I have vCenter Server 5.1.1064983 and I wanted to update to 5.1.0-1235309.
Step one - updating SSO. I enter the master password and get an error - Provider password is wrong or empty.
I try to log in to webclient with admin@system-Domain - your password expires
I try to reset password - C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli\ssopass admin
>Using Lookup Service: https://192.168.3.81:7444/lookupservice/sdk (on the current machine).
> Intializing registration provider...
> Getting SSL certificates for https://192.168.3.81:7444/lookupservice/sdk
> com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certficate assertion not verified and thumbprint not matched
>Return code is: SslHandshakeFailed 1
C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli>ssolscli.cmd listServi
ces https://smart.intranet:7444/lookupservice/sdk
Intializing registration provider...
Getting SSL certificates for https://smart.intranet:7444/lookupservice/sdk
Getting SSL certificates for https://smart.intranet:7444/sso-adminserver/sdk
Anonymous execution
Found 6 services.
Service 1
-----------
serviceId={B567E535-386A-417F-B21D-60D2F5B7EBB7}:10
serviceName=vCenterService
type=urn:vc
endpoints={[url=https://smart.intranet:443/sdk,protocol=vmomi]}
version=5.1
description=vCenter Server
ownerId=vCenterServer_2012.11.27_142748@System-Domain
productId=<null>
viSite={B567E535-386A-417F-B21D-60D2F5B7EBB7}
Service 2
-----------
serviceId={B567E535-386A-417F-B21D-60D2F5B7EBB7}:3
serviceName=The group check interface of the SSO server
type=urn:sso:groupcheck
endpoints={[url=https://smart.intranet:7444/sso-adminserver/sdk,protocol=vmomi]}
version=1.0
description=The group check interface of the SSO server
ownerId=<null>
productId=<null>
viSite={B567E535-386A-417F-B21D-60D2F5B7EBB7}
Service 3
-----------
serviceId={B567E535-386A-417F-B21D-60D2F5B7EBB7}:6
serviceName=VMware vSphere Web Client
type=urn:com.vmware.vsphere.client
endpoints={[url=https://smart.cs_ltd.intranet:9443/vsphere-client,protocol=vmomi
]}
version=5.1
description=VMware vSphere Web Client Service
ownerId=WebClient_2012.11.27_141740
productId=<null>
viSite={B567E535-386A-417F-B21D-60D2F5B7EBB7}
Service 4
-----------
serviceId={B567E535-386A-417F-B21D-60D2F5B7EBB7}:5
serviceName=VMware Log Browser
type=urn:logbrowser:logbrowser
endpoints={[url=https://smart.cs_ltd.intranet:12443/vmwb/logbrowser,protocol=unk
nown],[url=https://smart.cs_ltd.intranet:12443/authentication/authtoken,protocol
=unknown]}
version=2.1.0.855129
description=Enables browsing vSphere log files within the VMware Web Client
ownerId=WebClient_2012.11.27_141740
productId=<null>
viSite={B567E535-386A-417F-B21D-60D2F5B7EBB7}
Service 5
-----------
serviceId={B567E535-386A-417F-B21D-60D2F5B7EBB7}:2
serviceName=The security token service interface of the SSO server
type=urn:sso:sts
endpoints={[url=https://smart.intranet:7444/ims/STSService?wsdl,protocol=wsTrust
]}
version=1.0
description=The security token service interface of the SSO server
ownerId=<null>
productId=<null>
viSite={B567E535-386A-417F-B21D-60D2F5B7EBB7}
Service 6
-----------
serviceId={B567E535-386A-417F-B21D-60D2F5B7EBB7}:1
serviceName=The administrative interface of the SSO server
type=urn:sso:admin
endpoints={[url=https://smart.intranet:7444/sso-adminserver/sdk,protocol=vmomi]}
version=1.0
description=The administrative interface of the SSO server
ownerId=<null>
productId=<null>
viSite={B567E535-386A-417F-B21D-60D2F5B7EBB7}
Return code is: Success
0
C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli>ssolscli.cmd listServi
ces https://192.168.3.81:7444/lookupservice/sdk
Intializing registration provider...
Getting SSL certificates for https://192.168.3.81:7444/lookupservice/sdk
com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certi
ficate assertion not verified and thumbprint not matched
com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certi
ficate assertion not verified and thumbprint not matched
Return code is: OperationFailed
100
I updated vSphere from version 5.0 and all was well.
I love SSO... always been fun. The canned answer is you need to open a ticket with VMware and have them troubleshoot it... which will take a week and more than likely will end with re-install. So you can skip the middle man and reinstall connecting to your old database.
Just my two cents... it never hurts to open a ticket with VMware just in case though... because if they tell you to reinstall they will support it.
Also make backups / snapshots before you try it.
Can you try not to mix IP and DNS names? Certificates in a vSphere environment are pretty allergic to that. Not to even mention the hard requirement of forward and reverse DNS for SSO to actually be supported. As all your service endpoints are registered by FQDN, use the FQDN in your commands as well.
What happens when you try to reset the admin@system-domain password using the following kb?
VMware KB: Unlocking and resetting the vCenter Single Sign On (SSO) administrator password
When I installed SSO I entered the FQDN, not the IP address. And I updated vSphere many times. Everything was good.
When I try to reset the password I get the error SslHandshakeFailed. Perhaps because SSO tries to get the SSH certificate by IP address.
C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli>ssolscli.cmd listServices https://192.168.3.81:7444/lookupservice/sdk
That does not look like an FQDN to me
Did the reset using the way from the kb article work?
>That does not look like an FQDN to me
But this I type in cmd.
For the 3rd time - when I try to reset the password I get the error SslHandshakeFailed
"vCenter Server 5.1.1064983 and I wanted to update to 5.1.0-1235309."
That may be a typo but I don't think you can down-rev to an older version.
Why down-rev? Update 5.1.0.1064983 to 5.1.0-1235309.
The problem is solved by a vSphere and SSO reinstall.
I found this while looking for an answer, and I post to this aged thread so that I may find it easily the next time I or one of my colleagues runs into this problem.
Situation is like the above. What I found was that when I issued the command "ssopass admin" I received the response listed. What I noticed was that it was attempting to connect to the lookup service using the IP address. When I changed the command to "ssopass -d https://<<FQDN_Address>>:7444/lookupservice/sdk admin" it performed as it should. The inclusion of the lookup FQDN was what got it to work for me.
For all the people in the same boat still I will stress this:
Try your server's FQDN first!
It has to be a Fully Qualified Domain Name...
<Servername>.<Domain>
<ServerName> will NOT work
<IPAddress> will NOT work
This error is generally directly related to the name on the certificate NOT matching the server's FQDN entered.
Hope this helps!
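
The name-matching rule behind the advice in this thread, as an added example that is not from any poster and is not VMware's own validation code: a generic TLS hostname check run against the lookup service URLs quoted above. The certificate contents (SAMPLE_CERT) and the function names are assumptions constructed for illustration; the thread does not show the real certificate.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the names on the thread's real certificate are not shown on the page.
SAMPLE_CERT = {
    "subject": ((("commonName", "smart.intranet"),),),
    "subjectAltName": (("DNS", "smart.intranet"),),
}

def _dns_match(pattern, host):
    """Case-insensitive match; '*' allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_url_against_cert(url, cert):
    """Return (ok, reason) for the host in `url` versus the names in `cert`."""
    host = urlsplit(url).hostname
    if not host:
        return False, "no host in URL"
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an IP SAN, never a DNS name or the CN.
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return True, "IP SAN match"
        return False, f"IP {host} not in certificate; use the FQDN"
    if not dns_names:
        # Legacy fallback: use the subject CN when there are no DNS SANs.
        dns_names = [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
    if any(_dns_match(n, host) for n in dns_names):
        return True, "DNS name match"
    if "." not in host:
        return False, f"short name {host} is not an FQDN on the certificate"
    return False, f"{host} does not match {dns_names}"
```

To check a live server instead of the constructed sample, pass the dictionary from ssl.SSLSocket.getpeercert() on a verified connection as the cert argument.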