When logging into the vCenter Server using either the vSphere Web (Flex) or H5 Client, one of the validation checks that is automatically performed by the server is to check the current users password expiry. If you account expiry is less than the current password expiry configuration, then you will see the yellow notification pop up at the top stating:
Password will expire in X days
This is definitely a helpful feature to have automatically built into the vSphere UI and the default expiry actually depends on the type of user logging into the system. This last part is sometimes confusing as folks mix up the default Single Sign-On User Expiry with the Active Directory user expiry which is completely different.
Single Sign-On Users
For SSO Domain (vsphere.local by default) users, the password expiry AND notification by default is 90 days. This can be configured in the vSphere Web Client under Administration->Single Sign-On->Configuration->Password Policy as shown in the screenshot below. For those wanting to automate this configuration, there is currently not an SSO Admin API, but there are some options, have a look at this blog post here.
Active Directory Users
If you are logging in as an Active Directory user, the password expiry notification by default is 30 days but the actual password expiry will obviously depend on your Active Directory system. If you want to change the expiry notification in case your expiry is not 30 days or you wish to notify sooner or later, this is actually controlled by the vSphere Web and H5 Client.
To change the default, you will need to update the following variable:
sso.pending.password.expiration.notification.days = 30
In either:
Web Client - /etc/vmware/vsphere-client/webclient.properties
H5 Client - /etc/vmware/vsphere-ui/webclient.properties
and then restart the vSphere Web and/or H5 Client for the changes to take affect. This can be done using the vSphere Web/H5 Client itself under the Services or you can perform this via the CLI since you are already logged into the VCSA by running one of the following:
Web Client:
service-control --stop vsphere-client
service-control --start vsphere-client
H5 Client:
service-control --stop vsphere-ui
service-control --start vsphere-ui
Note: This is also applicable to the Windows vCenter Server but I do not have their webclient.properties path handy, you can simply do a search on the filesystem.
Local OS Users
Lastly, to be complete, there are also local OS users such as the root account which also has a default password expiry, which is 365 days. To change the expiry settings, you will need to login to the VAMI UI under the Administration tab. For more information, check out the documentation here.
Fantastic! 🙂