Registering a vSphere Replication appliance to vCenter Server Fails
Article ID: 316333

Products

VMware vCenter Server

Issue/Introduction

  • The registration process fails when attempting to deploy and register a vSphere Replication appliance to vCenter Server. Attempting to register via the command line produces the following error:

vSphere Replication Appliance configuration error:Unable to create solution user.
Details: Failed to create service account
[ msgId: com.vmware.vr.config.unable_to_create_user; value: null; errorStacktrace : com.vmware.vapi.std.errors.InternalServerError: InternalServerError (com.vmware.vapi.std.errors.internal_server_error) => {
    messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
    id = com.vmware.vapi.authorization.permission.error,
    defaultMessage = Could not validate permission information for operation com.vmware.vcenter.svcaccountmgmt.service_account.create invocation.,
    args = [com.vmware.vcenter.svcaccountmgmt.service_account.create],
    params = <null>,
    localized = <null>
}],
  • In /var/log/vmware/sso/svcaccountmgmt.log, the following error is observed:

YYYY-MM-DDTHH:MM:SS ERROR svcaccountmgmt[68:tomcat-http--21] [CorId=bf909c43-b238-4773-aac8-4e1516d91aaa OpId=] [com.vmware.vapi.authz.impl.AuthorizationFilter] Could not validate permission information for operation com.vmware.vcenter.svcaccountmgmt.service_account.create invocation.
  • In /var/log/vmware/vpxd-svcs/vpxd-svcs.log, the following error is observed:

YYYY-MM-DDTHH:MM:SS [authz-service-1 [] WARN  com.vmware.cis.core.authz.accesscontrol.impl.CheckPrivilegesRouterRiseImpl  opId=33ef3237-3268-4110-b0ea-93a030258d1c IS] User VSPHERE.LOCAL\serviceaccountmgmt-<UUID> does not have privileges [System.View] on object urn%3Aacl%3Aglobal%3Apermissions


Note that <UUID> is a unique identifier in your environment.

Environment

  • VMware vCenter Server 7.x
  • VMware vCenter Server 8.x

Cause

This occurs because the Solution User (VSPHERE.LOCAL\serviceaccountmgmt-<UUID>) is not a member of the required groups, so the service_account.create operation fails its System.View permission check.

Resolution

Note: Before applying the steps below, take a backup or an offline snapshot (in the powered-off state) of the vCenter Server Appliance. If the vCenter is part of an Enhanced Linked Mode replication setup, back up or snapshot all replicating nodes as well. Refer to: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice

Follow these steps to fix the issue:

  • To determine the name of the account, review the /var/log/vmware/vpxd-svcs/vpxd-svcs.log file. The name looks like: VSPHERE.LOCAL\serviceaccountmgmt-<UUID>

Note that the UUID is a long string unique to your environment. Copy the exact value from the log.

  • Verify whether the account is present in the following groups: ActAsUsers, SolutionUsers, and ReadOnlyUsers
  • This can be checked via the UI or via the command line. Execute the following commands on the vCenter Server Appliance:
    • /usr/lib/vmware-vmafd/bin/dir-cli group list --name ActAsUsers
    • /usr/lib/vmware-vmafd/bin/dir-cli group list --name SolutionUsers
    • /usr/lib/vmware-vmafd/bin/dir-cli group list --name ReadOnlyUsers

You will be prompted for the SSO Administrator password. Each command lists the members of one group.

  • For each group where the account is missing, run the following command to add the account:
    • /usr/lib/vmware-vmafd/bin/dir-cli group modify --name <GROUPNAME> --add serviceaccountmgmt-<UUID>

Note: Replace <GROUPNAME> with the name of the group you are modifying and <UUID> with the UUID from your environment.

  • Restart the vCenter services: service-control --stop --all && service-control --start --all
  • Register the vSphere Replication appliance again.
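The membership check and fix above, as an added shell script that is not VMware's code: it pulls the serviceaccountmgmt-<UUID> name out of vpxd-svcs.log, lists each required group with dir-cli, and reports (or with --fix, adds) the missing memberships. It assumes the KB's file paths and that it runs as root on the appliance; group listings are matched on the bare account name, so the exact dir-cli output layout is not assumed.

```shell
#!/bin/bash
# Added example, not VMware's code. Paths are those named in the KB article.
VPXD_SVCS_LOG="/var/log/vmware/vpxd-svcs/vpxd-svcs.log"
DIR_CLI="/usr/lib/vmware-vmafd/bin/dir-cli"
REQUIRED_GROUPS="ActAsUsers SolutionUsers ReadOnlyUsers"

# Print the first serviceaccountmgmt-<UUID> account name found in the text on stdin.
extract_account() {
  grep -o 'serviceaccountmgmt-[0-9a-fA-F-]\{36\}' | head -n 1
}

# Read a group member listing on stdin; succeed if the account appears in it.
# Matching the bare name tolerates a domain prefix or @vsphere.local suffix.
is_member() {
  grep -q -- "$1"
}

# Print, one per line, each required group whose listing lacks the account.
# $2 is a command that prints the members of the group named in its argument,
# so the logic can be exercised with a stand-in lister as well as dir-cli.
missing_groups() {
  local account="$1" lister="$2" group
  for group in $REQUIRED_GROUPS; do
    if ! "$lister" "$group" | is_member "$account"; then
      echo "$group"
    fi
  done
}

# Real lister: prompts for the SSO administrator password on each call.
dircli_list() {
  "$DIR_CLI" group list --name "$1"
}

# Only touch the live system when asked: --check reports, --fix also adds.
if [ "${1:-}" = "--check" ] || [ "${1:-}" = "--fix" ]; then
  acct="$(extract_account < "$VPXD_SVCS_LOG")"
  if [ -z "$acct" ]; then
    echo "no serviceaccountmgmt account found in $VPXD_SVCS_LOG" >&2
    exit 2
  fi
  echo "solution user: $acct"
  for g in $(missing_groups "$acct" dircli_list); do
    echo "missing from group $g"
    if [ "$1" = "--fix" ]; then
      "$DIR_CLI" group modify --name "$g" --add "$acct"
    fi
  done
fi
```

After --fix, restart the services and retry the registration as described above.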