diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/functions/LoginWithPasswordCredentials.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/functions/LoginWithPasswordCredentials.java
index 1521c557ce..5909404008 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/functions/LoginWithPasswordCredentials.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/functions/LoginWithPasswordCredentials.java
@@ -18,17 +18,15 @@
  */
 package org.jclouds.cloudstack.functions;
 
-import java.io.File;
-
-import javax.inject.Inject;
-import javax.inject.Singleton;
-
+import com.google.common.base.Function;
 import org.jclouds.cloudstack.domain.LoginResponse;
 import org.jclouds.cloudstack.features.SessionClient;
 import org.jclouds.crypto.CryptoStreams;
 import org.jclouds.domain.Credentials;
 
-import com.google.common.base.Function;
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import java.io.File;
 
 @Singleton
 public class LoginWithPasswordCredentials implements Function<Credentials, LoginResponse> {
@@ -42,7 +40,8 @@ public class LoginWithPasswordCredentials implements Function<Credentials, Login
    @Override
    public LoginResponse apply(Credentials input) {
       String username = input.identity;
-      String domain = "ROOT";
+      String domain = "";  // empty = ROOT domain
+
       // domain may be present
       if (username.indexOf('/') != -1) {
          File domainUsername = new File(username);
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/util/ApiKeyPairs.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/util/ApiKeyPairs.java
index 1a525cae15..9f03a1b9a6 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/util/ApiKeyPairs.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/util/ApiKeyPairs.java
@@ -27,7 +27,6 @@ import org.jclouds.cloudstack.domain.ApiKeyPair;
 import org.jclouds.cloudstack.domain.User;
 import org.jclouds.compute.ComputeServiceContext;
 import org.jclouds.compute.ComputeServiceContextFactory;
-import org.jclouds.crypto.CryptoStreams;
 import org.jclouds.rest.RestContextFactory;
 
 import java.util.Properties;
@@ -45,10 +44,14 @@ public class ApiKeyPairs {
    /**
     * Retrieve the API key pair for a given CloudStack user
     *
-    * @param endpoint CloudStack API endpoint (e.g. http://72.52.126.25/client/api/)
-    * @param username User account name
-    * @param password User password
-    * @param domain   Domain name. If empty defaults to ROOT
+    * @param endpoint
+    *          CloudStack API endpoint (e.g. http://72.52.126.25/client/api/)
+    * @param username
+    *          User account name
+    * @param password
+    *          User password
+    * @param domain
+    *          Domain name. If empty defaults to ROOT
     * @return
     */
    public static ApiKeyPair getApiKeyPairForUser(String endpoint, String username, String password, String domain) {
@@ -60,6 +63,7 @@ public class ApiKeyPairs {
          CloudStackClient client = CloudStackClient.class.cast(context.getProviderSpecificContext().getApi());
          Set<Account> listOfAccounts = client.getAccountClient().listAccounts();
 
+         domain = (domain.equals("") || domain.equals("/")) ? "ROOT" : domain;
          for (Account account : listOfAccounts) {
             for (User user : account.getUsers()) {
                if (user.getName().equals(username) && user.getDomain().equals(domain)) {
@@ -91,7 +95,7 @@ public class ApiKeyPairs {
       overrides.put(PROVIDER + ".endpoint", checkNotNull(endpoint, "endpoint"));
       overrides.put(PROVIDER + ".identity",
          String.format("%s/%s", checkNotNull(domain, "domain"), checkNotNull(username, "username")));
-      overrides.put(PROVIDER + ".credential", CryptoStreams.md5Hex(checkNotNull(password, "password")));
+      overrides.put(PROVIDER + ".credential", checkNotNull(password, "password"));
 
       return overrides;
    }
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SessionClientExpectTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SessionClientExpectTest.java
index c58f3ce0f4..887832b03c 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SessionClientExpectTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SessionClientExpectTest.java
@@ -18,13 +18,7 @@
  */
 package org.jclouds.cloudstack.features;
 
-import static org.jclouds.crypto.CryptoStreams.md5Hex;
-import static org.testng.Assert.assertEquals;
-
-import java.io.IOException;
-import java.net.URI;
-import java.net.URLEncoder;
-
+import com.google.common.collect.ImmutableMultimap;
 import org.jclouds.cloudstack.CloudStackContext;
 import org.jclouds.cloudstack.domain.Account;
 import org.jclouds.cloudstack.domain.LoginResponse;
@@ -32,11 +26,16 @@ import org.jclouds.http.HttpRequest;
 import org.jclouds.http.HttpResponse;
 import org.testng.annotations.Test;
 
-import com.google.common.collect.ImmutableMultimap;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URLEncoder;
+
+import static org.jclouds.crypto.CryptoStreams.md5Hex;
+import static org.testng.Assert.assertEquals;
 
 /**
  * Tests behavior of {@code SessionClient}
- * 
+ *
  * @author Andrei Savu
  */
 @Test(groups = "live", singleThreaded = true, testName = "SessionClientExpectTest")
@@ -44,42 +43,54 @@ public class SessionClientExpectTest extends BaseCloudStackRestClientExpectTest<
 
    @SuppressWarnings("deprecation")
    public void testLoginWhenResponseIs2xxIncludesJSessionId() throws IOException {
-       String domain = "Partners/jCloud";
-       String user = "jcloud";
-       String password = "jcl0ud";
-       String md5password = md5Hex(password);
+      String domain = "Partners/jCloud";
+      String user = "jcloud";
+      String password = "jcl0ud";
+      String md5password = md5Hex(password);
 
       HttpRequest request = HttpRequest.builder()
          .method("GET")
          .endpoint(
             URI.create("http://localhost:8080/client/api?response=json&command=login&" +
-               "username="+user+"&password=" + md5password+ "&domain=" + URLEncoder.encode(domain)))
+               "username=" + user + "&password=" + md5password + "&domain=" + URLEncoder.encode(domain)))
          .headers(
             ImmutableMultimap.<String, String>builder()
                .put("Accept", "application/json")
                .build())
          .build();
 
-       String jSessionId = "90DD65D13AEAA590ECCA312D150B9F6D";
+      String jSessionId = "90DD65D13AEAA590ECCA312D150B9F6D";
       SessionClient client = requestSendsResponse(request,
          HttpResponse.builder()
             .statusCode(200)
-                     .headers(
-            ImmutableMultimap.<String, String>builder()
-               .put("Set-Cookie", "JSESSIONID="+jSessionId+"; Path=/client")
-               .build())
+            .headers(
+               ImmutableMultimap.<String, String>builder()
+                  .put("Set-Cookie", "JSESSIONID=" + jSessionId + "; Path=/client")
+                  .build())
             .payload(payloadFromResource("/loginresponse.json"))
             .build());
 
       assertEquals(client.loginUserInDomainWithHashOfPassword(user, domain, md5password).toString(),
-
-      LoginResponse.builder().timeout(1800).lastName("Kiran").registered(false).username("jcloud").firstName("Vijay")
-               .domainId(11).accountType(Account.Type.DOMAIN_ADMIN).userId(19).sessionKey(
-                        "uYT4/MNiglgAKiZRQkvV8QP8gn0=").jSessionId(jSessionId).accountName("jcloud").build().toString());
+         LoginResponse.builder().timeout(1800).lastName("Kiran").registered(false).username("jcloud").firstName("Vijay")
+            .domainId(11).accountType(Account.Type.DOMAIN_ADMIN).userId(19).sessionKey(
+            "uYT4/MNiglgAKiZRQkvV8QP8gn0=").jSessionId(jSessionId).accountName("jcloud").build().toString());
    }
-   
-   //TODO: logout.
 
+   public void testLogout() throws IOException {
+      HttpRequest request = HttpRequest.builder()
+         .method("GET")
+         .endpoint(
+            URI.create("http://localhost:8080/client/api?response=json&command=logout&sessionkey=dummy-session-key"))
+         .build();
+
+      SessionClient client = requestSendsResponse(request,
+         HttpResponse.builder()
+            .statusCode(200)
+            .payload(payloadFromResource("/logoutresponse.json"))
+            .build());
+
+      client.logoutUser("dummy-session-key");
+   }
 
    @Override
    protected SessionClient clientFrom(CloudStackContext context) {
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SessionClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SessionClientLiveTest.java
index de80bfd726..77dd15ce6d 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SessionClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SessionClientLiveTest.java
@@ -19,6 +19,7 @@
 package org.jclouds.cloudstack.features;
 
 import org.jclouds.cloudstack.domain.Account;
+import org.jclouds.cloudstack.domain.LoginResponse;
 import org.jclouds.cloudstack.domain.User;
 import org.jclouds.cloudstack.util.ApiKeyPairs;
 import org.jclouds.crypto.CryptoStreams;
@@ -27,6 +28,7 @@ import org.testng.annotations.Test;
 import static org.jclouds.cloudstack.features.GlobalAccountClientLiveTest.createTestAccount;
 import static org.jclouds.cloudstack.features.GlobalUserClientLiveTest.createTestUser;
 import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertNotNull;
 
 /**
  * Tests behavior of {@code SessionClient}
@@ -50,10 +52,12 @@ public class SessionClientLiveTest extends BaseCloudStackClientLiveTest {
          String expectedUsername = prefix + "-user";
          assertEquals(testUser.getName(), expectedUsername);
 
+         checkLoginAsTheNewUser(expectedUsername);
+
          assertEquals(
             globalAdminClient.getUserClient().registerUserKeys(testUser.getId()),
-            ApiKeyPairs.getApiKeyPairForUser(System.getProperty("test.cloudstack.endpoint"),
-               prefix + "-user", CryptoStreams.md5Hex("password"), "/")
+            ApiKeyPairs.getApiKeyPairForUser(
+               System.getProperty("test.cloudstack.endpoint"), prefix + "-user", "password", "")
          );
 
       } finally {
@@ -63,4 +67,15 @@ public class SessionClientLiveTest extends BaseCloudStackClientLiveTest {
             globalAdminClient.getAccountClient().deleteAccount(testAccount.getId());
       }
    }
+
+   private void checkLoginAsTheNewUser(String expectedUsername) {
+      LoginResponse response = globalAdminClient.getSessionClient()
+         .loginUserInDomainWithHashOfPassword(expectedUsername, "", CryptoStreams.md5Hex("password"));
+
+      assertNotNull(response);
+      assertNotNull(response.getSessionKey());
+      assertNotNull(response.getJSessionId());
+
+      client.getSessionClient().logoutUser(response.getSessionKey());
+   }
 }
diff --git a/apis/cloudstack/src/test/resources/logoutresponse.json b/apis/cloudstack/src/test/resources/logoutresponse.json
new file mode 100644
index 0000000000..f88dddd3e7
--- /dev/null
+++ b/apis/cloudstack/src/test/resources/logoutresponse.json
@@ -0,0 +1 @@
+{ "logoutresponse" : { "description" : "success" } }
\ No newline at end of file