For users in the single sign-on (SSO) domain's internal identity source, the password policy for accessing various Web interfaces that you use to perform SDDC tasks in your Cloud Foundation installation is governed by the vCenter Single Sign-On password policy. The vCenter Single Sign-On password policy is a set of rules and restrictions on the format and expiration of vCenter Single Sign-On user passwords.

About this task

The vCenter Single Sign-On password policy applies only to users in the single sign-on (SSO) domain that was created during your installation's bring-up process. If you have configured your installation to use another identity provider, the password policy of that identity provider applies instead. The name of the SSO domain was specified in the bring-up wizard. See VMware Cloud Foundation Overview and Bring-Up Guide for details about the fields in the bring-up wizard.

By default, vCenter Single Sign-On passwords expire after 90 days. You can reset an expired password if you know the old password.


Password policies apply only to user accounts, not to system accounts in the domain.


Verify that you are logged in to the SDDC Manager client as an administrator. You access the internal identity source by launching the vSphere Web Client from the SDDC Manager client.


  1. Open the view of the management domain's vCenter Server resources in the vSphere Web Client.
    1. In the SDDC Manager client, navigate from the Dashboard page to view the management domain details.

      You drill down into the management domain details from the Workload Domains area on the dashboard.

    2. On the General Info page of the management domain's Domain Details screen, locate the vCenter launch link used to open the view of the domain's vCenter Server resources in the vSphere Web Client.

      One way to navigate to the management domain's General Info page from the Workload Domains page is to click List View and click the active link that is the name of the management domain.

    3. Launch the vSphere Web Client by clicking the vCenter launch link.

      The vSphere Web Client appears in a new browser tab, authenticated and accessing the management domain's vCenter Server resources.

  2. Navigate to Administration > Single Sign-On > Configuration > Policies > Password Policies.

    The Password Policies tab displays the current settings. After the bring-up process, the default password policy parameters are:

    Maximum lifetime

    Password must be changed every 90 days

    Restrict reuse

    Users cannot reuse any previous 5 passwords

    Maximum length


    Minimum length


    Character requirements

    • At least 1 special character

    • At least 2 alphabetic characters

    • At least 1 uppercase character

    • At least 1 lowercase character

    • At least 1 numeric character

    • Identical adjacent characters: 3

  3. Click Edit.
  4. Edit the password policy parameters, which are described below.

    Maximum lifetime

    Maximum number of days that a password can exist before the user must change it.

    Restrict reuse

    Number of the user's previous passwords that cannot be selected. For example, if a user cannot reuse any of the last six passwords, type 6.

    Maximum length

    Maximum number of characters that are allowed in the password.

    Minimum length

    Minimum number of characters required in the password. The minimum length must be no less than the combined minimum of alphabetic, numeric, and special character requirements.

    Character requirements

    Minimum number of different character types that are required in the password. You can specify the number of each type of character:

    • Special characters, such as & # %

    • Alphabetic characters, such as A b c D

    • Uppercase characters, such as A B C

    • Lowercase characters, such as a b c

    • Numeric characters, such as 1 2 3

    The minimum number of alphabetic characters must be no less than the combined uppercase and lowercase requirements.

    Identical adjacent characters

    Maximum number of identical adjacent characters that are allowed in the password. The number must be greater than 0. For example, if you enter 1, the following password is not allowed: p@$$word.

  5. Click OK.
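As an added example, not VMware's code or any vCenter API, the following Python models the password policy fields from step 4 and checks both the consistency rules the text states for an edited policy (minimum length versus the combined character minimums, alphabetic versus uppercase plus lowercase, identical adjacent characters greater than 0) and a candidate password against a policy, including the p@$$word case for an adjacent limit of 1. The default minimum and maximum length values and the definition of "special character" are assumptions of this example, because the page does not give them.

```python
import re
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SsoPasswordPolicy:
    """The vCenter Single Sign-On password policy fields described in step 4."""
    max_lifetime_days: int
    restrict_reuse: int
    max_length: int
    min_length: int
    min_special: int
    min_alphabetic: int
    min_uppercase: int
    min_lowercase: int
    min_numeric: int
    max_identical_adjacent: int

# Post-bring-up defaults from step 2; the two length limits are CONSTRUCTED placeholders
# because the page does not state their defaults.
DEFAULT_POLICY = SsoPasswordPolicy(
    max_lifetime_days=90, restrict_reuse=5, max_length=20, min_length=8, min_special=1,
    min_alphabetic=2, min_uppercase=1, min_lowercase=1, min_numeric=1, max_identical_adjacent=3)
STRICT_ADJACENT = replace(DEFAULT_POLICY, max_identical_adjacent=1)  # the text's "enter 1" case
BAD_POLICY = replace(DEFAULT_POLICY, min_length=2, min_alphabetic=1, max_identical_adjacent=0)

def policy_errors(p: SsoPasswordPolicy) -> list[str]:
    """Consistency rules the text states for an edited policy; [] means the edit is valid."""
    errs = []
    if p.min_length < p.min_alphabetic + p.min_numeric + p.min_special:
        errs.append("minimum length is below the combined alphabetic, numeric and special minimum")
    if p.min_alphabetic < p.min_uppercase + p.min_lowercase:
        errs.append("alphabetic minimum is below the combined uppercase and lowercase minimum")
    if p.max_identical_adjacent <= 0:
        errs.append("identical adjacent characters must be greater than 0")
    return errs

def password_violations(pw: str, p: SsoPasswordPolicy) -> list[str]:
    """Names of the rules a candidate password fails; [] means the password is accepted."""
    # "Special" is taken to mean any character that is neither a letter nor a digit (assumption).
    kinds = {"special": lambda c: not c.isalnum(), "alphabetic": str.isalpha,
             "uppercase": str.isupper, "lowercase": str.islower, "numeric": str.isdigit}
    v = [f"too few {kind} characters" for kind, is_kind in kinds.items()
         if sum(map(is_kind, pw)) < getattr(p, f"min_{kind}")]
    if not p.min_length <= len(pw) <= p.max_length:
        v.append("length outside the configured bounds")
    # Longest run of one repeated character: "$$" in p@$$word is a run of 2.
    longest_run = max((len(m.group(0)) for m in re.finditer(r"(.)\1*", pw)), default=0)
    if longest_run > p.max_identical_adjacent:
        v.append("identical adjacent characters")
    return v
```

Running policy_errors on a proposed edit before clicking OK reproduces the three rejections the text describes; password_violations shows why p@$$word passes the default adjacent limit of 3 but fails a limit of 1.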