Error "Unable to login because you do not have permissions on any vCenter Server" in vSphere Client while using ADFS
Article ID: 324585

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • The following error message is displayed after you log in to vCenter Server with an ADFS user:
"Unable to login because you do not have permissions on any vCenter Server system connected to this client."
  • You may still be able to log in successfully with some other ADFS users.


Environment

VMware vCenter Server 7.0.x

Cause

  • This issue can occur if you give permissions to a single user in vCenter Server and that user's UPN and sAMAccountName do not match in Active Directory. By design, vCenter Server requires these two values to match for a single user who has been granted permissions on a vCenter Server instance.
  • This issue can also occur if permissions are given to groups in vCenter and the case of the domain in the group membership does not match the case of the domain configured in the Identity Source. By design, the domain filtering logic for groups in vCenter is case-sensitive.

Resolution

If permissions in vCenter are given to users, make sure that both the UPN and the sAMAccountName match in Active Directory for the user or users experiencing this issue.

If permissions in vCenter are given to Active Directory groups, use the procedure below to validate the case of the groups' domain.

  • Go to Active Directory Users and Computers.
  • Click Users, or the folder that contains the user account.
  • Right-click the affected user account and click Properties.
  • Click the Member Of tab.
  • Locate the Active Directory group that was used when adding permissions in vCenter.
  • Make a note of the case of the domain portion. For example, it would be something like VMWARE.COM or VMWARE.com.
  • Log in to the vSphere Web Client as a Single Sign-On administrator.
  • Under Menu, select Administration > Configuration > Identity Sources.
  • Select the identity source and click Edit.
  • Review the domain section of Base distinguished name for users and Base distinguished name for groups. For example, it would be something like dc=VMWARE,dc=COM or dc=VMWARE,dc=com.
  • If the case of the domain in the identity source does not match the case of the domain in the group membership, update the identity source with the correct case and save the identity source configuration. For example, if the group membership in Active Directory shows VMWARE.com, then the identity source should have dc=VMWARE,dc=com for both Base distinguished name for users and Base distinguished name for groups.
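The following script is an added example, not part of this article or of any VMware tooling. It encodes the two checks described in the Cause and Resolution sections so they can be run against exported account data instead of clicking through each user: a case-sensitive comparison of the dc= components of a permitted group's distinguished name against the identity source's base DN, and a UPN/sAMAccountName comparison for users granted permissions directly. All user records, group DNs and the base DN below are constructed sample data; the interpretation that "matching" UPN and sAMAccountName means the UPN prefix before "@" equals the sAMAccountName is an assumption, not something the article states.

```python
"""Added example: detect the two causes of the vCenter/ADFS login error
described in this article. All data here is constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AdUser:
    sam_account_name: str
    upn: str
    member_of: List[str] = field(default_factory=list)  # group DNs (memberOf)


def dc_components(dn: str) -> List[str]:
    """Return the values of the dc= RDNs of a DN with their case preserved.
    'CN=g,OU=x,DC=VMWARE,DC=com' -> ['VMWARE', 'com']."""
    out = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() == "dc":  # attribute type is case-insensitive, value is kept as-is
            out.append(value)
    return out


def dns_name(components: List[str]) -> str:
    """Render DC components the way ADUC shows a domain, e.g. 'VMWARE.com'."""
    return ".".join(components)


def domain_case_matches(group_dn: str, base_dn: str) -> bool:
    """vCenter's group domain filter is case-sensitive, so compare exactly."""
    return dc_components(group_dn) == dc_components(base_dn)


def upn_matches_sam(user: AdUser) -> bool:
    """Assumption: 'matching' means the UPN prefix (before '@') equals the
    sAMAccountName; both names are case-insensitive in AD."""
    prefix, _, _ = user.upn.partition("@")
    return prefix.lower() == user.sam_account_name.lower()


def diagnose(user: AdUser, direct_permission: bool,
             permitted_groups: List[str], base_dn: str) -> List[str]:
    """Return the reasons this user would hit the login error; [] means none found."""
    findings = []
    if direct_permission and not upn_matches_sam(user):
        findings.append(f"{user.sam_account_name}: UPN {user.upn!r} does not match sAMAccountName")
    for group_dn in user.member_of:
        if group_dn in permitted_groups and not domain_case_matches(group_dn, base_dn):
            findings.append(
                f"{user.sam_account_name}: group domain {dns_name(dc_components(group_dn))} "
                f"differs in case from identity source {dns_name(dc_components(base_dn))}")
    return findings


# Constructed sample data (hypothetical domain, groups and users).
BASE_DN = "dc=VMWARE,dc=com"                                  # identity source base DN
ADMINS_UPPER = "CN=vCenterAdmins,OU=Groups,DC=VMWARE,DC=COM"  # wrong case vs. base DN
ADMINS_MIXED = "CN=vCenterAdmins,OU=Groups,DC=VMWARE,DC=com"  # matches base DN

SAMPLE_USERS: Dict[str, AdUser] = {
    "alice": AdUser("alice", "alice@vmware.com", [ADMINS_UPPER]),  # group case mismatch
    "bob":   AdUser("bob", "robert@vmware.com"),                   # direct permission, UPN mismatch
    "carol": AdUser("carol", "carol@vmware.com", [ADMINS_MIXED]),  # should log in fine
}


def run_report() -> Dict[str, List[str]]:
    """Diagnose every sample user; bob is the only one with a direct permission."""
    permitted = [ADMINS_UPPER, ADMINS_MIXED]
    return {name: diagnose(u, direct_permission=(name == "bob"),
                           permitted_groups=permitted, base_dn=BASE_DN)
            for name, u in SAMPLE_USERS.items()}


if __name__ == "__main__":
    for name, findings in run_report().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

To use this against a real directory, replace SAMPLE_USERS with records read from an LDAP or PowerShell export (sAMAccountName, userPrincipalName, memberOf) and BASE_DN with the value shown in the identity source configuration; the comparison logic itself stays the same.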

Workaround:
If you cannot set the UPN and sAMAccountName to be the same, then alternatively you could:
  1. Add the user(s) to an AD group.
  2. Give permissions in vCenter to that AD group instead of the single user.
  3. Ensure the identity source is configured with the correct case for the domain.
The user should then be able to log in correctly.