How to unlock and reset SSO password in vCenter Server using the vdcadmintool

Products

VMware vCenter Server

Issue/Introduction

This article provides steps to unlock and reset the SSO password ([email protected]) in vCenter Server

Note: You must unlock and reset the vCenter Single Sign-On (SSO) password in the vCenter Server if you have entered an incorrect password three times and you see the error:

User account is locked. Please contact your administrator.

This article will explain how to reset the SSO password for the vCenter server appliance and Windows version.

Environment

VMware vCenter Server 6.x
VMware vCenter Server 7.x

VMware vCenter Server 8.x
VMware vCenter Server Appliance 6.x

Resolution

Process to Unlock SSO Password:

To unlock an account using another session or using another user account with SSO administrator privileges:

Click Home.
Click Administration.
Click Single Sign-On > Users and Groups.
Click the Users tab.
Right-click the affected user account and click Unlock.

Note: Unlock the account using another session that is still logged into the PSC server or using another user account with SSO administrator privileges. Reset the password using below steps, if you do not have any other SSO Admin accounts to unlock the Administrator Account (Reset process will automatically Unlock the account).

In emergency situations or if the default policies are changed, you can also reset the password to unlock the account.

Process to Reset SSO Password:

On the Platform Services Controller or vCenter Server with Embedded Platform Services Controller Appliance

Log in to vCenter Server Appliance using SSH as the root user.
Run this command to enable access the Bash shell:

shell.set --enabled true
Type shell and press Enter.
Run /usr/lib/vmware-vmdir/bin/vdcadmintool
Note: This utility is available only on External PSC node or vCenter Server with Embedded PSC, executing the command on Management node will fail with "No such file or directory" error.
This console loads:

Press 3 to enter the Reset account password option.
When prompted for the Account UPN, enter:

User@vSphere_Domain_Name.local (Example - [email protected])

A new password is generated.

Note: If your vSphere Domain name is customized, provide the customized domain name.
Use the generated password to log in to the User@vSphere_Domain_Name.local account.
After the password is regenerated, log in to the vSphere Web Client and change the password.

- If vdcadmintool fails to execute, please verify the size of the file. It should not be '0 kb' in size. If size is 0 KB, copy the file from another vCenter with similar build. Contact VMware Support if you don't have any other environments to copy the file.
  - vdcadmintool.exe is located at C:\Program Files\VMware\vCenter Server\vmdird\
Use the generated password to log in to the User@vSphere_Domain_Name.local account.
After the password is regenerated, log in to vSphere Web Client and change the user password.

On a Windows Platform Services Controller or vCenter Server with Embedded Platform Services Controller:

Log in to vCenter Server with a domain administrator account. If the Platform Services Controller is installed separate from vCenter Server, log in to the Platform Services Controller server.
Open an elevated command prompt ( Run command prompt as administrator )
Run c:\> "%VMWARE_CIS_HOME%\vmdird\vdcadmintool.exe".
Press 3 to enter the Reset account password option.
When prompted for the Account UPN, enter:

User@vSphere_Domain_Name.local (Example - [email protected])

Type the new password

Notes:

- If you customized your vSphere Domain name, provide the customized domain name.
- If the preceding steps fail with an error "VmDirForceResetPassword failed (5)", use the Built-In Local Administrator Account to login to the vCenter Server (through RDP or Console) and retry the operation by executing vdcadmintool.

Additional Information

VMware Skyline Health Diagnostics for vSphere - FAQ

Read the article in different language here:
如何在 vSphere 6.x 中解锁并重置 SSO 密码