The password restrictions, lockout, and expiration that apply to a user's password in your Cloud Foundation environment depend on the user's domain, on who the user is, and on the policy settings.

The vCenter Single Sign-On authentication service manages authentication for all users who log in to the SDDC Manager client and to the Web interfaces of the other SDDC components that you use to perform administrative tasks in your SDDC, such as the vSphere Web Client and the vRealize Operations Manager Web interfaces.

Local Users

The software stack's bring-up process creates an internal identity source for the installation's single sign-on (SSO) domain. Passwords for users of that identity source must follow the restrictions set by the vCenter Single Sign-On password policy and lockout policy. In the vSphere Web Client, use the Policies tab of the Configuration page to view the current settings. These passwords expire after 90 days by default, though system administrators can change the expiration as part of the password policy.

Users Provided by Other Identity Sources

For users who are provided to the SSO domain by identity sources such as your joined Active Directory domain, the password restrictions, lockout, and expiration are determined by the domain to which the user can authenticate. In the vSphere Web Client, use the Identity Sources tab of the Configuration page to view the current identity sources. When users log in as a user in one of these domains, they include the domain name in the login name, such as user@domain. The domain's password parameters apply in this situation.