For users in the single sign-on (SSO) domain's internal identity source, the password policy for accessing various Web interfaces that you use to perform SDDC tasks in your Cloud Foundation system is governed by the vCenter Single Sign-On password policy. This policy is a set of rules and restrictions on the format and expiration of vCenter Single Sign-On user passwords.

The vCenter Single Sign-On password policy applies only to users in the single sign-on (SSO) domain that was created during your system's bring-up process. If you have configured your system to use another identity provider, the password policy of that identity provider applies instead. The name of the SSO domain was specified in the bring-up wizard. See VMware Cloud Foundation Overview and Bring-Up Guide for details about the fields in the bring-up wizard.

Note: By default, vCenter Single Sign-On passwords expire after 90 days. You can reset an expired password if you know the old password.


Verify that you are logged in to SDDC Manager as an administrator. You access the internal identity source by launching the vSphere Web Client from the SDDC Manager Dashboard.


  1. Open the view of the management domain's vCenter Server resources in the vSphere Web Client.
    1. In the SDDC Manager Dashboard, navigate from the Dashboard page to view the management domain details.
      You drill down into the management domain details from the Workload Domains area on the dashboard.
    2. On the General Info page of the management domain's Domain Details screen, locate the vCenter launch link used to open the view of the domain's vCenter Server resources in the vSphere Web Client.
      One way to navigate to the management domain's General Info page from the Workload Domains page is to click List View and click the active link that is the name of the management domain.
    3. Launch the vSphere Web Client by clicking the vCenter launch link.
      The vSphere Web Client appears in a new browser tab, authenticated and accessing the management domain's vCenter Server resources.
  2. Navigate to Administration > Single Sign-On > Configuration > Policies > Password Policies.
    The Password Policies tab displays the current settings. After the bring-up process, the default password policy parameters are:
    | Option | Description |
    |---|---|
    | Maximum lifetime | Password must be changed every 90 days |
    | Restrict re-use | Users cannot reuse any previous 5 passwords |
    | Maximum length | 20 |
    | Minimum length | 8 |
    | Character requirements | At least 1 special character; at least 2 alphabetic characters; at least 1 uppercase character; at least 1 lowercase character; at least 1 numeric character; identical adjacent characters: 3 |
  3. Click Edit.
  4. Edit the password policy parameters.
    | Option | Description |
    |---|---|
    | Description | Password policy description. |
    | Maximum lifetime | Maximum number of days that a password can exist before the user must change it. |
    | Restrict reuse | Number of the user's previous passwords that cannot be selected. For example, if a user cannot reuse any of the last six passwords, type 6. |
    | Maximum length | Maximum number of characters that are allowed in the password. |
    | Minimum length | Minimum number of characters required in the password. The minimum length must be no less than the combined minimum of alphabetic, numeric, and special character requirements. |
    | Character requirements | Minimum number of different character types that are required in the password. You can specify the number of each type of character: special characters, such as & # %; alphabetic characters, such as A b c D; uppercase characters, such as A B C; lowercase characters, such as a b c; numeric characters, such as 1 2 3. The minimum number of alphabetic characters must be no less than the combined uppercase and lowercase requirements. |
    | Identical adjacent characters | Maximum number of identical adjacent characters that are allowed in the password. The number must be greater than 0. For example, if you enter 1, the following password is not allowed: p@$$word. |
  5. Click OK.
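
The consistency rules in step 4 and the default values in step 2 can be checked offline before a policy is entered in the Password Policies tab. The following Python is an added example, not VMware code: the names `PasswordPolicy`, `policy_errors` and `password_errors` are assumptions, as is treating any non-alphanumeric character as special. Maximum lifetime and reuse restrictions depend on password history and are not modeled.

```python
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class PasswordPolicy:
    # Defaults are the post-bring-up values listed on this page.
    min_length: int = 8
    max_length: int = 20
    min_special: int = 1
    min_alphabetic: int = 2
    min_uppercase: int = 1
    min_lowercase: int = 1
    min_numeric: int = 1
    max_identical_adjacent: int = 3


def policy_errors(p):
    """Return the consistency rules from the page that policy p violates."""
    errors = []
    if p.min_length < p.min_alphabetic + p.min_numeric + p.min_special:
        errors.append("minimum length is below alphabetic + numeric + special minimums")
    if p.min_alphabetic < p.min_uppercase + p.min_lowercase:
        errors.append("alphabetic minimum is below uppercase + lowercase minimums")
    if p.max_identical_adjacent <= 0:
        errors.append("identical adjacent characters must be greater than 0")
    return errors


def password_errors(pw, p=PasswordPolicy()):
    """Return the policy rules that candidate password pw fails."""
    # Assumption: "special" means any non-alphanumeric character.
    counts = {
        "special": sum(not c.isalnum() for c in pw),
        "alphabetic": sum(c.isalpha() for c in pw),
        "uppercase": sum(c.isupper() for c in pw),
        "lowercase": sum(c.islower() for c in pw),
        "numeric": sum(c.isdigit() for c in pw),
    }
    errors = [f"needs at least {getattr(p, 'min_' + kind)} {kind} character(s)"
              for kind, have in counts.items()
              if have < getattr(p, "min_" + kind)]
    if not p.min_length <= len(pw) <= p.max_length:
        errors.append(f"length must be {p.min_length}-{p.max_length}")
    # Longest run of one repeated character, e.g. "$$" in p@$$word is 2.
    longest_run = max((len(list(g)) for _, g in groupby(pw)), default=0)
    if longest_run > p.max_identical_adjacent:
        errors.append(f"more than {p.max_identical_adjacent} identical adjacent characters")
    return errors
```

`policy_errors` returns an empty list for the default policy; `password_errors("p@$$word", PasswordPolicy(max_identical_adjacent=1))` reports the adjacent-character violation described in step 4, alongside the missing uppercase and numeric characters.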