Users or groups are unable to log in to vCenter Server after restarting the VMware VirtualCenter Server service

Article ID: 308836

Products

VMware vCenter Server

Issue/Introduction


Symptoms:
  • Users or groups are unable to log in to vCenter Server after restarting the VMware VirtualCenter Server service.
  • The VPX_ACCESS table within the vCenter Server database is empty or does not contain entries for users or groups for a configured identity source.
  • The vpxd.log file, located at C:\ProgramData\VMware\VMware VirtualCenter\Logs\ on vCenter Server, may contain errors similar to:

    [7FFFF3B09700 error 'Default'] Removing invalid permission 8001: user Domain\user not found
    [7FFFF3B09700 warning 'Default'] Removing permission for entity "group-d1", user "Domain\user", role -2. Reason: User or group not found
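
The two log entries above can be inventoried to see which permissions were removed and whether a whole domain was affected at once, which is what an unreachable identity source looks like. This is an added example, not VMware code; the sample lines, the timestamp prefix, the principal names, the function names and the `min_principals` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Patterns follow the two vpxd.log lines quoted in this article; a timestamp
# before the '[' is tolerated because search() is not anchored at line start.
ERR = re.compile(r"\[\S+ error '[^']*'\] Removing invalid permission (?P<perm>\d+): "
                 r"user (?P<principal>.+?) not found\s*$")
WARN = re.compile(r"\[\S+ warning '[^']*'\] Removing permission for entity "
                  r"\"(?P<entity>[^\"]+)\", user \"(?P<principal>[^\"]+)\", "
                  r"role (?P<role>-?\d+)\. Reason: (?P<reason>.+?)\s*$")

def parse_removals(lines):
    """One dict per removed permission; the error line is paired with the
    warning line that follows it for the same principal."""
    events, pending = [], None
    for line in lines:
        if m := ERR.search(line):
            pending = {"perm_id": int(m["perm"]), "principal": m["principal"],
                       "entity": None, "role": None, "reason": None}
            events.append(pending)
        elif m := WARN.search(line):
            if pending is None or pending["principal"] != m["principal"]:
                # Warning seen without its error line: record it anyway.
                pending = {"perm_id": None, "principal": m["principal"]}
                events.append(pending)
            pending.update(entity=m["entity"], role=int(m["role"]), reason=m["reason"])
            pending = None
    return events

def domains_with_mass_removal(events, min_principals=3):
    """Domains that lost permissions for many distinct principals in one log,
    as opposed to a single stale account. The threshold is an assumption."""
    seen = defaultdict(set)
    for e in events:
        domain, sep, _ = e["principal"].partition("\\")
        seen[domain if sep else "(no domain)"].add(e["principal"].lower())
    return sorted(d for d, users in seen.items() if len(users) >= min_principals)

# Constructed sample lines in the format shown above (not real log data).
SAMPLE_LOG = r'''
2014-01-10T08:00:01.100Z [7FFFF3B09700 error 'Default'] Removing invalid permission 8001: user CORP\alice not found
2014-01-10T08:00:01.101Z [7FFFF3B09700 warning 'Default'] Removing permission for entity "group-d1", user "CORP\alice", role -2. Reason: User or group not found
2014-01-10T08:00:01.200Z [7FFFF3B09700 error 'Default'] Removing invalid permission 8002: user CORP\bob not found
2014-01-10T08:00:01.201Z [7FFFF3B09700 warning 'Default'] Removing permission for entity "group-d1", user "CORP\bob", role -1. Reason: User or group not found
2014-01-10T08:00:01.300Z [7FFFF3B09700 error 'Default'] Removing invalid permission 8003: user CORP\vc admins not found
2014-01-10T08:00:01.400Z [7FFFF3B09700 info 'Default'] unrelated line
[7FFFF3B09700 warning 'Default'] Removing permission for entity "group-d1", user "LAB\carol", role -2. Reason: User or group not found
'''
```

The per-event list gives the entity, principal and role of each removed permission, which can be compared against the VPX_ACCESS rows in the restored backup.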


Environment

VMware vCenter Server 5.1.x
VMware vCenter Server 5.5.x
VMware vCenter Server 5.0.x

Cause

During startup, vCenter Server validates all permission objects within the VPX_ACCESS table of the vCenter Server database. If vCenter Server is unable to find the user or group associated with a permission object, all permission objects are deleted. This issue can occur if vSphere Single Sign-On is unable to contact an identity source when the VMware VirtualCenter service is starting.

This behavior is modified to stop removing permission objects during startup in these versions of vCenter Server:

  • vCenter Server 5.0 Update 3 and later
  • vCenter Server 5.1 Update 2 and later
  • vCenter Server 5.5 GA and later

To update this behavior, upgrade to the latest version of:
For more information, see the:

Note: This change only impacts the startup behavior of vCenter Server. A validation check of all permission objects still occurs every 24 hours, and vCenter Server removes any permission objects for which a user or group is not found.

Resolution

To resolve this issue, restore vCenter Server permissions from a previous backup of the vCenter Server Database.

Notes:

  • It is possible to restore the vCenter Server permissions if a backup of the vCenter Server database is available before the permission objects were removed from the VPX_ACCESS table. This process involves the use of these databases:

    • vCenterDB – The current, running version of the vCenter Server database
    • vCenterBackupDB – A restored backup of the vCenter Server database before the permission objects were removed
    • TempvCenterDB – A temporary database used for recovery that gets destroyed after the recovery process

  • The steps reference the generic names provided for each database type and use commands in Microsoft SQL Management Studio. The names and commands may vary based upon the configuration of your environment. It is highly recommended to engage your Database Administrator before proceeding.

To restore vCenter Server permissions from a previous backup of the vCenter Server database:

  1. Stop the VMware VirtualCenter Server service.

    For more information, see Stopping, starting, or restarting VMware vCenter Server services (1003895).

  2. Restore a backup of the vCenter Server database to a temporary database:

    1. Open a Microsoft SQL Management Studio connection to the SQL Server instance in which the vCenter Server database resides.
    2. Right-click the location to which the database backup must be stored and click Restore Database.
    3. In the To Database field, enter TempvCenterDB.
    4. In the From Database field, select the name of your vCenter Server database.

      Note: In this case, the vCenter Server database is vCenterDB.

    5. Select the backup file to restore, ensuring that it was created before the permission objects were removed.
    6. Click OK to begin the restore process.

  3. Strip all data from the VPX_ACCESS table in the original vCenter Server database:

    1. Open a Microsoft SQL Management Studio connection to the SQL Server instance in which the vCenter Server database resides.
    2. Select New Query and enter this query:

      USE vCenterDB
      GO
      TRUNCATE TABLE vpx_access


    3. Click Execute.

  4. Drop the VPX_ACCESS constraints:

    1. In Microsoft SQL Management Studio, select New Query and enter this query:

      USE vCenterDB
      GO
      IF EXISTS (SELECT * FROM sys.foreign_keys WHERE object_id = OBJECT_ID(N'[dbo].[FK_VPX_ACCE_REF_VPX_ENTI]') AND parent_object_id = OBJECT_ID(N'[dbo].[VPX_ACCESS]'))
      ALTER TABLE [dbo].[VPX_ACCESS] DROP CONSTRAINT [FK_VPX_ACCE_REF_VPX_ENTI]
      GO

    2. Click Execute.

  5. Import the old VPX_ACCESS data from the temporary database:

    1. In Microsoft SQL Management Studio, select New Query and enter this query:

      INSERT INTO vCenterDB.[dbo].[VPX_ACCESS]
      SELECT * FROM TempvCenterDB.[dbo].[VPX_ACCESS]


    2. Click Execute.

  6. Recreate the VPX_ACCESS constraints:

    1. In Microsoft SQL Management Studio, select New Query and enter this query:

      USE vCenterDB
      GO
      ALTER TABLE [dbo].[VPX_ACCESS] WITH CHECK ADD CONSTRAINT [FK_VPX_ACCE_REF_VPX_ENTI] FOREIGN KEY([ENTITY_ID])
      REFERENCES [dbo].[VPX_ENTITY] ([ID])
      ON DELETE CASCADE
      GO

      ALTER TABLE [dbo].[VPX_ACCESS] CHECK CONSTRAINT [FK_VPX_ACCE_REF_VPX_ENTI]
      GO


    2. Click Execute.

  7. Start the VMware VirtualCenter Server service.

    For more information, see Stopping, starting, or restarting VMware vCenter Server services (1003895).


Additional Information

vCenter Server also deletes any permission objects for users that it cannot validate in Active Directory every 24 hours. This behavior remains unchanged in vCenter Server 5.0 Update 3 and vCenter Server 5.1 Update 2.


To disable Active Directory validation in the vSphere Client:
  1. Connect to each vCenter Server using the vSphere Client.
  2. Select Administration > vCenter Server Settings.
  3. Select Active Directory.
  4. Deselect the Enable Validation option.
  5. Click OK to save the changes.

To disable Active Directory validation in the vSphere Web Client:
  1. Connect to each vCenter Server using the vSphere Web Client.
  2. Click the Manage tab.
  3. Click the Settings tab and click Edit.
  4. Select the User Directory on the left pane.
  5. Deselect the Validation option.

How to stop, start, or restart vCenter Server services