Searching for inventory in vCenter Server fails with the error: (403) Forbidden

Article ID: 313019

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Cannot perform an inventory search in vCenter Server after selecting the Use Windows Credentials option in the thick Client.
  • Searching for inventory in vCenter Server fails
  • You see the error:

    Login to the query service failed. Server could not interpret the communication to the client [remote server returned an error; (403) forbidden.
     
  • The user account has the required permissions to search vCenter Server for inventory
  • This issue does not occur when using the vSphere Web Client
  • This issue does not occur when you log in using the domain credentials or if the user account is granted the permissions individually, rather than as part of an AD group
  • In the ds.log file located on the vCenter Server virtual machine, you see entries similar to:

    [YYYY-DD-MM TIME http-nio-/0.0.0.0-10443-exec-5 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Computing permissions for Domain/Username
    [YYYY-DD-MM TIME,098 http-nio-/0.0.0.0-10443-exec-5 ERROR com.vmware.vim.vcauthorization.impl.PrincipalContextImpl] Failed to get group memembership
    com.vmware.vim.jwinauth.GroupNotFoundException:
    at com.vmware.vim.jwinauth.SSPI.IsGroupMember(Native Method)
    at com.vmware.vim.jwinauth.SSPIContext.isGroupMember(SSPIContext.java:117)
    at com.vmware.vim.vcauthorization.impl.PrincipalContextImpl.isMemberOfGroup(PrincipalContextImpl.java:49)
    at com.vmware.vim.vcauthorization.impl.AbstractPrincipal.matches(AbstractPrincipal.java:68)
    at com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl.getPermissionsForPrincipal(AuthorizationManagerImpl.java:709)
    at com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl.computePermissionTree(AuthorizationManagerImpl.java:646)
    at com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl.createUserData(AuthorizationManagerImpl.java:619)
    at com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl.getUserData(AuthorizationManagerImpl.java:552)
    at com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl.getUserDataAndIncrementUsage(AuthorizationManagerImpl.java:539)
    at com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl.notifyAdd(AuthorizationManagerImpl.java:469)
    at com.vmware.vim.vcauthorization.impl.UserSessionManagerImpl.addConnection(UserSessionManagerImpl.java:51)
    at com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper.addConnection(AuthenticationHelper.java:785)
    at com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper.addConnectionForSSPISession(AuthenticationHelper.java:741)
    at com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper.loginBySSPI(AuthenticationHelper.java:306)
    at com.vmware.vim.vcauthenticate.servlets.AuthenticationServlet.loginBySSPI(AuthenticationServlet.java:233)
    at com.vmware.vim.vcauthenticate.servlets.AuthenticationServlet.processRequest(AuthenticationServlet.java:120)
    at com.vmware.vim.vcauthenticate.servlets.AuthenticationServlet.doGet(AuthenticationServlet.java:93)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at com.vmware.vim.vmomi.server.http.impl.VlsiSslValve.invoke(VlsiSslValve.java:49)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:539)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1571)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)
    [YYYY-DD-MM TIME http-nio-/0.0.0.0-10443-exec-5 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Session count for user [after add]: SW\pss282 is 1
    [YYYY-DD-MM TIME http-nio-/0.0.0.0-10443-exec-5 INFO com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] User has no privileges.
    [YYYY-DD-MM TIME http-nio-/0.0.0.0-10443-exec-5 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Removed user data for: Domain/User
    [YYYY-DD-MM TIME http-nio-/0.0.0.0-10443-exec-5 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Session count for user [after remove]: Domain/User
    [YYYY-DD-MM TIME http-nio-/0.0.0.0-10443-exec-5 INFO com.vmware.vim.vcauthenticate.servlets.AuthenticationServlet] Sending security error because of exception : com.vmware.vim.vcauthenticate.exception.NoPrivilegesException

    [YYYY-DD-MM TIME OOB-3,vCenter INFO com.vmware.vim.query.server.query.impl.ServiceImpl] Sending terminate response for message:845


Cause

This issue occurs if group names contain special characters when you search for inventory. The Inventory Service does not accept group names with special characters.

Resolution

This is a known issue affecting vCenter Server.
 
This issue is resolved in vCenter Server 5.1 Update, available at VMware Downloads.


Additional Information

To examine the ds.log:

vCenter Windows version:

  1. Connect to the vCenter Server virtual machine via console or Windows Remote Desktop Connection.
  2. Browse the file manager to find the log files at the following location:

    C:\ProgramData\VMware\Infrastructure\Inventory Service\Logs


  3. Open ds.log using a text editor.

vCenter Appliance version:

  1. Connect to the vCenter Server virtual machine via console or SSH Connection.
  2. Run the following command:

    # cat /storage/log/vmware/vpx/inventoryservice/ds.log |less
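
To confirm that a 403 matches this article rather than a genuine lack of permissions, correlate the group-lookup failure with the denial that follows it on the same request thread. The Python script below is an added example, not VMware code: the record layout is inferred from the log excerpt under Symptoms, and the timestamps and account names in SAMPLE are constructed.

```python
import re
import sys

# Record header as it appears in the excerpt: [<timestamp> <thread> <LEVEL> <class>] <message>
# (layout inferred from this article's log sample; the leading "[" is treated as optional).
HEADER = re.compile(
    r"^\[?(?P<ts>.*?) (?P<thread>\S+)\s+(?P<level>INFO|ERROR|WARN|DEBUG)\s+"
    r"(?P<cls>[\w.$]+)\]\s*(?P<msg>.*)$")
PREFIX = "Computing permissions for "

def find_group_lookup_denials(lines):
    """Return logins denied on the same thread right after a failed group lookup."""
    state, findings, last_thread = {}, [], None
    for raw in lines:
        line = raw.strip()
        m = HEADER.match(line)
        if not m:
            # Stack-trace continuation: attribute it to the preceding record's thread.
            if last_thread and "GroupNotFoundException" in line:
                state[last_thread]["group_error"] = True
            continue
        thread, msg = m["thread"], m["msg"]
        last_thread = thread
        st = state.setdefault(thread, {"principal": None, "group_error": False})
        if msg.startswith(PREFIX):
            st.update(principal=msg[len(PREFIX):], group_error=False)
        elif m["level"] == "ERROR" and "Failed to get group" in msg:
            st["group_error"] = True
        elif st["group_error"] and ("User has no privileges" in msg
                                    or "NoPrivilegesException" in msg):
            findings.append({"time": m["ts"], "thread": thread,
                             "principal": st["principal"]})
            st.update(principal=None, group_error=False)  # report each login once
    return findings

# Constructed sample (timestamps and account names are made up for this example).
SAMPLE = r"""
[2014-02-01 10:00:00,001 http-nio-/0.0.0.0-10443-exec-5 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Computing permissions for EXAMPLE\jdoe
[2014-02-01 10:00:00,050 http-nio-/0.0.0.0-10443-exec-7 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Computing permissions for EXAMPLE\guest
[2014-02-01 10:00:00,098 http-nio-/0.0.0.0-10443-exec-5 ERROR com.vmware.vim.vcauthorization.impl.PrincipalContextImpl] Failed to get group memembership
com.vmware.vim.jwinauth.GroupNotFoundException:
at com.vmware.vim.jwinauth.SSPI.IsGroupMember(Native Method)
[2014-02-01 10:00:00,120 http-nio-/0.0.0.0-10443-exec-7 INFO com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] User has no privileges.
[2014-02-01 10:00:00,140 http-nio-/0.0.0.0-10443-exec-5 INFO com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] User has no privileges.
[2014-02-01 10:00:00,150 http-nio-/0.0.0.0-10443-exec-5 INFO com.vmware.vim.vcauthenticate.servlets.AuthenticationServlet] Sending security error because of exception : com.vmware.vim.vcauthenticate.exception.NoPrivilegesException
""".splitlines()

if __name__ == "__main__":
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for hit in find_group_lookup_denials(source):
        print("{time}  {principal}  denied after group lookup failure ({thread})".format(**hit))
```

Pass the path to ds.log as the only argument. A denial with no preceding group-lookup error on its thread (EXAMPLE\guest in the sample) is not reported, because that pattern points to missing permissions rather than to this issue.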

A similar issue is seen on vCenter Server 5.5. For more information, see After enabling Virtual Flash, VMware vCenter Server 5.5 consumes most of the CPU, memory, or disk I/O (2072392).