ESXi


vCenter Single Sign On master password

bezarghazi Dec 17, 2012 07:41 AM

  • 1.  vCenter Single Sign On master password

    Posted Dec 13, 2012 10:30 AM

    Hi guys

    I do not remember the admin@system-domain password.

    I am wondering how to reset the admin account's password.

    I tried to reset the password with the rsautil command line but I don't remember the master password.

    Is there any way to reset the password? Can I find the master password in the DB tables, or add a new admin user in the DB?

    Br

    Bezar



  • 2.  RE: vCenter Single Sign On master password

    Posted Dec 13, 2012 11:33 AM

    I don't think there is a way to reset the master password for SSO, at least I haven't come across a way to do this yet ...

    The master password is the one you set during initial setup; it doesn't change even if you later changed the admin password ... If you can't remember it ... I'm afraid there's not much you can do... Maybe someone else has better news?



  • 3.  RE: vCenter Single Sign On master password

    Posted Dec 13, 2012 06:05 PM

    Hi ,

    VMware does not support resetting the Master password. However, while searching online I found this link ("Unsupported by VMware"):

    http://translate.google.ie/translate?sl=de&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.die-schubis.de%2Fdoku.php%3Fid%3Dvmware%3Avsphere%26%26_sm_au_%3DiVVqjkrsQ0sLqFW6&act=url

    Regards

    Mohammed



  • 4.  RE: vCenter Single Sign On master password

    Posted Dec 13, 2012 06:17 PM

    Nice find memaad ...

    Of course it's not supported, but if you're really in need of a fix and don't want to take the recommended way of VMware ... You could go this route.



  • 5.  RE: vCenter Single Sign On master password

    Posted Jun 13, 2013 09:09 PM

    Could someone post a HASH for a password like "Temp1234." so that everyone won't have to reinstall SSO, but can rather copy this HASH into their DB, and then use Temp1234. as their admin@System-Domain password? We are all going to change it right after anyway. It would save everyone lots of steps.



  • 6.  RE: vCenter Single Sign On master password

    Posted Jun 13, 2013 09:32 PM

    Hi,

    I have just left a note in a private message which has a script to reset the password of admin@system-domain.

    Regards

    Mohammed



  • 7.  RE: vCenter Single Sign On master password

    Posted Jun 13, 2013 09:44 PM

    Hi,

    For a wider audience, here is the script.

    If the SSO password (admin@system-domain) needs to be reset, please execute the query below on the RSA database:

        UPDATE [dbo].[IMS_PRINCIPAL]
        SET [PASSWORD] = '{SSHA256}KGOnPYya2qwhF9w4xK157EZZ/RqIxParohltZWU7h2T/VGjNRA=='
        WHERE LOGINUID = 'admin'
          AND PRINCIPAL_IS_DESCRIPTION = 'Admin';

    This will reset the password to "VMware1234!", after which you log in and change the password as needed.

    Note: Take a backup of the RSA database before executing this.


    Regards

    Mohammed



  • 8.  RE: vCenter Single Sign On master password

    Posted Jul 17, 2013 10:20 PM

    Worked for me!



  • 9.  RE: vCenter Single Sign On master password

    Posted Jul 17, 2013 10:23 PM

    Dear Sir or Madam,

    Thank you for your message. I will be back in the office and available to you from 19.08.2013. If your request requires prompt handling, my colleagues from the Service & Support Team will be happy to help (Mail: support@acs-europe.de and Tel.: +49 341 355913 20).

    Thank you for your understanding.

    Kind regards / Best regards

    Maik Schoepe

    Team Lead IT Infrastructure / Field Service

    ACS Solutions GmbH

    Maximilianallee 2

    04129 Leipzig

    Phone: +49 341 355913 23

    Fax: +49 341 355913 11

    www.acs-europe.de

    Leipzig District Court: HRB21111

    VAT ID: DE814217083

    Managing Director: Thomas Lindner



  • 10.  RE: vCenter Single Sign On master password

    Posted Jun 13, 2013 09:40 PM

    I have this one from helping someone out before... It worked then, so ... Hope it helps some folks.


    the password is "P@ssw0rd" (without the quotes)

    the hash: {SSHA256}qguSTmcPLof/kca9rCmHTksmvZpqZVlBW2NP+8OWYgo37SbXiw==
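The `{SSHA256}` values posted in this thread carry their own salt, which is why a hash copied from one SSO database authenticates in another, and also why an admin row still holding one of them has a publicly known password. The audit sketch below is an added example, not part of any post and not VMware or RSA code; it assumes the common LDAP-style layout base64(SHA-256(password + salt) + salt), and the helper names and sample rows are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA256}"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes

# Hashes posted publicly in this thread, mapped to the password each post states.
PUBLISHED = {
    "{SSHA256}KGOnPYya2qwhF9w4xK157EZZ/RqIxParohltZWU7h2T/VGjNRA==": "VMware1234!",
    "{SSHA256}qguSTmcPLof/kca9rCmHTksmvZpqZVlBW2NP+8OWYgo37SbXiw==": "P@ssw0rd",
}


def parse_ssha256(value):
    """Split '{SSHA256}<base64>' into (digest, salt). Layout is an assumption."""
    if not value.startswith(PREFIX):
        raise ValueError("not an {SSHA256} value")
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("no salt after the 32-byte digest")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def make_ssha256(password, salt=None):
    """Build a value in the assumed layout (used only for constructed samples)."""
    salt = os.urandom(5) if salt is None else salt
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify(password, value):
    """True if password matches value under the assumed SHA-256(password + salt)."""
    digest, salt = parse_ssha256(value)
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit(rows):
    """rows: iterable of (LOGINUID, PASSWORD column value). Returns findings."""
    findings = []
    for login, value in rows:
        # Case 1: the column still holds a hash pasted verbatim from the thread.
        if value in PUBLISHED:
            findings.append((login, "hash copied from public thread"))
            continue
        # Case 2: a thread password set through the normal path (different salt).
        try:
            if any(verify(pw, value) for pw in PUBLISHED.values()):
                findings.append((login, "thread password, different salt"))
        except ValueError:
            findings.append((login, "unparseable PASSWORD value"))
    return findings


# Constructed export of LOGINUID / PASSWORD pairs (not real data).
SAMPLE_ROWS = [
    ("admin", next(iter(PUBLISHED))),
    ("svc-backup", make_ssha256("P@ssw0rd", b"\x01\x02\x03\x04\x05")),
    ("alice", make_ssha256("constructed-Example-9!")),
    ("broken", "plaintext"),
]

if __name__ == "__main__":
    for login, reason in audit(SAMPLE_ROWS):
        print(f"{login}: {reason}")
```

Feed it the LOGINUID and PASSWORD columns exported from IMS_PRINCIPAL; any finding means that account should be given a fresh password.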




  • 11.  RE: vCenter Single Sign On master password

    Posted Jun 13, 2013 10:50 PM

    Thank you!



  • 12.  RE: vCenter Single Sign On master password

    Posted Jun 14, 2013 01:12 AM

    Thank you!!!  worked like a charm!!!!!



  • 13.  RE: vCenter Single Sign On master password

    Posted Jun 15, 2013 06:12 AM

    Sorry for the late reply... But you're welcome :smileywink:



  • 14.  RE: vCenter Single Sign On master password

    Posted Dec 13, 2012 06:53 PM

    \\Update

    [Jump to the solution later in the thread here]

    Tips:

    - Remember that the admin@system-domain password requires greater strength than most VMware passwords.  As such, if you think you know the password but it's not working, try adding a special character at the end such as !.  It only requires 8 characters but there must be at least one special character.  It will also lock you out after 3 bad attempts.  Try back later after it has reset the lock.

    - Admin is not admin
    The user name is case sensitive.  It should always be admin@system-domain (domain portion not case sensitive).

    Don't even think about upgrading vCenter / SSO without good DB and vCenter backups and/or snaps

    - If you are dealing with a failed SSO upgrade from a previous version, then you should a) Roll back to a snapshot/restore; or b) Reinstall SSO and repoint your vCenter.  Remember to reinstall SSO you _must_ use the same version that was installed.  Also remember that a failed upgrade of SSO can and will stop the SSO service and/or your vCenter service.  From that point on you won't be able to login to an otherwise previously healthy sso.


    admin@system-domain (Not cached in plain text)

    - Despite what's listed below in my original post, the admin@system-domain password is _not_ cached in plain text.  However, the DBA_USER password is.


    DBA_User password (this is cached in plain text):

    "C:\Program Files\VMware\Infrastructure\SSOServer\webapps\lookupservice\WEB-INF\classes\config.properties"

    Why is the above useful?  In the rare case where the technician set all passwords the same (or at least the admin@system-domain and the RSA_USER) then and only then could one glean the admin@system-domain password from the above file.  More details and other options in this thread.

    \\original post

    I'm sure this will be fixed eventually, but the answer you seek is (shockingly) available in plain text.

    Browse to the following directory:

    [intentionally deleted by grasshopper]

    In the above directory, locate and open the following file in notepad:

    [intentionally deleted by grasshopper]

    Edit 0.1: As it turns out admin@system-domain is not cached in plain text, only the RSA_USER is.  More details in the Tips section above.

    Edit 0.2: Added quick link to solution by memaad and added additional tips since this post has gotten quite long.  I will try to add more over time.

    Message was edited by: grasshopper



  • 15.  RE: vCenter Single Sign On master password

    Posted Dec 13, 2012 06:59 PM

    Seriously??? I just checked this, it's true ... The shocking thing is that I looked at that file before and didn't notice that ... Gotta ask myself :smileywink:

    That's some serious security flaw if you ask me ...

    Thanks grasshopper... This is exactly why I love this community ... Never stop learning and staying humble!



  • 16.  RE: vCenter Single Sign On master password

    Posted Dec 14, 2012 03:35 AM

    Never stop learning and staying humble!

    Yes my friend.  Wise words.  Because sometimes you're on top and sometimes you're on esxtop.

    -grasshopper

    PS - please see my previous post.  I removed some detail to protect the innocent.  If anyone gets stuck they can IM me or hit my gmail.



  • 17.  RE: vCenter Single Sign On master password

    Posted Dec 14, 2012 05:00 AM

    Mike Nisk wrote:

    PS - please see my previous post.  I removed some detail to protect the innocent.  If anyone gets stuck they can IM me or hit my gmail.

    The difficulty with these situations is that:

    • The malicious people already know this, or if not, will figure it out shortly and use it
    • Innocent people, with no advisory from VMware, won't know there's an issue
    • VMware, without a "public exploit", have good odds of doing nothing

    In short, I would encourage you to take this to a support case, and if you get nowhere, put that post right back.



  • 18.  RE: vCenter Single Sign On master password

    Posted Dec 14, 2012 07:32 PM

    I'm not sure why you feel that way, Josh26. If anybody finds something they feel is a security vulnerability that hasn't been addressed by a previous VMSA/patch we'd appreciate that you immediately contact security@vmware.com and provide as much detail as possible regarding what you've found (http://www.vmware.com/support/policies/security_response.html). We actively investigate all reports.

    In this case, while the password is stored in plaintext (and actually cannot be stored as a hash due to how it's later used), the file itself has strong protections based on file system ownership and permissions restricting access to Administrator.



  • 19.  RE: vCenter Single Sign On master password

    Posted Mar 05, 2013 11:24 AM

    One of the advantages of communities is rapid discovery of exploits and their correction.

    Storing passwords in plain text has been a bad idea since forever....

    The fact that SSO does this practically means that ESXi Management Network, vCenter and SSO would need to be on an "air gap" network to be truly secure. After all, if I could exploit the SSO server filesystem; I could acquire the keys to the kingdom!



  • 20.  RE: vCenter Single Sign On master password

    Posted Apr 24, 2014 04:34 PM

    Hi Team,

    I used the unsupported way to reset the password:

        UPDATE [dbo].[IMS_PRINCIPAL]
        SET [PASSWORD] = '{SSHA256}KGOnPYya2qwhF9w4xK157EZZ/RqIxParohltZWU7h2T/VGjNRA=='
        WHERE LOGINUID = 'admin'
          AND PRINCIPAL_IS_DESCRIPTION = 'Admin';

    This will reset the password to "VMware1234!".

    It ran successfully, but when I check the web client using the username and the reset password, it is not working properly.

    Please can you help me understand this.

    Regards,
    Santosh Dalvi



  • 21.  RE: vCenter Single Sign On master password

    Posted Apr 24, 2014 05:10 PM

    Hi santoshdalviderby,

    What version of vCenter are you running (probably 5.1, right)?  Have you tried rebooting the vCenter since the fix?  Have you waited at least 15 minutes between any failed login attempts (default lockout is 3 bad attempts)?  Also please make sure you are logging in with admin@system-domain ("admin" must be all lower case).  Ensure that the system time is healthy.

    If all of the above checks out, then please tell us more about the steps taken prior to resetting the password.  Did you attempt to re-install any components (especially interested to know if any installs failed)?  Keep in mind, this fix is only valid for a perfectly healthy system for which the password was forgotten.

    Please review KB2034506.  You can also review the Web Client Logs, and other vCenter logs.  If the problem persists please provide the error message you get when attempting to login and share any relevant logs by attaching them using the advanced editor on a forum post reply.



  • 22.  RE: vCenter Single Sign On master password

    Posted Apr 25, 2014 04:02 AM


  • 23.  RE: vCenter Single Sign On master password

    Posted Apr 25, 2014 04:27 AM

    Excellent!  Good job and thanks for sharing!



  • 24.  RE: vCenter Single Sign On master password

    Posted May 28, 2013 09:54 PM

    can you comment on the location of the file?  I'm stuck in this situation right now.



  • 25.  RE: vCenter Single Sign On master password

    Posted May 29, 2013 02:44 PM

    The link with details and instructions on how to use the rsautil program is here: VMware KB: Unlocking and resetting the vCenter Single Sign On (SSO) administrator password

    In short: C:\Program Files\VMware\Infrastructure\SSOServer\utils



  • 26.  RE: vCenter Single Sign On master password

    Posted May 29, 2013 10:22 AM

    Hello, I have the same issue with this... It seems I lost and forgot the VMware Single Sign On master password. Anyone, please help: how can I find the master password? Send email: david_suwintoro@Yahoo.com



  • 27.  RE: vCenter Single Sign On master password

    Posted Jul 11, 2013 05:11 AM

    Could you let me know what the directory and files are that I need to have a look at for this please. One of my engineers set this up and has since left the company. So I have no way of getting the system-domain password. I would IM you, but do not have any points......

    Thanks



  • 28.  RE: vCenter Single Sign On master password

    Posted Dec 17, 2012 07:41 AM

    Thanks All



  • 29.  RE: vCenter Single Sign On master password

    Posted Jan 25, 2013 04:19 AM

    Did you ever get an answer to this? I have the same problem and am in dire need of help recovering the admin@system-domain password; re-install is not an option at this point.  Please help me out, I can't see the plain text location in the post below.



  • 30.  RE: vCenter Single Sign On master password

    Posted Jan 25, 2013 08:30 AM

    For 2008 R2, you can check the following location and see if the password listed here jars your memory:

    "C:\Program Files\VMware\Infrastructure\SSOServer\webapps\lookupservice\WEB-INF\classes\config.properties"

    Note:  After all, I think the above is just the sso db pw but if you set everything the same it could be an instant win.

    If this was an upgrade to 5.1 and now you can't login, you may consider reviewing the list of valid admins from "vc_admin_users_groups.txt" (if based on your scenario one populated for you).  It would be in the temp directory of the person performing the upgrade (i.e. Start > Run > %tmp%).

    Folder Location:

    C:\Users\<xyzuser>\AppData\Local\Temp

    valid admin list:
    vc_admin_users_groups.txt

    Admins that were removed:

    deleted_vc_users.txt

    Once you get an ID that you can log in to the vSphere C# client with, go to the permissions tab of the root datacenter for example, and add the appropriate groups that SSO took out (i.e. your server team or whatever).  Then log in to the web client / sso related stuff.



  • 31.  RE: vCenter Single Sign On master password

    Posted Mar 04, 2013 04:57 PM

    Hello!

    Is there by now any possibility to reset the SSO master password?

    I'd like to install the vSphere Webclient but can't remember the password for admin@System-Domain.

    The password I was sure I used during the upgrade from vSphere 5.0 to 5.1 doesn't match.

    Maybe I accidentally keyed in a wrong character when I first set the master password, I don't know.

    I tried already possible variations without success. :smileysad:

    Please help!



  • 32.  RE: vCenter Single Sign On master password

    Posted Mar 05, 2013 12:48 AM

    Hello sysmgmt.  Welcome to the communities.  Unfortunately the fix is still the same.  The Supported method is reinstall SSO.  Unsupported fix (confirmed to work) is to stand up a temp SSO db and copy the hash to your prod db.  The link is listed earlier in the thread.



  • 33.  RE: vCenter Single Sign On master password

    Posted Mar 05, 2013 10:43 AM

    Hi grasshopper!

    Thank you for the very quick reply and the hint with the unsupported fix. :smileyhappy:

    I'll maybe try this way first before reinstalling SSO.



  • 34.  RE: vCenter Single Sign On master password

    Posted Mar 11, 2013 07:24 AM

    Please go through "Installation of vCenter Single Sign On high availability or recovery node fails if Master Password and Administrator password are different" in the vCenter Server 5.1 release notes: https://www.vmware.com/support/vsphere5/doc/vsphere-esx-vcenter-server-51-release-notes.html



  • 35.  RE: vCenter Single Sign On master password

    Posted Mar 11, 2013 07:38 PM

    Hi sysmgt,

    I'm not sure if you were able to try the DB Hash fix that grasshopper mentioned but it appears to have worked for me. I was able to get on and install the web client server that we never got around to installing. So far, so good.

    Thanks to all who posted!



  • 36.  RE: vCenter Single Sign On master password

    Posted Mar 12, 2013 09:24 AM

    Hello mryellow!

    Yesterday I tried the unsupported fix which grasshopper suggested and it worked for me too. :smileygrin:

    After I've replaced the hash string and restarted vCenter Server, the installation of vSphere Webclient with the new set password finally succeeded.


    To all a big thanks, especially to grasshopper... :smileyhappy:




  • 37.  RE: vCenter Single Sign On master password

    Posted Apr 19, 2013 09:59 AM

    Hello all!

    If in any case anyone is still wondering how to reset the admin@SystemDomain password for SSO, I found this:

    http://vpowered.blogspot.mx/2012/09/unlocking-and-resetting-vcenter-sso.html

    It worked for me, wish you the best!



  • 38.  RE: vCenter Single Sign On master password

    Posted Apr 19, 2013 10:46 AM

    Thanks for sharing.  Keep in mind that to use that reset util requires that you already know the admin@system-domain password.  If you know it, then you can reset it easily.  That process is well documented in the official VMware KB.  Most folks here simply don't know the original password so cannot reset it like that.

    As such, the only real fix thus far has been performing the DB hash technique. 

    The original article discussing this is in German and is located at:
    http://www.die-schubis.de/doku.php?id=vmware:vsphere&&_sm_au_=iVVqjkrsQ0sLqFW6

    The Google Translate version (German to English) of the original article:
    http://translate.google.ie/translate?sl=de&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.die-schubis.de%2Fdoku.php%3Fid%3Dvmware%3Avsphere%26%26_sm_au_%3DiVVqjkrsQ0sLqFW6&act=url

    Unrelated Note:  Please be advised that my original concern from earlier in the thread about the admin@system-domain password being in plain text was incorrect.  I think the only plain text password stored is that of the RSA_User which does not help in recovery unless all passwords were set exactly the same at install time.  The location of that plain text password (which was originally "intentionally deleted" by me) is "C:\Program Files\VMware\Infrastructure\SSOServer\webapps\lookupservice\WEB-INF\classes\config.properties".  Again, this likely won't help anyone who has forgotten the admin@system-domain password, and the fix is still to perform the DB hash technique noted from the schubis blog in Germany.



  • 39.  RE: vCenter Single Sign On master password

    Posted Apr 19, 2013 01:43 PM

    Hey, so I think I know my admin master password because when it asks me for it, it gets me to the point where it asks me for the administrator's name. Is this supposed to be admin@System-Domain or admin@system-down or just admin?

    When I type in just admin or admin@System-Domain it asks me to enter a new administrator's password and verify. I do that but then I get the ERROR: Failed to decrypt field com.rsa.db.user

    What the heck?

    Also, I don't remember setting too many different passwords while installing the SSO. If it lets me get past to the point of asking me for the admin account with the password I'm typing in, why can't I continue the web client install with that same password?

    thanks in advance



  • 40.  RE: vCenter Single Sign On master password

    Posted Apr 19, 2013 02:25 PM

    admin@system-domain is the one you will need for the web client install.  Are you able to login with that?  In general, once you can login with admin@system-domain then you can create/manage those other IDs.  First step though will be getting the web client installed.  Also ensure you right click and run as administrator when doing the install of course.



  • 41.  RE: vCenter Single Sign On master password

    Posted Apr 19, 2013 02:39 PM

    No, I cannot. I get invalid credentials in that log file.

    So from this post I read the only way to reset the pw for the admin@system-domain is to use the rsautil reset-admin-password command.

    But you need to know the master password, which I must know because the only password I remember configuring during the SSO install is the one I'm typing in when prompted for the master password.

    But then I get that error of failed to decrypt field com.rsa.db.user



  • 42.  RE: vCenter Single Sign On master password

    Posted Apr 19, 2013 02:50 PM

    oldschoola41 wrote:

    No, I cannot. I get invalid credentials in that log file.

    Understood.  Then you're in the right place (i.e. don't know the admin@system-domain password).  That is the subject of this thread and the fixes are noted above (i.e. db hash technique).  I can't tell you why the other ID throws that interesting error but you should probably get the admin@system-domain going first so you can make  progress on your web client install.



  • 43.  RE: vCenter Single Sign On master password

    Posted Apr 19, 2013 03:00 PM

    Trying the db hash technique now.

    The password that I'm looking for is the only password that this SSO install asks you for, right? The admin@system-domain?

    So I don't know where this "master password" comes from.



  • 44.  RE: vCenter Single Sign On master password

    Posted Apr 19, 2013 03:15 PM

    That's correct.  If SSO is already installed successfully then the only password you need is admin@system-domain, which will become a new "known" password upon completion of the db hash technique.  To answer the other question, in addition to allowing you to set a password for admin@system-domain, SSO also prompts you at install time (this is already done in your case) to enter passwords for the database users as well (i.e. RSA_USER and RSA_DBA) but those you do not need to know for your immediate objective.  To complete the webclient install in your case you just need the password for admin@system-domain.



  • 45.  RE: vCenter Single Sign On master password

    Posted Apr 19, 2013 03:28 PM

    what un/pw do i use to connect the sql mgmt studio to the dummy and prod dbs?



  • 46.  RE: vCenter Single Sign On master password

    Posted Apr 19, 2013 03:45 PM

    The local admin worked, but that article doesn't tell you that you have to use .\VIM_SQLEXP as the SQL server name; that's the name of the Express instance.



  • 47.  RE: vCenter Single Sign On master password

    Posted May 14, 2013 04:27 PM

    The DB hash technique is a little confusing to me (probably because it's translated). How do I set up a new SSO database? Do I use a completely separate Windows installation and install SSO there, or do I just reinstall it on the same computer as my current SSO installation?



  • 48.  RE: vCenter Single Sign On master password

    Posted May 15, 2013 01:28 AM

    Andrew_Keller_Ctr wrote:

    Do I use a completely separate Windows installation and install SSO there?

    Yes.  Create what is referred to as the DummyDB by installing SSO on a completely different VM.  Then use that install to take a copy of the appropriate DB data and inject that into your real environment.



  • 49.  RE: vCenter Single Sign On master password

    Posted May 15, 2013 06:49 PM

    Hmm.. didn't work. I was still able to reset my admin password using the old master password using the "rsautil reset-admin-password" command.



  • 50.  RE: vCenter Single Sign On master password

    Posted Jun 06, 2013 07:33 AM

    Hi

    I am stuck with SSO uninstallation; I cannot remember what password was used during installation.

    Can you please point me to the unsupported solution.

    Thank you

    Dawid



  • 51.  RE: vCenter Single Sign On master password

    Posted Jun 06, 2013 07:37 AM

    Hi

    the easiest way is reinstall SSO,

    Br

    Bezar



  • 52.  RE: vCenter Single Sign On master password

    Posted Jun 06, 2013 07:45 AM

    I cannot reinstall as it's asking me for a Master password.



  • 53.  RE: vCenter Single Sign On master password

    Posted Jun 07, 2013 10:49 AM

    Hi firmdale

    Do not type anything in password just click on Next you will get Message " Provided password is wrong or empty. However, you can proceed the uninstallation but vCenter Single Sign In database will be left out after uninstallation" just click OK and continue the uninstall process.

    You have to remove database manually

    /Bezar Ghazi



  • 54.  RE: vCenter Single Sign On master password

    Posted Apr 20, 2013 02:37 AM

    Hey there,

    Yeah, it needs you to know the previous password. Thing is, I always knew it, yet the installation was blocking me from proceeding (in my case with Web Client for vSphere) as admin@SystemDomain. Somehow using that procedure helped me reset it and the system was able to recognize it again.

    We could say the SSO sometimes confuses its own password.

    I hope it helps somebody later on that looks for a solution in a case like this.



  • 55.  RE: vCenter Single Sign On master password

    Posted Jun 06, 2013 01:02 PM

    The unsupported "build a new database and copy the hash" process is discussed in this thread; http://communities.vmware.com/message/2230313

    Read the post by Grasshopper.

    Basically, it goes like this;

    1. Install an unconnected, totally separate, new vCenter and SSO install, and have it use a new database. This is all temporary, so just put it on a standalone server or something.
    2. When doing this new install, record and write down that NEW Master password.
    3. When this new install is complete, pull up the database tables and look for the hash for the "admin" SSO password. This is the hashed password for the new install. This is described in the Grasshopper links.
    4. Copy that hash from the NEW install.
    5. Paste that hash into the database on your OLD, Production SSO database.
    6. The database table and field locations are mentioned in the post and links from Grasshopper.
    7. Now the old, production database will have the password you set in the new install.
    8. There are some other steps about stopping services, etc., so read those posts.

    Disclaimer: I'm sure this process has the ability to totally mess up your cluster, or your production SSO database. It's also unsupported by VMware, but several folks have used it successfully. I've used it with success on other similar databases, but not SSO specifically.

    This really is a "last resort" process.



  • 56.  RE: vCenter Single Sign On master password

    Posted Jul 01, 2013 10:34 PM

    Does this hash update for the SQL Database modify the Admin@System-Domain password or does it also change the Master password as well?

    I ask because I am recently hired at this company and given an environment with no documentation. I was originally unable to install the web client until I ran this hash query in my database. I was then able to install the Web Client, log into the web client and also change my password for the admin@system-domain account.

    However, I'm trying to update my current environment from 5.1 to 5.1u1 and when I run the installer to update SSO, it tells me I have the wrong password. I know the Admin Password is correct as I can log into the Web Client with it. However the installation fails with the wrong password dialog box. If I try to run the "rsautil reset-admin-password" and use my admin password, it tells me that I have the wrong password. So my guess is that this only changes the admin password and not the master.

    If my guess is correct and this hash only updates the admin and not the master, it seems extremely silly to me that the only way to reset the master password is to uninstall SSO and reinstall it from scratch.

    Or is there something else going on in my environment?

    Is my only choice to reinstall SSO?



  • 57.  RE: vCenter Single Sign On master password

    Posted Jul 02, 2013 05:18 AM

    This hash and the procedure resets your master password ... So maybe something else is going on?



  • 58.  RE: vCenter Single Sign On master password

    Posted Jul 03, 2013 06:04 PM

    Read the post earlier in this thread by memaad.... He outlines a process to reset it in the DB.



  • 59.  RE: vCenter Single Sign On master password

    Posted Jul 03, 2013 11:46 PM

    Hi,

    The above-mentioned hash in my post will reset the password only for admin@system-domain. Once you know this password then you can reset the master password.

    Regards

    Mohammed



  • 60.  RE: vCenter Single Sign On master password

    Posted Jul 29, 2013 09:50 AM

    Hi,

    How do I reset the master password after I've a working password for the admin@system-domain? I found this http://vcdxorbust.com/2013/05/30/vcentre-5-1-sso-changing-the-master-password-the-right-way-and-the-wrong-way/ but it warns that it will break my SSO setup.



  • 61.  RE: vCenter Single Sign On master password

    Posted Aug 09, 2013 07:22 AM

    @hedman

    Quote from Charles Gillanders: The only way that actually works is to change the master password using the current master password. Trying to change it using the current admin user doesn’t work and will break your SSO installation.


    The only working unsupported way is from my colleague: http://www.die-schubis.de/doku.php?id=vmware:vsphere



  • 62.  RE: vCenter Single Sign On master password

    Posted Aug 09, 2013 08:07 AM

    I did that and it only changed my admin@system-domain password, if I try to change the master password after the hash trick it gives me: "Error: Invalid password, failed to decrypt system key Root cause: javax.crypto.BadPaddingException: Given final block not properly padded" after rsautil manage-secrets -a change command. Same thing if I try to update vcenter to latest and it asks for master password. I guess I have the same problem as



  • 63.  RE: vCenter Single Sign On master password

    Posted Aug 09, 2013 02:11 PM

    I wanted to do the right thing and post how I solved my error/problem. Be warned, it is not pretty and you need to understand that it is absolutely necessary that you backup your vsphere server before doing this procedure. This procedure was issued to me from VMware Tech Support as my only option.

    To recap on what happened in my scenario. I was a new hire and given a current installation of VMware Vsphere 5.1. I had no documentation but I was given the default Admin Passwords that were used in most instances in the network. After many unsuccessful attempts to upgrade from SSO 5.1 to 5.1u1 because of an invalid password during upgrade, I went to the forums and VMware Tech Support. The method suggested to fix this was to do a database query on the SQL instance using the supplied hash which would restore the MASTER and ADMIN@SYSTEM-DOMAIN password to the given value for the hash.

    This did work, PARTIALLY. I say this in that I was able to finally login into the VMware Vsphere webportal and client using my admin@system-domain account using the new HASHED password. However, the problem that was still present was that I still could not upgrade SSO 5.1 to 5.1u1 because of a bad password. So...wait for it...... Corrupt RSA database!!! The confusing part is that everything still functions perfectly. I can use my admin@system-domain password to navigate my VMware environment, but I was unable to upgrade certain instances of VMware because of this issue.

    I'M GOING TO BE VERY CLEAR ABOUT THIS! WHAT I'M PROVIDING YOU IS NOT INSTRUCTIONS ON HOW TO FIX THIS, BUT RATHER A CHECKLIST TO FOLLOW. I am NOT RESPONSIBLE if you bring down your production servers for not researching this before you attempt this or contacting VMware tech support. I spent an entire week reading and re-reading the procedures before attempting this.

    MY VMware environment was in production and unaffected during this procedure. I also have VSA (Virtual Storage Appliance) and it was also unaffected.

    Checklist that worked for me.

    1. Read all of these steps!
    2. Don't Forget to do Steps 15 and 16.
    3. Download the Instructions for installing VMware vSphere and read specifically page 223 http://pubs.vmware.com/vsphere-51/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-511-installation-setup-guide.pdf
    4. WATCH this YouTube video from start to finish before even starting. VMware vSphere 5.1 vCenter Upgrade Part 1. Single Sign On Installation - YouTube
    5. WHATEVER YOU DO, DO NOT install a newer version of SSO during this procedure. I did this and had to revert back to my SNAPSHOT and try again. Again, had I not backed up, I would have been in trouble. Be sure to install the same version of SSO that you are removing. So be sure to reinstall the version you uninstalled and THEN Upgrade SSO to a newer version. I say this because I believe I still had some certificate errors for the web portal after step 16 that were simply fixed when I upgraded SSO to 5.1u1.
    6. Back up your vCenter Server.
    7. Then back up your vCenter Server and TEST YOUR BACKUP. A backup is only good if you can restore from it.
    8. Then, take a SNAPSHOT of your vCenter Server if it is virtualized.
    9. Then back up your RSA DB instance in SQL. And don't be a doofus and back up your RSA DB to the local C drive of your vCenter Server. If you have to start over, you lost it. Back up to a networked drive or external storage.
    10. Then take a Screen Shot of LocalHost\SQL Instance\Security\Logins\Table  (The idea is to capture all of your security accounts because once you proceed ahead, you might have to add some back after this procedure.)
    11. DrumROLL
    12. Uninstall SSO. (You will receive an error because you do not have the MASTER password to uninstall this instance. This error simply tells you that the database will still exist but SSO will be un-installed.)
    13. Delete the RSA database from SQL.
    14. Follow the YouTube Video for the procedure to configure the RSA database and install SSO.
    15. Open CMD as ADMINISTRATOR. Just opening CMD will NOT work. You have to right click on CMD and "Run as Administrator".
    16. Follow all of these procedures. http://kb.vmware.com/kb/2033620
    17. Upgrade your SSO Instance.

    Good Luck!
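
Added example, not from any poster and not VMware or RSA code: a simplified Java model of the symptom reported in posts 62 and 63, where the replaced hash lets admin@system-domain log in but the master password is still rejected with `BadPaddingException`. It assumes (the thread does not document SSO internals) that the system key is encrypted under a key derived from the master password while the login password is stored as a separate hash; the class name, the original password and the derivation parameters are constructed for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

// Toy model (constructed): one secret wrapped under a password-derived key,
// plus a separately stored login hash. Not how SSO is actually implemented.
public class WrappedKeyDemo {
    static byte[] crypt(int mode, String password, byte[] salt, byte[] iv, byte[] data)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 128);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(raw, "AES"), new IvParameterSpec(iv));
        return c.doFinal(data);
    }

    // Toy login verifier only; an unsalted digest is not a storage scheme to copy.
    static byte[] hash(String password) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256")
                .digest(password.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[16], systemKey = new byte[32];
        rng.nextBytes(salt); rng.nextBytes(iv); rng.nextBytes(systemKey);

        // Install time: the system key is wrapped under the original master password.
        String original = "OriginalMaster1!";           // constructed value
        byte[] wrapped = crypt(Cipher.ENCRYPT_MODE, original, salt, iv, systemKey);

        // Later: only the stored login hash is overwritten; 'wrapped' is untouched.
        byte[] storedHash = hash("Temp1234.");
        System.out.println("login with new password: "
                + MessageDigest.isEqual(storedHash, hash("Temp1234.")));
        try {
            byte[] out = crypt(Cipher.DECRYPT_MODE, "Temp1234.", salt, iv, wrapped);
            // Roughly 1 wrong key in 256 passes the padding check; the output is still wrong.
            System.out.println("padding passed by chance, key recovered: "
                    + Arrays.equals(out, systemKey));
        } catch (BadPaddingException e) {
            System.out.println("unwrap with new password failed: " + e.getMessage());
        }
        byte[] ok = crypt(Cipher.DECRYPT_MODE, original, salt, iv, wrapped);
        System.out.println("unwrap with original password: " + Arrays.equals(ok, systemKey));
    }
}
```

In this model the padding error is how CBC decryption reports a wrong key, so overwriting a login hash cannot make a different password unwrap material that was encrypted under the original one.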



  • 64.  RE: vCenter Single Sign On master password

    Posted Aug 12, 2013 04:57 AM

    Mohammed,

    I'm logged in as admin@system-domain.

    How do you reset the master password once you logged in?

    Thanks! :)



  • 65.  RE: vCenter Single Sign On master password

    Posted Oct 08, 2013 06:19 PM

    I executed Mohammed's SQL command and it completed successfully but I'm still getting "the provided credential are not valid". Is there a way for me to verify the username?



  • 66.  RE: vCenter Single Sign On master password

    Posted Oct 08, 2013 08:02 PM

    My group was facing an issue where we did not remember the password for admin@System-Domain, so we executed the help posted by memaad (810 posts since Dec 2, 2009) Jun 13, 2013 2:43 PM.

    It worked and helped us out tremendously.

    Our situation was slightly different in that we did not have the web client installed.

    One thing to note is that if you previously attempted username/password combinations that failed beyond 3 attempts, even the new password set via memaad's method fails. The Single Sign On (SSO) will lock you out for 15 minutes, so make sure to wait at least 15 minutes.



  • 67.  RE: vCenter Single Sign On master password

    Posted May 31, 2015 11:22 AM

    We had a similar issue recently. We used the steps to reset the SSO admin password and unlock the account. We can now successfully log in via the web client using the admin@system-domain account.

    What isn't working for us is the upgrade of vCenter. Starting with upgrading SSO it asks for the admin password which we now have. When I enter that password it gives an error that it's blank or incorrect. Is it really looking for the admin password or something else?



  • 68.  RE: vCenter Single Sign On master password

    Posted Sep 01, 2015 09:23 PM

    Hi!

    Is it possible to reset the master password with the "unsupported" method in vSphere 6?



  • 69.  RE: vCenter Single Sign On master password

    Posted Feb 22, 2018 05:05 PM

    Try this KB - 2146224 - VMware Knowledge Base