
26/5/14

Unlocking and resetting the vCenter Single Sign-On administrator password


Symptoms


  • You are unable to log in to the vSphere Web Client using your single sign-on (SSO) administrator credentials
  • Logging in to the vSphere Web Client using your SSO administrator credentials fails 
  • The password has been incorrectly entered three times (by default)
  • You see the error:

    User account is locked. Please contact your administrator.

Cause

For security purposes, the administrator account is automatically locked out if there are too many failed login attempts. By default, vCenter SSO allows for three failed login attempts before an account is locked out.

Resolution


To resolve this issue, you must unlock/reset the administrator account. To reset the password, you must know the original password.
To unlock/reset the administrator account, use one of these methods:

For vCenter Single Sign-On 5.1

  1. Click Home.
  2. Click Administration.
  3. Click SSO Users and Groups.
  4. Right-click the affected user account, such as admin, and click Unlock.

  • In emergency situations or if the default policies have been changed, you can also reset the password to unlock the account.

    Note: Resetting the password does not change the master password for vCenter Single Sign-On 5.1. The master password is stored in the database and can only be changed by re-installing vCenter Single Sign-On 5.1 with a fresh back-end database. The following procedure only generates a secondary password for the admin@system-domain to utilize. The master password continues to remain the same.

    To reset the admin@system-domain password on a Windows server:
  1. Log in as an administrator to the vCenter SSO server.
  2. Click Start > Run, type cmd, and click OK. The Command Prompt window opens.
  3. Navigate to the directory SSOInstallDirectory\utils. By default, the installation directory is C:\Program Files\VMware\Infrastructure\SSOServer\utils.
  4. Run this command:

    rsautil reset-admin-password
  5. Enter the master password when prompted.

    Note: This is the password selected for the SSO administrator during the SSO installation. If you have changed your SSO administrator password later, the master password is still the original one chosen.

    If the command fails to prompt for the master password, use this command that includes all switches:

    rsautil reset-admin-password --master-pwd master_password --admin-name admin --admin-pwd new_password
  6. Enter the SSO administrator name for which you want to reset the password. For example, admin.
  7. Enter the new password for the user and then confirm it a second time. Ensure that the new password is compliant with VMware's list of unsupported characters. For more information, see vSphere 5.1 Single Sign On (SSO) installation fails with error: Error 29133. Administrator login error. (2035820).

    You should see the message: Password reset successfully.

To reset the admin@system-domain password on the vCenter Server Appliance:
  1. Log in as root to the vCenter Server Appliance.
  2. From the command line, navigate to /usr/lib/vmware-sso/utils directory. 
  3. Run this command:

    ./rsautil reset-admin-password
  4. Enter the master password when prompted.

    Note: By default, this is the root password.
  5. Enter the SSO administrator name for which you want to reset the password. For example, admin.
  6. Enter the new password for the user and then confirm it a second time. Ensure that the new password is compliant with VMware's list of unsupported characters. For more information, see vSphere 5.1 Single Sign On (SSO) installation fails with error: Error 29133. Administrator login error. (2035820).

    You should see the message Password reset successfully.

For vCenter Single Sign-On 5.5

  • Wait for 15 minutes. By default, the account lockout policy is set to unlock after 15 minutes. For more information on account lockout policies for vCenter SSO, see Configuring and troubleshooting vCenter Single Sign On password and lockout policies for accounts (2033823).
  • Unlock the account using another session that is still logged into the SSO server or using another user account with SSO administrator privileges. 

    To unlock an account using another session or using another user account with SSO administrator privileges:
    1. Click Home.
    2. Click Administration.
    3. Click Single Sign-On > Users and Groups.
    4. Click on the Users tab.
    5. Right-click the affected user account, such as administrator@vsphere.local, and click Unlock.
  • In emergency situations or if the default policies have been changed, you can also reset the password to unlock the account. 

    To reset the administrator@vsphere.local password on a Windows server:
    1. Log in to the vCenter Server with a domain administrator account. If vCenter Single Sign-On is installed separate from the vCenter Server, log into the vCenter Single Sign-On server.
    2. Open an elevated command prompt. For more information, see Opening a command or shell prompt (1003892).
    3. Navigate to the vmdird directory with this command:
      c:\>cd Program Files\VMware\Infrastructure\VMware\CIS\vmdird
    4. Open the vdcadmintool service tool with this command:
      c:\Program Files\VMware\Infrastructure\VMware\CIS\vmdird>vdcadmintool.exe
      This console loads:
      ===============================
      Please select:
      0. exit
      1. Test LDAP connectivity
      2. Force start replication cycle
      3. Reset account password
      4. Set log level and mask
      5. Set vmdir state
      ===============================
    5. Press 3 to enter the Reset account password option. 
    6. When prompted for the Account DN, enter:
      cn=Administrator,cn=users,dc=vSphere,dc=local

      A new password is now generated.
    7. Use the newly generated password to log in to the administrator@vSphere.local account.

      Note: If the generated password contains an exclamation mark (!), perform the regeneration process a second time.
    8. After the password is regenerated, log in to the vSphere Web Client and change the password to be compliant with VMware's list of unsupported characters. For more information, see vSphere 5.5 Single Sign-On administrator@vsphere.local password issues (2060637).
To reset the administrator@vsphere.local password on the vCenter Server Appliance:
    1. Connect to the vCenter Server Appliance via SSH. For more information, see Enable or Disable SSH Administrator Login on the VMware vCenter Server Appliance section in the vCenter Server and Host Management Guide.
    2. Open the vdcadmintool service tool with this command:
      /usr/lib/vmware-vmdir/bin/vdcadmintool
      This console loads:
      ================================
      Please select:
      0. exit
      1. Test LDAP connectivity
      2. Force start replication cycle
      3. Reset account password
      4. Set log level and mask
      5. Set vmdir state
      ================================
    3. Press 3 to enter the Reset account password option.
    4. When prompted for the Account DN, enter:
      cn=Administrator,cn=users,dc=vSphere,dc=local

      A new password is generated.
    5. Use the generated password to log in to the administrator@vSphere.local account.

      Note: If the generated password contains an exclamation mark (!), perform the regeneration process a second time.
    6. After the password is regenerated, log in to the vSphere Web Client and change the password to be compliant with VMware's list of unsupported characters. For more information, see vSphere 5.5 Single Sign-On administrator@vsphere.local password issues (2060637).
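
The lockout behaviour described under Cause, together with the 15-minute unlock default given for 5.5, can be replayed against a sequence of login attempts to see when the account is usable again. This is an added example, not VMware code and not part of the original article; the event names, the `replay` function, the rule that a successful login clears the failure counter, and the sample timestamps are assumptions made for illustration.

```python
from datetime import datetime, timedelta

MAX_FAILED = 3                        # page default: three failed attempts
UNLOCK_AFTER = timedelta(minutes=15)  # page default for SSO 5.5
LOCKED_MSG = "User account is locked. Please contact your administrator."


def replay(events, auto_unlock=UNLOCK_AFTER):
    """Replay (time, kind) events for one account.

    kind is 'bad' (wrong password), 'good' (correct password) or
    'unlock' (Unlock action by another SSO administrator).
    Returns one outcome string per event. auto_unlock=None models a
    policy with no timed unlock (hypothetical setting for comparison).
    """
    failures, locked_at, outcomes = 0, None, []
    for when, kind in events:
        # Timed unlock: the lock expires once the unlock period has elapsed.
        if (locked_at is not None and auto_unlock is not None
                and when - locked_at >= auto_unlock):
            failures, locked_at = 0, None
        if kind == "unlock":
            failures, locked_at = 0, None
            outcomes.append("unlocked")
        elif locked_at is not None:
            # While locked, even the correct password is refused.
            outcomes.append(LOCKED_MSG)
        elif kind == "good":
            failures = 0              # assumption: success clears the counter
            outcomes.append("login ok")
        else:
            failures += 1
            if failures >= MAX_FAILED:
                locked_at = when      # third failure locks the account
            outcomes.append("login failed")
    return outcomes


def t(minute):
    """Constructed timestamps: minutes after an arbitrary start time."""
    return datetime(2014, 5, 26, 9, 0) + timedelta(minutes=minute)


# Constructed sample: three typos, a correct retry one minute later,
# and a correct retry 15 minutes after the lock was set.
SAMPLE = [(t(0), "bad"), (t(1), "bad"), (t(2), "bad"),
          (t(3), "good"), (t(17), "good")]

if __name__ == "__main__":
    for (when, kind), result in zip(SAMPLE, replay(SAMPLE)):
        print(when.strftime("%H:%M"), kind, "->", result)
```
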
Source: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2034608
Jorge D.
