Recover the master password of VMware vSphere 5.1 Single Sign-On

Update: VMware now provides a procedure for unlocking and resetting the account. It can be found here: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2034608.

I was recently at a customer site for a Symantec Backup Exec installation. The customer's Active Directory was configured as one parent domain and two child domains. The parent domain is used at their main site(s); the child domains are used for the remote branches (EMEA / US). At each location a VMware environment is installed with a dedicated vCenter Server. Because users from each domain need to authenticate, several LDAP identity sources are defined in SSO (https://vcenter:9443).

Each LDAP identity source points to a set of servers (the domain controllers). When a domain controller is demoted or deleted, the LDAP queries stop working… and that is exactly what happened here! So the LDAP configuration needed to be altered. I quickly discovered that this is only possible with a local SSO account. The default SSO account (admin@System-Domain) has a kind of master password that must be entered when reconfiguring this software component. It is extremely important that this password is written down and stored in a safe location, because it cannot be reset (according to VMware support).


Eventually, after some Google searches, I came across the following blog post and tried the procedure described there: .

If you do not know the location of the SSO database (database name: RSA), you can find it in the following log file: D:\Program Files\VMware\Infrastructure\SSOServer\logs\config.txt.
Example:
[2012-12-05 15:28:19,073 INFO StaticDataReporter com.vmware.vim.ssoconfig] Properties from D:\Program Files\VMware\Infrastructure\SSOServer\webapps\ims\web-inf\classes\jndi.properties
{com.rsa.appserver.hostname=vcenter.example.local
com.rsa.appserver.port=7444
com.rsa.appserver.protocol=https
com.rsa.db.domain=
com.rsa.db.hostname=vcenter.example.local
com.rsa.db.instance=RSA
com.rsa.db.port=1433
com.rsa.db.type=MSSQL
com.rsa.instanceName=vcenter
com.rsa.ssl.ca.alias=root-ca
com.rsa.ssl.ca.store.path=D:\Program Files\VMware\Infrastructure\SSOServer\root-ca.jks
java.naming.provider.url=https://vcenter.example.local:7444/ims/CommandServer}

The procedure below is not supported by VMware, but it worked in my case! Before making any changes, take a dump (backup) of the database as described in step 4 below.

  1. Open SQL Server Management Studio and connect to the instance with administrative privileges.
  2. Once logged in, execute the following query to see the stored password hash of the admin@System-Domain user:
    use RSA;
    select loginuid,PASSWORD from ims_principal where LOGINUID='admin';

    Drop the where clause if you want to see all users defined in SSO (maybe there is a backup user?!?).
  3. Stop the SSO service and preferably also the vCenter services on the vCenter server.
  4. Dump the RSA database using SQL Server Management Studio as a backup.
  5. Execute the following query:
    USE RSA;
    UPDATE IMS_PRINCIPAL set PASSWORD='{SSHA256}qguSTmcPLof/kca9rCmHTksmvZpqZVlBW2NP+8OWYgo37SbXiw==' where loginuid='admin';
  6. Restart the vCenter server so all services are started in the proper order. You can also do this manually, but I prefer a server reboot.
  7. Now try to log on as admin@System-Domain with the password P@ssw0rd.
  8. Using the web interface, change the password to one of your own choice!
  9. Preferably add backup SSO accounts to avoid this situation in the future.

Other SSHA256 hashes:
– P@ssw0rd: {SSHA256}qguSTmcPLof/kca9rCmHTksmvZpqZVlBW2NP+8OWYgo37SbXiw==
– G8Nx-8i#: {SSHA256}XNATeHNfvp2Hq3vi3Xlzz4P3rjT5MxQG/qOdy9p3oQbg8KLrcg==
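As an added example (not code from the original post or from VMware), the Python script below works with hashes in this {SSHA256} form. It assumes the OpenLDAP-style layout base64(sha256(password || salt) || salt): both hashes above decode to 37 bytes, which under that assumption is a 32-byte SHA-256 digest followed by a 5-byte salt, but whether the RSA IMS database really uses this layout is an assumption, and matching_layout() tries both salt orderings so you can check it against the published P@ssw0rd hash yourself. The function names and the sample ims_principal rows are constructed here. The audit function at the end answers the question a defender has after running this procedure: does any SSO account still carry the well-known recovery password, i.e. was step 8 skipped?

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PREFIX = "{SSHA256}"
DIGEST_LEN = 32   # SHA-256 digest size in bytes
SALT_LEN = 5      # the two published hashes decode to 37 bytes: 32-byte digest + 5-byte salt

# Hash for P@ssw0rd as published in the post above (used only to probe the layout assumption).
PUBLISHED_P_ASSW0RD_HASH = "{SSHA256}qguSTmcPLof/kca9rCmHTksmvZpqZVlBW2NP+8OWYgo37SbXiw=="


def make_ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """Build a salted SHA-256 hash in the LDAP-style {SSHA256} layout:
    base64(sha256(password || salt) || salt).  Assumption: the vSphere 5.1
    RSA IMS database uses this same layout (the OpenLDAP convention)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha256(stored: str) -> tuple:
    """Split a {SSHA256} string into (digest, salt); raise ValueError if malformed."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA256} value")
    raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("decoded value too short to hold a digest plus salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha256(password: str, stored: str, salt_first: bool = False) -> bool:
    """Check one candidate password against a stored hash.
    salt_first=True tries sha256(salt || password) instead of sha256(password || salt)."""
    digest, salt = split_ssha256(stored)
    pw = password.encode("utf-8")
    candidate = hashlib.sha256(salt + pw if salt_first else pw + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def matching_layout(password: str, stored: str) -> Optional[str]:
    """Return which salt ordering reproduces `stored` for `password`, or None."""
    if verify_ssha256(password, stored, salt_first=False):
        return "password||salt"
    if verify_ssha256(password, stored, salt_first=True):
        return "salt||password"
    return None


def layout_of_published_hash() -> Optional[str]:
    """Probe the layout assumption against the hash the post publishes for P@ssw0rd.
    None means the RSA IMS encoding differs from both orderings tried here."""
    return matching_layout("P@ssw0rd", PUBLISHED_P_ASSW0RD_HASH)


# Constructed sample rows in the shape of `select loginuid, PASSWORD from ims_principal`.
# Both hashes are generated here with fixed salts; they are not values from a real database.
SAMPLE_ROWS: Dict[str, str] = {
    "admin": make_ssha256("P@ssw0rd", salt=b"\x01\x02\x03\x04\x05"),
    "sso-backup": make_ssha256("S0me-0ther-Secret!", salt=b"\xaa\xbb\xcc\xdd\xee"),
}


def accounts_still_on_default(rows: Dict[str, str], default_password: str = "P@ssw0rd") -> List[str]:
    """List login IDs whose stored hash still matches the well-known recovery password,
    i.e. accounts for which step 8 (change the password) was never carried out."""
    return [uid for uid, stored in rows.items() if matching_layout(default_password, stored) is not None]


if __name__ == "__main__":
    print("layout that reproduces the published hash:", layout_of_published_hash())
    print("accounts still on the recovery password:", accounts_still_on_default(SAMPLE_ROWS))
```

To run it against a real system, replace SAMPLE_ROWS with the output of the select query from step 2; any account the audit lists still has the password every reader of this post knows and should be changed immediately. If layout_of_published_hash() returns None, the RSA IMS encoding is not the plain OpenLDAP layout assumed here and make_ssha256() should not be used to produce values for the UPDATE statement.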
