Resetting the vCenter SSO Master Password


Yes, it happened to me too: I forgot my vCenter SSO master password, the one that is used for the admin@System-Domain account. VMware KB 2034608 clearly says that “The master password is stored in the database and can only be changed by re-installing vCenter Single Sign-On 5.1 with a fresh back-end database”. That did not leave me optimistic about resolving the issue, but Ingmar Verheij gave me hope. His article, which you can find here, describes in full detail how to reset the SSO master password. My text is just a set of instructions, so I strongly recommend reading Ingmar’s page first.

The main idea of this method is to replace the password’s hash in the database with the hash of a known password. Once reset, the password can be changed, so Ingmar provided a couple of hashes and I use one of them.

Caution and Disclaimer: Even though this procedure may work for different versions of vSphere, I tested it for v5.1 only. VMware does not support this way of resetting the password, so you are doing it at your own risk.

1. Open MS SQL Server Management Studio and connect to the vCenter database server

2. Take a full backup of the RSA database. It would not be a bad idea to take backups of all your vCenter databases

3. In SSMS run this command

      SELECT * FROM rsa.dbo.ims_principal WHERE loginuid = 'admin'

4. Find the PASSWORD field and copy its value. This is the hash of the existing but unknown password, so keep it for now

5. Run this command

      UPDATE rsa.dbo.ims_principal
      SET password = '{SSHA256}B6HO7UNHVi5fglh1RpJXX4z1maGJ9lcicTVcy94ztsmzAekseg=='
      WHERE loginuid = 'admin' AND principal_is_description = 'admin'

The most important part is the password’s hash. This hash

     {SSHA256}B6HO7UNHVi5fglh1RpJXX4z1maGJ9lcicTVcy94ztsmzAekseg==

is for the password Passw0rd!

Thanks again, Ingmar!

6. Run this command again to confirm that the new hash is in place

      SELECT * FROM rsa.dbo.ims_principal WHERE loginuid = 'admin'

7. Restart vCenter server

8. Change the SSO admin password as described in the VMware KB

  • Open an elevated command prompt and run the command:

SET JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre

  • Navigate to the ssolscli directory

c:\>cd C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli

  • Run the following command:

ssopass -d https://FQDN_of_SSO_server:7444/lookupservice/sdk admin

Type Passw0rd! as your current password (remember, it has just been reset).
Type the new password, and then type it again to confirm.

9. Try to log in to the web client with the admin@System-Domain name and the new password you have just set up
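
Steps 3 to 6 can also be run as one guarded T-SQL batch, so the old hash is saved inside the database and the change is rolled back unless exactly one row is affected. This is an added example, not code from this post, from Ingmar's article or from VMware; the backup table name `sso_admin_hash_backup` is hypothetical, everything else uses the table, columns and hash shown above.

```sql
-- Added example (not from the original post). Run in SSMS against the SSO database server.
-- Assumption: dbo.sso_admin_hash_backup is a hypothetical table name that does not exist yet.
USE rsa;
SET XACT_ABORT ON;  -- a runtime error rolls back the whole transaction

BEGIN TRANSACTION;

-- Step 4: keep the existing (unknown-password) hash so it can be restored later.
-- SELECT ... INTO creates the table and fails if it already exists,
-- so a previously saved hash is never silently overwritten.
SELECT loginuid, principal_is_description, [password], GETDATE() AS saved_at
INTO   dbo.sso_admin_hash_backup
FROM   dbo.ims_principal
WHERE  loginuid = 'admin' AND principal_is_description = 'admin';

IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly one admin row to back up; nothing was changed.', 16, 1);
    RETURN;
END;

-- Step 5: write the known hash (password Passw0rd!) from this post.
UPDATE dbo.ims_principal
SET    [password] = '{SSHA256}B6HO7UNHVi5fglh1RpJXX4z1maGJ9lcicTVcy94ztsmzAekseg=='
WHERE  loginuid = 'admin' AND principal_is_description = 'admin';

IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('UPDATE did not touch exactly one row; rolled back.', 16, 1);
    RETURN;
END;

COMMIT TRANSACTION;

-- Step 6: confirm the new hash is in place next to the saved one.
SELECT p.loginuid, p.[password] AS current_hash, b.[password] AS saved_hash, b.saved_at
FROM   dbo.ims_principal AS p
JOIN   dbo.sso_admin_hash_backup AS b
       ON b.loginuid = p.loginuid
      AND b.principal_is_description = p.principal_is_description
WHERE  p.loginuid = 'admin';
```

The backup table holds a password hash, so drop it once step 9 succeeds. Until step 8 is done the account is protected only by a published password.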
