Powering on an encrypted virtual machine or a VM with vTPM fails when attempted with a non-Administrator user
Article ID: 326210

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • When trying to power on a virtual machine that is encrypted, for example if it has been configured with a virtual TPM (vTPM), the task fails with an error message:
Permission to perform this operation was denied. NoPermission.message.format
  • When trying to open a remote console for the virtual machine, the following error is shown:
KMS Error: Unable to connect to MKS: Permission to perform this operation was denied.
  • /var/log/vmware/vpxd/vpxd.log shows events like the following:

    YYYY-MM-DDTHH:MM:SS.014-04:00 info vpxd[10301] [Originator@6876 sub=VmProv opID=*********-h5:70448162-c7-01-01-01] Prevoutputs: (vpx.vmprov.Action.Output) [ (vpx.vmprov.SelectDestination.Output) { changedDatastore <unset>, newDatastore <unset>
    --> }
    --> ]
    YYYY-MM-DDTHH:MM:SS.014-04:00 error vpxd[10301] [Originator@6876 sub=VmProv opID=**********-auto-19867-h5:70448162-c7-01-01-01] Local-VC Host Migrate failed at vpx.vmprov.InvokeCallbacks for poweredoff VM '*******' (vm-******, ds:///vmfs/volumes/**********/*********/*********) on host-****** (xx.xxx.xx.xx) in pool resgroup-27 with ds ds:///vmfs/volumes/*********/ to host-***** (xx.xxx.xx.xx) in pool resgroup-27 with ds ds:///vmfs/volumes/*********/ with migId ********* with fault vim.fault.NoPermission:
    YYYY-MM-DDTHH:MM:SS.018-04:00 info vpxd[10301] [Originator@6876 sub=VmProv opID=**********-2110110-auto-19867-h5:70448162-c7-01-01-01] Undo action vpx.vmprov.ReserveDirectory
    YYYY-MM-DDTHH:MM:SS.018-04:00 info vpxd[10301] [Originator@6876 sub=VmProv opID=**********-2110110-auto-19867-h5:70448162-c7-01-01-01] Done undo action vpx.vmprov.ReserveDirectory with output:
    YYYY-MM-DDTHH:MM:SS.021-04:00 info vpxd[10301] [Originator@6876 sub=VmProv opID=**********-2110110-auto-19867-h5:70448162-c7-01-01-01] Undo action vpx.vmprov.MarkOperationInProgress
    YYYY-MM-DDTHH:MM:SS.021-04:00 info vpxd[10301] [Originator@6876 sub=VmProv opID=**********-2110110-auto-19867-h5:70448162-c7-01-01-01] Done undo action vpx.vmprov.MarkOperationInProgress with output:
    --> false
    --> false
    --> )
    YYYY-MM-DDTHH:MM:SS.021-04:00 error vpxd[10301] [Originator@6876 sub=vpxLro opID=*****-2110110-auto-19867-h5:70448162-c7-01-01-01] [VpxLRO] Unexpected Exception: N3Vim5Fault12NoPermission9ExceptionE (Fault cause: vim.fault.NoPermission --> [context]zkq7AVECAQAAAOIFCWEjdnB4ZAAAAto3bGlidm1hY29yzs5zbwAAmXksABdtLQAf6jIBgfBxdnB4ZAABkuONT7FHQGBWQYfAYFKXDIBgcVfMgGBOZI 3AYFCTTUBgVChNAGBzb80AYHrXTQBgfUEaQGBNgZPAYFkFwkBgcdCaAGB1]ptoAYHZDZMBAX00+wHG0vsBtdP7gem1XwGB9QRPAYE2BmkBgwQVaQGBX0JOAYGS7GgBA
    YYYY-MM-DDTHH:MM:SS.025-04:00 info vpxd[10301] [Originator@6876 sub=vpxLro opID=******-2110110-auto-19867-h5:70448162-c7-01-01-01] [VpxLRO] -- FINISH lro-474762600
    YYYY-MM-DDTHH:MM:SS.025-04:00 info vpxd[10301] [Originator@6876 sub=Default opID=*****-2110110-auto-19867-h5:70448162-c7-01-01-01] [VpxLRO] -- ERROR lro-474762600 OdJIWB1nyMAWGU3Aod/AGXpYnB0aHJlYWQuc28uMAADvzYPbGliYy5zby42AA==[/context]
    Result:
    (vim.fault.NoPermission) {
    faultCause = (vmodl.MethodFault) null, faultMessage = <unset>,
    object = 'vim.VirtualMachine:299f5af7-764f-433f-a371-5f49d84ab469:vm-*******',
    privilegeId = "Cryptographer.Migrate",
    missingPrivileges = <unset>
    msg =
    --> } --> Args:


Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

This issue occurs when the user who initiated the power-on task does not have the privileges required to access encrypted VMs or to read the encryption keys that protect them. These operations require privileges from the "Cryptographic operations" group. The vim.fault.NoPermission result in vpxd.log names the specific missing privilege in its privilegeId field (Cryptographer.Migrate in the example above).

Resolution

To prevent this problem, ensure that the role for the user includes the following privileges:
  • Cryptographic operations > Direct Access
  • Cryptographic operations > Read KMS information
If the VM is hosted in a cluster with DRS enabled, the following privilege is required as well:
  • Cryptographic operations > Migrate
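The following Python snippet is an added example for triaging this failure; it is not code from VMware or from this article. It pulls the privilegeId out of the serialized vim.fault.NoPermission result in vpxd.log and then checks a role's privilege ID list against the three privileges listed in the Resolution, adding Cryptographer.Migrate only when the cluster has DRS enabled. The privilege IDs Cryptographer.Access (Direct Access) and Cryptographer.ReadKeyServersInfo (Read KMS information) are the IDs the vSphere privilege reference gives for those UI labels; Cryptographer.Migrate comes from the log above. The log excerpt and the role's privilege list are constructed sample data; on a live system the role list would come from the role object (for example the privilege list returned by the vSphere API's AuthorizationManager or by PowerCLI's Get-VIRole).

```python
import re

# Privilege IDs behind the vSphere UI labels named in the Resolution.
# Cryptographer.Migrate is the privilegeId shown in the vpxd.log fault above;
# the other two are the IDs the vSphere privilege reference lists for
# "Direct Access" and "Read KMS information".
BASE_CRYPTO_PRIVILEGES = {
    "Cryptographer.Access": "Cryptographic operations > Direct Access",
    "Cryptographer.ReadKeyServersInfo": "Cryptographic operations > Read KMS information",
}
# Only required when the VM lives in a DRS-enabled cluster (power-on triggers
# a placement/migration step, which is what failed in the log).
DRS_CRYPTO_PRIVILEGES = {
    "Cryptographer.Migrate": "Cryptographic operations > Migrate",
}

# privilegeId field of a serialized vim.fault.NoPermission result block.
_PRIV_ID_RE = re.compile(r'privilegeId\s*=\s*"([^"]+)"')


def denied_privileges(vpxd_log: str) -> list[str]:
    """Return the sorted set of privilege IDs vpxd reported as denied.

    vpxd serializes the NoPermission fault into the log, so the privilegeId
    line tells you exactly which privilege the role lacks.
    """
    return sorted(set(_PRIV_ID_RE.findall(vpxd_log)))


def missing_privileges(role_privilege_ids, drs_enabled: bool) -> dict[str, str]:
    """Map each required privilege ID the role lacks to its UI label.

    role_privilege_ids: privilege IDs assigned to the role being audited.
    drs_enabled: whether the VM's cluster has DRS enabled (adds Migrate).
    """
    required = dict(BASE_CRYPTO_PRIVILEGES)
    if drs_enabled:
        required.update(DRS_CRYPTO_PRIVILEGES)
    have = set(role_privilege_ids)
    return {pid: label for pid, label in required.items() if pid not in have}


# Constructed excerpt modelled on the Result block of the vpxd.log above.
SAMPLE_VPXD_LOG = """\
2024-01-01T12:00:00.021-04:00 error vpxd[10301] [Originator@6876 sub=vpxLro opID=example] [VpxLRO] Unexpected Exception: N3Vim5Fault12NoPermission9ExceptionE (Fault cause: vim.fault.NoPermission
Result:
(vim.fault.NoPermission) {
faultCause = (vmodl.MethodFault) null, faultMessage = <unset>,
object = 'vim.VirtualMachine:00000000-0000-0000-0000-000000000000:vm-101',
privilegeId = "Cryptographer.Migrate",
missingPrivileges = <unset>
msg =
--> }
"""

# Constructed role: may power on VMs and has Direct Access, but nothing else
# from the Cryptographic operations group.
SAMPLE_ROLE_PRIVILEGES = [
    "System.Anonymous", "System.View", "System.Read",
    "VirtualMachine.Interact.PowerOn",
    "Cryptographer.Access",
]

if __name__ == "__main__":
    print("vpxd denied:", denied_privileges(SAMPLE_VPXD_LOG))
    for drs in (False, True):
        missing = missing_privileges(SAMPLE_ROLE_PRIVILEGES, drs_enabled=drs)
        print(f"DRS enabled={drs}: role is missing {missing or 'nothing'}")
```

Running the script on the sample data reports Cryptographer.Migrate as the denied privilege, and shows that the role is missing Read KMS information regardless of DRS and additionally Migrate once DRS is on, which matches the two-step Resolution above.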