We are unable to subscribe vCenter Server to cloud console.
Error: A general system error occurred subscribing VC: VC_FQDN
/var/log/vmware/aap/agents/multi-vc-context-vsphere-entitlement-agent-5a4d5e1e1912:
[2023-05-17 07:33:10.008 GMT] [vsphere-entitlement-agent] [vcId='813b9995-429b-4bb0-8dfe-79dd07ab3267' imageId='5a4d5e1e1912' dockerHost='fcc25d125b2b'] [priority='ERROR' thread='scheduled-task-thread24' trace='00000000-0000-0000-8838-c9
e96eba5314'] com.vmware.vsphere.cloud.entitlement.scheduling.VcAgentScheduler@286 - Unexpected error occurred in agent task 'pollForSubscriptionTasks' for VC '813b9995-429b-4bb0-8dfe-79dd07ab3267' in 490 milliseconds.
java.lang.IllegalStateException: There are failed VC subscription tasks
Caused by: com.vmware.vsphere.cloud.entitlement.subscription.SubscriptionConfigurationUpdateException: Assignment.update_Task() failed with VAPI Error:
Caused by: com.vmware.vapi.std.errors.Unauthorized: Unauthorized (com.vmware.vapi.std.errors.unauthorized) => {
messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
id = com.vmware.vapi.authorization.permission.denied,
defaultMessage = Permission to perform this operation was denied.,
args = [],
params = <null>,
localized = <null>
}],
data = <null>,
errorType = UNAUTHORIZED
VC log: /var/log/vmware/sso/ssoAdminServer.log
2023-05-17T07:37:11.054Z INFO ssoAdminServer[109:pool-2-thread-10] [OpId=f59e0e3c-9fcf-4224-8145-6fbea5f4b081] [com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name: machine-8624ee33-4194-47b9-8b42-5f9fb8b99d74, Domain: vsphere.local} with role 'Administrator' is authorized formethod call 'PrincipalDiscoveryService.findNestedParentGroups'
2023-05-17T07:37:11.054Z INFO ssoAdminServer[100:pool-2-thread-3] [OpId=f59e0e3c-9fcf-4224-8145-6fbea5f4b081] [com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl] [User {Name: machine-8624ee33-4194-47b9-8b42-5f9fb8b99d74, Domain: vsphere.local} with role 'Administrator'] Find nested parent groups foruser {Name: CloudServicesGateway_license-service-admin_1edefa3c-526b-67bf-a78f-81ccad127c69_813b9995-429b-4bb0-8dfe-79dd07ab3267, Domain: VSPHERE.LOCAL}
2023-05-17T07:37:11.057Z INFO ssoAdminServer[100:pool-2-thread-3] [OpId=f59e0e3c-9fcf-4224-8145-6fbea5f4b081] [com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl] Vmodl method PrincipalDiscoveryService.findNestedParentGroups returnvalue is [(sso.admin.Group) {\n dynamicType = null,\n dynamicProperty = null,\n id = (sso.PrincipalId) {\n dynamicType = null,\n dynamicProperty = null,\n name = Everyone,\n domain = vsphere.local\n },\n alias = null,\n details = (sso.admin.GroupDetails) {\n dynamicType = null,\n dynamicProperty = null,\n description = \n }\n}]
SSO admin server logs show that the GW license service admin user for vCenter Server (VC ID: 813b9995-429b-4bb0-8dfe-79dd07ab3267) is not part of the License Service Administrators group (LicenseService.Administrators)
VMware Engineering is working on this issue to provide further updates.
We need to add "CloudServicesGateway_license-service-admin_1edefa3c-526b-67bf-a78f-81ccad127c69_813b9995-429b-4bb0-8dfe-79dd07ab3267" user back to the License Service Administrators group on the VC.
Steps:
1. Login to vCenter Server.
2. Navigate to : Administration > Users and Groups > Groups
3. Select License Service Administrators Group and add user: CloudServicesGateway_license-service-admin_1edefa3c-526b-67bf-a78f-81ccad127c69_813b9995-429b-4bb0-8dfe-79dd07ab3267.
4. Retry the subscription.
vCenter Server subscription to vSphere+ fails.