ESXi Root Account Locked Due to High Number of Failed Remote Logins

Article ID: 378714

Products

VMware vSphere ESXi

VMware vSphere ESXi 7.0

VMware vSphere ESXi 8.0

Issue/Introduction

  • When logging in to ESXi with the root account, the following error is received: "remote access local user account locked after failed login attempts".
  • The customer recently changed the root password for ESXi.
  • The root account cannot be used to SSH to the host or to access the ESXi host web UI.
  • The root account can still be used to log in to the host through the DCUI.
  • Running the command "pam_tally --user root" shows failed login attempts from a remote server (the source may be shown as an IP address or as Unknown).

Environment

VMware ESXi 7.0

VMware ESXi 8.0

Cause

When the root login credentials for ESXi are changed, any remote server that accesses the host as root (for example, a backup appliance accessing the host directly) will still use the old credentials and will fail to log in. After too many failed remote login attempts as root, ESXi temporarily locks the account because the failures are seen as a security risk. This is working as intended.

Resolution

  1. Navigate to the DCUI using the appropriate out-of-band management console (iLO, iDRAC, KVM, etc.).
  2. Press F2 to log in, and enter the root credentials.
  3. Navigate to Troubleshooting Options, and enable the ESXi shell.
  4. Switch to the shell by pressing Alt + F1, and log in with root again (the shell may have been left logged in, in which case login is not needed).
  5. Run the command "pam_tally --user root" to confirm the failed login count.
  6. Run the command "pam_tally --user root --reset" to clear the failed login counter, which will unlock root for remote login.
  7. Log into the ESXi host web UI with root.
  8. Navigate to Monitor, then Events.
  9. Under the Events tab you will see the IP addresses that attempted to log in. This will include the login attempts you just made.

Once the IP addresses of the remote servers are identified, the customer will need to track them down and reconfigure them to use the correct root password. Alternatively, the customer can block those remote servers on the network or firewall so that they cannot connect to the ESXi host.
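
As a complement to the Events tab in steps 8 and 9, the sources of failed root logins can be ranked from log text in the shell, so that the system generating the most failures is reconfigured first. This is an added example, not part of the original article or of VMware tooling; the sshd-style line format, the log path mentioned in the comments, the function names tally_failed_root and sample_log, and the sample lines (constructed, using documentation addresses) are assumptions.

```shell
#!/bin/sh
# Rank the sources of failed root logins found in sshd-style auth log lines.
# Assumption: failures are logged in one of the OpenSSH shapes
#   "... Failed password for root from ADDR port N ssh2"
#   "... error: PAM: Authentication failure for root from ADDR"
# The exact format and log location on a given ESXi build are assumptions.

tally_failed_root() {
    # Reads log text on stdin, prints "COUNT ADDR", highest count first.
    awk '
        /Failed password for root from|Authentication failure for root from/ {
            # The source address is the field after "root from".
            for (i = 1; i + 2 <= NF; i++)
                if ($i == "root" && $(i + 1) == "from") {
                    hits[$(i + 2)]++
                    break
                }
        }
        END { for (addr in hits) print hits[addr], addr }
    ' | sort -k1,1nr -k2,2
}

sample_log() {
    # Constructed sample lines; addresses are from the RFC 5737 ranges.
    cat <<'EOF'
2024-05-01T10:00:01Z sshd[1001]: error: PAM: Authentication failure for root from 192.0.2.10
2024-05-01T10:00:05Z sshd[1001]: Failed password for root from 192.0.2.10 port 50122 ssh2
2024-05-01T10:01:01Z sshd[1002]: Failed password for root from 192.0.2.10 port 50130 ssh2
2024-05-01T10:02:00Z sshd[1003]: Failed password for root from 198.51.100.7 port 40000 ssh2
2024-05-01T10:02:30Z sshd[1004]: Accepted password for root from 203.0.113.5 port 41000 ssh2
2024-05-01T10:03:00Z sshd[1005]: Failed password for admin from 198.51.100.7 port 40002 ssh2
2024-05-01T10:04:00Z sshd[1006]: Failed password for root from 192.0.2.10 port 50140 ssh2
EOF
}

# Demonstration on the constructed sample. On a host, feed the function the
# real log instead, for example: tally_failed_root < /var/log/auth.log
# (the path is an assumption).
sample_log | tally_failed_root
```

Successful logins and failures for accounts other than root are ignored, so the output lists only the systems still presenting the old root password.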