As you might notice, VMware vSphere has now Platform service controller (PSC) with a Single Sign-On (SSO) as a component. It is PSC which allows authentication via vCenter Single Sign-On (SSO). It is not only an authentication broker but also a security token exchange providing a more secure way of accessing your vSphere solutions, so in my honest opinion, it is a key component. In this post, we will learn How to reset Single Sign-On (SSO) password in vSphere.
When you log in to vSphere, you actually pass authentication to the vCenter Single Sign-On server component which can be configured with multiple identity sources like Active Directory and OpenLDAP. After the successful login, your username and password are exchanged for a security token which is then used to access the vSphere components like vCenter Server, vCenter Orchestrator etc. vCenter Server checks with the vCenter Single Sign-On server that the token is valid and not expired. ThevCenter Single Sign-On server returns the token to the vCenter Server system, leveraging thevCenter Server Authorization Framework to allow user access. It's also called SSO Handshake.
vCenter Server checks with the vCenter Single Sign-On server that the token is valid and not expired. ThevCenter Single Sign-On server returns the token to the vCenter Server system, leveraging thevCenter Server Authorization Framework to allow user access. It's also called SSO Handshake.
To understand things right. There are 3 different types of password that may be used to access vCenter Server and its components.
- Root password of the Photon OS VCSA 6.5 appliance – In case you're using VCSA. How to reset this password? Check my post on it here.
- SSO Password – default SSO administrator's password – we do this today.
- Domain admin password – which is usually configured when VCSA is joined to Microsoft Windows AD.
Today's post will allow us to reset VMware SSO password via vdcadmintool.
How to reset Single Sign-On (SSO) password in vSphere – The Steps.
So first, Log in to vCenter Server Appliance using SSH as the root user. You can use Putty session for that:
Run this command to enable access the Bash shell:
shell.set --enabled true
press Enter. Then run this:
This console loads a menu like this inviting you to select one of the options:
1. Test LDAP connectivity
2. Force start replication cycle
3. Reset account password
4. Set log level and mask
5. Set vmdir state
It should look like this…
Press option 3 to enter the Reset account password option.
You'll receive prompt for an “Account UPN”. Enter this:
A new password is generated.
Use this password to login to your vCenter server
Once logged in, go to Administration > Single Sign-ON > Users > Administrator > Modify.
And change the password through the UI there…
That's it. We have just reset a VMware SSO password.
As usually, we have created a short video demonstrating the process. Watch in HD (1080p) and full screen.
It is certainly a handy write up. It can be useful in a situation where we came to the client's installation and don't have either the administrator's SSO password or the root password for VMware VCSA 6.5. Knowing how to reset both passwords is certainly a good step forward to learn further about VMware technology as a whole.
However, we also follow closely other technologies, such as Windows Server 2016 which had some changes in it's licensing. You might want to have a look also on What are the differences between Standard and Datacenter licensing in Windows Server 2016 or between Essentials and Standard.
Check more articles from ESX Virtualization:
- VMware VCSA 6.5 Backup and Restore How-To
- Backup and Restore VMware vCenter Server (VCSA) 6.5 with Veeam
- Patch VMware vCenter Server Appliance (VCSA) from Offline Depot ZIP file
- How to Deploy VMware LogInsight 4 and What's new?