The default Single Sign On password policy specifies that passwords expire after one year. The vSphere Web Client does not provide a warning when a password is about to expire. If the administrator password for the Single Sign On system expires and you are unable to log in to the vSphere Web Client, a user with Single Sign On administrator privileges must reset it.

The password for the vCenter Single Sign On administrator user expired and the administrator is unable to log in to the vSphere Web Client to change the password.

Change the password in the vSphere Web Client.


Log in to the vSphere Web Client as the system root user.

On Linux systems, the root account is always a Single Sign-On administrator. You can update the password of any Single Sign On user by logging in to the vSphere Web Client using the credentials of the root user.


Navigate to Administration > Access > SSO Users and Groups and click the Users tab.


Right-click the user and select Edit User.


Enter the new password and confirm it.


Click OK.

Change the password at the command line.


Open a terminal window and navigate to the /usr/lib/vmware-sso/bin directory.


Run the following command.

./ssopass username


Enter the current password for the user, even if it has expired.


Enter the new password and enter it again for confirmation.

The administrator password is reset and the user can log in to the vSphere Web Client with the new credentials.

ssopass [-d lookup-service] [-t thumbprint] username [password] [new-password]



-d, --ls-url arg

(Optional) Address of the Lookup Service (typically https://SSO server URL:7444/lookupservice/sdk). If you do not specify the address, the server attempts to contact a Single Sign On server running on the local system.

-t, --thumbprint arg

(Optional) Thumbprint used to verify the Lookup Service SSL certificate.


User name of the administrator whose password has expired.


Current password of the administrator, even if it has expired.


New password for the administrator.