Post vCenter Upgrade to 8.0U2, SPS service account does not belong to Administrators group.

Article ID: 311935

Updated On: 03-13-2025

Products

VMware vCenter Server, VMware vCenter Server 7.0, VMware vCenter Server 8.0

Issue/Introduction

This article helps users when this issue occurs. Users cannot perform vCenter operations until the SPS service account belongs to the Administrators group.

Symptoms: Users are unable to perform OVA/OVF deployment and other vCenter operations.

sps.log : /storage/log/vmware/vmware-sps/sps.log

The failure occurs because the SPS service account does not belong to the Administrators group.

YYYY-MM-DDTHH:MM:SS [main] ERROR opId=sps-Main-565273-239 com.vmware.vim.storage.common.serviceclient.vpxd.impl.VpxdClientImpl - Failed to retrieve service content
YYYY-MM-DDTHH:MM:SS [main] ERROR opId=sps-Main-565273-239 com.vmware.vim.storage.common.task.retry.CallableRetryDecorator - Caught exception -
com.vmware.vim.storage.common.serviceclient.vpxd.VpxdException: Error occurred while retrieving service content
        at com.vmware.vim.storage.common.serviceclient.vpxd.VpxdException.fromEx(VpxdException.java:53) ~[storage-commons-1.0.jar:?]
        at com.vmware.vim.storage.common.serviceclient.vpxd.impl.VpxdClientImpl.checkAndLoadServiceInstanceContent(VpxdClientImpl.java:124) ~[storage-commons-1.0.jar:?]
        at com.vmware.vim.storage.common.serviceclient.vpxd.impl.VpxdClientImpl.loginByToken(VpxdClientImpl.java:158) ~[storage-commons-1.0.jar:?]

 

Cause

In a vCenter ELM setup, this issue occurs when the first vCenter is upgraded to the 8.0U2 target (which has the fix) while the other vCenter partners in the ELM remain at 7.x release versions (which do not have the fix).

Resolution

This issue has been resolved in vCenter Server 7.0 U3q. To download, go to the Broadcom Support Portal.

To resolve the issue, follow any one of the options below.

Option 1:

To address this issue temporarily, re-add the respective service account to the necessary group. Using the SPS service account as an example, follow these steps:

1. Take offline snapshots of all vCenters in the ELM setup.
2. Access the vCenter in question via SSH with root privileges.
3. Run the following commands to check whether the SPS user is in all of these groups:
  /usr/lib/vmware-vmafd/bin/dir-cli group list --name Administrators
  /usr/lib/vmware-vmafd/bin/dir-cli group list --name ServiceProviderUsers
  /usr/lib/vmware-vmafd/bin/dir-cli group list --name ActAsUsers

     For example, running:
  /usr/lib/vmware-vmafd/bin/dir-cli group list --name ServiceProviderUsers
     returns output similar to:
  CN=sps-xx-xx-xx-xx-xx,cn=xyz,dc=vcenter,dc=xyz
     Note the "sps-xx-xx-xx-xx-xx" section.
     When this issue is present, the SPS user is missing from the Administrators group listing.
 
4. Run the following commands to add the SPS service account to the Administrators group:
  /usr/lib/vmware-vmafd/bin/dir-cli group modify --name Administrators --add sps-xx-xx-xx-xx-xx
5. Restart the SPS services using: service-control --stop sps && service-control --start sps
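
The check in step 3, as an added read-only example that is not part of the original article or of VMware's tooling: it lists every sps-* account found in ServiceProviderUsers and reports which of the three groups lack it, which also covers a listing with more than one sps- entry. The helper names (LIST_CMD, sample_list and the functions) and the sample listings are constructed; it assumes one DN per line, as in the article's example output.

```shell
# Added example: read-only report of sps-* accounts missing from the step 3 groups.
DIR_CLI=/usr/lib/vmware-vmafd/bin/dir-cli            # path from the article
CHECK_GROUPS="Administrators ServiceProviderUsers ActAsUsers"

# Real listing; dir-cli prompts for the SSO administrator password per call.
dir_cli_list() { "$DIR_CLI" group list --name "$1"; }

# Constructed sample listings (not real output) so the script runs offline.
sample_list() {
    a=sps-11111111-2222-3333-4444-555555555555
    b=sps-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
    case "$1" in
        Administrators) echo "CN=Administrator,cn=xyz,dc=vcenter,dc=xyz" ;;
        *)              echo "CN=$a,cn=xyz,dc=vcenter,dc=xyz" ;;
    esac
    echo "CN=$b,cn=xyz,dc=vcenter,dc=xyz"
}

# Use dir-cli on the appliance, the constructed sample everywhere else.
LIST_CMD=dir_cli_list
[ -x "$DIR_CLI" ] || LIST_CMD=sample_list

# stdin: a group listing (one DN per line); stdout: the sps-* account names in it.
sps_accounts() {
    sed -n 's/.*[Cc][Nn]=\(sps-[^,]*\),.*/\1/p' | sort -u
}

# Exit 0 if account $1 appears as a CN in the listing on stdin.
is_member() {
    awk -v acct="$1" '
        index(tolower($0), "cn=" tolower(acct) ",") { found = 1 }
        END { exit !found }'
}

# Print each checked group that does not list account $1.
missing_groups() {
    for g in $CHECK_GROUPS; do
        "$LIST_CMD" "$g" | is_member "$1" || printf '%s\n' "$g"
    done
}

# One line per gap: MISSING <account> <group>
report() {
    for acct in $("$LIST_CMD" ServiceProviderUsers | sps_accounts); do
        for g in $(missing_groups "$acct"); do
            printf 'MISSING %s %s\n' "$acct" "$g"
        done
    done
}
report
```

A MISSING line for Administrators is the condition that step 4 corrects; the script itself changes no group membership.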
 

Option 2:

1. Remove the cache of the sps user account: rm /var/cache/svcaccounts/sps/.sps
2. Restart the sps service: vmon-cli --restart sps