VMware Cloud Community
bezarghazi
Contributor

vCenter Single Sign On master password

Hi guys

I do not remember the admin@system-domain password.

I am wondering how to reset the admin account's password.

I tried to reset the password with the rsautil command line, but I don't remember the master password.

Is there any way to reset the password? Can I find the master password in the DB tables? Or add a new admin user in the DB?

Br

Bezar

68 Replies
bezarghazi
Contributor

Hi firmdale

Do not type anything in the password field, just click Next. You will get the message "Provided password is wrong or empty. However, you can proceed the uninstallation but vCenter Single Sign In database will be left out after uninstallation". Just click OK and continue the uninstall process.

You have to remove the database manually.

/Bezar Ghazi

gunthans
Contributor

Could someone post a HASH for a password like "Temp1234." so that everyone won't have to reinstall SSO, but rather copy this HASH into their DB, and then use Temp1234. as their admin@System-Domain password? We are all going to change it right after anyways. It would save everyone lots of steps.

memaad
Virtuoso

Hi,

I have just left a note in a private message which has a script to reset the password of admin@system-Domain.

Regards

Mohammed

Mohammed | Mark it as helpful or correct if my suggestion is useful.
spravtek
Expert

I have this one from helping someone out before... It worked then, so ... Hope it helps some folks.


the password is "P@ssw0rd" (without the quotes)

the hash: {SSHA256}qguSTmcPLof/kca9rCmHTksmvZpqZVlBW2NP+8OWYgo37SbXiw==


memaad
Virtuoso

Hi,

For a wider audience, here is the script.

If the SSO password (admin@system-domain) needs to be reset, please execute the query below on the RSA database:

    UPDATE [dbo].[IMS_PRINCIPAL]
    SET [PASSWORD] = '{SSHA256}KGOnPYya2qwhF9w4xK157EZZ/RqIxParohltZWU7h2T/VGjNRA=='
    WHERE LOGINUID = 'admin'
    AND PRINCIPAL_IS_DESCRIPTION = 'Admin';

This will reset the password to "VMware1234!", after which you log in and change the password as needed.

Note: Take a backup of the RSA database before executing this.


Regards

Mohammed

Mohammed | Mark it as helpful or correct if my suggestion is useful.
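
An added audit sketch, not part of the original posts and not VMware or RSA code: both hashes posted in this thread appear next to their plaintext passwords, so any IMS_PRINCIPAL row still holding one of them has a publicly known password. The function names, the sample rows and the digest-first layout of the base64 payload are assumptions.

```python
import base64
import re

# The two hashes posted in this thread next to their plaintext passwords.
PUBLISHED_HASHES = {
    "{SSHA256}qguSTmcPLof/kca9rCmHTksmvZpqZVlBW2NP+8OWYgo37SbXiw==",
    "{SSHA256}KGOnPYya2qwhF9w4xK157EZZ/RqIxParohltZWU7h2T/VGjNRA==",
}
DIGEST_LEN = 32  # size of a SHA-256 digest in bytes


def parse_ssha256(stored):
    """Split '{SSHA256}<base64>' into (digest, salt).

    Assumption: the payload is digest-first with the salt appended.
    """
    m = re.fullmatch(r"\{SSHA256\}([A-Za-z0-9+/]+={0,2})", stored.strip())
    if not m:
        raise ValueError("not an {SSHA256} value")
    raw = base64.b64decode(m.group(1), validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("no salt after the 32-byte digest")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def audit_rows(rows):
    """Check (LOGINUID, PASSWORD) pairs exported from IMS_PRINCIPAL."""
    findings = []
    for loginuid, stored in rows:
        if stored.strip() in PUBLISHED_HASHES:
            findings.append((loginuid, "published-hash"))
            continue
        try:
            parse_ssha256(stored)
        except ValueError as exc:  # binascii.Error is a ValueError too
            findings.append((loginuid, f"unparseable: {exc}"))
    return findings


# Constructed sample rows; only the first hash comes from the thread.
SAMPLE_ROWS = [
    ("admin", "{SSHA256}KGOnPYya2qwhF9w4xK157EZZ/RqIxParohltZWU7h2T/VGjNRA=="),
    ("rotated-example", "{SSHA256}" + base64.b64encode(bytes(range(37))).decode()),
    ("broken-example", "{SSHA256}AAAA"),
]

if __name__ == "__main__":
    for finding in audit_rows(SAMPLE_ROWS):
        print(finding)
```

A "published-hash" finding means the account's password was never changed after the reset described above.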
gunthans
Contributor

Thank you!

gunthans
Contributor

Thank you!!!  worked like a charm!!!!!

spravtek
Expert

Sorry for the late reply... But you're welcome ;)

pktmobrien
Contributor

Does this hash update for the SQL Database modify the Admin@System-Domain password or does it also change the Master password as well?

I ask because I am recently hired at this company and given an environment with no documentation. I was originally unable to install the web client until I ran this hash query in my database. I was then able to install the Web Client, log into the web client and also change my password for the admin@system-domain account.

However, I'm trying to update my current environment from 5.1 to 5.1u1 and when I run the installer to update SSO, it tells me I have the wrong password. I know the Admin Password is correct as I can log into the Web Client with it. However the installation fails with the wrong password dialog box. If I try to run the "rsautil reset-admin-password" and use my admin password, it tells me that I have the wrong password. So my guess is that this only changes the admin password and not the master.

If my guess is correct and this hash only updates the admin and not the master, it seems extremely silly to me that the only way to reset the master password is to uninstall SSO and reinstall it from scratch.

Or is there something else going on in my environment?

Is my only choice to reinstall SSO?

spravtek
Expert

This hash and the procedure resets your master password ... So maybe something else is going on?

JLackman
Enthusiast

Read the post earlier in this thread by memaad.... He outlines a process to reset it in the DB.

memaad
Virtuoso

Hi,

The above-mentioned hash in my post will reset the password only for admin@system-domain. Once you know this password then you can reset the master password.

Regards

Mohammed

Mohammed | Mark it as helpful or correct if my suggestion is useful.
nschlabitz
Contributor

Could you let me know what the directory and files are that I need to have a look at for this please. One of my engineers set this up and has since left the company. So I have no way of getting the system-domain password. I would IM you, but do not have any points......

Thanks

xarg
Contributor

Worked for me!

vspheretester
Contributor

Dear Sir or Madam,

Thank you for your message. I will be back in the office and available to you from 19.08.2013. If your request requires prompt attention, my colleagues from the Service & Support Team will be happy to help you: (Mail: support@acs-europe.de and Tel.: +49 341 355913 20).

Thank you for your understanding.

Best regards

Maik Schoepe

Team Lead IT Infrastructure / Field Service

ACS Solutions GmbH

Maximilianallee 2

04129 Leipzig

Phone: +49 341 355913 23

Fax: +49 341 355913 11

www.acs-europe.de

Leipzig District Court: HRB21111

VAT ID No.: DE814217083

Managing Director: Thomas Lindner

hedman
Contributor

Hi,

How do I reset the master password after I've a working password for the admin@system-domain? I found this http://vcdxorbust.com/2013/05/30/vcentre-5-1-sso-changing-the-master-password-the-right-way-and-the-... but it warns that it will break my SSO setup.

ifsdd
Enthusiast

@hedman

Quote from Charles Gillanders: The only way that actually works is to change the master password using the current master password. Trying to change it using the current admin user doesn’t work and will break your SSO installation.


The only working unsupported way is from my colleague: http://www.die-schubis.de/doku.php?id=vmware:vsphere

hedman
Contributor

I did that and it only changed my admin@system-domain password, if I try to change the master password after the hash trick it gives me: "Error: Invalid password, failed to decrypt system key Root cause: javax.crypto.BadPaddingException: Given final block not properly padded" after rsautil manage-secrets -a change command. Same thing if I try to update vcenter to latest and it asks for master password. I guess I have the same problem as

pktmobrien
Contributor

I wanted to do the right thing and post how I solved my error/problem. Be warned, it is not pretty and you need to understand that it is absolutely necessary that you backup your vsphere server before doing this procedure. This procedure was issued to me from VMware Tech Support as my only option.

To recap on what happened in my scenario. I was a new hire and given a current installation of VMware Vsphere 5.1. I had no documentation but I was given the default Admin Passwords that were used in most instances in the network. After many unsuccessful attempts to upgrade from SSO 5.1 to 5.1u1 because of an invalid password during upgrade, I went to the forums and VMware Tech Support. The method suggested to fix this was to do a database query on the SQL instance using the supplied hash which would restore the MASTER and ADMIN@SYSTEM-DOMAIN password to the given value for the hash.

This did work, PARTIALLY. I say this in that I was able to finally log in to the VMware Vsphere webportal and client using my admin@system-domain account using the new HASHED password. However, the problem that was still present was that I still could not upgrade SSO 5.1 to 5.1u1 because of a bad password. So...wait for it...... Corrupt RSA database!!! The confusing part is that everything still functions perfectly. I can use my admin@system-domain password to navigate my VMware environment, but I was unable to upgrade certain instances of VMware because of this issue.

I'M GOING TO BE VERY CLEAR ABOUT THIS! WHAT I'M PROVIDING YOU IS NOT INSTRUCTIONS ON HOW TO FIX THIS, BUT RATHER A CHECKLIST TO FOLLOW. I am NOT RESPONSIBLE if you bring down your production servers for not researching this before you attempt this or contacting VMware tech support. I spent an entire week reading and re-reading the procedures before attempting this.

MY VMware environment was in production and unaffected during this procedure. I also have VSA (Virtual Storage Appliance) and it was also unaffected.

Checklist that worked for me.

  1. Read all of these steps!
  2. Don't Forget to do Steps 15 and 16.
  3. Download the Instructions for installing VMware VSphere and read specifically page 223 http://pubs.vmware.com/vsphere-51/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-511-instal...
  4. WATCH this YouTube video from start to finish before even starting. VMware vSphere 5.1 vCenter Upgrade Part 1. Single Sign On Installation - YouTube
  5. WHATEVER YOU DO, DO NOT install a newer version of SSO during this procedure. I did this and had to revert back to my SNAPSHOT and try again. Again, had I not backed up, I would have been in trouble. Be sure to install the same version of SSO that you are removing. So be sure to reinstall the version you uninstalled and THEN Upgrade SSO to a newer version. I say this because I believe I still had some certificate errors for the web portal after step 16 that were simply fixed when I upgraded SSO to 5.1u1.
  6. Backup your VCenter Server.
  7. Then Backup your VCenter Server and TEST YOUR BACKUP. A backup is only good if you can restore from it.
  8. Then, Take a SNAPSHOT of your VCenter Server if it is virtualized.
  9. Then backup your RSA DB instance in SQL. And don't be a doofus and backup your RSA DB to your local C drive of your VCenter Server. If you have to start over, you lost it. Backup to a networked drive or external storage.
  10. Then take a Screen Shot of LocalHost\SQL Instance\Security\Logins\Table  (The Idea is to capture all of your security accounts because once you proceed ahead, you might have to add some back after this procedure.)
  11. DrumROLL
  12. Uninstall SSO. (You will receive an error because you do not have the MASTER password to uninstall this instance. This error simply tells you that the database will still exist but SSO will be un-installed.)
  13. Delete the RSA database from SQL.
  14. Follow the YouTube Video for the procedure to configure the RSA database and install SSO.
  15. Open CMD as ADMINISTRATOR. Just opening CMD will NOT work. You have to right click on CMD and "Run as Administrator".
  16. Follow all of these procedures. http://kb.vmware.com/kb/2033620
  17. Upgrade your SSO Instance.

Good Luck!

iamxCPx
Enthusiast

Mohammed,

I'm logged in as admin@system-domain.

How do you reset the master password once you logged in?

Thanks! :)