Channel: VMware Communities: Message List - vCenter Single Sign On master password

Re: vCenter Single Sign On master password

I did that and it only changed my admin@system-domain password. If I try to change the master password after the hash trick, it gives me: "Error: Invalid password, failed to decrypt system key Root cause: javax.crypto.BadPaddingException: Given final block not properly padded" after the rsautil manage-secrets -a change command. Same thing if I try to update vCenter to latest and it asks for the master password. I guess I have the same problem as


Re: vCenter Single Sign On master password

I wanted to do the right thing and post how I solved my error/problem. Be warned, it is not pretty and you need to understand that it is absolutely necessary that you back up your vSphere server before doing this procedure. This procedure was issued to me from VMware Tech Support as my only option.

 

To recap what happened in my scenario: I was a new hire and given a current installation of VMware vSphere 5.1. I had no documentation but I was given the default Admin Passwords that were used in most instances in the network. After many unsuccessful attempts to upgrade from SSO 5.1 to 5.1u1 because of an invalid password during upgrade, I went to the forums and VMware Tech Support. The method suggested to fix this was to do a database query on the SQL instance using the supplied hash, which would restore the MASTER and ADMIN@SYSTEM-DOMAIN password to the given value for the hash.

 

This did work, PARTIALLY. I say this in that I was able to finally log in to the VMware vSphere web portal and client using my admin@system-domain account using the new HASHED password. However, the problem that was still present was that I still could not upgrade SSO 5.1 to 5.1u1 because of a bad password. So...wait for it...... Corrupt RSA database!!! The confusing part is that everything still functions perfectly. I can use my admin@system-domain password to navigate my VMware environment, but I was unable to upgrade certain instances of VMware because of this issue.

 

I'M GOING TO BE VERY CLEAR ABOUT THIS! WHAT I'M PROVIDING YOU IS NOT INSTRUCTIONS ON HOW TO FIX THIS, BUT RATHER A CHECKLIST TO FOLLOW. I am NOT RESPONSIBLE if you bring down your production servers for not researching this before you attempt this or contacting VMware tech support. I spent an entire week reading and re-reading the procedures before attempting this.

 

MY VMware environment was in production and unaffected during this procedure. I also have VSA (Virtual Storage Appliance) and it was also unaffected.

 

Checklist that worked for me.

  1. Read all of these steps!
  2. Don't Forget to do Steps 15 and 16.
  3. Download the Instructions for installing VMware VSphere and read specifically page 223 http://pubs.vmware.com/vsphere-51/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-511-installation-setup-guide.pdf
  4. WATCH this YouTube video from start to finish before even starting. VMware vSphere 5.1 vCenter Upgrade Part 1. Single Sign On Installation - YouTube
  5. WHATEVER YOU DO, DO NOT install a newer version of SSO during this procedure. I did this and had to revert back to my SNAPSHOT and try again. Again, had I not backed up, I would have been in trouble. Be sure to install the same version of SSO that you are removing. So be sure to reinstall the version you uninstalled and THEN Upgrade SSO to a newer version. I say this because I believe I still had some certificate errors for the web portal after step 16 that were simply fixed when I upgraded SSO to 5.1u1.
  6. Back up your vCenter Server.
  7. Then back up your vCenter Server and TEST YOUR BACKUP. A backup is only good if you can restore from it.
  8. Then, take a SNAPSHOT of your vCenter Server if it is virtualized.
  9. Then back up your RSA DB instance in SQL. And don't be a doofus and back up your RSA DB to the local C drive of your vCenter Server. If you have to start over, you lost it. Back up to a networked drive or external storage.
  10. Then take a screenshot of LocalHost\SQL Instance\Security\Logins\Table (The idea is to capture all of your security accounts because once you proceed ahead, you might have to add some back after this procedure.)
  11. DrumROLL
  12. Uninstall SSO. (You will receive an error because you do not have the MASTER password to uninstall this instance. This error simply tells you that the database will still exist but SSO will be uninstalled.)
  13. Delete the RSA database from SQL.
  14. Follow the YouTube Video for the procedure to configure the RSA database and install SSO.
  15. Open CMD as ADMINISTRATOR. Just opening CMD will NOT work. You have to right click on CMD and "Run as Administrator".
  16. Follow all of these procedures. http://kb.vmware.com/kb/2033620
  17. Upgrade your SSO Instance.

 

Good Luck!

Re: vCenter Single Sign On master password

Mohammed,

I'm logged in as admin@system-domain.

How do you reset the master password once you logged in?

Thanks!

Re: vCenter Single Sign On master password

\\Update

[Jump to the solution later in the thread here]

 

Tips:

- Remember that the admin@system-domain password requires greater strength than most VMware passwords.  As such, if you think you know the password but it's not working, try adding a special character at the end such as !.  It only requires 8 characters but there must be at least one special character.  It will also lock you out after 3 bad attempts.  Try back later after it has reset the lock.

 

- Admin is not admin
The user name is case sensitive.  It should always be admin@system-domain (domain portion not case sensitive).

 

Don't even think about upgrading vCenter / SSO without good DB and vCenter backups and/or snaps

- If you are dealing with a failed SSO upgrade from a previous version, then you should a) Roll back to a snapshot/restore; or b) Reinstall SSO and repoint your vCenter.  Remember to reinstall SSO you _must_ use the same version that was installed.  Also remember that a failed upgrade of SSO can and will stop the SSO service and/or your vCenter service.  From that point on you won't be able to login to an otherwise previously healthy sso.


admin@system-domain (Not cached in plain text)

- Despite what's listed below in my original post, the admin@system-domain password is _not_ cached in plain text.  However, the DBA_USER password is.


DBA_User password (this is cached in plain text):

"C:\Program Files\VMware\Infrastructure\SSOServer\webapps\lookupservice\WEB-INF\classes\config.properties"

 

Why is the above useful?  In the rare case where the technician set all passwords the same (or at least the admin@system-domain and the RSA_USER) then and only then could one glean the admin@system-domain password from the above file.  More details and other options in this thread.

 

\\original post

I'm sure this will be fixed eventually, but the answer you seek is (shockingly) available in plain text.

Browse to the following directory:

[intentionally deleted by grasshopper]

In the above directory, locate and open the following file in notepad:

[intentionally deleted by grasshopper]

 

Edit 0.1: As it turns out admin@system-domain is not cached in plain text, only the RSA_USER is.  More details in the Tips section above.

Edit 0.2: Added quick link to solution by memaad and added additional tips since this post has gotten quite long.  I will try to add more over time.

 

Message was edited by: grasshopper
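
Added example, not part of the thread and not VMware tooling: a PowerShell check for the exposure described in the post above. It lists the names (never the values) of credential-like keys in config.properties and the principals outside an allow-list that can read the file. The path is the one quoted in the post; the allow-list and the key-name pattern are assumptions to tune for your environment.

```powershell
# Added example: report password-like keys (names only) and non-allow-listed readers.
param(
    # Path as quoted in the thread; change it for a non-default install location.
    [string]$Path = 'C:\Program Files\VMware\Infrastructure\SSOServer\webapps\lookupservice\WEB-INF\classes\config.properties'
)

# Principals expected to have read access (assumption; tune to your environment).
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

function Get-PasswordLikeKey {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Java .properties syntax: '#' or '!' starts a comment; key and value split on '=' or ':'.
        if ($line -match '^\s*[#!]') { continue }
        if ($line -match '^\s*([^=:\s]+)\s*[=:]\s*\S') {
            $key = $Matches[1]
            if ($key -match 'pass|pwd|secret') { $key }   # -match is case-insensitive
        }
    }
}

function Get-UnexpectedReader {
    param($Acl, [string[]]$Allowed)
    $read = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in $Acl.Access) {
        # An Allow entry that includes the ReadData right lets the principal read the file.
        $canRead = ($ace.AccessControlType -eq 'Allow') -and (($ace.FileSystemRights -band $read) -ne 0)
        if ($canRead -and ($Allowed -notcontains $ace.IdentityReference.Value)) {
            '{0} ({1})' -f $ace.IdentityReference.Value, $ace.FileSystemRights
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "Not found: $Path"
    return
}

$keys    = @(Get-PasswordLikeKey -Lines (Get-Content -LiteralPath $Path))
$readers = @(Get-UnexpectedReader -Acl (Get-Acl -LiteralPath $Path) -Allowed $expected)

"Keys that look like stored credentials: $($keys -join ', ')"
"Principals outside the allow-list with read access:"
$readers | ForEach-Object { "  $_" }
```

The check reads only the file's own ACL entries, so it does not expand nested group membership or account for Deny entries.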

Re: vCenter Single Sign On master password

I executed Mohammed's SQL command and it completed successfully but I'm still getting "the provided credential are not valid". Is there a way for me to verify the username?

Re: vCenter Single Sign On master password

My group was facing an issue where we did not remember the password for admin@System-Domain, so we executed the help posted by memaad (810 posts since Dec 2, 2009) Jun 13, 2013 2:43 PM.

It worked and helped us out tremendously.

 

Our situation was slightly different in that we did not have the web client installed.

 

One thing to note is that if you previously attempted username/password combinations that failed beyond 3 attempts, even the new password set via memaad's method fails. The Single Sign On (SSO) will lock you out for 15 minutes, so make sure to wait at least 15 minutes.

Re: vCenter Single Sign On master password

Hi Team,

I used an unsupported way to reset the password:

UPDATE [dbo].[IMS_PRINCIPAL]
SET [PASSWORD] = '{SSHA256}KGOnPYya2qwhF9w4xK157EZZ/RqIxParohltZWU7h2T/VGjNRA=='
WHERE LOGINUID = 'admin'
AND PRINCIPAL_IS_DESCRIPTION = 'Admin';

This will reset the password to "VMware1234!".

It ran successfully, but when I am checking the web client using the username and reset password, it is not working properly.

Please can you make me understand this.

 

Regards,
Santosh Dalvi

Re: vCenter Single Sign On master password

Hi santoshdalviderby,

What version of vCenter are you running (probably 5.1, right)?  Have you tried rebooting the vCenter since the fix?  Have you waited at least 15 minutes between any failed login attempts (default lockout is 3 bad attempts)?  Also please make sure you are logging in with admin@system-domain ("admin" must be all lower case).  Ensure that the system time is healthy.

If all of the above checks out, then please tell us more about the steps taken prior to resetting the password.  Did you attempt to re-install any components (especially interested to know if any installs failed)?  Keep in mind, this fix is only valid for a perfectly healthy system for which the password was forgotten.

 

Please review KB2034506.  You can also review the Web Client Logs, and other vCenter logs.  If the problem persists please provide the error message you get when attempting to login and share any relevant logs by attaching them using the advanced editor on a forum post reply.


Re: vCenter Single Sign On master password

Excellent!  Good job and thanks for sharing!

Re: vCenter Single Sign On master password

We had a similar issue recently. We used the steps to reset the SSO admin password and unlock the account. We can now successfully login via the web client using the admin@system-domain account.

 

What isn't working for us is the upgrade of vCenter. Starting with upgrading SSO it asks for the admin password which we now have. When I enter that password it gives an error that it's blank or incorrect. Is it really looking for the admin password or something else?

Re: vCenter Single Sign On master password

Hi!

Is it possible to reset master password with "unsupported" method in vSphere 6?

vCenter Single Sign On master password

Hi guys

 

I do not remember the admin@system-domain password.

I'm wondering how to reset the admin account's password.

I tried to reset the password with the rsautil command line but I don't remember the master password.

Any way to reset the password? Can I find the master password in the DB tables? Or add a new admin user in the DB?

 

Br

Bezar

Re: vCenter Single Sign On master password

I don't think there is a way to reset the master password for SSO, at least I haven't come across a way to do this yet ...

The master password is the one you set during initial setup, it doesn't change even if you later changed the admin password ... If you can't remember it ... I'm afraid there's not much you can do... Maybe someone else has better news?


Re: vCenter Single Sign On master password

Nice find memaad ...

 

Of course it's not supported, but if you're really in need of a fix and don't want to take the recommended way of VMware ... You could go this route.

Re: vCenter Single Sign On master password

Seriously??? I just checked this, it's true ... The shocking thing is that I looked at that file before and didn't notice that ... Gotta ask myself

 

That's some serious security flaw if you ask me ...

 

Thanks grasshopper... This is exactly why I love this community ... Never stop learning and staying humble!

Re: vCenter Single Sign On master password

Never stop learning and staying humble!

 

 

Yes my friend.  Wise words.  Because sometimes you're on top and sometimes you're on esxtop.

 

-grasshopper

 

 

PS - please see my previous post.  I removed some detail to protect the innocent.  If anyone gets stuck they can IM me or hit my gmail.

Re: vCenter Single Sign On master password

Mike Nisk wrote:

 

 

 

PS - please see my previous post.  I removed some detail to protect the innocent.  If anyone gets stuck they can IM me or hit my gmail.

 

The difficulty with these situations is that:

  • The malicious people already know this, or if not, will figure it out shortly and use it
  • Innocent people, with no advisory from VMware, won't know there's an issue
  • VMware, without a "public exploit", have good odds of doing nothing

 

In short, I would encourage you to take this to a support case, and if you get nowhere, put that post right back.
