After upgrading vCenter from 6.7 to 7.0U2, vSphere Client displays "[500] An error occurred while fetching identity providers."

Article ID: 305765

Products

VMware vCenter Server

Issue/Introduction

After successfully upgrading vCenter from 6.7 to 7.0U2, when attempting to access the vSphere Client, the login screen displays "[500] An error occurred while fetching identity providers. Try again. If problem persists, contact your administrator."


The following error is logged in /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log:

yyyy-MM-DDTHH:MM:SS [ERROR] http-nio-5090-exec-5    70000017 100003 ###### com.vmware.vsphere.client.security.oauth2.LoginRequestHandler     An error occurred while fetching providers com.vmware.vapi.std.errors.Unauthorized: Unauthorized (com.vmware.vapi.std.errors.unauthorized) => {
messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
id = com.vmware.vapi.authorization.permission.denied,
defaultMessage = Permission to perform this operation was denied.


The corresponding authorization failure is logged in /var/log/vmware/trustmanagement/trustmanagement-svcs.log:

yyyy-MM-DDTHH:MM:SSZ [tomcat-exec-26  WARN  com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingBase  opId=] Asynchronous execution requested but no Executor configured. The request will be executed as synchronous one.
yyyy-MM-DDTHH:MM:SSZ [tomcat-exec-26  ERROR com.vmware.vcenter.trustmanagement.vapi.impl.setup.AuthzPermissionValidator  opId=] User vsphere.local\vsphere-webclient-4c0050c8-4bd7-4d33-94f6-a2589323dfdf who belongs to groups [vsphere.local\SolutionUsers, vsphere.local\Everyone, vsphere.local\ActAsUsers, vsphere.local\Administrators, vsphere.local\vSphereClientSolutionUsers, vsphere.local\LicenseService.Administrators, vsphere.local\SystemConfiguration.Administrators] has no required privileges [VcIdentityProviders.Manage, VcIdentityProviders.Read] to invoke API com.vmware.vcenter.identity.providers.list

Environment

VMware vCenter Server 7.0.2

Cause

The vSphere Client (webclient) solution user does not hold the role, and therefore the privileges (VcIdentityProviders.Manage and VcIdentityProviders.Read), required to invoke the API com.vmware.vcenter.identity.providers.list.


Resolution

To provide the correct role and privileges to the vSphere Client solution user, follow the steps below.

  1. Take a powered-off snapshot of the vCenter. If the vCenter is in Enhanced Linked Mode (ELM), take powered-off snapshots of all vCenters in the SSO domain.
  2. Connect to JXplorer.
  3. Once connected to JXplorer, navigate to the following location in the left-hand side panel:
    • World > local > vsphere > Services > VmwAuthz > AclModel
  4. Review the following two components:
    • VSPHERE.LOCAL%5CvSphereClientSolutionUsers@true@urn%3Aacl%3Aglobal%3Apermissions
    • VSPHERE.LOCAL%5Cvsphere-webclient-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx@false@urn%3Aacl%3Aglobal%3Apermissions
    • Note: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx is a string unique to the vCenter.
  5. On the right-hand side, click "Table Editor."
  6. Review and record the value of the attribute "vmwAuthzPermissionRoleId" for each component.
  7. The value of vmwAuthzPermissionRoleId for both components should be 1003. If the value differs (for example, 475886254), that role will be deleted in the steps below.
  8. Review and confirm that RoleID 1003 exists by navigating to:
    • World > local > vsphere > Services > VmwAuthz > RoleModel
  9. Confirm that RoleID 1003 has the privileges shown in the screenshot (the trustmanagement log above names VcIdentityProviders.Manage and VcIdentityProviders.Read as the privileges the API requires).
  10. If the two components mentioned in Step 4 do not have vmwAuthzPermissionRoleId = 1003, update the value for both components:
    1. Navigate back to World > local > vsphere > Services > VmwAuthz > AclModel.
    2. In the Table Editor view, select the current vmwAuthzPermissionRoleId value (for example, 475886254) and replace it with 1003.
    3. Click Submit at the bottom to save.
  11. Delete the stale RoleID entry (for example, 475886254) under World > local > vsphere > Services > VmwAuthz > RoleModel.
  12. Restart the vCenter Server services.
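The manual JXplorer checks above (record each component's vmwAuthzPermissionRoleId, confirm RoleID 1003 exists, identify the stale role to delete) can be run against an LDIF export of the VmwAuthz subtree instead of reading the Table Editor by eye. The script below is an added example and is not part of this article or a VMware tool. It assumes the directory DNs follow the JXplorer tree path shown above (cn=AclModel / cn=RoleModel under cn=VmwAuthz,cn=Services,dc=vsphere,dc=local); that layout, the placeholder solution-user suffix of zeros, and the embedded LDIF sample are all constructed for the example. The attribute name and entry names are the ones the article shows.

```python
import re
from typing import Dict, List

# Assumed DN layout, derived from the JXplorer path in the article:
# World > local > vsphere > Services > VmwAuthz > AclModel / RoleModel
ACL_CONTAINER = "cn=AclModel,cn=VmwAuthz,cn=Services,dc=vsphere,dc=local"
ROLE_CONTAINER = "cn=RoleModel,cn=VmwAuthz,cn=Services,dc=vsphere,dc=local"
EXPECTED_ROLE_ID = "1003"   # the role both vSphere Client ACL entries must reference

# Entry names from the article; the webclient suffix is a placeholder, not a real id.
SOLUTION_USERS_CN = ("VSPHERE.LOCAL%5CvSphereClientSolutionUsers@true"
                     "@urn%3Aacl%3Aglobal%3Apermissions")
WEBCLIENT_CN = ("VSPHERE.LOCAL%5Cvsphere-webclient-00000000-0000-0000-0000-000000000000"
                "@false@urn%3Aacl%3Aglobal%3Apermissions")

# Constructed LDIF sample standing in for an export of the two containers.
# The second dn is folded across lines the way LDAP tools wrap long values.
SAMPLE_LDIF = f"""\
dn: cn={SOLUTION_USERS_CN},{ACL_CONTAINER}
cn: {SOLUTION_USERS_CN}
vmwAuthzPermissionRoleId: 1003

dn: cn=VSPHERE.LOCAL%5Cvsphere-webclient-00000000-0000-0000-0000-000000000000@fals
 e@urn%3Aacl%3Aglobal%3Apermissions,{ACL_CONTAINER}
cn: {WEBCLIENT_CN}
vmwAuthzPermissionRoleId: 475886254

dn: cn=1003,{ROLE_CONTAINER}
cn: 1003

dn: cn=475886254,{ROLE_CONTAINER}
cn: 475886254
"""

# Matches the two vSphere Client ACL entries named in the article (any webclient suffix).
VSPHERE_CLIENT_ACL = re.compile(
    r"^VSPHERE\.LOCAL%5C(vSphereClientSolutionUsers|vsphere-webclient-[0-9a-f-]+)@"
    r"(true|false)@urn%3Aacl%3Aglobal%3Apermissions$", re.IGNORECASE)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space) and returns
    one attribute dict per entry, with 'dn' stored as a single-value list."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current = None
    for line in unfolded:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_acl(ldif_text: str) -> dict:
    """Reproduces the article's checks: which vSphere Client ACL entries do not point
    at role 1003, whether role 1003 exists, which stale roles can be deleted, and
    whether any other ACL entry still references a stale role (a reason not to delete it)."""
    role_ids: Dict[str, str] = {}            # vSphere Client ACL cn -> current role id
    other_refs: Dict[str, List[str]] = {}    # role id -> non-vSphere-Client ACL entries using it
    defined_roles = set()
    for e in parse_ldif(ldif_text):
        dn, cn = e["dn"][0], e.get("cn", [""])[0]
        if dn.lower().endswith("," + ACL_CONTAINER.lower()):
            role = e.get("vmwAuthzPermissionRoleId", [""])[0]
            if VSPHERE_CLIENT_ACL.match(cn):
                role_ids[cn] = role
            else:
                other_refs.setdefault(role, []).append(cn)
        elif dn.lower().endswith("," + ROLE_CONTAINER.lower()):
            defined_roles.add(cn)
    needs_update = [cn for cn, rid in role_ids.items() if rid != EXPECTED_ROLE_ID]
    stale = sorted({role_ids[cn] for cn in needs_update})
    return {
        "role_ids": role_ids,
        "needs_update": needs_update,
        "expected_role_exists": EXPECTED_ROLE_ID in defined_roles,
        "stale_roles_to_delete": [r for r in stale if r in defined_roles],
        "still_referenced": {r: other_refs[r] for r in stale if r in other_refs},
    }


if __name__ == "__main__":
    report = audit_acl(SAMPLE_LDIF)
    for cn, rid in report["role_ids"].items():
        state = "OK" if rid == EXPECTED_ROLE_ID else f"update to {EXPECTED_ROLE_ID}"
        print(f"{cn}\n    vmwAuthzPermissionRoleId={rid}  [{state}]")
    print("RoleID 1003 present:", report["expected_role_exists"])
    print("Stale roles safe to delete:", report["stale_roles_to_delete"])
    print("Stale roles still referenced elsewhere:", report["still_referenced"])
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; an entry listed under "still_referenced" means another principal also uses the stale role, so repoint that entry before deleting the role.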



Additional Information

Impact/Risks:

A restart of vCenter Server services is required.