Virtual Machine Permission requirements for Remote Console Access when Encryption is enabled

Article ID: 384499

Products

VMware vCenter Server

Issue/Introduction

Remote Console access to a virtual machine through the vCenter UI fails for a User/Group with an error similar to the following when encryption is enabled in the environment and insufficient privileges are assigned:

Unable to connect to the Virtual Machine web console: Permission to perform this operation was denied. 

In /var/log/vmware/vpxd/vpxd.log, you may see entries similar to the following:

[YYYY-MM-DDTHH:MM:SS] error vpxd[06788] [Originator@6876 sub=Default opID=<OP ID>] [VpxLRO] -- ERROR lro-####-- <Session ID>(#################) -- vm-<VM ID>-- vim.VirtualMachine.acquireTicket: :vim.fault.NoPermission
--> Result:
--> (vim.fault.NoPermission) {
-->    faultCause = (vmodl.MethodFault) null, 
-->    faultMessage = <unset>, 
-->    object = 'vim.VirtualMachine:#######################:vm-<VM ID>', 
-->    privilegeId = "Cryptographer.Access", 
-->    missingPrivileges = (vim.fault.NoPermission.EntityPrivileges) [
-->       (vim.fault.NoPermission.EntityPrivileges) {
-->          entity = 'vim.VirtualMachine:#####################:vm-<VM ID>', 
-->          privilegeIds = (string) [
-->             "Cryptographer.Access"
-->          ]
-->       }
-->    ]
-->    msg = ""
--> }
--> Args:
--> 
--> Arg ticketType:
--> "webmks"
[YYYY-MM-DDTHH:MM:SS] info vpxd[06784] [Originator@6876 sub=vpxLro opID=<OP ID>] [VpxLRO] -- BEGIN lro-205171 -- vm-<VM ID> -- vim.VirtualMachine.acquireTicket -- <Session ID>(###################)
[YYYY-MM-DDTHH:MM:SS] warning vpxd[06784] [Originator@6876 sub=CryptoManager opID=<OP ID>] The session <ID> of user VSPHERE.LOCAL\xxx does not have privilege Cryptographer.Access on entity [vim.VirtualMachine:vm-<VM ID>,VM-NAME
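
A triage sketch for the log signature above, added here as an example (it is not VMware code): it extracts the VM, the missing privilege IDs, the ticket type and the affected user from vpxd.log text. The sample log is constructed, the function and field names are hypothetical, and matching the CryptoManager warning to the fault by opID is an assumption.

```python
import re

# Constructed sample in the vpxd.log layout shown above; IDs, user and VM name are made up.
SAMPLE_LOG = r"""2024-01-01T10:00:00.100Z warning vpxd[06784] [Originator@6876 sub=CryptoManager opID=abc-01] The session 52aa of user VSPHERE.LOCAL\alice does not have privilege Cryptographer.Access on entity [vim.VirtualMachine:vm-42,app01]
2024-01-01T10:00:00.200Z error vpxd[06788] [Originator@6876 sub=Default opID=abc-01] [VpxLRO] -- ERROR lro-1001 -- 52aa(52bb) -- vm-42 -- vim.VirtualMachine.acquireTicket: :vim.fault.NoPermission
--> (vim.fault.NoPermission) {
-->    privilegeId = "Cryptographer.Access",
-->    missingPrivileges = (vim.fault.NoPermission.EntityPrivileges) [
-->       (vim.fault.NoPermission.EntityPrivileges) {
-->          entity = 'vim.VirtualMachine:1111:vm-42',
-->          privilegeIds = (string) [
-->             "Cryptographer.Access"
-->          ]
-->       }
-->    ]
--> }
--> Arg ticketType:
--> "webmks"
"""

FAULT = re.compile(r"opID=(?P<op>[^\]\s]+)\].*ERROR lro-\d+.*--\s*(?P<vm>vm-\d+)\s*--\s*"
                   r"(?P<method>vim\.[\w.]+):\s*:?\s*vim\.fault\.NoPermission")
DENIED = re.compile(r"opID=(?P<op>[^\]\s]+)\].*of user (?P<user>\S+) does not have privilege")
PRIV = re.compile(r'^-->\s+"(?P<priv>[A-Za-z]+\.[\w.]+)"')  # entries of the privilegeIds list
TICKET = re.compile(r'^-->\s+"(?P<t>\w+)"\s*$')             # value after "Arg ticketType:"

def missing_privileges(log_text):
    """One record per NoPermission fault; the user comes from the CryptoManager warning."""
    faults, users, current, want_ticket = {}, {}, None, False
    for line in log_text.splitlines():
        if not line.startswith("-->"):           # a new log entry starts here
            current, want_ticket = None, False
            if m := FAULT.search(line):
                current = faults.setdefault(m["op"], {"op_id": m["op"], "vm": m["vm"],
                    "method": m["method"], "privileges": [], "ticket_type": None})
            elif m := DENIED.search(line):
                users[m["op"]] = m["user"]
        elif current is not None:                # continuation line of a fault entry
            if "Arg ticketType" in line:
                want_ticket = True
            elif want_ticket and (m := TICKET.match(line)):
                current["ticket_type"], want_ticket = m["t"], False
            elif (m := PRIV.match(line)) and m["priv"] not in current["privileges"]:
                current["privileges"].append(m["priv"])
    # Assumption: the warning and the fault of one request carry the same opID.
    return [dict(rec, user=users.get(op)) for op, rec in faults.items()]
```

Records whose privileges list contains Cryptographer.Access identify the users and VMs that need the role change described under Resolution.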

Environment

VMware vCenter Server 7.0 

VMware vCenter Server 8.0 

Cause

The User/Group is missing the "Direct Access" privilege under Cryptographic operations. This privilege is required when encryption is enabled or if a vTPM module is attached to a virtual machine.

Resolution

Ensure that the required privileges are applied to the role attached to the User/Group when encryption is enabled in the environment.

  • When encryption is enabled, you require the following privilege to allow Remote Console Access: Cryptographic operations -> Direct Access

For more information on this privilege, please see the following documentation: Cryptographic Operations Privileges