1. After upgrading vCenter server from a 7.x version to a 8.x version the Update tab in an image based cluster is missing 2 objects. (Image and Hardware Compatibility tabs)
2. You see log entries below: 

var/log/vmware/applmgmt/applmgmt.log:

yyyy-mm-dd [2992]INFO:vmware.appliance.vapi.auth:Authorization request for service_id: com.vmware.vcenter.system_config.feature_state, operation_id: get
yyyy-mm-dd [2992]DEBUG:vmware.appliance.extensions.authorization.authorization_sso:Required privileges = ['ModifyConfiguration']
yyyy-mm-dd [2992]DEBUG:vmware.appliance.extensions.authorization.authorization_sso:User=vsphere.local\vsphere-webclient-####-###-###-####-#####8, groups={'vsphere.local\\Everyone', 'vsphere.local\\SolutionUsers', 'vsphere.local\\ActAsUsers', 'vsphere.local\\Administrators', 'vsphere.local\\LicenseService.Administrators', 'vsphere.local\\vSphereClientSolutionUsers'}
yyyy-mm-dd [2992]DEBUG:root:Validated user privileges in localstore or SSO
yyyy-mm-dd [2992]DEBUG:vmware.appliance.extensions.authorization.authorization_sso:Required privileges = ['ModifyLocalConf']
yyyy-mm-dd [2992]DEBUG:vmware.appliance.extensions.authorization.authorization_sso:User=vsphere.local\vsphere-webclient-####-####-####-###-######8, groups={'vsphere.local\\Everyone', 'vsphere.local\\SolutionUsers', 'vsphere.local\\ActAsUsers', 'vsphere.local\\Administrators', 'vsphere.local\\LicenseService.Administrators', 'vsphere.local\\vSphereClientSolutionUsers'}
yyyy-mm-dd [2992]DEBUG:root:Validated user privileges in localstore or SSO

var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log:

yyyy-mm-dd [ERROR] http-nio-3###-exec-## ####### ##### ##### com.vmware.vise.mvc.controllers.PluginServiceController A general error occurred while evaluating plugin (com.vmware.vlcm.client:8.0.0.21216066:-#####) dynamic extensions info from the vSphere Client platform. com.vmware.vapi.std.errors.Unauthorized: Unauthorized (com.vmware.vapi.std.errors.unauthorized) => {
 messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
 id = vapi.security.authorization.invalid,
 defaultMessage = Unable to authorize user,
 args = [],
 params = <null>,
 localized = <null>
 }],
 data = <null>,
 errorType = UNAUTHORIZED
 }
 at java.lang.Thread.getStackTrace(Thread.java:1564)
 at com.vmware.vapi.bindings.client.AsyncCallbackSyncAdapter.get_aroundBody1$advice(AsyncCallbackSyncAdapter.java:49)
 at com.vmware.vapi.bindings.client.AsyncCallbackSyncAdapter.get(AsyncCallbackSyncAdapter.java:1)
 at com.vmware.vapi.internal.bindings.Stub.invokeMethod(Stub.java:145)
 at com.vmware.vcenter.system_config.FeatureStateStub.get(FeatureStateStub.java:47)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
 at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:208)
 at com.sun.proxy.$Proxy387.get(Unknown Source)
 at com.vmware.vise.plugin.filter.feature.ConditionalExtensionFeatureStatesFilter.retrieveVcFeatureStateSwitches(ConditionalExtensionFeatureStatesFilter.java:101)
 at java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1660)
 at com.vmware.vise.plugin.filter.feature.ConditionalExtensionFeatureStatesFilter.filter(ConditionalExtensionFeatureStatesFilter.java:68)
 at com.vmware.vise.plugin.filter.impl.PluginDynamicExtensionFilteringServiceImpl.conditionalFiltering(PluginDynamicExtensionFilteringServiceImpl.java:168)

    3.This issue can also be observed if there is an expired STS Tenant 

/var/log/vmware/vmware-updatemgr/vum-server:

yyyy-mm-dd error vmware-vum-server[13336] [Originator@6876 sub=CertManager] [CertManager 230] Retrieved invalid certificate 

var/log/vmware/applmgmt/applmgmt.log:

yyyy-mm-dd [8618]DEBUG:vmware.appliance.extensions.authentication.authentication_sso:Downloading trusted certs from url : http://localhost:7080/idm/tenant/vsphere.local/certificates?scope=TE NANT 
yyyy-mm-dd [8618]DEBUG:vmware.appliance.extensions.authentication.authentication_sso:Downloading trusted certs from url : http://localhost:7080/idm/tenant/vsphere.local/certificates?scope=TE NANT 
yyyy-mm-dd [8618]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token Traceback (most recent call last):   File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 507, in validate     self.validate_certificate()   File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 709, in validate_certificate     raise AuthenticationError( vmware.appliance.extensions.authentication.authentication_sso.AuthenticationError: One or more certificates cannot be verified.

• This behavior is caused by the SystemConfiguration.Administrators group missing for the token on the environment Or if the SystemConfiguration.Administrators group is present an expired STS Tenant can also cause this behaviour.