During the installation of the VMware vSphere Web Client I had to provide vCenter Single Sign On Information. Since no additional accounts / groups where granted SSO admin privileges (see VMware vSphere 5.1 Documentation Center) the only account that had sufficient privileges was the default SSO admin user admin@System-Domain. The credentials of this account are provided during installation of the vCenter Single Sign On Service.
Unfortunately the password of the default SSO admin account was unknown. In this article I’ll explain how to change the password of the default SSO admin account.
Master password
VMware provides us with a solution to reset the password of the default SSO admin account (KB2034608) but it requires the master password. The master password is set during installation, the password provided for the default SSO admin account is used as master password, but it is not the same password as the default SSO admin account.
Although we can change the password of the default SSO admin account (admin@System-Domain), changing the master password is not possible (or supported). After the password of the default SSO admin account is changed the master password is still unusable. 
Default SSO admin account
The vCenter Single Sign On Service stores all data in a databases, including the principals. The credentials of the default SSO admin account are stored in the IMS_PRINCIPAL table. One of the stored properties is a SSHA-256 (salted) hashed password. Changing the password is as easy as replacing the hash (also known as pass the hash) from a clean vCenter SSO service installation.
Schubis wrote a (german) article how to generate a new hash and how to replace it in your existing vCenter SSO setup. Unfortunately this requires you to built a lab environment with a SQL server and vCenter Single Sign On service, which is time consuming. Since you can change the password afterwards, I might as well provide you with some pre-created hashes:
Passw0rd!
{SSHA256}B6HO7UNHVi5fglh1RpJXX4z1maGJ9lcicTVcy94ztsmzAekseg==
VMware1234!
{SSHA256}KGOnPYya2qwhF9w4xK157EZZ/RqIxParohltZWU7h2T/VGjNRA==
Recover access
If you need to recover access of the default SSO admin account please follow the following three steps:
1. Reset password to temporary password
Connect to the SQL database (default is RSA) and execute the statement below to reset the password of the default SSO admin account to Password!
UPDATE
[Dbo]. [IMS_PRINCIPAL]
SET
[PASSWORD] = '{SSHA256}B6HO7UNHVi5fglh1RpJXX4z1maGJ9lcicTVcy94ztsmzAekseg=='
WHERE
LOGINUID = 'admin'
AND
PRINCIPAL_IS_DESCRIPTION = 'admin'
2. Restart vCenter SSO service
Restart the service “vCenter Single Sign On” to apply the changes.
3. Change the password the default SSO Admin account
Connect to the VMware vSphere Web Client and authenticate with the new default SSO credentials (username : admin@System-Domain and password : Passw0rd! ).
Navigate to Home > Administration > SSO Users and Groups
Select the default SSO admin account > Action > Edit User
Change the password of the default SSO admin account to your preferred password
Please avoid the use of special characters in your SSO administrator password like (^ * $ ; ” ’ ) < > & | \ _”), non-ASCII characters and trailing “ “ space as the vCenter SSO service cant’ handle it (KB2035820)!
Lessons learned
To avoid this situation in the future I wrote down some lessons I learned. Although their very obvious, it’s good to keep them in mind.
- Always store the master password in a safe location
- Grant additional users / groups administrative SSO admin privileges
- Preferably add an Active Directory integrated group in __Administrators__
- Database administrators (DBA) can get access to your VMware vCenter by replacing a simple hash
.
English 
Nederlands
Hi Ingmar,
I am trying your query vs our VMVSSO DB, but I got warning:unable to determine if the windows firewall is blocking remote debugging.
Thanks
Tan
Hi Tan,
Are you using the SQL Management Studio software to connect to your SQL server?
You might want to check out this thread: http://forums.asp.net/t/1517293.aspx
Cheers
Ingmar
Is it Password! or Passw0rd! ?
Hi Eric. It’s supposed to be “Passw0rd!”, doesn’t that work? Did you restart the server for it to take effect?
Thank you for the article. Helped me out greatly in re-installing the web client.
This just doesnt seem to work, still get “Provided credentials are not valid” I even checked the hash code and it matched, what else could stop
Did you restart the service (or better, the server)?
Same experience as Travis above – confirmed that the password hash changed in the db and restarted the service but still getting “Provided credentials are not valid.”
We’re about to upgrade to 5.5 – looks like that sets up a separate domain within the SSO database – [email protected]? That being the case, do I need to recover admin@system-domain?
Hi Thom. Did you restart the entire server?
And what version are you currently using?
Hi, did you get the answer to your question — did you need the SSO password for 5.1 when you upgraded to 5.5??
I am using 5.1, I changed the hash , restart the server, still get the information “Provided credentials are not valid”.
I guess it is because of different salt.
I am getting the same issues.. provided creds not valid and I have restarted the VC and the SQL server … 🙁
Anyone have an update on this?
Reset SSO password.. rebooted. Version 5.1 running but still not working for credentials.
I tried this and was still getting the same error. When I looked in the vm_ssoreg.log in the temp directory it stated that the credentials had expired.
I then used this to reset the password:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2035864
For the old password I used what I set it to from the hash above and then entered a new password and everything worked.
Thanks Ingmar for this article. However, like others have posted, the invalid credentials error persisted though. Thanks to Mike for the KB link, save me BIG TIME!!!
*The hash trick is necessary before proceeding with the KB.
Thak you Ingmar and Mike!!
I had both problems, didn´t know the SSO admin password and it was expired (The default policie is the password expires after 365 days) and following your instructions and links, everything worked perfectly!
Best Regards!!!
OMG,, you just saved my @55 big time! THANK YOU~!!!
I tried this but it doesnt work. I updated the hash in SQL, restarted SSO service. I can login as admin@system-domain
but when i try to install or update my version of vcenter 5.1, it asks for the master password and it is not working.
I did a complte reinstall of vcenter 5.1
Actually i get 0 rows affected when i run it. why is that?
I can’t get the SQL query to work. I get this:
Msg 208, Level 16, State 1, Line 1
Invalid object name ‘ dbo . IMS_PRINCIPAL ‘.
Try looking for the password in “C:\Program Files\VMware\Infrastructure\SSOServer\webapps\lookupservice\WEB-INF\classes\config.properties”
this was the best solution for me. worked perefectly.
This worked perfectly for me! Thanks for putting your time in to document this.
It worked fine.. Thank you very much for posting this..
its really good article.
After updating the hash in DB I am able to log into webclient with new password so why do I need to restart SSO service?
Also usig following command I can update the SSO password
ssopass -d https://localhost:7444/lookupservice/sdk admin
and I see it updates the hash in Database but when I try following I still get error
c:\Program Files\VMware\Infrastructure\SSOServer\utils>ssocli manage-secrets -a listallkeys
Enter Master password: ************
Error: Invalid password, failed to decrypt system key
Root cause: javax.crypto.BadPaddingException: Given final block not properly padded
c:\Program Files\VMware\Infrastructure\SSOServer\utils>