Error "Unable to login because you do not have permissions on any vCenter Server" in vSphere Client while using ADFS

Article ID: 324585

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • The following error message is displayed after attempting to log in to vCenter Server with an ADFS user:
"Unable to login because you do not have permissions on any vCenter Server system connected to this client."

  • Login may be possible with other ADFS users.



Environment

VMware vCenter Server 7.0.x

Cause

  • This issue can occur if permissions are given to a single user in vCenter Server and that user's UPN and sAMAccountName do not match in Active Directory. By design, vCenter Server requires these two values to match for a single user who has been given permissions to access a vCenter Server instance.
  • This issue can also occur if permissions are given to groups in vCenter and the letter case of the domain in the groups does not match the letter case of the domain configured in the Identity Source. By design, the domain filtering logic for groups in vCenter is case-sensitive.

Resolution

If permissions at vCenter are given for users, ensure that both the UPN and sAMAccountName match in Active Directory for the user or users experiencing this issue.

If permissions at vCenter are given for Active Directory groups, refer to the procedure below to validate the letter case of the domain in the groups.

  • Go to Active Directory Users and Computers.
  • Click on Users or the folder that contains the user account.
  • Right click on the affected user account and click Properties.
  • Click Member of tab.
  • Locate the Active Directory group that is used when adding permissions in vCenter.
  • Make a note of the letter case of the domain portion.

For example, it would be something like VMWARE.COM or VMWARE.com.

  • Log in to the vSphere Web Client as a Single Sign-On Administrator.
  • Under Menu, select Administration > Configuration > Identity Sources.
  • Select the identity source and click Edit.
  • Review the domain section of Base distinguished name for users and Base distinguished name for groups.

For example, it would be something like dc=VMWARE,dc=COM or dc=VMWARE,dc=com.

  • If the letter case of the domain in the identity source does not match the letter case of the domain in the group membership, update the identity source with the correct letter case and save the identity source configuration.

For example, if the group membership in Active Directory is VMWARE.com, then the identity source should have dc=VMWARE,dc=com for both Base distinguished name for users and Base distinguished name for groups.
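As an added example (not part of this article and not a VMware tool), the following Python script models the two conditions described above as a pre-flight check over constructed sample accounts. It assumes that "matching UPN and sAMAccountName" means the part of the UPN before "@" equals sAMAccountName, and that the identity source's domain is the set of DC= components of its configured base DN.

```python
from dataclasses import dataclass

@dataclass
class AdUser:
    sam_account_name: str
    user_principal_name: str
    member_of: list[str]  # DNs of the AD groups the user belongs to

def dc_components(dn: str) -> list[str]:
    """DC= values of a distinguished name, in order, letter case preserved."""
    return [rdn.split("=", 1)[1].strip() for rdn in dn.split(",")
            if rdn.strip().upper().startswith("DC=")]

def upn_matches_sam(user: AdUser) -> bool:
    """Per-user rule: UPN prefix equals sAMAccountName (assumption: AD account
    names are compared case-insensitively, so the comparison is too)."""
    return user.user_principal_name.split("@", 1)[0].lower() == user.sam_account_name.lower()

def group_domain_case_mismatches(user: AdUser, base_dn: str) -> list[str]:
    """Group rule: the domain part of a group DN must equal the identity source
    base DN byte-for-byte. Groups that are equal only when case is ignored are
    exactly the ones vCenter's case-sensitive domain filter drops."""
    wanted = dc_components(base_dn)
    folded = [d.lower() for d in wanted]
    return [g for g in user.member_of
            if [d.lower() for d in dc_components(g)] == folded
            and dc_components(g) != wanted]

def diagnose(user: AdUser, base_dn: str) -> list[str]:
    """One finding per condition from the article that would block this user's login."""
    findings = []
    if not upn_matches_sam(user):
        findings.append(f"{user.sam_account_name}: UPN {user.user_principal_name} "
                        "does not match sAMAccountName")
    for g in group_domain_case_mismatches(user, base_dn):
        findings.append(f"{user.sam_account_name}: domain case in {g} differs "
                        f"from identity source base DN {base_dn}")
    return findings

# Constructed sample data, not taken from any real directory.
IDENTITY_SOURCE_BASE_DN = "dc=VMWARE,dc=COM"
SAMPLE_USERS = [
    AdUser("jdoe", "jdoe@vmware.com", ["CN=vc-admins,OU=Groups,DC=VMWARE,DC=com"]),
    AdUser("asmith", "alice.smith@vmware.com", ["CN=vc-admins,OU=Groups,DC=VMWARE,DC=COM"]),
    AdUser("bjones", "bjones@vmware.com", ["CN=vc-admins,OU=Groups,DC=VMWARE,DC=COM"]),
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(user.sam_account_name, diagnose(user, IDENTITY_SOURCE_BASE_DN) or "ok")
```

In the sample data, jdoe is blocked only by the group's domain case, asmith only by the UPN mismatch, and bjones passes both checks.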

Workaround:
If the UPN and sAMAccountName cannot be configured to be the same, then the following steps can be applied:

  1. Add the user(s) to an AD Group.
  2. Give permissions in vCenter to that AD group instead of the single user.
  3. Ensure the identity source is configured with the correct letter case for the domain.

The user should then be able to log in.