Thursday, June 25, 2015

Unlocking and resetting the VMware vCenter Single Sign-On administrator password (vCenter 5.1, 5.5, 6.0)

I ran across this KB article from VMware to resolve the issue caused by a locked SSO password. I am going to describe the solution specifically for vCenter 6.0 SSO. For vCenter 5.1 or 5.5, see the KB article link at the bottom of this page for the other options.


Symptoms

  • You are unable to log in to the VMware vSphere Web Client using your single sign-on (SSO) administrator credentials.
  • The password was entered incorrectly too many times (three times by default in vCenter 5.x; five times within three minutes by default in vCenter 6.0).
  • You see the error:

    User account is locked. Please contact your administrator.


Cause

The SSO administrator account is locked automatically after too many failed login attempts. The default is three failures in vCenter 5.x; in vCenter 6.0 the default policy locks the account after five failures within 180 seconds and unlocks it again after 300 seconds.


Resolution

For VMware Platform Services Controller 6.0
  • Wait for 5 minutes. By default, the 6.0 account lockout policy unlocks the account after 300 seconds (5 minutes); if the lockout policy has been changed, wait for the configured unlock time instead. For more information on account lockout policies for the Platform Services Controller (PSC), see vCenter Server Password Requirements and Lockout Behavior in the vSphere Security Guide.
  • Unlock the account from another session that is still logged in to the PSC, or from another user account with SSO administrator privileges.

    To unlock an account using another session or using another user account with SSO administrator privileges:
    1. Click Home.
    2. Click Administration.
    3. Click Single Sign-On > Users and Groups.
    4. Click the Users tab.
    5. Right-click the affected user account, such as administrator@vsphere.local, and click Unlock.
  • In emergency situations, or if the default policies have been changed so that the account does not unlock on its own, you can also reset the password, which unlocks the account at the same time. Note that this reset needs nothing but local OS privileges on the PSC (root on the appliance, a local or domain administrator on Windows): whoever holds those can take over the SSO administrator account this way, so SSH and local administrator access to the PSC must be guarded as tightly as the SSO administrator credential itself.

    To reset the administrator@vsphere.local password on a Windows Platform Services Controller or vCenter Server with Embedded Platform Services Controller:
    1. Log in to the vCenter Server with a domain administrator account. If the Platform Services Controller is installed separate from the vCenter Server, log in to the Platform Services Controller server.
    2. Open an elevated command prompt. For more information, see Opening a command or shell prompt (1003892).
    3. Open the vdcadmintool service tool with this command:

      c:\> "%VMWARE_CIS_HOME%\vmdird\vdcadmintool.exe"

      This console loads:

      ===============================
      Please select:
      0. exit
      1. Test LDAP connectivity
      2. Force start replication cycle
      3. Reset account password
      4. Set log level and mask
      5. Set vmdir state
      ===============================
    4. Press 3 to enter the Reset account password option. 
    5. When prompted for the Account UPN, enter:
      Administrator@vSphere_Domain_Name.local

      By default, this is:

      Administrator@vSphere.local

      A new password is generated and printed on the console.
      Note: if you customized your vSphere domain name, provide the customized domain name.
    6. Use the generated password to log in to the vSphere Web Client as administrator@vSphere.local, then change the password immediately, because the generated one was displayed in clear text on the console.
    To reset the administrator@vsphere.local password on the Platform Services Controller or vCenter Server with Embedded Platform Services Controller Appliance:
    1. Log in to the vCenter Server Appliance via SSH.
    2. Run this command to enable access to the Bash shell:

      shell.set --enabled true
    3. Type shell and press Enter.
    4. Open the vdcadmintool service tool with this command:

      /usr/lib/vmware-vmdir/bin/vdcadmintool

      This console loads:
      ================================
      Please select:
      0. exit
      1. Test LDAP connectivity
      2. Force start replication cycle
      3. Reset account password
      4. Set log level and mask
      5. Set vmdir state
      ================================
    5. Press 3 to enter the Reset account password option.
    6. When prompted for the Account UPN, enter:
      Administrator@vSphere_Domain_Name.local

      By default, this is:

      Administrator@vSphere.local


      A new password is generated and printed on the console.

      Note: if you customized your vSphere domain name, provide the customized domain name.
    7. Use the generated password to log in to the vSphere Web Client as administrator@vSphere.local, then change the password immediately, because the generated one was displayed in clear text on the console.
    8. Leave the Bash shell and run shell.set --enabled false in the appliance shell so that Bash access is not left enabled after the reset.
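As an added example that is not part of the KB article or this post, the POSIX shell script below performs the appliance-side reset described above (the Windows procedure feeds the same three menu answers to vdcadmintool.exe) and adds the checks a practitioner would want before touching vmdir: it refuses to run unless it is root, fails cleanly if vdcadmintool is missing instead of hanging on an interactive prompt, and ends with the reminder to change the generated password and to close the Bash shell again. It assumes that vdcadmintool accepts its menu choices from standard input (so the answers "3", the UPN and "0" can be piped in), the default tool path on the appliance, and an optional vSphere domain name passed as the first argument; the script name reset-sso-admin.sh is also an assumption.

```shell
#!/bin/sh
# Added example, not from the VMware KB or this post: drives the vdcadmintool
# "Reset account password" option on a vCenter Server Appliance / PSC 6.0 from
# the Bash shell, with the checks a careful operator would otherwise do by hand.
#
# Assumptions (not confirmed by the KB text): vdcadmintool reads its menu
# choices from stdin, so "3", the UPN and "0" can be piped in; the tool lives
# at the path below; the vSphere domain is passed as $1 (default vsphere.local).

VDCADMINTOOL="${VDCADMINTOOL:-/usr/lib/vmware-vmdir/bin/vdcadmintool}"

# Administrator UPN for the SSO domain, i.e. the KB's
# Administrator@vSphere_Domain_Name.local placeholder filled in.
sso_upn() {
    printf 'Administrator@%s\n' "${1:-vsphere.local}"
}

# The answers the interactive menu expects, one per line:
# 3 (Reset account password), the account UPN, 0 (exit).
menu_input() {
    printf '3\n%s\n0\n' "$1"
}

# True only if the tool exists and is executable. The first comment below
# reports an install where the directory holds nothing but a DLL; fail loudly
# rather than wait on a prompt from a tool that is not there.
check_tool() {
    [ -x "$1" ]
}

# Pipe the menu answers into the tool. Its stdout carries the generated
# password, so this should only ever run on the console of the PSC itself.
# Returns 2 if the tool is missing, otherwise the tool's own exit status.
run_reset() {
    tool="$1"
    upn="$2"
    check_tool "$tool" || { echo "vdcadmintool not found at $tool" >&2; return 2; }
    menu_input "$upn" | "$tool"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "vdcadmintool needs root; re-run as root" >&2; exit 1; }
    upn="$(sso_upn "$1")"
    echo "Resetting password for $upn (this unlocks the account as well)" >&2
    run_reset "$VDCADMINTOOL" "$upn" || exit $?
    cat >&2 <<'EOF'
Done. Log in to the vSphere Web Client with the generated password and change
it now: it was printed in clear text above. Then leave the Bash shell and run
"shell.set --enabled false" in the appliance shell so Bash is not left open.
EOF
}

# Run main only when executed as the script itself, so the functions can be
# sourced and exercised without touching vmdir.
case "${0##*/}" in reset-sso-admin.sh) main "$@" ;; esac
```

Copy the script to the appliance, make it executable, and run it as root with the domain name as the only argument (for example ./reset-sso-admin.sh vsphere.local); the generated password appears in the tool's own output. The tool path is taken from the VDCADMINTOOL environment variable when set, which is also how run_reset can be pointed at something harmless such as /bin/cat to check the piped input before it is ever sent to the real tool.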


KB 2034608: http://kb.vmware.com/kb/2034608

2 comments:

  1. My vCenter install doesn't appear to come with this tool at all. That directory is empty save for a single DLL. Is there some step I need to complete to install this utility?

  2. Don't know if it could be of any help, but I've struggled because the reset was failing every time I tried; it came out that you can only do operation no. 3 (reset) with the built-in Administrator, otherwise it will not work, in vCenter 6.0.

    https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2144902