{"id":1462,"date":"2018-03-23T20:34:46","date_gmt":"2018-03-23T12:34:46","guid":{"rendered":"http:\/\/www.eumz.com\/?p=1462"},"modified":"2018-03-23T20:34:46","modified_gmt":"2018-03-23T12:34:46","slug":"vsphere-6-5%e5%af%86%e7%a0%81%e9%87%8d%e7%bd%aevcenter-sso-and-esxi","status":"publish","type":"post","link":"https:\/\/www.wxcn.com\/?p=1462","title":{"rendered":"vSphere 6.5 Password Reset (vCenter, SSO and ESXi)"},"content":{"rendered":"<p>Everyone knows the situation where you can&#8217;t log into a system because you have forgotten the password.\u00a0The following article explains how to reset the password and regain access to VMware vSphere 6.5 core components including vCenter, SSO and ESXi Hosts.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/esxi-cannot-login-due-to-an-incorrect-user-name-or-password-300x42.png\" \/><\/p>\n<ul>\n<li>Reset vCenter Server Appliance 6.5 root password<\/li>\n<li>Reset SSO Administrator Password (vCenter Server Appliance 6.5)<\/li>\n<li>Reset ESXi root password with Host Profiles<\/li>\n<li>Gain Administrative ESXi access with an Active Directory<\/li>\n<li>Reset ESXi root password (Linux Live CD)<\/li>\n<\/ul>\n<h3>Reset vCenter Server Appliance 6.5 root password<\/h3>\n<p>The following method provides steps to recover the vCenter Server Appliance (vCSA) root password. The process is slightly different compared to previous versions as the OS has been changed to PhotonOS. 
The method is officially supported by VMware and documented in <a href=\"https:\/\/kb.vmware.com\/kb\/2147144\">KB2147144<\/a>.<\/p>\n<ol>\n<li>Take a snapshot of the vCSA to be able to rollback in case of any problems during password recovery.<\/li>\n<li>Connect to the ESXi Host that runs the vCSA and open a remote console.<\/li>\n<li>Reboot the vCSA<\/li>\n<li>Press <strong>e<\/strong> immediately\u00a0after the system starts (When the PhotonOS screen shows up)<\/li>\n<li>Append<strong>\u00a0rw init=\/bin\/bash<\/strong> to the line starting with <strong>linux<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-18816 size-full\" src=\"http:\/\/www.virten.net\/wp-content\/uploads\/2016\/12\/vcsa-65-password-recovery-grub.png\" sizes=\"auto, (max-width: 619px) 100vw, 619px\" srcset=\"http:\/\/www.virten.net\/wp-content\/uploads\/2016\/12\/vcsa-65-password-recovery-grub.png 619w, http:\/\/www.virten.net\/wp-content\/uploads\/2016\/12\/vcsa-65-password-recovery-grub-300x83.png 300w\" width=\"619\" height=\"172\" \/><br \/>\n<\/strong><\/li>\n<li>Press <strong>F10<\/strong> to boot<\/li>\n<li>In the command prompt, enter <strong>passwd<\/strong>\u00a0and enter a new root password\u00a0twice<\/li>\n<li>Enter <strong>umount \/<\/strong>\u00a0to unmount the root filesystem<\/li>\n<li>Reboot the vCSA by running the command <strong>reboot -f<\/strong><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-18817 alignnone\" src=\"http:\/\/www.virten.net\/wp-content\/uploads\/2016\/12\/vcsa-65-password-recovery-single-user.png\" sizes=\"auto, (max-width: 380px) 100vw, 380px\" srcset=\"http:\/\/www.virten.net\/wp-content\/uploads\/2016\/12\/vcsa-65-password-recovery-single-user.png 380w, http:\/\/www.virten.net\/wp-content\/uploads\/2016\/12\/vcsa-65-password-recovery-single-user-300x91.png 300w\" alt=\"\" width=\"380\" height=\"115\" \/><\/li>\n<li>Verify that you can log in with the new root password and delete the snapshot created in 
step 1.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<h3>Reset SSO Administrator\u00a0Password (vCenter Server Appliance 6.5)<\/h3>\n<p>The following method provides steps to recover the SSO administrator password on a vCenter Server Appliance (vCSA). The method is officially supported by VMware and documented in <a href=\"https:\/\/kb.vmware.com\/kb\/2146224\">KB2146224<\/a>.<\/p>\n<ol>\n<li>Log in to the vCSA using SSH as <strong>root<\/strong><\/li>\n<li>Enter <strong>shell<\/strong> to start the bash shell<\/li>\n<li>Identify the SSO Domain Name (Default is vsphere.local)\n<pre># \/usr\/lib\/vmware-vmafd\/bin\/vmafd-cli get-domain-name --server-name localhost<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-18819 size-full\" src=\"http:\/\/www.virten.net\/wp-content\/uploads\/2016\/12\/vcsa-identify-sso-domain-name.png\" sizes=\"auto, (max-width: 731px) 100vw, 731px\" srcset=\"http:\/\/www.virten.net\/wp-content\/uploads\/2016\/12\/vcsa-identify-sso-domain-name.png 731w, http:\/\/www.virten.net\/wp-content\/uploads\/2016\/12\/vcsa-identify-sso-domain-name-300x14.png 300w\" width=\"731\" height=\"35\" \/><\/li>\n<li>Start the vdcadmintool<br \/>\n<strong><br \/>\n<\/strong><\/p>\n<pre># \/usr\/lib\/vmware-vmdir\/bin\/vdcadmintool<\/pre>\n<\/li>\n<li>Press <strong>3 (Reset account password)<\/strong><\/li>\n<li>The tool asks for the Account UPN to reset. 
Enter Administrator@&lt;DOMAIN&gt; (identified in Step 3)<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18820\" src=\"http:\/\/www.virten.net\/wp-content\/uploads\/2016\/12\/vcsa-reset-sso-admin-password.png\" sizes=\"auto, (max-width: 464px) 100vw, 464px\" srcset=\"http:\/\/www.virten.net\/wp-content\/uploads\/2016\/12\/vcsa-reset-sso-admin-password.png 464w, http:\/\/www.virten.net\/wp-content\/uploads\/2016\/12\/vcsa-reset-sso-admin-password-300x200.png 300w\" alt=\"\" width=\"464\" height=\"310\" \/><\/li>\n<li>The tool generates and displays a new password.<\/li>\n<li>Use the password\u00a0to log in with the vSphere Web Client and change the password.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<h3>Reset ESXi root password with Host Profiles<\/h3>\n<p>According to VMware <a href=\"https:\/\/kb.vmware.com\/kb\/1317898\">KB1317898<\/a>, &#8220;reinstalling the ESXi host is the only supported way to reset a password on ESXi&#8221;. However, there is a loophole as you can set the root password with Host Profiles under certain conditions.\u00a0This method has two requirements:<\/p>\n<ul>\n<li>The ESXi host needs to be managed by a vCenter<\/li>\n<li>vSphere Enterprise Plus License is required to use Host Profiles<\/li>\n<\/ul>\n<p>vCenter uses the vpxuser account to communicate with ESXi hosts, so it does not depend on the root account. As long as the ESXi host\u00a0is managed by the vCenter, you can change the configuration without knowing the ESXi root password. 
This method works with all ESXi 5.x and 6.x versions.<\/p>\n<ol>\n<li>Create a Host Profile with the ESXi you want to reset the root password as reference Host<br \/>\n<strong>Web Client &gt; Right-Click the ESXi Host &gt; Host Profiles &gt; Extract Host Profile&#8230;<\/strong><\/li>\n<li>Navigate to the Host Profile and select <strong>Actions &gt; Edit Settings&#8230;<\/strong><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18824\" src=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/reset-esxi-root-with-host-profiles-edit-profile.png\" sizes=\"auto, (max-width: 516px) 100vw, 516px\" srcset=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/reset-esxi-root-with-host-profiles-edit-profile.png 516w, http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/reset-esxi-root-with-host-profiles-edit-profile-300x165.png 300w\" alt=\"\" width=\"516\" height=\"284\" \/><\/li>\n<li>Navigate to the root User Configuration<br \/>\n<strong>Security and Services &gt; Security Settings &gt; Security &gt; User Configuration &gt; root<\/strong><\/li>\n<li>Set the Password configuration to <strong>Fixed password configuration<\/strong> and enter a new password.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18825\" src=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/reset-esxi-root-with-host-profiles-set-fixed-password.png\" sizes=\"auto, (max-width: 782px) 100vw, 782px\" srcset=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/reset-esxi-root-with-host-profiles-set-fixed-password.png 782w, http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/reset-esxi-root-with-host-profiles-set-fixed-password-300x172.png 300w, http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/reset-esxi-root-with-host-profiles-set-fixed-password-768x441.png 768w\" alt=\"\" width=\"782\" height=\"449\" \/><\/li>\n<li>Click Finish to close the profile configuration<\/li>\n<li>Right-Click the Host 
Profile and select <strong>Attach\/Detach Hosts and Clusters&#8230;<\/strong><\/li>\n<li>Highlight the ESXi host, click <strong>Attach &gt;<\/strong> and finish the configuration screen<strong><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18826\" src=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/reset-esxi-root-with-host-profiles-attach-host-profile.png\" sizes=\"auto, (max-width: 658px) 100vw, 658px\" srcset=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/reset-esxi-root-with-host-profiles-attach-host-profile.png 658w, http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/reset-esxi-root-with-host-profiles-attach-host-profile-300x115.png 300w\" alt=\"\" width=\"658\" height=\"252\" \/><br \/>\n<\/strong><\/li>\n<li>Put the ESXi host into maintenance mode<\/li>\n<li>Right-Click the ESXi host and select <strong>Host Profiles &gt; Remediate&#8230;<\/strong><\/li>\n<li>Finish the remediation wizard. The remediation should take less than a minute; no reboot is required.<\/li>\n<li>Use the new root password to log in<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<h3>Gain Administrative ESXi access with an Active Directory<\/h3>\n<p>When you don&#8217;t have the Enterprise Plus license, you can join an Active Directory to regain administrative access to the ESXi host. 
This method circumvents the limitation that root password recovery is not supported.<\/p>\n<ol>\n<li>Log in to the vCenter with the vSphere Web Client<\/li>\n<li>Navigate to <strong>ESXi &gt;\u00a0Configure &gt; System &gt; Authentication Services<\/strong><\/li>\n<li>Click\u00a0<strong>Join Domain&#8230;<\/strong><\/li>\n<li>Enter the domain name and user credentials<\/li>\n<li>Click OK<\/li>\n<li>In the ESXi configuration, open <strong>System &gt; Advanced System Settings<\/strong><\/li>\n<li>Enter\u00a0<strong>Config.HostAgent.plugins.hostsvc.esxAdminsGroup<\/strong> in the search\u00a0field<\/li>\n<li>Change the setting to match the Administrator group that you want to use in the Active Directory. You can either create a new group in your directory or enter an existing group<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<h3>Reset ESXi root password (Linux Live CD)<\/h3>\n<p>When you need to recover root access and the methods above are not applicable, the last method explains how to reset the root password with a Linux Live CD. Please be aware that this method is <strong>not supported<\/strong> by VMware as\u00a0<a href=\"https:\/\/kb.vmware.com\/kb\/1317898\">KB1317898<\/a>\u00a0states: &#8220;reinstalling the ESXi host is the only supported way to reset a password on ESXi&#8221;. You can use any current Linux Live CD or installer CD that has a recovery mode. 
In this example I&#8217;m using <a href=\"http:\/\/www.knopper.net\/knoppix\/index-en.html\">Knoppix<\/a>.<\/p>\n<ol>\n<li>Shut down the ESXi host<\/li>\n<li>Boot the system with the Linux Live CD<\/li>\n<li>Make sure that you can read the GPT partition table, for example with <strong>parted \/dev\/sda print<br \/>\n<\/strong><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18827\" src=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/recover-esxi-root-password-live-cd-parted-print.png\" sizes=\"auto, (max-width: 512px) 100vw, 512px\" srcset=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/recover-esxi-root-password-live-cd-parted-print.png 512w, http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/recover-esxi-root-password-live-cd-parted-print-300x144.png 300w\" alt=\"\" width=\"512\" height=\"246\" \/><\/li>\n<li>We are looking for the first fat16 partition with a size of 262MB. It should be number <strong>5<\/strong>.<\/li>\n<li>Mount the partition\n<pre># mount \/dev\/sda5 \/media\/sda5<\/pre>\n<\/li>\n<li>Verify that there is a current state.tgz in the directory.\n<pre># ls -l \/media\/sda5\/state.tgz<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18828\" src=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/recover-esxi-root-password-live-cd-state-tgz.png\" sizes=\"auto, (max-width: 575px) 100vw, 575px\" srcset=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/recover-esxi-root-password-live-cd-state-tgz.png 575w, http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/recover-esxi-root-password-live-cd-state-tgz-300x19.png 300w\" alt=\"\" width=\"575\" height=\"36\" \/><\/li>\n<li>The state.tgz file contains the local.tgz file which contains the configuration. 
Extract both to a temporary directory.\n<pre># cd \/tmp\/\n# cp \/media\/sda5\/state.tgz \/tmp\/state.tgz\n# tar -xf state.tgz\n# tar -xf local.tgz<\/pre>\n<\/li>\n<li>Edit the shadow file and remove the root password\n<pre># vi etc\/shadow<\/pre>\n<p>Remove the hashed password until the second colon:<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18829\" src=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/recover-esxi-root-password-live-cd-shadow-file.png\" sizes=\"auto, (max-width: 593px) 100vw, 593px\" srcset=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/recover-esxi-root-password-live-cd-shadow-file.png 593w, http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/recover-esxi-root-password-live-cd-shadow-file-300x78.png 300w\" alt=\"\" width=\"593\" height=\"155\" \/><br \/>\nYou want a file that looks like this:<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18830\" src=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/recover-esxi-root-password-live-cd-shadow-file2.png\" sizes=\"auto, (max-width: 585px) 100vw, 585px\" srcset=\"http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/recover-esxi-root-password-live-cd-shadow-file2.png 585w, http:\/\/www.virten.net\/wp-content\/uploads\/2017\/01\/recover-esxi-root-password-live-cd-shadow-file2-300x64.png 300w\" alt=\"\" width=\"585\" height=\"124\" \/><\/li>\n<li>Save the file and exit the editor (&lt;ESC&gt; :wq\u00a0&lt;ENTER&gt;)<\/li>\n<li>Recreate state.tgz with the changed shadow file\n<pre># tar -czf local.tgz etc\n# tar -czf state.tgz local.tgz<\/pre>\n<\/li>\n<li>Move state.tgz back to ESXi partition and make sure to overwrite the old file\n<pre># mv\u00a0state.tgz \/media\/sda5\/<\/pre>\n<\/li>\n<li>Reboot to ESXi. 
You should be able to access the DCUI or log in as root without a password.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Everyone knows the situation where you can&#8217;t log  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[31,306,317,321,322,432,582],"class_list":["post-1462","post","type-post","status-publish","format-standard","hentry","category-cloud-computing","tag-6-5","tag-vcenter","tag-vmware-2","tag-vsan","tag-vsphere","tag-432","tag-582"],"_links":{"self":[{"href":"https:\/\/www.wxcn.com\/index.php?rest_route=\/wp\/v2\/posts\/1462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wxcn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wxcn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wxcn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wxcn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1462"}],"version-history":[{"count":0,"href":"https:\/\/www.wxcn.com\/index.php?rest_route=\/wp\/v2\/posts\/1462\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.wxcn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wxcn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1462"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wxcn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}