VMware Cloud on AWS troubleshooting Hybrid Linked Mode permission issues
Article ID: 329929
Products
VMware Cloud on AWS
Issue/Introduction
This article describes how to troubleshoot permission issues related to Hybrid Linked Mode (HLM) in VMware Cloud on AWS after the SSO domain linking has been configured successfully.
Symptoms:
- The on-prem vCenter is missing from the VMware Cloud on AWS HTML5 vSphere Client inventory, even though the Linked Domains status shows Domain linked.
- Inconsistent behavior in workflows related to HLM. Example: a cold migration cannot proceed and the console reports the error:
  “The object 'vim.ResourcePool:resgroup-55' has already been deleted or has not been completely created”
Cause
This issue occurs for one or more of these reasons:
- The domain user account (or the domain group the user belongs to) used to log in to the cloud vCenter does not have the required permissions on the on-prem vCenter.
- Permissions granted in the on-prem vCenter through SSO group membership do not work with HLM.
- HLM may stop working if the current solution users are removed.
- Solution users from previous linking attempts were not removed properly.
Resolution
To resolve this issue, complete the steps below that apply to your situation.
1. Log in directly to the on-prem vCenter to confirm the user's privileges. If the issue is caused by insufficient permissions for the logged-in user, grant the appropriate permissions:
   a. Log in to the on-prem vSphere Client.
   b. Navigate to Administration > Access Control > Global Permissions.
   c. Add the user to one of the existing groups that already has the correct roles assigned, or add a new group with the appropriate roles.
2. Assign the domain group the proper roles as in step 1, even if the user is already a member of SSO groups such as Administrators. The cloud vCenter does not recognize permissions granted through SSO group membership.
Note: Do not remove the solution users that HLM uses from the on-prem vCenter:
- hvc-<machine-id-of-vmc> (solution user; same name as the one the HVC service uses on the cloud)
- vsphere-webclient-<machine-id-of-vmc> (solution user; same name as the one the H5 client uses on the cloud)
The machine-id can be confirmed from the cloud vSphere H5 client under Global Permissions, where the id is appended to the user names listed above.
Unlinking the linked domain cleans up the related entries, including the solution users. However, the user accounts are left behind in certain cases, such as deleting an SDDC without unlinking the domain first.
Make sure to unlink HLM before deleting an SDDC:
Cloud H5 client > Administration > Hybrid Cloud > Link Domains > click the unlink button
Caution: Removing the wrong solution users might cause issues.
If old solution users and web client users left behind by a previous unsuccessful HLM configuration remain in the on-prem vCenter:
1. Log in to the on-prem vSphere Client and navigate to Administration > Access Control > Global Permissions.
2. Delete any permissions you see for hvc-<unrecognizable machine id> and vsphere-webclient-<unrecognizable machine id>.
3. Navigate to Administration > Single Sign On > Users and Groups > Solution Users.
4. Delete the old solution user.
5. Navigate to Administration > Single Sign On > Users and Groups > Users.
6. Delete the old sync user syncservice-<unrecognizable machine id>.
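The two decisions this article asks the administrator to make by hand (which global permissions the cloud vCenter will actually honour for a user, and which hvc-/vsphere-webclient-/syncservice- principals belong to the current SDDC versus a stale earlier link) can be checked offline before anything is deleted. The script below is an added example, not VMware code or a vCenter API: it takes a constructed list of principals as they appear on the on-prem Global Permissions and Users pages, plus the machine-id read from the cloud H5 client, and reports honoured versus ignored roles and keep versus stale principals. The GlobalPermission fields, the sample domain corp.example and the machine-id values are this example's own assumptions.

```python
"""Offline audit helper for HLM permission troubleshooting (added example, not VMware code).

Inputs are constructed from what an administrator reads off the on-prem vCenter
Global Permissions page and the SSO Users / Solution Users pages; the field names
below are this script's own assumptions, not a vCenter API.
"""
import re
from dataclasses import dataclass

# Principals HLM creates on the on-prem vCenter, as named in the article
HLM_PRINCIPAL_RE = re.compile(
    r"^(?P<kind>hvc|vsphere-webclient|syncservice)-(?P<machine_id>[0-9a-f-]+)$",
    re.IGNORECASE,
)

# Group membership in the SSO-local domain is not honoured by the cloud vCenter for HLM
SSO_LOCAL_DOMAINS = {"vsphere.local"}


@dataclass(frozen=True)
class GlobalPermission:
    principal: str   # "DOMAIN\\name" as shown on the Global Permissions page
    role: str
    is_group: bool


def _split(principal):
    """Split 'DOMAIN\\name' into (domain lower-cased, name); no domain -> ''."""
    domain, _, name = principal.rpartition("\\")
    return domain.lower(), name


def effective_hlm_roles(user, user_groups, permissions):
    """Return (honoured_roles, ignored_roles) for `user`.

    honoured: roles assigned directly to the user or to a domain group the user is in.
    ignored:  roles that reach the user only through an SSO-local group such as
              vsphere.local\\Administrators, which HLM does not recognise.
    """
    honoured, ignored = set(), set()
    groups = {g.lower() for g in user_groups}
    for perm in permissions:
        if perm.is_group:
            if perm.principal.lower() not in groups:
                continue
            domain, _ = _split(perm.principal)
            target = ignored if domain in SSO_LOCAL_DOMAINS else honoured
            target.add(perm.role)
        elif perm.principal.lower() == user.lower():
            honoured.add(perm.role)
    return honoured, ignored


def classify_hlm_principals(principals, cloud_machine_id):
    """Split HLM-created principals into those for the current SDDC (keep) and
    those whose machine-id is not the current one (stale, from earlier linking)."""
    keep, stale = [], []
    for principal in principals:
        _, name = _split(principal)
        match = HLM_PRINCIPAL_RE.match(name)
        if not match:
            continue  # ordinary user or group, not an HLM principal
        if match.group("machine_id").lower() == cloud_machine_id.lower():
            keep.append(principal)
        else:
            stale.append(principal)
    return keep, stale


# Constructed sample data (placeholder machine-ids; read the real one from the cloud H5 client)
CLOUD_MACHINE_ID = "0a1b2c3d-1111-2222-3333-444455556666"
STALE_MACHINE_ID = "deadbeef-0000-0000-0000-000000000000"
SAMPLE_PERMISSIONS = [
    GlobalPermission("vsphere.local\\Administrators", "Administrator", True),
    GlobalPermission("corp.example\\vmc-admins", "Administrator", True),
    GlobalPermission("corp.example\\bob", "Read-only", False),
    GlobalPermission(f"vsphere.local\\hvc-{CLOUD_MACHINE_ID}", "Administrator", False),
    GlobalPermission(f"vsphere.local\\hvc-{STALE_MACHINE_ID}", "Administrator", False),
    GlobalPermission(f"vsphere.local\\vsphere-webclient-{CLOUD_MACHINE_ID}", "Administrator", False),
]
SAMPLE_SSO_USERS = [
    "corp.example\\bob",
    f"vsphere.local\\syncservice-{CLOUD_MACHINE_ID}",
    f"vsphere.local\\syncservice-{STALE_MACHINE_ID}",
]


if __name__ == "__main__":
    # alice only holds Administrator via the SSO-local group: HLM will not honour it
    print("alice:", effective_hlm_roles("corp.example\\alice", ["vsphere.local\\Administrators"], SAMPLE_PERMISSIONS))
    # bob is in a domain group and has a direct assignment: both count
    print("bob:", effective_hlm_roles("corp.example\\bob", ["corp.example\\vmc-admins"], SAMPLE_PERMISSIONS))
    principals = [p.principal for p in SAMPLE_PERMISSIONS] + SAMPLE_SSO_USERS
    keep, stale = classify_hlm_principals(principals, CLOUD_MACHINE_ID)
    print("keep :", keep)
    print("stale:", stale)
```

The keep list is exactly the set the article's Note says must not be removed; anything in the stale list is a candidate for the Global Permissions, Solution Users and Users cleanup steps, and should still be cross-checked against the cloud H5 client before deletion because the script only compares names.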
Additional Information
Impact/Risks: Removing the wrong solution users might cause issues that affect other services.