AD users removed from the SSO group VSPHERE.LOCAL\Administrators are still able to login to vCenter Server even though no permission to login

Article ID: 376607

Products

VMware vCenter Server 8.0

Issue/Introduction

  • AD users that were previously added to the VSPHERE.LOCAL\Administrators group are still able to log in to vCenter Server even after the specific user(s) have been removed from the group.
  • This issue is observed on vCenter Servers in an Enhanced Linked Mode (ELM) environment.
  • The following entries are logged in /var/log/vmware/vpxd/vpxd.log when the user tries to log in:

YYYY-MM-DDTHH:MM:SS.519Z info vpxd[0940] [Originator@6876 sub=AuthorizeManager] [Auth] : User domain.com\userid
YYYY-MM-DDTHH:MM:SS.519Z info vpxd[0940] [Originator@6876 sub=UserDirectorySso] GetUserInfoInternal (VSPHERE.LOCAL\Administrators, true) res: VSPHERE.LOCAL\Administrators

  • The log entries above indicate that the user is still being granted permission through the VSPHERE.LOCAL\Administrators group.
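The two log lines quoted above are the evidence to look for: an [Auth] line naming the user, followed by a GetUserInfoInternal line showing which SSO group the lookup resolved for that login. The script below is an added example (not VMware code, and not part of this article) that scans vpxd.log text for that pattern and reports which users were still authorized through VSPHERE.LOCAL\Administrators, so an administrator can verify the removal took effect after following the resolution steps. It assumes the log lines appear in timestamp order and that each GetUserInfoInternal entry belongs to the most recent preceding [Auth] line; the sample log embedded in it is constructed from the format shown in the article, with made-up user names.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the vpxd.log entries quoted in the article.
# domain.com\jdoe still resolves the Administrators group; domain.com\asmith
# resolves an ordinary AD group (the group name "vcops" is made up).
SAMPLE_LOG = (
    "2024-01-01T10:00:00.519Z info vpxd[0940] [Originator@6876 sub=AuthorizeManager] "
    "[Auth] : User domain.com\\jdoe\n"
    "2024-01-01T10:00:00.519Z info vpxd[0940] [Originator@6876 sub=UserDirectorySso] "
    "GetUserInfoInternal (VSPHERE.LOCAL\\Administrators, true) res: VSPHERE.LOCAL\\Administrators\n"
    "2024-01-01T10:05:00.100Z info vpxd[0940] [Originator@6876 sub=AuthorizeManager] "
    "[Auth] : User domain.com\\asmith\n"
    "2024-01-01T10:05:00.101Z info vpxd[0940] [Originator@6876 sub=UserDirectorySso] "
    "GetUserInfoInternal (domain.com\\vcops, true) res: domain.com\\vcops\n"
)

# The [Auth] line carries the user being authorized.
AUTH_RE = re.compile(r"sub=AuthorizeManager\] \[Auth\] : User (\S+)")
# The UserDirectorySso line carries the group the SSO lookup resolved.
GROUP_RE = re.compile(
    r"sub=UserDirectorySso\] GetUserInfoInternal \(([^,]+), \w+\) res: (\S+)"
)

ADMIN_GROUP = "VSPHERE.LOCAL\\Administrators"


def authorizing_groups(log_text):
    """Map each user seen in an [Auth] line to the set of groups resolved for that
    login. Assumption: the log is in order, so each GetUserInfoInternal line is
    attributed to the most recent preceding [Auth] line."""
    result = defaultdict(set)
    current_user = None
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            current_user = m.group(1)
            result.setdefault(current_user, set())
            continue
        m = GROUP_RE.search(line)
        if m and current_user is not None:
            result[current_user].add(m.group(2))
    return dict(result)


def users_via_group(log_text, group=ADMIN_GROUP):
    """Sorted list of users whose login resolved the given group (case-insensitive)."""
    wanted = group.lower()
    return sorted(
        user for user, groups in authorizing_groups(log_text).items()
        if wanted in {g.lower() for g in groups}
    )


def check_removed_users(log_text, removed_users, group=ADMIN_GROUP):
    """Users from removed_users that still resolve the group: these are the
    accounts for which the removal has not taken effect yet."""
    still = {u.lower() for u in users_via_group(log_text, group)}
    return sorted(u for u in removed_users if u.lower() in still)


if __name__ == "__main__":
    # Read the real log with: open("/var/log/vmware/vpxd/vpxd.log").read()
    removed = ["domain.com\\jdoe", "domain.com\\asmith"]
    for user, groups in authorizing_groups(SAMPLE_LOG).items():
        print(f"{user}: {sorted(groups)}")
    leftovers = check_removed_users(SAMPLE_LOG, removed)
    print("still authorized via", ADMIN_GROUP, ":", leftovers or "none")
```

Run it against a copy of vpxd.log taken after the affected user attempts to log in; an empty result for check_removed_users means the removal has propagated, while any user listed there is still being authorized through the Administrators group and needs the re-add/remove cycle from the Resolution section.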

Environment

VMware vCenter Server 8.x

Resolution

  1. Log in to the vSphere Client on any of the vCenter Servers in Linked Mode using SSO Administrator credentials.
  2. Re-add the removed user(s) to the VSPHERE.LOCAL\Administrators group from Administration -> Users and Groups -> Groups.
  3. Wait a couple of minutes, then remove the user(s) from the Administrators group again.
  4. Log in to vCenter Server again with the removed user's credentials. The login must now fail with the error "Unable to login because you do not have permission on any vCenter Server systems connected to this client."