Forgot vCenter Server Appliance root and SSO administrator password

Losing the SSO administrator password of the vCenter Server Appliance (vCSA) is really bad. However, this password can be reset as long as you still have access to the appliance console - which requires the root password. If you have forgotten that one as well, it is really, really, really bad - but it does happen sometimes in labs.

In this case you will need a Linux live CD (like Clonezilla or Knoppix) and a short downtime to fix the issue.

The VM configuration needs to be changed so that the appliance boots from the ISO (attach the ISO as a CD-ROM device, then change the boot order or use the boot menu).

Once the Linux system has started, you will need to mount the third partition of the vCSA hard drive. Depending on the Linux distribution, device names might vary - so make sure to check the output of the lsscsi command.

# lsscsi
# mount /dev/sda3 /mnt

Next, make a backup copy of the file /etc/shadow on the mounted partition and display the entry for root in it:

# cp /mnt/etc/shadow /mnt/etc/shadow.old
# grep root /mnt/etc/shadow
root:$6$cVgMY7af$XZSSEKvitiqwUaLFZ4QVKEQ1El/Fra2TUFDHDFk1O8eu4aMQo0WfYrA5tVe7OAB4d2z442OIYkqH5BhGV9Vtr.::0:99999:7:::

The second field of this entry is the password hash: "$6$" marks a SHA-512 crypt hash, the part between the second and third "$" (cVgMY7af here) is the salt, and the rest is the hash value itself. Using the following Python command it is possible to generate the hash of a new password with the same salt (note the single quotes around the whole expression, so that the shell does not try to expand "$6" and "$SALT" as variables; the crypt module was removed in Python 3.13, so use an older interpreter or "openssl passwd -6 -salt SALT" instead):

$ python -c 'import crypt; print(crypt.crypt("MyPassword", "$6$SALT$"))'

In this example:

$ python -c 'import crypt; print(crypt.crypt("MyPassword", "$6$cVgMY7af$"))'
$6$cVgMY7af$3Yzu1Q6Wgl58hmxTtwO/N9INm5NWHRWEjKg7kRcwHYDpWcMPU935vaZSq6pq6DdT2pekU7rQ325vpZI1RIgNw.

Replace the hash field of the root entry in /mnt/etc/shadow with this value, leaving the remaining fields (password aging) exactly as they were, so that the line reads:

root:$6$cVgMY7af$3Yzu1Q6Wgl58hmxTtwO/N9INm5NWHRWEjKg7kRcwHYDpWcMPU935vaZSq6pq6DdT2pekU7rQ325vpZI1RIgNw.::0:99999:7:::
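The steps above (keep the salt format of the existing entry, compute a SHA-512 crypt hash for the new password, swap only the hash field and leave the aging fields alone) can be done in one script. The following is an added example and not code from the original post or from VMware; it implements the "$6$" algorithm with nothing but hashlib, so it runs on any Python 3 including releases without the crypt module, and it also offers a freshly generated salt, which is preferable to reusing the old one. The sample shadow content is constructed from the root line quoted in the post plus one made-up entry; the path /mnt/etc/shadow in the comments is the mount point used in the post.

```python
import hashlib
import secrets

# Alphabet of the crypt(3) base64 variant (its order differs from RFC 4648).
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_from_24bit(b2, b1, b0, n):
    """Emit n crypt-base64 characters from three bytes, low 6 bits first, as glibc does."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password, salt, rounds=5000):
    """SHA-512 crypt ("$6$") following the glibc sha-crypt specification, using only hashlib."""
    pw = password.encode()
    salt_b = salt.encode()[:16]  # glibc uses at most 16 salt bytes
    # Digest B = SHA512(password + salt + password)
    b = hashlib.sha512(pw + salt_b + pw).digest()
    # Digest A = SHA512(password + salt + B stretched to len(password) + length-bit mix)
    a = hashlib.sha512(pw + salt_b)
    n = len(pw)
    while n > 64:
        a.update(b)
        n -= 64
    a.update(b[:n])
    n = len(pw)
    while n:
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    # P: SHA512 of the password repeated len(password) times, cut to len(password)
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]
    # S: SHA512 of the salt repeated (16 + A[0]) times, cut to len(salt)
    ds = hashlib.sha512(salt_b * (16 + a[0])).digest()
    s = (ds * (len(salt_b) // 64 + 1))[:len(salt_b)]
    # Key stretching: by default 5000 rounds mixing P, S and the previous digest
    c = a
    for i in range(rounds):
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    # Output bytes are grouped in the fixed (k, k+21, k+42) order glibc uses
    enc = []
    for k in range(21):
        i, j, l = k, k + 21, k + 42
        if k % 3 == 1:
            i, j, l = j, l, i
        elif k % 3 == 2:
            i, j, l = l, i, j
        enc.append(_b64_from_24bit(c[i], c[j], c[l], 4))
    enc.append(_b64_from_24bit(0, 0, c[63], 2))
    prefix = "$6$" if rounds == 5000 else "$6$rounds=%d$" % rounds
    return prefix + salt_b.decode() + "$" + "".join(enc)


def salt_of(hash_field):
    """Return the salt of a "$6$salt$hash" field, or None if it is not a SHA-512 crypt hash."""
    parts = hash_field.split("$")
    if len(parts) != 4 or parts[1] != "6":
        return None
    return parts[2]


def random_salt(length=16):
    """Fresh salt from the crypt alphabet; better than reusing the old one."""
    return "".join(secrets.choice(_B64) for _ in range(length))


def reset_shadow_entry(shadow_text, user, new_password, salt=None):
    """Return shadow_text with the user's hash field replaced; all other fields stay unchanged."""
    lines = shadow_text.splitlines()
    for idx, line in enumerate(lines):
        fields = line.split(":")
        if fields[0] != user:
            continue
        fields[1] = sha512_crypt(new_password, salt or random_salt())
        lines[idx] = ":".join(fields)
        return "\n".join(lines) + "\n"
    raise KeyError("no shadow entry for %r" % user)


# Constructed sample: the root line quoted in the post plus one made-up entry.
SAMPLE_SHADOW = (
    "root:$6$cVgMY7af$XZSSEKvitiqwUaLFZ4QVKEQ1El/Fra2TUFDHDFk1O8eu4aMQo0WfYrA5tVe7OAB4d2z442OIYkqH5BhGV9Vtr.::0:99999:7:::\n"
    "bin:*:16073:0:99999:7:::\n"
)

if __name__ == "__main__":
    # On the live CD: read /mnt/etc/shadow, keep the shadow.old backup, write the result back.
    old_salt = salt_of(SAMPLE_SHADOW.split(":")[1])
    print(reset_shadow_entry(SAMPLE_SHADOW, "root", "MyPassword", salt=old_salt), end="")
```

Run the script as it is to see the rewritten sample; to apply it for real, replace SAMPLE_SHADOW with the contents of the mounted shadow file and write the returned text back with the file's original mode (0600 or 0640) preserved. Passing salt=None makes reset_shadow_entry pick a new 16-character salt, so the resulting hash no longer shares anything with the old one.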

After rebooting the vCSA, logging in via SSH with the new root password should be possible again. To reset the password of the SSO administrator, the following commands are sufficient if the Platform Services Controller (PSC) is also part of the vCSA:

Command> shell.set --enabled True
Command> shell
    ---------- !!!! WARNING WARNING WARNING !!!! ----------
...
my-vcsa:~ # /usr/lib/vmware-vmdir/bin/vdcadmintool

==================
Please select:
0. exit
1. Test LDAP connectivity
2. Force start replication cycle
3. Reset account password
4. Set log level and mask
5. Set vmdir state
==================

3
  Please enter account UPN : administrator@vsphere.local
New password is -
&/()32I'mDumb48730

Finally, change the generated SSO password to one of your own and store both passwords safely, so that you do not end up in this situation again...
