{"id":5604,"date":"2013-09-27T10:06:44","date_gmt":"2013-09-27T08:06:44","guid":{"rendered":"https:\/\/ingmarverheij.com\/?p=5604"},"modified":"2013-09-27T10:22:09","modified_gmt":"2013-09-27T08:22:09","slug":"vmware-recover-vcenter-single-sign-on-sso-master-password","status":"publish","type":"post","link":"https:\/\/ingmarverheij.com\/en\/vmware-recover-vcenter-single-sign-on-sso-master-password\/","title":{"rendered":"VMware: Recover vCenter Single Sign On (SSO) master password"},"content":{"rendered":"

\"VMware<\/a>During the installation of the VMware vSphere Web Client I had to provide vCenter Single Sign On Information. Since no additional accounts \/ groups where granted SSO admin privileges (see VMware vSphere 5.1 Documentation Center<\/a>)  the only account that had sufficient privileges was the default SSO admin user admin@System-Domain<\/strong>. The credentials of this account are provided during installation of the vCenter Single Sign On Service.<\/p>\n

Unfortunately the password of the default SSO admin account was unknown. In this article I\u2019ll explain how to change the password of the default SSO admin account.<\/p>\n

<\/p>\n

Master password<\/h2>\n

VMware provides us with a solution to reset the password of the default SSO admin account (KB2034608<\/a>) but it requires the master password. <\/strong>The master password is set during installation, the password provided for the default SSO admin account is used as master password, but it is not the same password as the default SSO admin account. <\/p>\n

Although we can change the password of the default SSO admin account (admin@System-Domain<\/a>), changing the master password is not possible (or supported). After the password of the default SSO admin account is changed the master password is still unusable.
\"\"<\/a>

<\/p>\n

Default SSO admin account<\/h2>\n

The vCenter Single Sign On Service stores all data in a databases, including the principals. The credentials of the default SSO admin account are stored in the IMS_PRINCIPAL <\/strong>table. One of the stored properties is a SSHA-256<\/a> (salted<\/a>) hashed password. Changing the password is as easy as replacing the hash (also known as pass the hash<\/a>) from a clean vCenter SSO service installation.<\/p>\n

Schubis<\/a> wrote a (german) article how to generate a new hash and how to replace it in your existing vCenter SSO setup. Unfortunately this requires you to built a lab environment with a SQL server and vCenter Single Sign On service, which is time consuming.  Since you can change the password afterwards, I might as well provide you with some pre-created hashes:<\/p>\n

Passw0rd!\n{SSHA256}B6HO7UNHVi5fglh1RpJXX4z1maGJ9lcicTVcy94ztsmzAekseg==\n\nVMware1234!\n{SSHA256}KGOnPYya2qwhF9w4xK157EZZ\/RqIxParohltZWU7h2T\/VGjNRA==<\/pre>\n
 <\/p>\n
Recover access<\/h3>\n
If you need to recover access of the default SSO admin account please follow the following three steps:
\n  
<\/p>\n
1. Reset password to temporary password<\/h6>\n
Connect to the SQL database (default is RSA) and execute the statement below to reset the password of the default SSO admin account to Password!<\/strong><\/p>\n
 UPDATE\n\t [Dbo]. [IMS_PRINCIPAL]\n SET\n\t [PASSWORD] = '{SSHA256}B6HO7UNHVi5fglh1RpJXX4z1maGJ9lcicTVcy94ztsmzAekseg=='\n WHERE\n\t LOGINUID = 'admin'\n AND\n\t PRINCIPAL_IS_DESCRIPTION = 'admin'<\/pre>\n
<\/p>\n
 <\/p>\n
2. Restart vCenter SSO service<\/h6>\n
Restart the service \u201cvCenter Single Sign On\u201d to apply the changes.<\/font>
\n      
\"vCenter<\/a><\/font><\/p>\n
 <\/p>\n
3. Change the password the default SSO Admin account<\/h6>\n
Connect to the VMware vSphere Web Client and authenticate with the new default SSO credentials (username <\/strong>: <\/font>admin@System-Domain and password<\/strong><\/font> <\/strong>: Passw0rd! ).<\/a><\/p>\n
<\/font><\/p>\n
\"VMware<\/a><\/em><\/a><\/p>\n
  
<\/p>\n
Navigate to Home > Administration > SSO Users and Groups\"Home<\/a><\/p>\n
  
<\/p>\n
Select the default SSO admin account > Action > Edit User\"vCenter<\/a><\/p>\n
  
<\/p>\n
Change the password of the default SSO admin account to your preferred password
\n  
\"admin<\/a><\/p>\n
  
Please avoid the use of special characters in your SSO administrator password like (^ * $ ; \u201d \u2019 ) < > & | \\ _\u201d), non-ASCII characters and trailing \u201c \u201c space as the vCenter SSO service cant\u2019 handle it (KB2035820<\/a>)!<\/em><\/p>\n
 <\/p>\n
Lessons learned<\/h2>\n
To avoid this situation in the future I wrote down some lessons I learned. Although their very obvious, it\u2019s good to keep them in mind.<\/p>\n
    \n
  • Always store the master password in a safe location<\/li>\n
  • Grant additional users \/ groups administrative SSO admin privileges<\/li>\n
  • Preferably add an Active Directory integrated group in __Administrators__<\/em><\/li>\n
  • Database administrators (DBA) can get access to your VMware vCenter by replacing a simple hash<\/li>\n<\/ul>\n
     <\/p>\n
    .<\/p>\n","protected":false},"excerpt":{"rendered":"
    During the installation of the VMware vSphere Web Client I had to provide vCenter Single Sign On Information. Since no additional accounts \/ groups where granted SSO admin privileges (see VMware vSphere 5.1 Documentation Center)  the only account that had sufficient privileges was the default SSO admin user admin@System-Domain. The credentials of this account are […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[592],"tags":[595,594,593,76],"class_list":["post-5604","post","type-post","status-publish","format-standard","hentry","category-vmware-2","tag-password","tag-sso","tag-vcenter","tag-vmware"],"_links":{"self":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/5604","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/comments?post=5604"}],"version-history":[{"count":7,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/5604\/revisions"}],"predecessor-version":[{"id":5621,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/5604\/revisions\/5621"}],"wp:attachment":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/media?parent=5604"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/categories?post=5604"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/tags?post=5604"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}