Configuring and troubleshooting vCenter Single Sign On password and lockout policies for accounts

Article ID: 327846

Updated On:

Products

VMware

Issue/Introduction

This article provides information and steps to review and configure vCenter Single Sign On password and lockout policies.

For more information, see the vCenter Server Authentication and User Management section of the vSphere Security Guide.


Symptoms:
  • Cannot log in to the vSphere Web Client using a Single Sign On user account
  • Logging in to the vSphere Web Client as a Single Sign On user fails
  • You see one of these errors:

    • User Account is locked.
    • User Account is disabled.


Resolution

vCenter Single Sign On (SSO), when used as an authentication mechanism, has several configurable security policies and the ability to lock out or disable an account. Usually, the default policies need not be modified. However, you may have to modify them if regulations require different policies or if you are troubleshooting a problem.

Viewing and changing the lockout status of an account

To view the lockout status of an SSO account:
  1. Log in to the vSphere Web Client as an SSO administrator. By default, this user is admin@system-domain.
  2. In the home page, click Administration > Access > SSO Users and Groups.

    You see a screen similar to:




    Each tab shows information from the identity sources about accounts that are configured on the system.

  3. Click the Users tab. The Locked or Disabled columns display the status of each of the SSO accounts that are configured.

    Note: The Locked Users and Disabled Users tabs show information for the identity sources only. They can also be Locked or Disabled. Therefore, based on the account being used, click the appropriate tab.

  4. Right-click the appropriate account and click either Enable/Disable or Unlock the account.
  5. Click Yes to confirm. The status should now change.

Viewing and changing password policies in SSO

vCenter SSO has many different password policies that can be modified as required to satisfy your organizational requirements.
To view or change the default password policies for SSO:
  1. Log in to the vSphere Web Client as an SSO administrator. By default, this user is admin@system-domain.
  2. In the home page, click Administration > Sign-On and Discovery > Configuration.
  3. Click the Policies tab and then click Password Policies to see the current password policies for SSO.

    You see a screen similar to:



  4. To modify the password policy, click Edit.
  5. Make the required changes and then click OK.

Viewing and changing the lockout policy in SSO

vCenter SSO has a strict lockout policy, which can be modified as required to satisfy your organizational requirements.
To view or change the default lockout policy for SSO:
  1. Log in to the vSphere Web Client as an SSO administrator. By default, this user is admin@system-domain.
  2. In the home page, click Administration > Sign-On and Discovery > Configuration.
  3. Click the Policies tab and then click Lockout policy to see the current lockout policy for SSO.

    You see a screen similar to:



  4. To modify the lockout policy, click Edit.
  5. Make the required changes and then click OK.


Additional Information

For details on unlocking and resetting the SSO administrator password, see Unlocking and Resetting the SSO administrator password (2034608).
Resetting the vCenter SSO administrator password