Unable to administer vCenter Single Sign-On after adding a User Group and individual users from a Directory Service (OpenLDAP or Active Directory)
Article ID: 328321
Updated On: 10-15-2024

Products

VMware vCenter Server

Issue/Introduction

After adding a User Group and individual users from the Directory Service configured within vCenter Single Sign-On to any of the SSO Security Groups, the following symptoms are experienced:
  • Logging in with the user account to the vSphere Web Client, the Single Sign-On > Administration section is unavailable.
  • Logging in with the user account to the vSphere Web Client, the Single Sign-On > System Configuration section is unavailable.
  • Attempting to access the Single Sign-On > System Configuration section reports:

    You do not have permissions to view this page. You must be a member of the SystemConfiguration.Administrators group in vCenter Single Sign-On to access System Configuration.
     
  • vCenter Single Sign-On cannot be administered with the Directory Service account, even though that account is a member of the SSO Administrators group.
  • When logging in as administrator@vsphere.local, the Single Sign-On > Administration section is accessible.
Note: The SSO Security Groups include the following groups:
  • Administrators
  • ComponentManager.Administrators
  • SystemConfiguration.Administrators
  • LicenseService.Administrators



Resolution

This issue is resolved. See also Active Directory Groups not supported with Group-Based Permissions under Additional Information for caveats on which groups may be used.
 
To work around this issue, manually assign each user to every individual Single Sign-On Security Group to which that user requires access.
 
Note: Users from non-SSO directories (for example, Active Directory users) must be added to each SSO Security Group individually. Permissions granted to a group do not propagate to members of its nested sub-groups when non-SSO users are added to SSO Security Groups.
 
Using directory User Groups in vCenter Single Sign-On Security Groups is not supported, and nesting users within vSphere groups such as the vSphere Administrators group is not supported. To grant access to the individual vSphere Security Groups, use one of these methods:
 
For Microsoft Active Directory environments:
  • Assign individual users from Active Directory to the vCenter Single Sign-On Administrators group.

    Note: While using User Groups from Active Directory may work after adding the Groups to the Administrators group within vCenter Single Sign-On, this is currently not supported.
 
For OpenLDAP environments:
  • Assign individual users from the OpenLDAP Directory service to the vCenter Single Sign-On Administrators group.

    Note: For OpenLDAP environments, the use of User Groups is not currently supported when added to the vCenter Single Sign-On Administrators group.
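As an added example (not from this KB article and not VMware code), the following Python script shows the practical consequence of the no-propagation rule above: given a constructed directory group graph with nested groups and the entries that were placed into each SSO Security Group, it expands the nesting transitively, compares that against what SSO honours (direct user entries only), and lists the users who still have to be added individually to each group. The group and user names, the `grp:` prefix used to tell nested groups from users, and the sample membership data are all assumptions made for the example; the resulting list is what an administrator would work through in the vSphere Web Client.

```python
"""Compute which directory users need *direct* membership in each vCenter SSO
security group.

Added example, not from the KB article. vCenter SSO does not expand nested
directory groups: a user who is only a member of a sub-group of the group you
added to e.g. SystemConfiguration.Administrators is still denied. This script
walks the directory group graph (constructed sample data), expands nesting
transitively, and reports the individual users that must be assigned by hand.
"""
from collections import deque

# Constructed sample directory: group name -> direct members. Entries that start
# with "grp:" are nested groups (an assumption for this example); everything
# else is a user account.
DIRECTORY_GROUPS = {
    "grp:vSphere-Admins": ["alice@corp.example", "grp:Platform-Team"],
    "grp:Platform-Team": ["bob@corp.example", "grp:OnCall"],
    "grp:OnCall": ["carol@corp.example"],
    "grp:License-Mgrs": ["dave@corp.example"],
}

# Constructed view of what was placed into each SSO security group: the
# directory group plus any users already assigned directly.
SSO_GROUP_MEMBERS = {
    "Administrators": ["grp:vSphere-Admins"],
    "SystemConfiguration.Administrators": ["grp:vSphere-Admins", "alice@corp.example"],
    "LicenseService.Administrators": ["grp:License-Mgrs"],
}


def expand_group(group, directory):
    """Return the set of user accounts reachable from `group` through any
    depth of nesting. Cycles (A nested in B nested in A) are tolerated."""
    users = set()
    seen = set()
    queue = deque([group])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for member in directory.get(current, []):
            if member.startswith("grp:"):
                queue.append(member)
            else:
                users.add(member)
    return users


def sso_effective_members(members):
    """What SSO actually honours for a directory identity source: the direct
    user entries. A nested group entry contributes no members."""
    return {m for m in members if not m.startswith("grp:")}


def missing_direct_assignments(sso_groups, directory):
    """For each SSO security group, list the users the administrator intended
    to grant (via group nesting) that have no direct entry and will therefore
    be denied. The result is the to-do list for manual assignment."""
    report = {}
    for sso_group, members in sso_groups.items():
        intended = set()
        for member in members:
            if member.startswith("grp:"):
                intended |= expand_group(member, directory)
            else:
                intended.add(member)
        missing = intended - sso_effective_members(members)
        report[sso_group] = sorted(missing)
    return report


if __name__ == "__main__":
    for sso_group, users in missing_direct_assignments(SSO_GROUP_MEMBERS, DIRECTORY_GROUPS).items():
        if users:
            print(f"{sso_group}: add directly -> {', '.join(users)}")
        else:
            print(f"{sso_group}: no missing direct assignments")
```

Because every user in the report ends up holding the SSO role individually, the output is also the list to review when someone leaves the nested directory group: removing them from the directory group no longer removes their SSO access.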



Additional Information

Active Directory Groups not supported with Group-Based Permissions:

The following Active Directory groups are not supported for group-based permissions within the Single Sign-On Security Groups. Adding any of these groups to a Single Sign-On Security Group does not grant its members the permissions associated with that Security Group.
 
Null Authority
Nobody
World Authority
Everyone
Local Authority
Local
Console Logon
Creator Authority
Creator Owner
Creator Group
Creator Owner Server
Creator Group Server
Non-unique Authority
NT Authority
Dialup
Network
Batch
Interactive
Logon Session
Service
Anonymous
Proxy
Enterprise Domain Controllers
Principal Self
Authenticated Users
Restricted Code
Terminal Server Users
Remote Interactive Logon
This Organization
IIS User
Local System
NT Authority
NT Authority
Enterprise Read-only Domain Controllers
Builtin Administrators
Builtin Users
Builtin Guests
Power Users
Account Operators
Server Operators
Print Operators
Backup Operators
Replicators
NTLM Authentication
SChannel Authentication
Digest Authentication
NT Service
All Services
NT VIRTUAL MACHINE\Virtual Machines
Untrusted Mandatory Level
Low Mandatory Level
Medium Mandatory Level
Medium Plus Mandatory Level
High Mandatory Level
System Mandatory Level
Protected Process Mandatory Level
Secure Process Mandatory Level
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Remote Desktop Users
BUILTIN\Network Configuration Operators
BUILTIN\Incoming Forest Trust Builders
BUILTIN\Performance Monitor Users
BUILTIN\Performance Log Users
BUILTIN\Windows Authorization Access Group
BUILTIN\Terminal Server License Servers
BUILTIN\Distributed COM Users
BUILTIN\Cryptographic Operators
BUILTIN\Event Log Readers
BUILTIN\Certificate Service DCOM Access
BUILTIN\RDS Remote Access Servers
BUILTIN\RDS Endpoint Servers
BUILTIN\RDS Management Servers
BUILTIN\Hyper-V Administrators
BUILTIN\Access Control Assistance Operators
BUILTIN\Remote Management Users
Authentication authority asserted identity
Service asserted identity