"Session Not Authenticated" Error When Managing vSAN in vSphere Client After vCenter Upgrade to 8.x

Article ID: 367591

Updated On:

Products

VMware vCenter Server 8.0

Issue/Introduction

  • vSAN Skyline Health alarms may be seen, such as:
    • vSAN cluster alarm "vSAN Cluster Configuration Consistency"
    • vSAN cluster alarm "vSAN daemon liveness"
    • vSAN physical disk alarm "Physical disk health retrieval issue"
    • vSAN performance service alarm "Performance service status"
    • vSAN hardware compatibility alarm "Host issues retrieving hardware info"
  • Accessing functions such as <Cluster> -> Configure -> Services or <Cluster> -> Configure -> Disk Management displays a "Session Not authenticated" error.

  • Messages like the following may appear in /var/log/vmware/vsan-health/vsanmgmtd.log on the vCenter Server:

2024-04-17T14:19:12.120-05:00 info vsanvcmgmtd[256466] [vSAN@6876 sub=vmomi.soapStub[4] opId=d836afeb] SOAP request returned HTTP failure; <<cs p:00007f67e00b1220, TCP:localhost:8085>, /sdk>, method: fetchVsanSharedSecret; code: 500(Internal Server Error); fault: (vim.fault.NoPermission) {
-->    faultCause = (vmodl.MethodFault) null,
-->    faultMessage = <unset>,
-->    object = 'vim.HostSystem:cdef2f69-####-####-####-face92176c4b:host-345716',
-->    privilegeId = "Host.Config.Storage",
-->    missingPrivileges = (vim.fault.NoPermission.EntityPrivileges) [
-->       (vim.fault.NoPermission.EntityPrivileges) {
-->          entity = 'vim.host.VsanSystem:cdef2f69-####-####-####-face92176c4b:vsanSystem-345716',
-->          privilegeIds = (string) [
-->             "Host.Config.Storage"
-->          ]
-->       }
-->    ]
-->    msg = "Received SOAP response fault from [<<cs p:00007f67e00b1220, TCP:localhost:8085>, /sdk>]: fetchVsanSharedSecret
--> Permission to perform this operation was denied."
--> }

  • When connected to the VCSA via SSH as the root user, run the command "journalctl -xe". An error like the one below, related to the "vpxd-extension" user, may be present.

    Month DD HH:MM:SS [email protected] vpxd[3889977]: [161136239] [Privilege check failed for user VSPHERE.LOCAL\vpxd-extension-3######-7###-4-################# for missing permission Host.Config.Storage. Session user performing the check: ]

  • The permissions role for "vpxd-extension-#####" is missing when viewed in the vSphere Client under vCenter > Permissions (search the "User/Group" column for "vpxd-extension").
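
The privilege-check failures shown above can be summarised per user and privilege, which also yields the exact "vpxd-extension-####" name needed in the Resolution. This is an added example, not part of the original article; the function names and the sample journal lines (host name, PIDs, user ids) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB): summarise vpxd "Privilege check failed"
# journal entries as user<TAB>privilege<TAB>count, one line per distinct pair.
# On the VCSA, feed it with:  journalctl --no-pager | summarize_priv_failures

summarize_priv_failures() {
    awk '
    /Privilege check failed for user / {
        line = $0
        sub(/.*Privilege check failed for user /, "", line)
        sep = " for missing permission "
        n = index(line, sep)
        if (n == 0) next                      # truncated entry, skip it
        user = substr(line, 1, n - 1)
        priv = substr(line, n + length(sep))
        sub(/[^A-Za-z0-9_.].*/, "", priv)     # drop text after the privilege id
        sub(/\.$/, "", priv)                  # drop the sentence-ending period
        count[user "\t" priv]++
    }
    END { for (k in count) printf "%s\t%d\n", k, count[k] }
    ' | sort
}

# Names of vpxd-extension solution users that failed a privilege check.
vpxd_extension_users() {
    summarize_priv_failures | awk -F "\t" '$1 ~ /vpxd-extension-/ { print $1 }' | sort -u
}

# Constructed sample journal lines (host name, PIDs and user ids are made up).
sample_journal() {
    cat <<'EOF'
Apr 17 14:19:12 vcsa.example.test vpxd[1001]: [1] [Privilege check failed for user VSPHERE.LOCAL\vpxd-extension-00000000-0000-0000-0000-000000000000 for missing permission Host.Config.Storage. Session user performing the check: ]
Apr 17 14:19:40 vcsa.example.test vpxd[1001]: [2] [Privilege check failed for user VSPHERE.LOCAL\vpxd-extension-00000000-0000-0000-0000-000000000000 for missing permission Host.Config.Storage. Session user performing the check: ]
Apr 17 14:20:03 vcsa.example.test vpxd[1001]: [3] [Privilege check failed for user VSPHERE.LOCAL\constructed-user for missing permission System.View. Session user performing the check: ]
Apr 17 14:20:05 vcsa.example.test systemd[1]: Started Session 12 of user root.
EOF
}

sample_journal | summarize_priv_failures
```

A user that keeps appearing with the same missing privilege after the permission change indicates the role was not propagated to the affected object.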

Environment

After upgrade of vCenter 7.x to 8.x

Cause

A low-level permission role was assigned to a hidden group in the vCenter Database.

  • The database may have to be manually edited to remove the unneeded role. 
  • The hidden group is the vsphere.local\Users group. 
  • The "Virtual Console Users" role was assigned to the group at the cluster level.
  • The vpxd-extension user is missing permissions/privileges.

Resolution

Add the "vpxd-extension" user to the Global permissions and propagate the permission to children.

  1. Log in to the vCenter and click the menu button (three horizontal lines at the top left of the vSphere client). 
  2. Navigate to "Administration > Global permissions > Add".
  3. Select the domain "vsphere.local" (or the custom local domain name if different).
  4. Using the filter for the "User/Group" column, search for "vpxd-ext".

  5. If the user is not listed or shows a different role, add the "Administrator" role to the user copied from the journalctl error ("vpxd-extension-####"), select the "Propagate to children" check box, and click "OK".

    Note: If the "Administrator" role is already listed for "Global Permission", it is possible that the "Propagate to children" check box was not selected. To resolve this, select the user and click "Edit", then select the check box and click "OK".