vCenter SSO password login fails with error "User account is locked. Please contact your administrator"
Article ID: 326186
Updated On:
Products
Issue/Introduction
- If vCenter SSO password was entered incorrectly three times ,you see the error: "
User account is locked. Please contact your administrator"
- This is seen for default user "
[email protected]" in vCenter Server
Environment
- VMware vCenter Server 6.x
- VMware vCenter Server 7.x
- VMware vCenter Server 8.x
- VMware vCenter Server Appliance 6.x
Resolution
You must unlock and reset the vCenter Single Sign-On (SSO) password in the vCenter Server if you have entered an incorrect password three times. Below are the steps
Table of Contents
Process to Unlock SSO Password
Process to Reset SSO Password
On the Platform Services Controller or vCenter Server with Embedded Platform Services Controller Appliance
On a Windows Platform Services Controller or vCenter Server with Embedded Platform Services Controller
Process to Unlock SSO Password
To unlock an account using another session or using another user account with SSO administrator privileges:
- Click Home.
- Click Administration.
- Click Single Sign-On > Users and Groups.
- Click the Users tab.
- Right-click the affected user account and click Unlock.
In emergency situations or if the default policies are changed, you can also reset the password to unlock the account.
Process to Reset SSO Password
On the Platform Services Controller or vCenter Server with Embedded Platform Services Controller Appliance
- Log in to vCenter Server Appliance using SSH as the root user.
- Run this command to enable access the Bash shell:
shell.set --enabled true
- Type shell and press Enter.
- Run /usr/lib/vmware-vmdir/bin/vdcadmintool
Note: This utility is available only on External PSC node or vCenter Server with Embedded PSC, executing the command on Management node will fail with "No such file or directory" error.
This console loads:
- Press 3 to enter the Reset account password option.
- When prompted for the Account UPN, enter:
User@vSphere_Domain_Name.local (Example - [email protected])
A new password is generated.
Note: If your vSphere Domain name is customized, provide the customized domain name.
- Use the generated password to log in to the User@vSphere_Domain_Name.local account.
- After the password is regenerated, log in to the vSphere Web Client and change the password.
On a Windows Platform Services Controller or vCenter Server with Embedded Platform Services Controller
- Log in to vCenter Server with a domain administrator account. If the Platform Services Controller is installed separate from vCenter Server, log in to the Platform Services Controller server.
- Open an elevated command prompt ( Run command prompt as administrator )
- Run c:\> "%VMWARE_CIS_HOME%\vmdird\vdcadmintool.exe".
- Press 3 to enter the Reset account password option.
- When prompted for the Account UPN, enter:
User@vSphere_Domain_Name.local (Example - [email protected])
Type the new password
Notes:
-
- If you customized your vSphere Domain name, provide the customized domain name.
- If the preceding steps fail with an error "VmDirForceResetPassword failed (5)", use the Built-In Local Administrator Account to login to the vCenter Server (through RDP or Console) and retry the operation by executing vdcadmintool.
- Non-ASCII characters
- Ampersand (&)
- Semicolon ( ; )
- Double quotation mark ( " )
- Single quotation mark ( ' )
- Circumflex ( ^ )
- Backslash ( \ )
- Percentage (%)
- Angle brackets ( < , > )
If generated password has such characters it need to be re-generated. You may need to generate the password several times until the password contains all supported characters. Otherwise, some operations, such as replacing certificates, may not work.
Additional Information
VMware Skyline Health Diagnostics for vSphere - FAQ
Read the article in different language here:
如何在 vSphere 6.x 中解锁并重置 SSO 密码
Feedback
