vCenter Single Sign-On policies enforce the security rules for local accounts and tokens in general. You can view and edit the default vCenter Single Sign-On password policy, lockout policy, and token policy.

Edit the vCenter Single Sign-On Password Policy

The vCenter Single Sign-On password policy determines the password format and password expiration. Password policy applies only to users in the vCenter Single Sign-On domain (vsphere.local).

By default, vCenter Single Sign-On built-in user account passwords expire after 90 days. The vSphere Client reminds you when your password is about to expire.

See Change Your vCenter Single Sign-On Password.
Note: The administrator account (administrator@vsphere.local) does not get locked out, nor does its password expire. Proper security practice is to audit logins from this account and rotate the password regularly.

Procedure

  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@mydomain.
  3. Navigate to the Configuration UI.
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Configuration.
  4. Click the Local Accounts tab.
  5. Click Edit for the Password Policy row.
  6. Edit the password policy.
    Description: Password policy description.
    Maximum lifetime: Maximum number of days that a password is valid before the user must change it. The maximum number of days you can enter is 999999999. A value of zero (0) means that the password never expires.
    Restrict reuse: Number of previous passwords that cannot be reused. For example, if you enter 6, the user cannot reuse any of the last six passwords.
    Maximum length: Maximum number of characters that are allowed in the password.
    Minimum length: Minimum number of characters required in the password. The minimum length must be no less than the combined minimum of alphabetic, numeric, and special character requirements.
    Character requirements: Minimum number of different character types that are required in the password. You can specify the number of each type of character, as follows:
    • Special: & # %
    • Alphabetic: A b c D
    • Uppercase: A B C
    • Lowercase: a b c
    • Numeric: 1 2 3
    • Identical Adjacent: The number must be greater than 0. For example, if you enter 1, the following password is not allowed: p@$$word.

    The minimum number of alphabetic characters must be no less than the combined uppercase and lowercase characters.

    Non-ASCII characters are supported in passwords. In earlier versions of vCenter Single Sign-On, limitations on supported characters exist.

    Note: The password policy picks up the maximum length value only if the minimum length is greater than 20 characters. The behavior of the password policy is undefined or could result in failure of services when the minimum length value is greater than 20 characters and the maximum length is set to any value. To avoid a potential problem, leave the minimum length set to the default value of 8 characters, or no greater than 20 characters.
  7. Click Save.
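The rules in the Password Policy dialog above, modelled as a checker. This is an added example, not VMware code; the policy values are constructed, and the field constraints (minimum length versus the combined character minimums, alphabetic versus uppercase plus lowercase) are the ones the dialog enforces.

```python
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    """Fields mirror the Password Policy dialog; the values are constructed, not vSphere defaults."""
    min_length: int = 8                # keep at or below 20, per the note above
    max_length: int = 20
    min_special: int = 1
    min_alphabetic: int = 2
    min_uppercase: int = 1
    min_lowercase: int = 1
    min_numeric: int = 1
    max_identical_adjacent: int = 1    # must be > 0; 1 rejects "p@$$word"
    restrict_reuse: int = 6            # previous passwords that may not be reused

    def consistency_errors(self):
        """Constraints between fields that the dialog itself enforces."""
        errs = []
        if self.min_length < self.min_alphabetic + self.min_numeric + self.min_special:
            errs.append("minimum length is below the combined character minimums")
        if self.min_alphabetic < self.min_uppercase + self.min_lowercase:
            errs.append("minimum alphabetic is below uppercase plus lowercase")
        return errs

def longest_identical_run(password):
    """Length of the longest run of identical adjacent characters ("$$" -> 2)."""
    best, run, prev = 0, 0, None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best, prev = max(best, run), ch
    return best

def check_password(password, policy, history=()):
    """Return the list of violations; an empty list means the password is accepted."""
    errs = policy.consistency_errors()
    counts = {"special": sum(not c.isalnum() for c in password),  # non-ASCII letters count as alphabetic
              "alphabetic": sum(c.isalpha() for c in password),
              "uppercase": sum(c.isupper() for c in password),
              "lowercase": sum(c.islower() for c in password),
              "numeric": sum(c.isdigit() for c in password)}
    if not policy.min_length <= len(password) <= policy.max_length:
        errs.append("length %d outside %d..%d" % (len(password), policy.min_length, policy.max_length))
    for kind, have in counts.items():
        need = getattr(policy, "min_" + kind)
        if have < need:
            errs.append("needs at least %d %s characters, has %d" % (need, kind, have))
    run = longest_identical_run(password)
    if run > policy.max_identical_adjacent:
        errs.append("identical adjacent run of %d exceeds %d" % (run, policy.max_identical_adjacent))
    if policy.restrict_reuse and password in list(history)[-policy.restrict_reuse:]:
        errs.append("matches one of the last %d passwords" % policy.restrict_reuse)
    return errs
```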

Edit the vCenter Single Sign-On Lockout Policy

If a user attempts to log in with incorrect credentials, a vCenter Single Sign-On lockout policy specifies when the user's vCenter Single Sign-On account is locked. Administrators can edit the lockout policy.

If a user logs in to vsphere.local multiple times with the wrong password, the user is locked out. The lockout policy allows administrators to specify the maximum number of failed login attempts, and set the time interval between failures. The policy also specifies how much time must elapse before the account is automatically unlocked.
Note: The lockout policy applies only to user accounts, not to system accounts such as administrator@vsphere.local.

Procedure

  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@mydomain.
  3. Navigate to the Configuration UI.
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Configuration.
  4. Click the Local Accounts tab.
  5. Click Edit for the Lockout Policy row.
    You might need to scroll down to see the Lockout Policy row.
  6. Edit the parameters.
    Description: Optional description of the lockout policy.
    Maximum number of failed login attempts: Maximum number of failed login attempts that are allowed before the account is locked.
    Time interval between failures: Time period in which failed login attempts must occur to trigger a lockout.
    Unlock time: Amount of time that the account remains locked. If you enter 0, the administrator must unlock the account explicitly.
  7. Click Save.
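The interaction of the three lockout parameters above (failure count, failure interval, unlock time, with 0 meaning manual unlock) and the exemption of the administrator account, as an added model. This is example code, not VMware's implementation; the policy values and the EXEMPT set are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    """Fields mirror the Lockout Policy dialog; values are constructed examples."""
    max_failed_attempts: int = 5
    failure_interval_s: int = 180     # window in which the failures must occur
    unlock_time_s: int = 300          # 0 means an administrator must unlock explicitly

@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # times of failed attempts still in the window
    locked_at: float = None

class LocalAccountLockout:
    """Applies the lockout policy to vsphere.local user accounts; a hypothetical model, not VMware code."""
    EXEMPT = {"administrator@vsphere.local"}   # system accounts are never locked out

    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}

    def state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        st = self.state(user)
        if st.locked_at is None:
            return False
        if self.policy.unlock_time_s and now - st.locked_at >= self.policy.unlock_time_s:
            st.locked_at, st.failures = None, []   # automatic unlock after the configured time
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Record one login attempt and return "success", "failure" or "locked"."""
        if self.is_locked(user, now):
            return "locked"                      # refused even with the correct password
        st = self.state(user)
        if password_ok:
            st.failures = []
            return "success"
        window_start = now - self.policy.failure_interval_s
        st.failures = [t for t in st.failures if t > window_start] + [now]
        if user not in self.EXEMPT and len(st.failures) >= self.policy.max_failed_attempts:
            st.locked_at = now
            return "locked"
        return "failure"

    def admin_unlock(self, user):
        self.accounts[user] = AccountState()   # explicit unlock, required when unlock time is 0
```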

Edit the vCenter Single Sign-On Token Policy

The vCenter Single Sign-On token policy specifies token properties such as the clock tolerance and renewal count. You can edit the token policy to ensure that the token specification conforms to security standards in your corporation.

Procedure

  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@mydomain.
  3. Navigate to the Configuration UI.
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Configuration.
  4. Click the Local Accounts tab.
  5. Click Edit for the Token Trustworthiness row.
    You might need to scroll down to see the Token Trustworthiness row.
  6. Edit the token policy configuration parameters.
    Clock Tolerance: Time difference, in milliseconds, that vCenter Single Sign-On tolerates between a client clock and the domain controller clock. If the time difference is greater than the specified value, vCenter Single Sign-On declares the token invalid.
    Maximum Token Renewal Count: Maximum number of times that a token can be renewed. After the maximum number of renewal attempts, a new security token is required.
    Maximum Token Delegation Count: Holder-of-key tokens can be delegated to services in the vSphere environment. A service that uses a delegated token performs the service on behalf of the principal that provided the token. A token request specifies a DelegateTo identity. The DelegateTo value can either be a solution token or a reference to a solution token. This value specifies how many times a single holder-of-key token can be delegated.
    Maximum Bearer Token Lifetime: Bearer tokens provide authentication based only on possession of the token. Bearer tokens are intended for short-term, single-operation use. A bearer token does not verify the identity of the user or entity that is sending the request. This value specifies the lifetime value of a bearer token before the token has to be reissued.
    Maximum Holder-of-Key Token Lifetime: Holder-of-key tokens provide authentication based on security artifacts that are embedded in the token. Holder-of-key tokens can be used for delegation. A client can obtain a holder-of-key token and delegate that token to another entity. The token contains the claims to identify the originator and the delegate. In the vSphere environment, a vCenter Server system obtains delegated tokens on a user's behalf and uses those tokens to perform operations.

    This value determines the lifetime of a holder-of-key token before the token is marked invalid.

  7. Click Save.
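How the token policy parameters above (clock tolerance in milliseconds, renewal count, delegation count, and the separate bearer and holder-of-key lifetimes) would be applied when a token is presented, renewed or delegated. This is an added model, not VMware code; the policy values are constructed and the check order is an assumption.

```python
from dataclasses import dataclass

@dataclass
class TokenPolicy:
    """Fields mirror the Token Trustworthiness dialog; values are constructed, not vSphere defaults."""
    clock_tolerance_ms: int = 600_000      # 10 minutes of tolerated clock skew
    max_renewal_count: int = 10
    max_delegation_count: int = 10
    max_bearer_lifetime_s: int = 300       # short-term, single-operation use
    max_hok_lifetime_s: int = 2_592_000    # 30 days for holder-of-key tokens

@dataclass
class Token:
    kind: str              # "bearer" or "holder-of-key"
    issued_at_ms: int      # issue time on the issuer's clock
    lifetime_s: int        # validity requested at issue time
    renewals: int = 0
    delegations: int = 0

def max_lifetime_s(token, policy):
    return policy.max_bearer_lifetime_s if token.kind == "bearer" else policy.max_hok_lifetime_s

def validate_token(token, policy, server_now_ms, client_now_ms):
    """Checks applied when a token is presented; returns violations, an empty list means accepted."""
    errs = []
    skew_ms = abs(server_now_ms - client_now_ms)
    if skew_ms > policy.clock_tolerance_ms:
        errs.append("clock skew %d ms exceeds tolerance %d ms" % (skew_ms, policy.clock_tolerance_ms))
    if token.lifetime_s > max_lifetime_s(token, policy):
        errs.append("%s lifetime %d s exceeds policy maximum" % (token.kind, token.lifetime_s))
    if server_now_ms - token.issued_at_ms > token.lifetime_s * 1000:
        errs.append("token expired")
    if token.renewals > policy.max_renewal_count:
        errs.append("renewal count exceeded")
    if token.delegations > policy.max_delegation_count:
        errs.append("delegation count exceeded")
    return errs

def renew(token, policy, now_ms):
    """Renew in place while the policy allows; False means a new token must be requested."""
    if token.renewals >= policy.max_renewal_count:
        return False
    token.renewals += 1
    token.issued_at_ms = now_ms
    return True

def delegate(token, policy):
    """Delegate a holder-of-key token to a solution (the DelegateTo identity); False if not allowed."""
    if token.kind != "holder-of-key" or token.delegations >= policy.max_delegation_count:
        return False
    token.delegations += 1
    return True
```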

Edit Password Expiration Notification for Active Directory (Integrated Windows Authentication) Users

The Active Directory password expiration notification is separate from the vCenter Server SSO password expiration. The default password expiration notification for an Active Directory user is 30 days, but the actual password expiration depends on your Active Directory system. The vSphere Client controls the expiration notification. You can change the default expiration notification to meet the security standards in your corporation.

Procedure

  1. Log in to the vCenter Server shell as a user with administrator privileges.
    The default user with the super administrator role is root.
  2. Change directory to the location of the vSphere Client webclient.properties file.
    cd /etc/vmware/vsphere-ui
  3. Open the webclient.properties file with a text editor.
  4. Edit the following variable.
    sso.pending.password.expiration.notification.days = 30
  5. Restart the vSphere Client.
    service-control --stop vsphere-ui
    service-control --start vsphere-ui