VMware: Recover vCenter Single Sign On (SSO) master password

Written by Ingmar Verheij on September 27th, 2013. Posted in VMware

[Screenshot: VMware vSphere Web Client - vCenter Single Sign On Information]

During the installation of the VMware vSphere Web Client I had to provide vCenter Single Sign On information. Since no additional accounts or groups were granted SSO admin privileges (see the VMware vSphere 5.1 Documentation Center), the only account with sufficient privileges was the default SSO admin user [email protected]. The credentials of this account are set during installation of the vCenter Single Sign On Service.

Unfortunately, the password of the default SSO admin account was unknown. In this article I'll explain how to change the password of the default SSO admin account.

Master password

VMware provides a solution to reset the password of the default SSO admin account (KB2034608), but it requires the master password. The master password is set during installation: the password entered for the default SSO admin account at that point is used as the master password, but it is not the same as the (current) password of the default SSO admin account.

Although we can change the password of the default SSO admin account ([email protected]), changing the master password is not possible (or supported). After the password of the default SSO admin account is changed, the master password is still unusable.


Default SSO admin account

The vCenter Single Sign On Service stores all its data, including the principals, in a database. The credentials of the default SSO admin account are stored in the IMS_PRINCIPAL table. One of the stored properties is an SSHA-256 (salted SHA-256) password hash. Changing the password is as simple as replacing that hash with the hash from a clean vCenter SSO service installation (also known as pass the hash).
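To show how a salted SHA-256 password hash behaves, here is an added example (not code from this article or from VMware). The page does not state the exact encoding VMware uses in IMS_PRINCIPAL, so the LDAP-style SSHA layout used below (SHA-256 over password plus salt, salt appended to the digest, base64-encoded under a {SSHA256} prefix) is an assumption; it illustrates why the same password yields a different hash on every installation and why verification still succeeds, because the salt travels with the hash.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the article or VMware. The on-disk format in
# IMS_PRINCIPAL is not given on the page; the LDAP-style SSHA layout below
# ("{SSHA256}" + base64(SHA-256(password || salt) || salt)) is an assumption.
PREFIX = "{SSHA256}"
DIGEST_LEN = 32   # SHA-256 digest size in bytes
SALT_LEN = 8      # assumed salt length; verification works for any length


def make_ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """Hash `password` with a fresh (or supplied) salt, LDAP SSHA style."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha256(password: str, stored: str) -> bool:
    """Check `password` against a stored hash; the salt is recovered from it."""
    if not stored.startswith(PREFIX):
        return False
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Two hashes of one password differ (fresh salts) yet both verify."""
    h1 = make_ssha256("Passw0rd!")
    h2 = make_ssha256("Passw0rd!")
    return {
        "hashes_differ": h1 != h2,
        "both_verify": verify_ssha256("Passw0rd!", h1) and verify_ssha256("Passw0rd!", h2),
        "wrong_password_rejected": not verify_ssha256("Password!", h1),
    }


if __name__ == "__main__":
    print(demo())
```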

Schubis wrote a (German) article on how to generate a new hash and how to replace it in your existing vCenter SSO setup. Unfortunately this requires you to build a lab environment with a SQL server and the vCenter Single Sign On service, which is time consuming. Since you can change the password afterwards, I might as well provide you with some pre-created hashes:

 

Recover access

If you need to recover access to the default SSO admin account, follow these three steps:

1. Reset password to temporary password

Connect to the SQL database (the default name is RSA) and execute the statement below to reset the password of the default SSO admin account to Passw0rd!

 

2. Restart vCenter SSO service

Restart the service “vCenter Single Sign On” to apply the changes.

[Screenshot: vCenter Single Sign On - Properties]

 

3. Change the password of the default SSO admin account

Connect to the VMware vSphere Web Client and authenticate with the new default SSO credentials (username: [email protected], password: Passw0rd!).

[Screenshot: VMware vSphere Web Client - Authentication]


Navigate to Home > Administration > SSO Users and Groups

[Screenshot: Home - Administration - SSO Users and Groups]


Select the default SSO admin account > Action > Edit User

[Screenshot: vCenter Single Sign On Users and Groups - admin]


Change the password of the default SSO admin account to your preferred password.

[Screenshot: admin - Edit]


Please avoid special characters like ^ * $ ; " ' ) < > & | \ _ in your SSO administrator password, as well as non-ASCII characters and a trailing space, as the vCenter SSO service can't handle them (KB2035820)!
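As an added example (not from the article or VMware), the check below encodes the password restrictions the article cites from KB2035820, so a proposed SSO administrator password can be screened before it is typed into the Edit User dialog; the forbidden character set is copied from the list above, and the trailing-space and non-ASCII rules follow the same note.

```python
from typing import List

# Added example, not code from the article or VMware. The rules are the ones
# the article lists for KB2035820: none of the characters in FORBIDDEN,
# no non-ASCII characters, and no trailing space.
FORBIDDEN = set('^*$;"\')<>&|\\_')


def check_sso_password(password: str) -> List[str]:
    """Return the list of rule violations; an empty list means acceptable."""
    problems: List[str] = []
    bad = sorted(c for c in set(password) if c in FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if any(ord(c) > 127 for c in password):
        problems.append("non-ASCII character present")
    if password.endswith(" "):
        problems.append("trailing space")
    return problems


if __name__ == "__main__":
    # constructed sample passwords, one per rule plus an acceptable one
    for pw in ["Passw0rd!", "Pa$$w0rd!", "Passw0rd! ", "P\u00e4ssw0rd!"]:
        print(repr(pw), check_sso_password(pw) or "ok")
```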

 

Lessons learned

To avoid this situation in the future I wrote down some lessons learned. Although they're very obvious, it's good to keep them in mind.

  • Always store the master password in a safe location
  • Grant additional users / groups administrative SSO admin privileges
  • Preferably add an Active Directory integrated group in __Administrators__
  • Database administrators (DBA) can get access to your VMware vCenter by replacing a simple hash


Ingmar Verheij

At the time Ingmar wrote this article he worked for PepperByte as a Senior Consultant (up to May 2014). His work consisted of designing, migrating and troubleshooting Microsoft and Citrix infrastructures. He was working with technologies like Microsoft RDS, user environment management and (performance) monitoring. Ingmar is User Group leader of the Dutch Citrix User Group (DuCUG). RES Software named Ingmar RES Software Valued Professional in 2014.


Comments (27)

  • Tan Nguyen
    3 October 2013 at 22:19 |

    Hi Ingmar,
    I am trying your query vs our VMVSSO DB, but I got warning: unable to determine if the windows firewall is blocking remote debugging.
    Thanks
    Tan

    • Ingmar Verheij
      4 October 2013 at 09:14 |

      Hi Tan,

      Are you using the SQL Management Studio software to connect to your SQL server?
      You might want to check out this thread: http://forums.asp.net/t/1517293.aspx

      Cheers
      Ingmar

  • Eric Sloof
    10 December 2013 at 09:55 |

    Is it Password! or Passw0rd! ?

    • Ingmar Verheij
      11 December 2013 at 08:16 |

      Hi Eric. It’s supposed to be “Passw0rd!”, doesn’t that work? Did you restart the server for it to take effect?

  • Gary Stack
    12 February 2014 at 22:24 |

    Thank you for the article. Helped me out greatly in re-installing the web client.

  • Travis
    3 March 2014 at 06:02 |

    This just doesn't seem to work, still get “Provided credentials are not valid”. I even checked the hash code and it matched, what else could stop

    • 6 March 2014 at 08:43 |

      Did you restart the service (or better, the server)?

  • Thom
    26 March 2014 at 15:36 |

    Same experience as Travis above – confirmed that the password hash changed in the db and restarted the service but still getting “Provided credentials are not valid.”

    We’re about to upgrade to 5.5 – looks like that sets up a separate domain within the SSO database – [email protected]? That being the case, do I need to recover [email protected]?

    • 27 March 2014 at 17:46 |

      Hi Thom. Did you restart the entire server?
      And what version are you currently using?

    • MC
      19 February 2016 at 15:07 |

      Hi, did you get the answer to your question — did you need the SSO password for 5.1 when you upgraded to 5.5??

  • Qian Hao qiang
    15 May 2014 at 10:22 |

    I am using 5.1, I changed the hash, restarted the server, still get the information “Provided credentials are not valid”.
    I guess it is because of different salt.

  • sam
    16 May 2014 at 20:12 |

    I am getting the same issues.. provided creds not valid and I have restarted the VC and the SQL server … 🙁

  • Steve
    23 June 2014 at 17:27 |

    Anyone have an update on this?

    Reset SSO password.. rebooted. Version 5.1 running but still not working for credentials.

  • Mike
    1 July 2014 at 23:06 |

    I tried this and was still getting the same error. When I looked in the vm_ssoreg.log in the temp directory it stated that the credentials had expired.

    I then used this to reset the password:

    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2035864

    For the old password I used what I set it to from the hash above and then entered a new password and everything worked.

    • Lino Gomez
      9 September 2014 at 14:47 |

      Thanks Ingmar for this article. However, like others have posted, the invalid credentials error persisted though. Thanks to Mike for the KB link, saved me BIG TIME!!!

      *The hash trick is necessary before proceeding with the KB.

    • Eliezer
      18 November 2014 at 16:03 |

      Thank you Ingmar and Mike!!

      I had both problems, didn't know the SSO admin password and it was expired (the default policy is that the password expires after 365 days) and following your instructions and links, everything worked perfectly!

      Best Regards!!!

  • Stan
    2 July 2014 at 04:39 |

    OMG,, you just saved my @55 big time! THANK YOU~!!!

  • Tony
    16 July 2014 at 01:20 |

    I tried this but it doesn't work. I updated the hash in SQL, restarted SSO service. I can login as [email protected]

    but when i try to install or update my version of vcenter 5.1, it asks for the master password and it is not working.

    I did a complete reinstall of vcenter 5.1

    • Tony
      16 July 2014 at 04:20 |

      Actually I get 0 rows affected when I run it. Why is that?

  • James
    25 July 2014 at 17:19 |

    I can’t get the SQL query to work. I get this:

    Msg 208, Level 16, State 1, Line 1
    Invalid object name ‘ dbo . IMS_PRINCIPAL ‘.

  • 28 July 2014 at 22:15 |

    Try looking for the password in “C:\Program Files\VMware\Infrastructure\SSOServer\webapps\lookupservice\WEB-INF\classes\config.properties”

    • idle
      16 April 2018 at 18:02 |

      this was the best solution for me. worked perfectly.

  • Luis
    22 August 2014 at 15:30 |

    This worked perfectly for me! Thanks for putting your time in to document this.

  • Baiju
    4 January 2016 at 23:46 |

    It worked fine.. Thank you very much for posting this..

  • Jawed Abbasi
    19 October 2016 at 18:20 |

    It's a really good article.
    After updating the hash in DB I am able to log into webclient with new password so why do I need to restart SSO service?
    Also using following command I can update the SSO password
    ssopass -d https://localhost:7444/lookupservice/sdk admin
    and I see it updates the hash in Database but when I try following I still get error
    c:\Program Files\VMware\Infrastructure\SSOServer\utils>ssocli manage-secrets -a listallkeys
    Enter Master password: ************

    Error: Invalid password, failed to decrypt system key
    Root cause: javax.crypto.BadPaddingException: Given final block not properly padded

    c:\Program Files\VMware\Infrastructure\SSOServer\utils>
