VMware Cloud Community
RAllen65
Contributor

Heartbeat installation says incorrect SSO master password when it is not incorrect

Hello,

I am trying to implement heartbeat 6.5 in my 5.1upd1 environment and when it gets to the part of asking for the SSO master password it keeps telling me it is incorrect but it absolutely is not incorrect.

I know that it is the password I inputted when I initially installed SSO, and that is the one I am using, for we use it for just about everything.

I tested it to ensure it was correct by running all of the rsautil commands in the utils folders that require the sso master password as well as the nfmasterssovalidate which also asks for the master password. All work.


There are no errors in any of my logs.

JTwice
Contributor

Help! This is happening to me as well. I have tried Heartbeat 6.5.1 and 6.6. Both fail at the SSO Master password. I too have verified the master password is valid by running rsautil reset-admin-password.

Does anyone have a fix for this?

RAllen65
Contributor

I figured out the problem after reviewing tons of logs and digging deep. It really has nothing to do with the password you are typing in. Hopefully it will help for you as well. All you need to do is disable the local group policy for "system cryptography: Use FIPS compliant algorithms". If it is a must you can enable it again after HB installation.

So go to gpedit.msc and expand computer config\windows settings\security settings\local policies\security options.

Then in the right pane scroll down and you will see the referenced security setting is more than likely enabled. You need to disable it for the install to complete.

Good luck.

JTwice
Contributor

Thanks for the reply. This policy is already disabled on my server. What logs did you look at when you had the problem?

RAllen65
Contributor

If you are in fact getting "password rest successfully" after using the above rsautil command then I am pretty sure it is the FIPS GPO on some level that is causing the problem.

Also, you do not have to verify your MP by resetting your admin password all the time, just use the "rsautil manage-secrets -a list" and it will prompt you for the SSO MP in order to display the results. Just in case you get tired of resetting the admin password ;)

I can get you the main logs I went through in the morning, but if you can, can you please run RSOP from the cmd prompt on the server you are trying to install HB on, and when the resulting GP window appears, scroll down to the FIPS policy I mentioned above and also let me know if it states "not configured" or "disabled" there? I am thinking it may be saying disabled on your local GPO but the domain GPO is actually winning in the policy aspect, which you won't necessarily see from your local GP window for some of the settings.


JTwice
Contributor

Thanks. I got not-defined for this policy when viewing RSOP. The default domain policy has this set as not-defined.

RAllen65
Contributor

OK, I know this sounds redundant but I must verify so I am clear. So both your local GP screen and the RSOP screen show not configured?

Also if you try the list rsa cmd above, it shows you the list?

Can you post images here of the screens just so I can see? Of course crop out the info you don't want seen of the rsautil screen.

Then once I see this I can focus on other possibilities.

Thanks.

JTwice
Contributor

A reasonable request. Here is the data:

LocalPOL.jpg

DomainPOL.jpg

RSA.jpg

RAllen65
Contributor

Okay I am working on what logs were most useful to me but as I am doing that, can you tell me the special characters you have in your MP, what position they are in the PW, and the length of it? I am mainly curious as to if the "&" symbol is in your MP and at the end but I have seen issues with others as well. I have also had colleagues run into a problem with a certain character in the PW and it not being long enough even though it was for the VC install, in order for HB to install, it required diff criteria. Surprise.....VMware mystery, LOL.

JTwice
Contributor

& is the fourth character in my 8 character password. I read a post on Gabe's Virtual World about this. That's what gave me the idea to try to use the MP via the cmd line, which worked, so I thought I was safe. You're saying that the same MP might meet requirements for some VMware apps, but not all VMware apps? Yes that thought has crossed my mind too, that just sounds terrible though...

dmihaescu
Hot Shot

vCenter Single Sign-On – Part 4: Pre Install Requirements | VMware vSphere Blog - VMware B...

Single Sign-On Requirements

  1. During the installation you will be required to set a password for the admin@system-domain admin account. The password cannot include any of the following characters:
     • ^ (circumflex)
     • * (asterisk)
     • $ (dollar)
     • ; (semicolon)
     • " (double quote)
     • ) (right parenthesis)
     • < (less than)
     • > (greater than)
     • & (ampersand)
     • | (pipe)
     • In some cases a trailing " " space will also cause this issue
Reply
0 Kudos
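
The two checks discussed in this thread, the effective FIPS policy and the character list quoted in the post above, can be run together before starting the installer. This is an added example, not code from VMware or from any poster; `Test-SsoMasterPassword` is a hypothetical helper name, and the registry value is where Windows stores the effective result of the "Use FIPS compliant algorithms" security option.

```powershell
# Added pre-install check; not VMware's or the posters' code.
# Run on the server where Heartbeat will be installed.

# Effective FIPS setting: the security option ends up in this registry value
# whether it was set in local policy or by a winning domain GPO.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($fips -eq 1) {
    Write-Warning 'FIPS algorithm policy is enabled on this machine.'
} else {
    Write-Output 'FIPS algorithm policy is not enabled on this machine.'
}

# Hypothetical helper: reports each unsupported character and its position.
function Test-SsoMasterPassword {
    param([string]$Password)
    # Character list taken from the SSO requirements quoted in the post above.
    $forbidden = '^', '*', '$', ';', '"', ')', '<', '>', '&', '|'
    $problems = @()
    for ($i = 0; $i -lt $Password.Length; $i++) {
        $c = [string]$Password[$i]
        if ($forbidden -contains $c) {
            $problems += "unsupported character '$c' at position $($i + 1)"
        }
    }
    if ($Password.EndsWith(' ')) { $problems += 'trailing space' }
    return ,$problems
}

# Read the candidate password without echoing it or placing it on a command line.
$secure = Read-Host -Prompt 'Password to check' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $issues = Test-SsoMasterPassword -Password $plain
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

if ($issues.Count -eq 0) {
    Write-Output 'No unsupported characters found.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Reading the registry value shows the setting actually in force, which avoids comparing the local policy editor against RSOP by hand.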
RAllen65
Contributor

Okay do me a favor and use the rsautil manage-secrets -m to change your MP (not admin PW) to one like VMware@90 or something because I know this one works. Then verify it took by running another util that requires MP. Then try the HB install.

JTwice
Contributor

Uggghhhh.... failing to reset the MP. It's dropping all the characters before the "&." So when I enter the command it's coming back with invalid password. As pointed out in the documentation...don't use the "&" character. It's odd that it works for some functions but not for all.

RAllen65
Contributor

It should actually be dropping the characters after the sign. Try entering the password only with the characters before the &, like if your MP is vmware& try just entering vmware. Let me know. We will get ya going hopefully.

JTwice
Contributor

Since this was a dev setup, I re-installed everything using a fully supported master password. Guess what? No problems.

I very much appreciate the help. Troubleshooting certainly exposed some weirdness with the master password.

RAllen65
Contributor

Good to hear. Just wondering though, did you try the password with just the characters before the &? Just curious for other people who may be having the issue.

JTwice
Contributor

Yes I did. That did not work either.

I would love to know how the same password can perform some functions, but fail on others.
