YYYY-MM-DDTHH:MM:SS ERROR com.vmware.hms.config.cli.App [main] (..jvsl.util.LoggingErrorStream) [] | vSphere Replication Appliance configuration error:Unable to create solution user.
YYYY-MM-DDTHH:MM:SS ERROR com.vmware.hms.config.cli.App [main] (..jvsl.util.LoggingErrorStream) [] | Details: Failed to create service account
YYYY-MM-DDTHH:MM:SS ERROR com.vmware.hms.config.cli.App [main] (..jvsl.util.LoggingErrorStream) [] | null
com.vmware.hms.config.error.VrConfigException: Failed to create service account
at com.vmware.hms.config.helper.ServiceAccountHelper.createServiceAccount(ServiceAccountHelper.java:130) ~[vr-config-9.0.2.jar:?]
at com.vmware.hms.config.VrConfig.createServiceAccount(VrConfig.java:552) ~[vr-config-9.0.2.jar:?]
at com.vmware.hms.config.VrConfig.reconfigVr(VrConfig.java:505) ~[vr-config-9.0.2.jar:?]
at com.vmware.hms.config.VrConfig.expressSetup(VrConfig.java:345) ~[vr-config-9.0.2.jar:?]
at com.vmware.hms.config.cli.command.ExpressSetup.run(ExpressSetup.java:59) ~[vr-config-tool-9.0.2.jar:?]
at com.vmware.hms.config.cli.command.CommandBase.run(CommandBase.java:347) ~[vr-config-tool-9.0.2.jar:?]
at com.vmware.hms.config.cli.App.run(App.java:146) [vr-config-tool-9.0.2.jar:?]
at com.vmware.hms.config.cli.App.main(App.java:206) [vr-config-tool-9.0.2.jar:?]
Caused by: com.vmware.vapi.std.errors.InternalServerError: InternalServerError (com.vmware.vapi.std.errors.internal_server_error) => {
messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
id = com.vmware.vapi.authorization.permission.error,
defaultMessage = Could not validate permission information for operation com.vmware.vcenter.svcaccountmgmt.service_account.create invocation.,
args = [com.vmware.vcenter.svcaccountmgmt.service_account.create],
params = <null>,
localized = <null>
}],
data = <null>,
errorType = INTERNAL_SERVER_ERROR
}
YYYY-MM-DDTHH:MM:SS ERROR svcaccountmgmt[68:tomcat-http--21] [CorId=bf909c43-b238-4773-aac8-4e1516d91aaa OpId=] [com.vmware.vapi.authz.impl.AuthorizationFilter] Could not validate permission information for operation com.vmware.vcenter.svcaccountmgmt.service_account.create invocation.
Note that the <UUID> will be a unique identifier in your environment.
Note: Before applying the steps below, take a backup or an offline snapshot (powered-off state) of the vCenter Server Appliance. If the vCenter is part of an Enhanced Linked Mode replication setup, back up or snapshot all replicating nodes as well. Refer to: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice
Follow the steps below to fix the issue:

1. Find the name of the solution user in the /var/log/vmware/vpxd-svcs/vpxd-svcs.log file. It should look like VSPHERE.LOCAL\serviceaccountmgmt-<UUID>. The UUID is a long string unique to your environment; copy the exact value from the log, because the account added in step 3 must be this solution user and no other.

2. List the current members of the ActAsUsers, SolutionUsers, and ReadOnlyUsers groups:

/usr/lib/vmware-vmafd/bin/dir-cli group list --name ActAsUsers
/usr/lib/vmware-vmafd/bin/dir-cli group list --name SolutionUsers
/usr/lib/vmware-vmafd/bin/dir-cli group list --name ReadOnlyUsers

You will be prompted for the SSO Administrator password. Each command lists the members of that group; check whether serviceaccountmgmt-<UUID> appears in each of them.

3. Add the solution user to every group in which it is missing:

/usr/lib/vmware-vmafd/bin/dir-cli group modify --name <GROUPNAME> --add serviceaccountmgmt-<UUID>

Note: Replace <GROUPNAME> with the name of the group you are modifying (ActAsUsers, SolutionUsers, or ReadOnlyUsers) and <UUID> with the value copied from the log in step 1. Run the command once per missing group. Add only this specific solution user: membership in these groups grants service-level rights, so do not add other accounts while repairing the configuration.
Note: If the vCenters are in Enhanced Linked Mode, there is one serviceaccountmgmt-<UUID> solution user per node, so you should see multiple serviceaccountmgmt-<UUID> members in the ActAsUsers, SolutionUsers, and ReadOnlyUsers groups. Repeat steps 1 to 3 for each node's solution user.

Each serviceaccountmgmt-<UUID> solution user is expected to be a member of all of the following groups:

dn: CN=SolutionUsers,DC=vsphere,DC=local
dn: CN=ActAsUsers,DC=vsphere,DC=local
dn: CN=ReadOnlyUsers,DC=vsphere,DC=local
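The membership check behind steps 1 to 3, scripted as an added example (this is not VMware's own tooling and is not part of the original article). It assumes the vpxd-svcs.log path and the dir-cli commands shown above; the exact output format of dir-cli group list is an assumption, so the matcher accepts both a DOMAIN\user token and a CN=user,... DN. Run it with --audit on the vCenter appliance: it finds every serviceaccountmgmt-<UUID> named in the log, checks each one against the three groups, and prints the exact dir-cli group modify command for each missing membership instead of changing group membership itself, so an operator reviews the account name before it is added.

```shell
#!/bin/sh
# Added example (not VMware's tooling): audit serviceaccountmgmt-<UUID>
# membership in SolutionUsers, ActAsUsers and ReadOnlyUsers and print the
# repair commands rather than running them. Paths and commands are the ones
# from the KB steps; the dir-cli listing formats are assumptions.

DIR_CLI=/usr/lib/vmware-vmafd/bin/dir-cli
VPXD_SVCS_LOG=/var/log/vmware/vpxd-svcs/vpxd-svcs.log

# Read vpxd-svcs.log text on stdin and print each distinct
# serviceaccountmgmt-<UUID> name found, one per line (Enhanced Linked Mode
# setups have one per node). Exit status 1 if none is present.
find_svcacct_users() {
    grep -oiE 'serviceaccountmgmt-[0-9a-fA-F-]+' | sort -u | grep .
}

# $1 = solution user name, $2 = text of `dir-cli group list --name <group>`.
# Succeeds only on a whole-token match: the name must be preceded by start
# of line, "=" or "\" and followed by ",", a space or end of line, so a
# different node's serviceaccountmgmt-<UUID> with a longer UUID, or a stale
# "<name>-old" entry, does not count as membership.
is_member() {
    local user listing
    user=$1
    listing=$2
    printf '%s\n' "$listing" | grep -qiE '(^|[=\ ])'"$user"'([, ]|$)'
}

# $1 = solution user name, then one "GroupName=<listing text>" argument per
# group to check. Prints the names of the groups the user is missing from.
missing_groups() {
    local user pair group listing
    user=$1
    shift
    for pair in "$@"; do
        group=${pair%%=*}      # text before the first "="
        listing=${pair#*=}     # everything after it (may itself contain "=")
        is_member "$user" "$listing" || printf '%s\n' "$group"
    done
}

# Live mode on the appliance: dir-cli prompts for the SSO Administrator
# password on each call, exactly as in step 2. Only the name taken from the
# log is ever printed into a modify command; nothing is changed here.
audit_live() {
    local su_list aa_list ro_list user missing group
    su_list=$("$DIR_CLI" group list --name SolutionUsers) || return 1
    aa_list=$("$DIR_CLI" group list --name ActAsUsers) || return 1
    ro_list=$("$DIR_CLI" group list --name ReadOnlyUsers) || return 1
    for user in $(find_svcacct_users < "$VPXD_SVCS_LOG"); do
        missing=$(missing_groups "$user" \
            "SolutionUsers=$su_list" "ActAsUsers=$aa_list" "ReadOnlyUsers=$ro_list")
        if [ -z "$missing" ]; then
            printf '%s: member of all required groups\n' "$user"
            continue
        fi
        for group in $missing; do
            printf '%s: MISSING from %s; repair with:\n  %s group modify --name %s --add %s\n' \
                "$user" "$group" "$DIR_CLI" "$group" "$user"
        done
    done
}

if [ "${1:-}" = "--audit" ]; then
    audit_live
fi
```

The whole-token match in is_member is deliberate: in Enhanced Linked Mode several serviceaccountmgmt-<UUID> users coexist, and a prefix match would report one node's user as present when only another node's is.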