The vSAN witness appliance is the only case of nested ESXi officially supported for production environments by VMware, and it is essential to the functioning of vSAN ROBO/stretched clusters.
I noticed an issue with the latest release of the vSAN witness appliance OVA, i.e. "VMware-VirtualSAN-Witness-7.0U3c-19193900.ova". Let's take a quick look at the issue and the immediate workaround.
The OVA deploy asks us to enter the root password, which we will need later on for managing the witness appliance:
After powering on the appliance, the firstboot scripts configure the appliance as per the OVF parameters entered. We can start using the appliance once these configurations are completed. The root password entered during the OVA deploy works perfectly after this first boot of the appliance:
However, the same password does not work after rebooting the appliance for the first time:
One immediate workaround that seems to work is to set the password again after the first boot of the appliance. You can set the same password that was set initially during the OVA deploy. This can be done from the appliance console (DCUI) or with a PowerCLI script.
If you set the same password as previously set during the OVA deploy, you will see the following warning. That is OK, just press Enter:
Now, the password persists across reboots.
Let's take a look at the PowerCLI commands to achieve this:
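# Connect directly to the witness appliance as root
Connect-VIServer -Server "<enter your appliance IP\FQDN>" -User "root" -Password "<enter root pass set during ovf deploy>" | Out-Null
# Set the root password again so that it persists across reboots
Set-VMHostAccount -UserAccount "root" -Password "<enter root pass set during ovf deploy>" | Out-Null
# Close all open PowerCLI sessions without prompting
Disconnect-VIServer * -Confirm:$false | Out-Null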
Note: All other parameters set during the OVF deploy persist across reboots.
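A variant of the PowerCLI commands above that prompts for the root password instead of embedding it in the script, and closes only the session it opened. This is an added example, not code from the original post; the function names Reset-WitnessRootPassword and Test-WitnessRootLogin are hypothetical, and the appliance address is a placeholder.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Requires the VMware PowerCLI module and network access to the witness appliance.

function Reset-WitnessRootPassword {
    param(
        [Parameter(Mandatory)] [string] $Appliance,        # witness IP or FQDN
        [Parameter(Mandatory)] [pscredential] $Credential  # root + password from the OVA deploy
    )
    $conn = Connect-VIServer -Server $Appliance -Credential $Credential -ErrorAction Stop
    try {
        # Set-VMHostAccount takes the password as a plain string, so it is
        # unwrapped only here rather than being typed into the script.
        $plain   = $Credential.GetNetworkCredential().Password
        $account = Get-VMHostAccount -Server $conn -Id $Credential.UserName -ErrorAction Stop
        Set-VMHostAccount -UserAccount $account -Password $plain -ErrorAction Stop | Out-Null
    }
    finally {
        # Close only the session opened above, not every session ("*").
        Disconnect-VIServer -Server $conn -Confirm:$false
    }
}

function Test-WitnessRootLogin {
    param(
        [Parameter(Mandatory)] [string] $Appliance,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    try {
        # A successful connect means the root password is still accepted.
        $conn = Connect-VIServer -Server $Appliance -Credential $Credential -ErrorAction Stop
        Disconnect-VIServer -Server $conn -Confirm:$false
        return $true
    }
    catch {
        return $false
    }
}

# Prompt once; the password is held as a SecureString in $cred.
$cred = Get-Credential -UserName 'root' -Message 'Root password set during the OVA deploy'
Reset-WitnessRootPassword -Appliance '<appliance IP or FQDN>' -Credential $cred

# Run this after rebooting the appliance to confirm the password persisted.
Test-WitnessRootLogin -Appliance '<appliance IP or FQDN>' -Credential $cred
```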