If a user attempts to log in with incorrect credentials, a vCenter Single Sign-On lockout policy specifies when the user's vCenter Single Sign-On account is locked. Administrators can edit the lockout policy.

If a user logs in to vsphere.local multiple times with the wrong password, the user is locked out. The lockout policy allows administrators to specify the maximum number of failed login attempts, and set the time interval between failures. The policy also specifies how much time must elapse before the account is automatically unlocked.
Note: The lockout policy applies only to user accounts, not to system accounts such as administrator@vsphere.local.


  1. Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@mydomain.
  3. Navigate to the Configuration UI.
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Configuration.
  4. Select Lockout Policy and click Edit.
  5. Edit the parameters.
    | Option | Description |
    | --- | --- |
    | Description | Optional description of the lockout policy. |
    | Maximum number of failed login attempts | Maximum number of failed login attempts that are allowed before the account is locked. |
    | Time interval between failures | Time period in which failed login attempts must occur to trigger a lockout. |
    | Unlock time | Amount of time that the account remains locked. If you enter 0, the administrator must unlock the account explicitly. |
  6. Click Save.
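
How the three lockout parameters interact, as an added example that is not VMware code: a simplified Python model for checking a candidate policy against a sequence of failed logins. It assumes a sliding failure window, times in seconds, and a lock on the attempt that reaches the maximum; all class and function names and the sample values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class LockoutPolicy:
    max_failures: int      # "Maximum number of failed login attempts"
    failure_interval: int  # "Time interval between failures" (seconds, assumed unit)
    unlock_time: int       # "Unlock time" (seconds); 0 = administrator must unlock

@dataclass
class Account:
    failures: List[int] = field(default_factory=list)  # timestamps of counted failures
    locked_at: Optional[int] = None

def is_locked(acct, policy, now):
    """Return True if the account is still locked at time `now`."""
    if acct.locked_at is None:
        return False
    if policy.unlock_time == 0:
        return True  # never unlocks automatically
    if now - acct.locked_at >= policy.unlock_time:
        admin_unlock(acct)  # automatic unlock has the same effect in this model
        return False
    return True

def record_failure(acct, policy, now):
    """Register one failed login at `now`; return True if the account is locked afterwards."""
    if is_locked(acct, policy, now):
        return True
    # Only failures inside the interval count toward a lockout (sliding window, assumed).
    acct.failures = [t for t in acct.failures if now - t < policy.failure_interval]
    acct.failures.append(now)
    if len(acct.failures) >= policy.max_failures:  # lock on reaching the maximum (assumed)
        acct.locked_at = now
    return acct.locked_at is not None

def admin_unlock(acct):
    """Explicit unlock: clear the lock and the failure history."""
    acct.locked_at = None
    acct.failures.clear()

def replay(policy, failure_times):
    """Replay failed-login timestamps against a fresh account; one lock state per attempt."""
    acct = Account()
    return [record_failure(acct, policy, t) for t in failure_times]

if __name__ == "__main__":
    # Constructed policy and timestamps: 3 failures within 180 s, locked for 300 s.
    print(replay(LockoutPolicy(3, 180, 300), [0, 60, 120, 200, 420]))
```

Replaying the same timestamps with different parameter values shows how a wider interval or a zero unlock time changes when an account locks and whether it recovers without administrator action.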