67 Replies Latest reply on Sep 1, 2015 2:22 PM by Morevalar

    vCenter Single Sign On master password

    bezarghazi Lurker

      Hi guys

       

      I do not remember the admin@system-domain password.

      I am wondering how to reset the admin account's password.

      I tried to reset the password with the rsautil command line, but I don't remember the master password.

      Any way to reset the password? Can I find the master password in the DB tables, or add a new admin user in the DB?

       

      Br

      Bezar

        • 1. Re: vCenter Single Sign On master password
          spravtek Expert

          I don't think there is a way to reset the master password for SSO, at least I haven't come across a way to do this yet ...

          The master password is the one you set during initial setup, it doesn't change even if you later changed the admin password ... If you can't remember it ... I'm afraid there's not much you can do... Maybe someone else has better news?

          1 person found this helpful
          • 2. Re: vCenter Single Sign On master password
            memaad Master

            Hi ,

             

            VMware does not support resetting the master password; however, while searching online I found this link, "Unsupported by VMware":

             

            http://translate.google.ie/translate?sl=de&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.die-schubis.de%2Fdoku.php%3Fid%3Dvmware%3Avsphere%26%26_sm_au_%3DiVVqjkrsQ0sLqFW6&act=url

             

            Regards

            Mohammed

            • 3. Re: vCenter Single Sign On master password
              spravtek Expert

              Nice find memaad ...

               

              Of course it's not supported, but if you're really in need of a fix and don't want to take the recommended way of VMware ... You could go this route.

              • 4. Re: vCenter Single Sign On master password
                grasshopper Virtuoso
                vExpert

                \\Update

                [Jump to the solution later in the thread here]

                 

                Tips:

                - Remember that the admin@system-domain password requires greater strength than most VMware passwords.  As such, if you think you know the password but it's not working, try adding a special character at the end such as !.  It only requires 8 characters but there must be at least one special character.  It will also lock you out after 3 bad attempts.  Try back later after it has reset the lock.

                 

                - Admin is not admin
                The user name is case sensitive.  It should always be admin@system-domain (domain portion not case sensitive).

                 

                Don't even think about upgrading vCenter / SSO without good DB and vCenter backups and/or snaps

                - If you are dealing with a failed SSO upgrade from a previous version, then you should a) Roll back to a snapshot/restore; or b) Reinstall SSO and repoint your vCenter.  Remember to reinstall SSO you _must_ use the same version that was installed.  Also remember that a failed upgrade of SSO can and will stop the SSO service and/or your vCenter service.  From that point on you won't be able to login to an otherwise previously healthy sso.


                admin@system-domain (Not cached in plain text)

                - Despite what's listed below in my original post, the admin@system-domain password is _not_ cached in plain text.  However, the DBA_USER password is.


                DBA_User password (this is cached in plain text):

                "C:\Program Files\VMware\Infrastructure\SSOServer\webapps\lookupservice\WEB-INF\classes\config.properties"

                 

                Why is the above useful?  In the rare case where the technician set all passwords the same (or at least the admin@system-domain and the RSA_USER) then and only then could one glean the admin@system-domain password from the above file.  More details and other options in this thread.

                 

                \\original post

                I'm sure this will be fixed eventually, but the answer you seek is (shockingly) available in plain text.

                Browse to the following directory:

                [intentionally deleted by grasshopper]

                In the above directory, locate and open the following file in notepad:

                [intentionally deleted by grasshopper]

                 

                Edit 0.1: As it turns out admin@system-domain is not cached in plain text, only the RSA_USER is.  More details in the Tips section above.

                Edit 0.2: Added quick link to solution by memaad and added additional tips since this post has gotten quite long.  I will try to add more over time.

                 

                Message was edited by: grasshopper

                • 5. Re: vCenter Single Sign On master password
                  spravtek Expert

                  Seriously??? I just checked this, it's true ... The shocking thing is that I looked at that file before and didn't notice that ... Gotta ask myself

                   

                  That's some serious security flaw if you ask me ...

                   

                  Thanks grasshopper... This is exactly why I love this community ... Never stop learning and staying humble!

                  • 6. Re: vCenter Single Sign On master password
                    grasshopper Virtuoso
                    vExpert

                    Never stop learning and staying humble!

                     

                     

                    Yes my friend.  Wise words.  Because sometimes you're on top and sometimes you're on esxtop.

                     

                    -grasshopper

                     

                     

                    PS - please see my previous post.  I removed some detail to protect the innocent.  If anyone gets stuck they can IM me or hit my gmail.

                    • 7. Re: vCenter Single Sign On master password
                      Josh26 Master

                      Mike Nisk wrote:

                       

                       

                       

                      PS - please see my previous post.  I removed some detail to protect the innocent.  If anyone gets stuck they can IM me or hit my gmail.

                       

                      The difficulty with these situations is that:

                      • The malicious people already know this, or if not, will figure it out shortly and use it
                      • Innocent people, with no advisory from VMware, won't know there's an issue
                      • VMware, without a "public exploit", have good odds of doing nothing

                       

                      In short, I would encourage you to take this to a support case, and if you get nowhere, put that post right back.

                      • 8. Re: vCenter Single Sign On master password
                        gkm Novice

                        I'm not sure why you feel that way, Josh26. If anybody finds something they feel is a security vulnerability that hasn't been addressed by a previous VMSA/patch we'd appreciate that you immediately contact security@vmware.com and provide as much detail as possible regarding what you've found (http://www.vmware.com/support/policies/security_response.html). We actively investigate all reports.

                         

                        In this case, while the password is stored in plaintext (and actually can not be stored as a hash due to how it's later used), the file itself has strong protections based on file system ownership and permissions restricting access to Administrator.
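
One way to check, on your own SSO server, the file permissions described in the reply above (an added example, not part of the original thread and not VMware code): this PowerShell reads the ACL of the config.properties path quoted in the thread and lists any principal other than the built-in Administrators group and SYSTEM that is allowed to read or modify it. The helper name and the allow-list are assumptions; it needs PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example: list principals, other than the expected ones, that are allowed
# to read or modify the SSO config.properties file quoted in this thread.
$Path = 'C:\Program Files\VMware\Infrastructure\SSOServer\webapps\lookupservice\WEB-INF\classes\config.properties'

# Assumption: only these well-known SIDs should have access.
# S-1-5-32-544 = BUILTIN\Administrators, S-1-5-18 = NT AUTHORITY\SYSTEM.
# Add the SID of the SSO service account if it runs as a dedicated user.
$ExpectedSids = @('S-1-5-32-544', 'S-1-5-18')

function Get-UnexpectedFileAccess {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string]   $LiteralPath,
        [Parameter(Mandatory = $true)] [string[]] $AllowedSids
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rights  = [System.Security.AccessControl.FileSystemRights]
    # Bits that expose the contents or allow the file or its ACL to be changed.
    $mask = $rights::ReadData -bor $rights::WriteData -bor $rights::AppendData -bor
            $rights::ChangePermissions -bor $rights::TakeOwnership -bor $rights::Delete

    $acl = Get-Acl -LiteralPath $LiteralPath
    # Ask for rules keyed by SID so the check works on localized Windows builds.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($AllowedSids -contains $rule.IdentityReference.Value) { continue }
        if (($rule.FileSystemRights -band $mask) -eq 0) { continue }
        # Resolve the SID to a name for the report; orphaned SIDs stay as SIDs.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $rule.IdentityReference.Value }
        [pscustomobject]@{
            Identity  = $name
            Sid       = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

$findings = @(Get-UnexpectedFileAccess -LiteralPath $Path -AllowedSids $ExpectedSids)
if ($findings.Count -eq 0) {
    "No unexpected principals can read or modify $Path"
} else {
    $findings | Format-Table -AutoSize
}
```

Rows marked Inherited come from a parent folder's ACL, so any change belongs on that folder rather than on the file itself.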

                        • 10. Re: vCenter Single Sign On master password
                          JohnnyMac2028 Lurker

                          Did you ever get an answer to this? I have the same problem and am in dire need of help recovering the admin@system-domain password; re-install is not an option at this point. Please help me out, I can't see the plain text location in the post below.

                          • 11. Re: vCenter Single Sign On master password
                            grasshopper Virtuoso
                            vExpert

                            For 2008 R2, you can check the following location and see if the password listed here jars your memory:

                            "C:\Program Files\VMware\Infrastructure\SSOServer\webapps\lookupservice\WEB-INF\classes\config.properties"

                            Note:  After all, I think the above is just the sso db pw but if you set everything the same it could be an instant win.

                             

                            If this was an upgrade to 5.1 and now you can't login, you may consider reviewing the list of valid admins from "vc_admin_users_groups.txt" (if based on your scenario one populated for you).  It would be in the temp directory of the person performing the upgrade (i.e. Start > Run > %tmp%).

                             

                            Folder Location:

                            C:\Users\<xyzuser>\AppData\Local\Temp

                             

                            valid admin list:
                            vc_admin_users_groups.txt

                             

                            Admins that were removed:

                            deleted_vc_users.txt

                             

                            Once you get an ID that you can login into the vSphere C#lient with, go to the permissions tab of the root datacenter for example, and add the appropriate groups that SSO took out (i.e. your server team or whatever).  Then login to the web client / sso related stuff.

                             

                             

                            • 12. Re: vCenter Single Sign On master password
                              sysmgmt Lurker

                              Hello!

                               

                              Is there by now any possibility to reset the SSO master password?

                              I'd like to install the vSphere Webclient but can't remember the password for admin@System-Domain.

                              The password I was sure I used during the upgrade from vSphere 5.0 to 5.1 doesn't match.

                              Maybe I accidentally keyed in a wrong character when I first set the master password, I don't know.

                              I tried already possible variations without success.

                              Please help!

                              • 13. Re: vCenter Single Sign On master password
                                grasshopper Virtuoso
                                vExpert

                                Hello sysmgmt.  Welcome to the communities.  Unfortunately the fix is still the same.  The Supported method is reinstall SSO.  Unsupported fix (confirmed to work) is to stand up a temp SSO db and copy the hash to your prod db.  The link is listed earlier in the thread.

                                • 14. Re: vCenter Single Sign On master password
                                  sysmgmt Lurker

                                  Hi grasshopper!

                                   

                                  Thank you for the very quick reply and the hint with the unsupported fix.

                                  I'll maybe try this way first before reinstalling SSO.
