expiration settings in the VAMI page, referring to the document below:
    Change the Password and Password Expiration Settings of the Root User

  2. To confirm the changes made and validate the root account details, run the following command from the vCenter SSH session:
    chage -l root

    Example:
    chage -l root

    Last password change                                    : [example date]
    Password expires                                        : [example date]
    Password inactive                                       : never
    Account expires                                         : never
    Minimum number of days between password change          : 0
    Maximum number of days between password change          : 90
    Number of days of warning before password expires       : 7

Additional Information

Additionally, to check the password details for the [email protected] (default SSO) account, run the following command from the vCenter SSH session:

chage -l sso-user

Example:
chage -l sso-user

Last password change                                    : [example date]
Password expires                                        : [example date]
Password inactive                                       : [example date]
Account expires                                         : never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
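
As an added example (not part of the original KB article), the shell functions below parse `chage -l` output in the layout shown above for root and sso-user and report how many days remain before the password expires, so an approaching expiry can be caught before it causes a lockout. The function names and the sample output with its dates are constructed for illustration; GNU `date` and `awk` are assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the KB. Assumes GNU date and awk are available.

# Constructed sample in the `chage -l` layout shown above (dates are made up).
SAMPLE_CHAGE='Last password change                                    : Jan 01, 2025
Password expires                                        : Apr 01, 2025
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7'

# Print the value of one "Label : value" field. $1 = chage text, $2 = label.
chage_field() {
    printf '%s\n' "$1" | awk -F': ' -v key="$2" '
        { label = $1; value = $2
          gsub(/^[ \t]+|[ \t]+$/, "", label); gsub(/^[ \t]+|[ \t]+$/, "", value) }
        label == key { print value; exit }'
}

# Print whole days until expiry, or "never". $2 = reference date (default: now).
# Returns 2 if the field is missing or its value is not a date.
days_until_expiry() {
    local expires exp_s now_s
    expires=$(chage_field "$1" "Password expires")
    if [ -z "$expires" ]; then return 2; fi
    if [ "$expires" = "never" ]; then echo never; return 0; fi
    exp_s=$(date -u -d "$expires" +%s 2>/dev/null) || return 2
    now_s=$(date -u -d "${2:-now}" +%s 2>/dev/null) || return 2
    echo $(( (exp_s - now_s) / 86400 ))
}

# Classify the account: NEVER, EXPIRED, WARN (inside the warning window) or OK.
expiry_status() {
    local days warn
    days=$(days_until_expiry "$1" "$2") || { echo UNKNOWN; return 2; }
    warn=$(chage_field "$1" "Number of days of warning before password expires")
    if [ "$days" = "never" ]; then echo NEVER
    elif [ "$days" -lt 0 ]; then echo EXPIRED
    elif [ "$days" -le "${warn:-7}" ]; then echo "WARN ($days days left)"
    else echo "OK ($days days left)"
    fi
}

# Demo on the constructed sample; on the appliance, pass "$(chage -l root)".
expiry_status "$SAMPLE_CHAGE" "Mar 27, 2025"
```
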