Resetting the root password in vCenter Server Appliance

Article ID: 322247

Updated On: 04-27-2025

Products

VMware vCenter Server

Issue/Introduction

  • Logging in with the root account password of the VMware vCenter Server Appliance fails.
  • The root account of the vCenter Server Appliance is locked or has expired.
  • The root account password has been lost or forgotten.
  • You are unable to log in to vCenter Server with the root account.

This KB describes how to recover root-account access to a vCenter Server Appliance.

Environment

vCenter Server 8.0
vCenter Server 7.0
vCenter Server 6.7

Cause

With the default settings, the vCenter Server Appliance's root user password expires after 90 days.

For more information, see Change the Password and Password Expiration Settings of the Root User

Resolution

Process to Reset the Root Password in vCenter Server Appliance (VCSA):

To reset the root password for the vCenter Server Appliance:

  1. Take a snapshot or backup of the vCenter Server Appliance before proceeding.
    • Caution: Do not skip this step.
    • Note: If the vCenter Server Appliance runs on an ESXi host that it manages, connect directly to that ESXi host to perform these steps.
  2. Reboot the vCenter Server Appliance.
  3. After the VCSA Photon OS starts, press the e key to enter the GNU GRUB Edit Menu.
  4. Locate the line that begins with the word "Linux".
  5. Append these entries to the end of the line:

    rw init=/bin/bash

    The line should look like the following screenshot:

  6. Press the F10 key to continue booting.
  7. Run the command:
    mount -o remount,rw /
  8. If the 'root' account is already locked due to multiple login attempts with an incorrect password, unlock it using the command below.
    pam_tally2 --user=root --reset

    For 8.0 U2 onwards:
    /usr/sbin/faillock --user root --reset
    (Note: pam_tally2 is deprecated in Photon 4; use faillock instead.)
  9. At the command prompt, enter the command passwd and provide a new root password (twice for confirmation):
    passwd
  10. Unmount the filesystem by running this command (yes, the unmount command is umount; it's not a spelling error):
    umount /
  11. Reboot the vCenter Server Appliance by running this command:
    reboot -f
  12. Confirm that you can access the vCenter Server Appliance using the new root password.
  13. Remove the snapshot taken initially if applicable.
  14. To prevent this issue, you can set the root password to never expire by running this command from the vCenter CLI:
    # chage -I -1 -m 0 -M 99999 -E -1 root
    Or change the password expiration settings in the VAMI page, as described in the document below:
    Change the Password and Password Expiration Settings of the Root User
  15. To confirm the changes made and validate the root account details, run the following command from the vCenter SSH session:

    root@vc[~]# chage -l root

    Example:

    root@vc [ / ]# chage -l root
    Last password change                                    : Aug 20, 2024
    Password expires                                        : Nov 18, 2024
    Password inactive                                       : never
    Account expires                                         : never
    Minimum number of days between password change          : 0
    Maximum number of days between password change          : 90
    Number of days of warning before password expires       : 7

Additional Information

Additionally, to check the password details for the administrator@vsphere.local (default SSO) account, run the following command from the vCenter SSH session:

    root@vc[~]# chage -l sso-user

    Example:

    root@vc [ / ]# chage -l sso-user
    Last password change                                    : Feb 14, 2023
    Password expires                                        : May 15, 2023
    Password inactive                                       : May 15, 2023
    Account expires                                         : never
    Minimum number of days between password change          : 1
    Maximum number of days between password change          : 90
    Number of days of warning before password expires       : 7
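
The following is an added example, not part of the original KB: a POSIX shell check that reads `chage -l` output like the samples above and reports whether the password is still valid, inside its warning window, or already expired. The function names and the embedded sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB): classify password-expiry state from
# `chage -l` output so expiry is caught before the account locks out.

# "Mon DD, YYYY" -> Julian day number, in plain awk (no GNU date needed).
to_days() {
  echo "$1" | awk '{
    gsub(",", "", $2)
    i = index("JanFebMarAprMayJunJulAugSepOctNovDec", $1)
    if (i == 0) exit 1
    m = (i + 2) / 3; a = int((14 - m) / 12)
    y = $3 + 4800 - a; m = m + 12 * a - 3
    print $2 + int((153 * m + 2) / 5) + 365 * y + int(y / 4) - int(y / 100) + int(y / 400) - 32045
  }'
}

# stdin: `chage -l` output; $1: today's date as "Mon DD, YYYY".
# Prints "never" or the number of days until expiry (negative if past).
days_until_expiry() {
  expires=$(awk -F': ' '/^[ \t]*Password expires/ { sub(/[ \t]+$/, "", $2); print $2; exit }')
  [ -n "$expires" ] || return 1
  if [ "$expires" = never ]; then echo never; return 0; fi
  echo $(( $(to_days "$expires") - $(to_days "$1") ))
}

# Prints NEVER, EXPIRED, WARN (inside the account's warning window) or OK.
expiry_status() {
  out=$(cat)
  left=$(printf '%s\n' "$out" | days_until_expiry "$1") || { echo UNKNOWN; return 1; }
  warn=$(printf '%s\n' "$out" | awk -F': ' '/days of warning/ { print $2 + 0; exit }')
  if [ "$left" = never ]; then echo NEVER
  elif [ "$left" -lt 0 ]; then echo EXPIRED
  elif [ "$left" -le "${warn:-7}" ]; then echo WARN
  else echo OK; fi
}

# Constructed samples, modelled on the example output in this article.
ROOT_SAMPLE='Last password change                                    : Aug 20, 2024
Password expires                                        : Nov 18, 2024
Number of days of warning before password expires       : 7'
NEVER_SAMPLE='Password expires                                        : never
Number of days of warning before password expires       : 7'

printf '%s\n' "$ROOT_SAMPLE" | expiry_status "Nov 12, 2024"   # inside warning window
# On the appliance: chage -l root | expiry_status "$(date '+%b %d, %Y')"
```
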

For 7.0 U1 and 6.7 U3j there are a few changes:

  1. The root user is prompted to reset the password when connecting to the machine over SSH if the password has expired or is about to expire.
  2. You can also log in to VAMI using the SSO administrator and reset the root password from there.
  3. An email notification is sent earlier to help prevent the root password from expiring.
  4. An alarm will be triggered in vSphere Client to notify the user about the password expiry.

Changes in 8.0 U2 and later versions:

  • Running pam_tally2 on 8.0 U2 or later returns the error below, because this utility was deprecated in Photon 4 and 8.0 U2 uses Photon 4:
    "-bash: pam_tally2: command not found"
  • The alternative utility on Photon 4 for unlocking accounts is "/usr/sbin/faillock".

For more information, see:

Resetting the root password of vCenter Server Appliance 7.x / 8.x