Failing to log in to VMware ESXi can be frustrating, particularly when you are certain the username and password are correct. A typical symptom is that logins to the vSphere Client or Host Client fail while logging in directly at the ESXi console (the DCUI) still works.
This guide explains why this happens and walks through a step-by-step fix.
Cause for the Login Failure
The root cause is that the ESXi root account has been locked after repeated failed login attempts. ESXi locks a local account once its failure counter reaches the Security.AccountLockFailures advanced setting and releases the lock automatically after Security.AccountUnlockTime seconds (unless failures keep coming). The lockout applies to SSH, the Host Client and the vSphere Client (everything that authenticates over the network), but not to the Direct Console User Interface (DCUI), which is why console login still works. The trigger is often not an attacker at all but a monitoring tool, backup job or script that keeps retrying with an old password.
Solution: Unlocking the ESXi Root Account
Follow these steps to reset the root account lock and regain access to the vSphere Web Client:
Step 1: Access the ESXi Direct Console
- Log in to the ESXi console using the root credentials.
- Press F2 to enter the System Customization menu.
- Navigate to Troubleshooting Options.
Step 2: Enable ESXi Shell Access
- In Troubleshooting Options, enable ESXi Shell.
- Once enabled, press Esc to return to the main menu.
Step 3: Open the ESXi Shell
- Press Alt + F1 to switch to the ESXi Shell (Alt + F2 returns to the DCUI).
- Log in using the root credentials.
Step 4: Check Failed Login Attempts
- Run the following command to show the failure counter for the root account:
pam_tally2 --user root
This prints a table with the number of failed attempts, the time of the latest failure and the source address it came from. If the count is at or above Security.AccountLockFailures, the account is locked.
Step 5: Reset the Root Account Lock
- To clear the failure counter and unlock the root account immediately, execute:
pam_tally2 --user root --reset
Step 6: Verify Login Access
- Try logging in again via the vSphere Web Client or ESXi Host Client.
- If the login succeeds, disable ESXi Shell again from Troubleshooting Options, since leaving it enabled widens the host's attack surface.
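The whole procedure from Step 4 onward, as a script that can be run from the ESXi Shell once you are logged in there. This is an added example and not part of the original guide; it assumes ESXi's busybox sh with pam_tally2 and esxcli on the PATH, that you are root, and that the lockout threshold is read from the Security.AccountLockFailures advanced setting. The pam_tally2 and esxcli output embedded in the script is constructed in the shape those tools print and is only used to exercise the parsing when the script runs somewhere other than an ESXi host.

```shell
#!/bin/sh
# Added example (not from the original guide): inspect and, only if locked,
# clear the pam_tally2 counter for an ESXi local account.
# Assumptions: ESXi busybox sh, pam_tally2 and esxcli on PATH, root session.

# Parse the table pam_tally2 prints (a header line, then one row per user)
# and return the "Failures" column for the named user; 0 if no row exists.
tally_failures() {   # reads pam_tally2 output on stdin; $1 = user name
    awk -v u="$1" '$1 == u { print $2; found = 1 } END { if (!found) print 0 }'
}

# Pull the "Int Value:" line out of an esxcli advanced-setting listing.
parse_int_value() {  # reads esxcli output on stdin
    awk -F': ' '/^ *Int Value:/ { print $2; exit }'
}

# Current lockout threshold from the host's Security.AccountLockFailures setting.
lock_threshold() {
    esxcli system settings advanced list -o /Security/AccountLockFailures | parse_int_value
}

# Exit 0 when the counter has reached the threshold, i.e. the account is locked.
is_locked() {        # is_locked <failures> <threshold>
    [ "$1" -ge "$2" ]
}

# Report the counter for one account and reset it only when it is actually locked,
# so a routine run does not hide a real brute-force attempt behind a reset.
check_and_unlock() {
    user=$1
    failures=$(pam_tally2 --user "$user" | tally_failures "$user")
    threshold=$(lock_threshold)
    echo "$user: $failures failed attempts (lockout threshold $threshold)"
    if is_locked "$failures" "$threshold"; then
        echo "$user is locked; clearing the counter"
        pam_tally2 --user "$user" --reset
    else
        echo "$user is not locked; nothing to reset"
    fi
}

# Constructed sample outputs, in the shape the real tools print, for offline testing.
SAMPLE_TALLY='Login           Failures Latest failure     From
root               12    03/10/25 10:15:22  10.0.0.5'
SAMPLE_SETTING='   Path: /Security/AccountLockFailures
   Type: integer
   Int Value: 5
   Default Int Value: 5'

# Do the real check only on an ESXi host; elsewhere just show the parsers on the samples.
if command -v esxcli >/dev/null 2>&1 && command -v pam_tally2 >/dev/null 2>&1; then
    check_and_unlock "${1:-root}"
else
    echo "sample: root has $(printf '%s\n' "$SAMPLE_TALLY" | tally_failures root) failures," \
         "threshold $(printf '%s\n' "$SAMPLE_SETTING" | parse_int_value)"
fi
```

Run it as `sh unlock.sh` (or `sh unlock.sh someuser` for another local account). Resetting only when the count has reached the threshold keeps the evidence intact when the lockout was caused by someone guessing passwords; look at the "From" column before you clear it.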
Best Practices to Prevent Future Lockouts
To avoid running into this problem again, follow these practices:
- Use SSH key authentication – failed password guesses are what increment the counter; key-based SSH logins never do, and the root password can then be kept out of scripts and tools entirely.
- Monitor failed login attempts – review pam_tally2 output and /var/log/auth.log regularly; a burst of failures from one address points to a brute-force attempt or to a tool still using a stale password.
- Adjust the account lockout policy – tune Security.AccountLockFailures and Security.AccountUnlockTime (in the Host Client under Manage > System > Advanced settings, or with esxcli system settings advanced set) rather than disabling locking; setting the failure count to 0 turns the protection off.
- Ensure correct time synchronization – if the host authenticates against Active Directory, clock skew breaks Kerberos and produces login failures that look like bad passwords; synchronize ESXi with an NTP server.
- Keep a secondary admin account – create a separate local user with the Administrator role for emergency access if root is locked, and protect it as carefully as root.
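Two of the practices above, monitoring failed attempts and tuning the lockout policy, as a script. This is an added example, not code from the original guide; it assumes an ESXi Shell or SSH session as root, sshd writing to /var/log/auth.log, and the esxcli advanced-settings interface. The log lines it contains are constructed in the style of sshd's "Failed password" messages, not a capture from a real host, and the 5-failure / 900-second policy values are example choices, not a recommendation from the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): summarise failed SSH password
# logins per source address from ESXi's auth.log and set the lockout policy.
# Assumptions: root session on ESXi, sshd logging to /var/log/auth.log, esxcli on PATH.

# Turn "Failed password for <user> from <ip>" lines into "<ip> <user> <count>",
# highest count first, so a brute-force source stands out. Lines for unknown
# users read "Failed password for invalid user <name> from <ip>" and are handled.
failed_logins_by_source() {   # reads log text on stdin
    awk '/Failed password for/ {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            count[ip " " user]++
         }
         END { for (k in count) print k, count[k] }' | sort -k3,3nr
}

# Apply a lockout policy: $1 failures before the account locks, $2 seconds until
# it unlocks on its own. AccountLockFailures=0 would disable locking entirely.
set_lockout_policy() {        # set_lockout_policy <failures> <seconds>
    [ "$1" -gt 0 ] || { echo "refusing to disable account locking" >&2; return 1; }
    esxcli system settings advanced set -o /Security/AccountLockFailures -i "$1"
    esxcli system settings advanced set -o /Security/AccountUnlockTime -i "$2"
}

# Constructed sample log lines (in the style of sshd messages, not a real capture).
SAMPLE_AUTH_LOG='2025-03-10T10:15:01Z sshd[2001]: Failed password for root from 10.0.0.5 port 50122 ssh2
2025-03-10T10:15:04Z sshd[2001]: Failed password for root from 10.0.0.5 port 50122 ssh2
2025-03-10T10:15:07Z sshd[2002]: Failed password for root from 10.0.0.5 port 50123 ssh2
2025-03-10T10:16:10Z sshd[2003]: Failed password for invalid user admin from 10.0.0.9 port 41000 ssh2
2025-03-10T10:20:00Z sshd[2004]: Accepted publickey for root from 10.0.0.20 port 41010 ssh2'

# On an ESXi host read the live log and optionally apply the policy;
# elsewhere demonstrate the summary on the constructed sample.
if command -v esxcli >/dev/null 2>&1 && [ -r /var/log/auth.log ]; then
    failed_logins_by_source < /var/log/auth.log
    [ "${1:-}" = "--apply-policy" ] && set_lockout_policy 5 900
else
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source
fi
```

On the sample the summary is `10.0.0.5 root 3` followed by `10.0.0.9 admin 1`; the successful public-key login is not counted. Run with `--apply-policy` only after you have decided on the values, since a too-small unlock time weakens the protection and a too-large one turns a stale monitoring password into a recurring outage.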
Conclusion
A locked ESXi root account is a common result of repeated failed login attempts. The fix is straightforward: enable the ESXi Shell, confirm the lockout with pam_tally2 --user root, clear the counter with pam_tally2 --user root --reset, and disable the shell again afterwards.
The preventive measures above reduce the chance of a repeat lockout and, just as importantly, make a genuine brute-force attempt visible instead of hiding it behind a routine reset.
Do you need help automating login monitoring or configuring ESXi security settings? Contact us now!