VMware Cloud Community
bezarghazi
Contributor

vCenter Single Sign On master password

Hi guys

I do not remember the admin@system-domain password.

I am wondering how to reset the admin account's password.

I tried to reset the password with the rsautil command line, but I don't remember the master password.

Is there any way to reset the password? Can I find the master password in the DB tables, or add a new admin user in the DB?

Br

Bezar

68 Replies
grasshopper
Virtuoso

Thanks for sharing. Keep in mind that using that reset util requires that you already know the admin@system-domain password. If you know it, then you can reset it easily. That process is well documented in the official VMware KB. Most folks here simply don't know the original password so cannot reset it like that.

As such, the only real fix thus far has been performing the DB hash technique. 

The original article discussing this is in German and is located at:
http://www.die-schubis.de/doku.php?id=vmware:vsphere&&_sm_au_=iVVqjkrsQ0sLqFW6

The Google Translate version (German to English) of the original article:
http://translate.google.ie/translate?sl=de&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%...

Unrelated Note: Please be advised that my original concern from earlier in the thread about the admin@system-domain password being in plain text was incorrect. I think the only plain text password stored is that of the RSA_User, which does not help in recovery unless all passwords were set exactly the same at install time. The location of that plain text password (which was originally "intentionally deleted" by me) is "C:\Program Files\VMware\Infrastructure\SSOServer\webapps\lookupservice\WEB-INF\classes\config.properties". Again, this likely won't help anyone who has forgotten the admin@system-domain password, and the fix is still to perform the DB hash technique noted from the Schubis blog in Germany.

0 Kudos
oldschoola41
Enthusiast

Hey, so I think I know my admin master password, because when it asks me for it, it gets me to the point of asking for the administrator's name. Is this supposed to be admin@System-Domain or admin@system-down or just admin?

When I type in just admin or admin@System-Domain, it asks me to enter a new administrator's password and verify it. I do that, but then I get the ERROR: Failed to decrypt field com.rsa.db.user

What the heck?

Also, I don't remember setting too many different passwords while installing the SSO. If it lets me get to the point of asking for the admin account with the password I'm typing in, why can't I continue the web client install with that same password?

Thanks in advance

0 Kudos
grasshopper
Virtuoso

admin@system-domain is the one you will need for the web client install. Are you able to log in with that? In general, once you can log in with admin@system-domain, you can create/manage those other IDs. The first step, though, will be getting the web client installed. Also, ensure you right-click and run as administrator when doing the install, of course.

0 Kudos
oldschoola41
Enthusiast

No, I cannot. I get invalid credentials in that log file.

So from this post I read that the only way to reset the pw for admin@system-domain is to use the rsautil reset-admin-password command.

But you need to know the master password, which I must know, because the only password I remember configuring during the SSO install is the one I'm typing in when prompted for the master password.

But then I get that error of failed to decrypt field com.rsa.db.user

0 Kudos
grasshopper
Virtuoso

oldschoola41 wrote:

No, I cannot. I get invalid credentials in that log file.

Understood. Then you're in the right place (i.e. don't know the admin@system-domain password). That is the subject of this thread and the fixes are noted above (i.e. DB hash technique). I can't tell you why the other ID throws that interesting error, but you should probably get admin@system-domain going first so you can make progress on your web client install.

0 Kudos
oldschoola41
Enthusiast

Trying the DB hash technique now.

The password that I'm looking for is the only password that this SSO install asks you for, right? The admin@system-domain?

So I don't know where this "master password" comes from.

0 Kudos
grasshopper
Virtuoso

That's correct. If SSO is already installed successfully, then the only password you need is admin@system-domain, which will become a new "known" password upon completion of the DB hash technique. To answer the other question, in addition to allowing you to set a password for admin@system-domain, SSO also prompts you at install time (this is already done in your case) to enter passwords for the database users as well (i.e. RSA_USER and RSA_DBA), but those you do not need to know for your immediate objective. To complete the web client install in your case, you just need the password for admin@system-domain.

0 Kudos
oldschoola41
Enthusiast

What un/pw do I use to connect the SQL mgmt studio to the dummy and prod DBs?

0 Kudos
oldschoola41
Enthusiast

The local admin worked, but that article doesn't tell you that you have to use .\VIM_SQLEXP as the SQL server name; that's the name of the Express instance.

0 Kudos
Dreek
Contributor

Hey there,

Yeah, it needs you to know the previous password. Thing is, I always knew it, yet the installation was blocking me from proceeding (in my case with Web Client for vSphere) as admin@SystemDomain. Somehow using that procedure helped me reset it, and the system was able to recognize it again.

We could say the SSO sometimes confuses its own password.

I hope it helps somebody later on that looks for a solution in a case like this.

0 Kudos
Andrew_Keller_C
Enthusiast

The DB hash technique is a little confusing to me (probably because it's translated). How do I set up a new SSO database? Do I use a completely separate Windows installation and install SSO there, or do I just reinstall it on the same computer as my current SSO installation?

0 Kudos
grasshopper
Virtuoso

Andrew_Keller_Ctr wrote:

Do I use a completely separate Windows installation and install SSO there?

Yes. Create what is referred to as the DummyDB by installing SSO on a completely different VM. Then use that install to take a copy of the appropriate DB data and inject that into your real environment.

0 Kudos
Andrew_Keller_C
Enthusiast

Hmm.. didn't work. I was still able to reset my admin password using the old master password using the "rsautil reset-admin-password" command.

0 Kudos
JLackman
Enthusiast

Can you comment on the location of the file? I'm stuck in this situation right now.

0 Kudos
citrix3006
Contributor

Hello, I have the same issue with this... it seems I lost and forgot the VMware Single Sign On master password. Anyone, please help with how I can find the master password. Send email: david_suwintoro@Yahoo.com

0 Kudos
Andrew_Keller_C
Enthusiast

The link with details and instructions on how to use the rsautil program is here: VMware KB: Unlocking and resetting the vCenter Single Sign On (SSO) administrator password

In short: C:\Program Files\VMware\Infrastructure\SSOServer\utils

0 Kudos
firmdale
Contributor

Hi

I am stuck with SSO uninstallation; I cannot remember what password was used during installation.

Can you please point me to the unsupported solution?

Thank you

Dawid

0 Kudos
bezarghazi
Contributor

Hi

The easiest way is to reinstall SSO.

Br

Bezar

0 Kudos
firmdale
Contributor

I cannot reinstall as it's asking me for a Master password.

0 Kudos
JLackman
Enthusiast

The unsupported "build a new database and copy the hash" process is discussed in this thread: http://communities.vmware.com/message/2230313

Read the post by Grasshopper.

Basically, it goes like this:

  1. Install an unconnected, totally separate, new vCenter and SSO install, and have it use a new database. This is all temporary, so just put it on a standalone server or something.
  2. When doing this new install, record and write down that NEW Master password.
  3. When this new install is complete, pull up the database tables and look for the hash for the "admin" SSO password. This is the hashed password for the new install. This is described in the Grasshopper links.
  4. Copy that hash from the NEW install.
  5. Paste that hash into the database on your OLD, Production SSO database.
  6. The database table and field locations are mentioned in the post and links from Grasshopper.
  7. Now the old, production database will have the password you set in the new install.
  8. There are some other steps about stopping services, etc., so read those posts.

Disclaimer: I'm sure this process has the ability to totally mess up your cluster, or your production SSO database. It's also unsupported by VMware, but several folks have used it successfully. I've used it with success on other similar databases, but not SSO specifically.

This really is a "last resort" process.

0 Kudos