NSX Manager root password is expired and needs to be reset

Article ID: 408091


Products

VMware NSX

Issue/Introduction

  • The root password for the NSX Manager appliance has expired.
  • Direct SSH connections prompt for a new password to be set.
  • When trying to switch from the admin shell to the root shell, the following message may appear:

nsx-mngr-01> st en
% Cannot enter the root shell if the root user's password has expired, invoke the following command to change root's password:
set user root password

Environment

VMware NSX 
VMware NSX-T Data Center

Cause

Password expiration was introduced in NSX-T 2.4.0 because of security requirements. By default, passwords expire after 90 days.
The Password Policy Enhancements in 2.4.0 enforce a minimum password length of 12 characters for default passwords, introduce the ability to set password expiration times, and generate alarms when a password is about to expire. For more details, refer to the VMware NSX-T Data Center 2.4 Release Notes.

Resolution

  • If the admin login is accessible and the root password is known, the root password can be set from the admin shell with "set user root password <new password>".
  • If the admin login is unavailable but the root password is known, a direct SSH connection to the manager as root will trigger a prompt where the password can be reset.
  • If both the root password and the admin password are unknown, reset the root password of NSX Manager by following the steps described in the document below: reboot the NSX Manager appliance and edit the GRUB boot menu.
  • The root password expiry can also be changed from nsxcli with the command below. The expiration can be set to a maximum of 9999 days. Example:
        nsx-mngr-01> set user root password-expiration
          <password-expiration> Number of days password valid after change (1 - 9999)
        nsx-mngr-01> set user root password-expiration 9999
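
An added example, not part of the original article or any VMware tooling: a Python check that takes per-account password age and expiry period and flags accounts that are expired, close to expiry, or configured with a very long period such as 9999 days. The JSON layout, field names, and both thresholds are assumptions, and the sample data is constructed.

```python
import json

# Constructed sample. Assumed fields (modelled on node user properties):
#   last_password_change      = days since the password was last changed
#   password_change_frequency = days a password stays valid after a change
SAMPLE = json.loads("""
{"results": [
  {"userid": 0,     "username": "root",  "status": "ACTIVE",
   "last_password_change": 85,  "password_change_frequency": 90},
  {"userid": 10000, "username": "admin", "status": "PASSWORD_EXPIRED",
   "last_password_change": 93,  "password_change_frequency": 90},
  {"userid": 10002, "username": "audit", "status": "ACTIVE",
   "last_password_change": 400, "password_change_frequency": 9999}
]}
""")

WARN_DAYS = 14         # hypothetical alerting threshold
MAX_POLICY_DAYS = 365  # hypothetical local ceiling for the expiry period


def review_accounts(listing, warn_days=WARN_DAYS, max_policy=MAX_POLICY_DAYS):
    """Return {username: [findings]} for accounts that need attention."""
    report = {}
    for user in listing.get("results", []):
        findings = []
        freq = user.get("password_change_frequency")
        age = user.get("last_password_change")
        if freq is None or age is None:
            findings.append("missing expiry data")
        else:
            remaining = freq - age
            if user.get("status") == "PASSWORD_EXPIRED" or remaining <= 0:
                findings.append("expired")
            elif remaining <= warn_days:
                findings.append(f"expires in {remaining} days")
            # A period like 9999 days avoids lockouts but removes rotation.
            if freq > max_policy:
                findings.append(f"expiry period {freq} days exceeds policy")
        if findings:
            report[user.get("username", "?")] = findings
    return report


if __name__ == "__main__":
    for name, findings in review_accounts(SAMPLE).items():
        print(f"{name}: {'; '.join(findings)}")
```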