VMware NSX-T has a preconfigured password expiration policy of 90 days. When the password expiration day is near, a notification is displayed in the Web interface. There are 3 preconfigured local users: admin, audit, and root. All passwords have to be changed after 90 days. This article explains how to remove the password expiration.
The password for local user 'admin' will expire in [x] days.
The password for local user 'root' will expire in [x] days.
The password for local user 'audit' will expire in [x] days.
The password for local user 'guestuser1' will expire in [x] days.
The password for local user 'guestuser2' will expire in [x] days.
Please keep in mind that not only the password for NSX-T Manager expires, but also for Edge Transport Nodes (Edge VMs). When the password has expired, some functions (API / Web-Interface Login) are no longer possible, so make sure you either change the password regularly or remove the expiration policy.
Set admin / root / audit Password Expiration
The following commands can be used to remove the password expiration policy. If you have multiple manager appliances, the commands only need to be executed on one node.
- Connect to the NSX-T Manager with SSH
- Login as admin
- Run clear user [username] password-expiration
nsx-mgt1> clear user admin password-expiration nsx-mgt1> clear user root password-expiration nsx-mgt1> clear user audit password-expiration
- Verify password expiration with get user [username] password-expiration
nsx-mgt1> get user admin password-expiration Password expiration not configured for this user
Don't forget your Edge VMs. You can remove the policy with the same commands.
Set guestuser1 / guestuser2 Password Expiration
In NSX-T 3.1.1, two additional local users have been added: guestuser1 and guestuser2. Both users are disabled by default, but if you want to use them, the password expires after 90 days. Currently, there is no nsxcli command to change the password expiry. If you try to change the policy with the "chage" command (# chage -M 9999 guestuser1), the policy is restored after a couple of minutes.
If you want to change the password expiry for guestuser1 and guestuser2, you have to use the REST API.
# Remove Password Expiration for guestuser1 curl -v -k -u 'admin:[PASSWORD]' -X PUT -H 'Content-Type: application/json' https://localhost/api/v1/node/users/10003 --data-binary '{ "password_change_frequency": 0 }' # Remove Password Expiration for guestuser2 curl -v -k -u 'admin:[PASSWORD]' -X PUT -H 'Content-Type: application/json' https://localhost/api/v1/node/users/10004 --data-binary '{ "password_change_frequency": 0 }'
Note: guestuser1 has userid 10003, guestuser2 has userid 10004. You can change the username using NSX-T UI, but the ID will stay the same.
vCloud Foundation
When you are using vCloud Foundation, the removal of password expiration might lead to upgrade issues. See KB84190 and KB83855 for more information. If you are using VCF, you can alternatively set the password expiration to 9999.
nsx-mgt1> set user admin password-expiration 9999 nsx-mgt1> set user root password-expiration 9999 nsx-mgt1> set user audit password-expiration 9999
[Update 11/2021: Added "guestuser" expiration information and vCloud Foundation warnings]
Do NOT do this in a VCF environment! Please do more research or place more details on your post before giving advice. Your SDDC upgrade prechecks will fail as it thinks you are expired because it is not configured.
Change it to 9999 for vcf
Thanks for the warning, but this is even described in the official documentation, without mentioning VCF. https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/installation/GUID-89E9BD91-6FD4-481A-A76F-7A20DB5B916C.html
That is part of the point. You are assuming all NSX deployments are the same and are not familiar with VCF. That link is under NSX-T and NOT under VCF. I did not say VMware knew all their stuff, because I went through VCF deploys for 6months and re-deployed 3 times and fixed it outside of direct VMware help/SR. I would make a note on your blog that says it was only tested outside of VCF/SDDC then. Or you will have people following this and having SDDC pre-checks fail constantly. If you are simply just copy and pasting vmware KB's, I would just stick to that
What version of VCF do you have this issue with? I have not seen this issue with updates in the 3.9 and 3.10 versions of VCF.
What version of VCF are you running? I have password expiration disabled in nsx-t and have done a few updates in the VCF 3.9 and 3.10 range without issue.
Relevant KBs for anyone stumbling upon this.
https://kb.vmware.com/s/article/84190 - Precheck fails when no expiration or unsupported expiration duration.
https://kb.vmware.com/s/article/83855 - SDDC Manager falsely showing expiration of passwords when set to not expire. Resolved in VCF 4.3.0
What is the Rest API command to get the current data for the password expiration guestuser1 / guestuser2 Password Expiration?