VMware NSX-T has a preconfigured password expiration policy of 90 days. When the password expiration day is near, a notification is displayed in the Web interface. There are 3 preconfigured local users: admin, audit, and root. All passwords have to be changed after 90 days. This article explains how to remove the password expiration.
The password for local user 'admin' will expire in [x] days.
The password for local user 'root' will expire in [x] days.
The password for local user 'audit' will expire in [x] days.
Please keep in mind that not only the password for NSX-T Manager expires, but also for Edge Transport Nodes (Edge VMs). When the password has expired, some functions (API / Web-Interface Login) is no longer possible, so make sure you either change the password regularly or remove the expiration policy.
The following commands can be used to remove the password expiration policy. If you have multiple manager appliances, the commands only need to be executed on one node.
- Connect to the NSX-T Manager with SSH
- Login as admin
- Run clear user [username] password-expiration
nsx-mgt1> clear user admin password-expiration nsx-mgt1> clear user root password-expiration nsx-mgt1> clear user audit password-expiration
- Verify password expiration with get user [username] password-expiration
nsx-mgt1> get user admin password-expiration Password expiration not configured for this user
Don't forget your Edge VMs. You can remove the policy with the same commands.
Do NOT do this in a VCF environment! Please do more research or place more details on your post before giving advice. Your SDDC upgrade prechecks will fail as it thinks you are expired because it is not configured.
Change it to 9999 for vcf
Thanks for the warning, but this is even described in the official documentation, without mentioning VCF. https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/installation/GUID-89E9BD91-6FD4-481A-A76F-7A20DB5B916C.html
That is part of the point. You are assuming all NSX deployments are the same and are not familiar with VCF. That link is under NSX-T and NOT under VCF. I did not say VMware knew all their stuff, because I went through VCF deploys for 6months and re-deployed 3 times and fixed it outside of direct VMware help/SR. I would make a note on your blog that says it was only tested outside of VCF/SDDC then. Or you will have people following this and having SDDC pre-checks fail constantly. If you are simply just copy and pasting vmware KB's, I would just stick to that
What version of VCF do you have this issue with? I have not seen this issue with updates in the 3.9 and 3.10 versions of VCF.
What version of VCF are you running? I have password expiration disabled in nsx-t and have done a few updates in the VCF 3.9 and 3.10 range without issue.
Relevant KBs for anyone stumbling upon this.
https://kb.vmware.com/s/article/84190 - Precheck fails when no expiration or unsupported expiration duration.
https://kb.vmware.com/s/article/83855 - SDDC Manager falsely showing expiration of passwords when set to not expire. Resolved in VCF 4.3.0