Sometimes you just can’t catch a break, for example after returning from a vacation and not remembering your password for the built-in Administrator account in the vsphere.local domain for vCenter. Changing it can be a bit round-about at times, so I decided to do a small guide since I had to figure it out myself recently.
Step 1 – Read what VMware says you should do
Don’t take advice from a ‘random dude on the Internet’ without confirming it first!
Here’s the link to the guides for the different versions of vCenter; they are all ever so slightly different. I’ll focus on the vCenter 6.0 appliance, but the methods are quite similar.
Step 2 – Enable SSH and Shell on the vCenter Appliance
Open up the console on the vCenter Appliance (Hint: ESXi Host Web Client) and log in as the root user (Press F2 on the splash screen). Then select F2 again to access the screen where you can enable SSH and shell access. Enable both, you’ll need them!
Step 3 – SSH into the vCenter Appliance
Next you’ll need to SSH in using the same root account as earlier. Type “shell” to access the bash shell.
Step 4 – Reset the password
Type the following in:
Which gets you:
==================
Please select:
0. exit
1. Test LDAP connectivity
2. Force start replication cycle
3. Reset account password
4. Set log level and mask
5. Set vmdir state
==================
Select option 3
Please enter account UPN :
This is one of the problems with the 6.X guide: it doesn’t tell you explicitly that you need to type the following.
After that you should get a new password that you can use to log in. Some of the KBs from VMware state that you should rerun the command if you get an exclamation point (!) in your password, so redo it in that case. This password can then be used to access the WebGUI of the appliance and there you can set your email@example.com password back to something more reasonable.
Step 4 – IT DIDN’T WORK!
Yes, this is the second pitfall, and this took me some time to figure out. Your shell probably displays something along these lines after you’ve entered the account name:
VmDirForceResetPassword failed (9106)
This is not a documented “feature” by VMware, but after some digging around, I found that people recommend running the command su before the vdcadmintool.
So, type su into the shell, retype your root password, and you’ll get thrown back to the start splash. Type shell again, and rerun vdcadmintool. This time you should get a password instead of an error. Another thing you could try if this doesn’t work is to start the shell with this command:
Which should launch an elevated root shell instead of whatever is launched when just using shell. I’ve not tried this myself, so no guarantees (as if any of my advice comes with a warranty), but you might find it helpful.
Thank you so much, really saved our time
You’re welcome mate, that’s why I do these guides, to save some other poor soul’s time! 🙂
Hi, unfortunately that didn’t work for me. I get the “9106” error whether I try with su or not 😦 I’ve only just installed the VCSA 6.5 U1 appliance, so the reason I’m trying to reset the firstname.lastname@example.org sso password is not because I forgot it, it’s because the web-console won’t let me logon with this account, so I googled “how to reset the default sso account” and came across your article. Any help would be appreciated, thanks.
The same. Cannot reset in any way.
Hi again, I decided to delete and re-install the VCSA 6.5 and now I can logon to it as email@example.com 🙂
Excellent! Thanks a lot really helped a lot to get the firstname.lastname@example.org password reset.
Cheers mate, glad it helped! 🙂
Saved my life tonight, or shall I say it saved my night 😉
The password in email format did the trick for me.
Cheers mate, glad it helped you! 🙂
How can I check my localhost domain in case of Windows vCenter? Like in case of Appliance it can be checked through 1 command after logging through root. The insight of the question is I am trying to login to vCenter through administrator@vSphere.local but getting error “you do not have permission to any of vCenter”. I doubt the localhost domain is different. In my case vCenter is Windows based and version 6.5.
It should be listed in the following file (I can’t check it since I don’t have a Windows based vCenter handy)
Keep in mind that the vSphere domain is different to the domain that the Windows server might or might not be added to.
Just a note on the error: VmDirForceResetPassword failed (9106)
You will also receive that same error if your UPN is incorrect. We had one oddball in our enterprise, forgot. No level of su or pi shell would fix it.
After entering the correct UPN, worked fine w/o su
“VmDirForceResetPassword failed (9106)” experienced during email@example.com password reset attempt in vcsa 6.7 with no resolution in vmware’s password reset article.
Your “su” tip solved the problem