HowTo: reset vCenter 7 VCSA password or unlock account

Step 1

Take a snapshot of the VM and proceed with forcing a reboot. Once the photon OS splash screen is showing, quickly press “e” to reveal the Grub boot menu.

Move the cursor to the end of the line starting with “linux” and ending with “$systemd_cmdline”

Enter “rw init=/bin/bash” at the end of the line like the below picture:

Then enter: “F10”

Step 2

Now that you are dropped into the system enter the ‘passwd’ command to reset the root user account.

mount -o remount,rw / 
passwd

Step 3

User accounts can be unlocked using the pam_tally2 command with switches –user and –reset.

pam_tally2 -–user=root --reset

Also, I was still under attack in my case, so I’ve increased the root locked login number to 9999. So I’ve enabled the firewall, and reversed the lock password number back from the VCenter appliance (which is explained in step 5).

chage -I -1 -m 0 -M 99999 -E -1 root

Once completed, the user account will be unlocked, and the account can be used again.

Step 4

Finally, reboot the VCenter VM:

reboot -f

Step 5

From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy.

View the values for the lockout policies.

The following lockout policy should be set as follows:

The time interval between failures: 900 seconds

If this lockout policy is not configured as stated, this is a finding.

From the vSphere Client go to Administration >> Single Sign-On >> Configuration >> Policies >> Lockout Policy.

Click “Edit”.

Set the “Time interval between failures” to “900” and click “OK”.