VMware vSphere Web Client - vCenter Single Sign On InformationDuring the installation of the VMware vSphere Web Client I had to provide vCenter Single Sign On Information. Since no additional accounts / groups where granted SSO admin privileges (see VMware vSphere 5.1 Documentation Center)  the only account that had sufficient privileges was the default SSO admin user admin@System-Domain. The credentials of this account are provided during installation of the vCenter Single Sign On Service.

Unfortunately the password of the default SSO admin account was unknown. In this article I’ll explain how to change the password of the default SSO admin account.

Master password

VMware provides us with a solution to reset the password of the default SSO admin account (KB2034608) but it requires the master password. The master password is set during installation, the password provided for the default SSO admin account is used as master password, but it is not the same password as the default SSO admin account.

Although we can change the password of the default SSO admin account (admin@System-Domain), changing the master password is not possible (or supported). After the password of the default SSO admin account is changed the master password is still unusable.


Default SSO admin account

The vCenter Single Sign On Service stores all data in a databases, including the principals. The credentials of the default SSO admin account are stored in the IMS_PRINCIPAL table. One of the stored properties is a SSHA-256 (salted) hashed password. Changing the password is as easy as replacing the hash (also known as pass the hash) from a clean vCenter SSO service installation.

Schubis wrote a (german) article how to generate a new hash and how to replace it in your existing vCenter SSO setup. Unfortunately this requires you to built a lab environment with a SQL server and vCenter Single Sign On service, which is time consuming.  Since you can change the password afterwards, I might as well provide you with some pre-created hashes:

Passw0rd!
{SSHA256}B6HO7UNHVi5fglh1RpJXX4z1maGJ9lcicTVcy94ztsmzAekseg==

VMware1234!
{SSHA256}KGOnPYya2qwhF9w4xK157EZZ/RqIxParohltZWU7h2T/VGjNRA==

 

Recover access

If you need to recover access of the default SSO admin account please follow the following three steps:

1. Reset password to temporary password

Connect to the SQL database (default is RSA) and execute the statement below to reset the password of the default SSO admin account to Password!

 UPDATE
	 [Dbo]. [IMS_PRINCIPAL]
 SET
	 [PASSWORD] = '{SSHA256}B6HO7UNHVi5fglh1RpJXX4z1maGJ9lcicTVcy94ztsmzAekseg=='
 WHERE
	 LOGINUID = 'admin'
 AND
	 PRINCIPAL_IS_DESCRIPTION = 'admin'

 

2. Restart vCenter SSO service

Restart the service “vCenter Single Sign On” to apply the changes.

vCenter Single Sign On - Properties

 

3. Change the password the default SSO Admin account

Connect to the VMware vSphere Web Client and authenticate with the new default SSO credentials (username : admin@System-Domain and password : Passw0rd! ).

VMware vSphere Web Client - Authentication


Navigate to Home > Administration > SSO Users and GroupsHome - Administration - SSO Users and Groups


Select the default SSO admin account > Action > Edit UservCenter Single Sign On Users and Groups - admin


Change the password of the default SSO admin account to your preferred password

admin - Edit


Please avoid the use of special characters in your SSO administrator password like (^ * $ ; ” ’ ) < > & | \ _”), non-ASCII characters and trailing “ “ space as the vCenter SSO service cant’ handle it (KB2035820)!

 

Lessons learned

To avoid this situation in the future I wrote down some lessons I learned. Although their very obvious, it’s good to keep them in mind.

  • Always store the master password in a safe location
  • Grant additional users / groups administrative SSO admin privileges
  • Preferably add an Active Directory integrated group in __Administrators__
  • Database administrators (DBA) can get access to your VMware vCenter by replacing a simple hash

 

.

27 Comments

  1. Hi Ingmar,
    I am trying your query vs our VMVSSO DB, but I got warning:unable to determine if the windows firewall is blocking remote debugging.
    Thanks
    Tan

    1. Hi Eric. It’s supposed to be “Passw0rd!”, doesn’t that work? Did you restart the server for it to take effect?

  2. Thank you for the article. Helped me out greatly in re-installing the web client.

  3. This just doesnt seem to work, still get “Provided credentials are not valid” I even checked the hash code and it matched, what else could stop

  4. Same experience as Travis above – confirmed that the password hash changed in the db and restarted the service but still getting “Provided credentials are not valid.”

    We’re about to upgrade to 5.5 – looks like that sets up a separate domain within the SSO database – [email protected]? That being the case, do I need to recover admin@system-domain?

    1. Hi, did you get the answer to your question — did you need the SSO password for 5.1 when you upgraded to 5.5??

  5. I am using 5.1, I changed the hash , restart the server, still get the information “Provided credentials are not valid”.
    I guess it is because of different salt.

  6. I am getting the same issues.. provided creds not valid and I have restarted the VC and the SQL server … 🙁

  7. Anyone have an update on this?

    Reset SSO password.. rebooted. Version 5.1 running but still not working for credentials.

    1. Thanks Ingmar for this article. However, like others have posted, the invalid credentials error persisted though. Thanks to Mike for the KB link, save me BIG TIME!!!

      *The hash trick is necessary before proceeding with the KB.

    2. Thak you Ingmar and Mike!!

      I had both problems, didn´t know the SSO admin password and it was expired (The default policie is the password expires after 365 days) and following your instructions and links, everything worked perfectly!

      Best Regards!!!

  8. I tried this but it doesnt work. I updated the hash in SQL, restarted SSO service. I can login as admin@system-domain

    but when i try to install or update my version of vcenter 5.1, it asks for the master password and it is not working.

    I did a complte reinstall of vcenter 5.1

  9. I can’t get the SQL query to work. I get this:

    Msg 208, Level 16, State 1, Line 1
    Invalid object name ‘ dbo . IMS_PRINCIPAL ‘.

  10. Try looking for the password in “C:\Program Files\VMware\Infrastructure\SSOServer\webapps\lookupservice\WEB-INF\classes\config.properties”

  11. its really good article.
    After updating the hash in DB I am able to log into webclient with new password so why do I need to restart SSO service?
    Also usig following command I can update the SSO password
    ssopass -d https://localhost:7444/lookupservice/sdk admin
    and I see it updates the hash in Database but when I try following I still get error
    c:\Program Files\VMware\Infrastructure\SSOServer\utils>ssocli manage-secrets -a listallkeys
    Enter Master password: ************

    Error: Invalid password, failed to decrypt system key
    Root cause: javax.crypto.BadPaddingException: Given final block not properly padded

    c:\Program Files\VMware\Infrastructure\SSOServer\utils>

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

en_USEnglish