Troubleshooting permissions errors when connecting to an ESXi/ESX host with the vSphere Client

Products

VMware vSphere ESXi

Issue/Introduction

This article provides steps on troubleshooting permission problems when attempting to log in to an ESXi/ESX host. Outlining steps to test and resolve authentication issues.

Note: For more information on restarting the mgmt-vmware service before attempting any procedures in this article, see Restarting the Management agents on an ESXi or ESX host (1003490).

Symptoms:

Logging in to an ESXi/ESX host fails.
You are attempting to log in using a vSphere Client.
You cannot log in to an ESXi/ESX host with a vSphere Client.
You see error messages similar to:
- VMware Infrastructure Client could not establish a connection with server "<server>".
  
  Details: You do not have permission to login to the server: <server>.
- vSphere Client could not connect to "<server>"
  
  Details: You do not have permission to login to the server: <server>.

Environment

VMware vSphere ESXi 6.0
VMware ESXi 3.5.x Embedded
VMware ESX 4.1.x
VMware ESXi 4.1.x Embedded
VMware ESX Server 3.5.x
VMware ESX 4.0.x
VMware ESXi 4.1.x Installable
VMware ESXi 4.0.x Embedded
VMware vSphere ESXi 5.5
VMware vSphere ESXi 5.0
VMware vSphere ESXi 5.1
VMware ESXi 4.0.x Installable
VMware ESX Server 3.0.x
VMware ESXi 3.5.x Installable

Cause

This issue occurs when your Linux user account does not have permission to any object in the Inventory. When your Linux user account does not have permissions to log in to an ESXi/ESX host. By default, the root user on an ESXi/ESX host is the only group with permissions to login to the server with a vSphere Client. If you try to log in as a user who does not have assigned permissions (either directly or indirectly through a group), the login fails.

Resolution

Validate each troubleshooting step is true for your environment. Each step provides instructions or a link to a document, eliminating possible causes and outlining corrective action as necessary.

These steps are ordered in the most appropriate sequence to isolate the issue and identify a resolution. Do not skip a step:

Verify if the behavior is specific to the user, which has been added by attempting to log in to an ESXi/ESX host with another Linux user account.
If the behavior is specific to the user that has been added, add the appropriate permissions for the user that cannot login:
1. Log in with the local root account on an ESX/ESXi host.
2. To add the permissions for the user select an object from the inventory and click the Permissions tab.
3. On the permissions tab Right-click and select Add Permission.
  
  Notes:

- - In ESX Server 3i and above has Lockdown Mode, an enhanced security configuration when using vCenter Server/VirtualCenter.
  - When configured, Lockdown Mode prevents root from logging directly in to the ESXi host with the vSphere/Virtual Infrastructure Client.
    
    Confirm if Lockdown Mode is enabled and disable it:

Log in to vCenter Server/VirtualCenter as an administrator from the vSphere/Virtual Infrastructure Client.

Click the ESX/ESXi host from the inventory.

Click Configuration Tab > Security Profile link > Edit.

If Lockdown mode is enabled, uncheck Enable Lockdown Mode.

Click OK.

For more information, see Enabling or disabling Lockdown mode on an ESXi host (1008077).

Note: If your problem persists when you have attempted the steps in this article:

Gather the VMware Support Data. For more information, see Collecting diagnostic information for VMware ESXi.

File a support request with VMware Support and note this KB Article ID in the problem description. For more information, see How to Submit a Support Request.

Additional Information

Restarting the Management agents in ESXi
Collecting diagnostic information for VMware ESXi
Enabling or disabling Lockdown mode on an ESXi host
How to increase vSphere Clustering Service (vCLS) deployment timeouts for the ESX Agent Manager service