Virtual Machine Permission requirements for Remote Console Access when Encryption is enabled

Article ID: 384499


Products

VMware vCenter Server

Issue/Introduction

Remote Console access to a virtual machine through the vCenter UI fails for a User/Group with an error similar to the one below when encryption is enabled in the environment and insufficient privileges are assigned:

Unable to connect to the Virtual Machine web console: Permission to perform this operation was denied. 

/var/log/vmware/vpxd/vpxd.log may contain entries similar to the following:

[YYYY-MM-DDTHH:MM:SS] error vpxd[####] [Originator@#### sub=Default opID=<OP ID>] [VpxLRO] -- ERROR lro-####-- <Session ID>(#################) -- vm-<VM ID>-- vim.VirtualMachine.acquireTicket: :vim.fault.NoPermission
--> Result:
--> (vim.fault.NoPermission) {
-->    faultCause = (vmodl.MethodFault) null, 
-->    faultMessage = <unset>, 
-->    object = 'vim.VirtualMachine:#######################:vm-<VM ID>', 
-->    privilegeId = "Cryptographer.Access", 
-->    missingPrivileges = (vim.fault.NoPermission.EntityPrivileges) [
-->       (vim.fault.NoPermission.EntityPrivileges) {
-->          entity = 'vim.VirtualMachine:#####################:vm-<VM ID>', 
-->          privilegeIds = (string) [
-->             "Cryptographer.Access"
-->          ]
-->       }
-->    ]
-->    msg = ""
--> }
--> Args:
--> 
--> Arg ticketType:
--> "webmks"
[YYYY-MM-DDTHH:MM:SS] info vpxd[####] [Originator@#### sub=vpxLro opID=<OP ID>] [VpxLRO] -- BEGIN lro-##### -- vm-<VM ID> -- vim.VirtualMachine.acquireTicket -- <Session ID>(###################)
[YYYY-MM-DDTHH:MM:SS] warning vpxd[####] [Originator@#### sub=CryptoManager opID=<OP ID>] The session <ID> of user VSPHERE.LOCAL\xxx does not have privilege Cryptographer.Access on entity [vim.VirtualMachine:vm-<VM ID>,VM-NAME

Environment

VMware vCenter Server 7.0 
VMware vCenter Server 8.0

Cause

The User/Group is missing the "Direct Access" privilege under Cryptographic operations. This privilege is required for console access when encryption is enabled or when a vTPM module is attached to the virtual machine.

Resolution

The following privilege must be granted for Remote Console Access: Cryptographic operations -> Direct Access

Steps to apply required privileges to a User/Group when Encryption is enabled:

  1. Log in to vCenter Server.
  2. Navigate to the VMs and Templates tab and select the Folder containing the VMs.
  3. Right-click the Folder (or select the Actions menu) and click Add Permission.
  4. Select the Domain (e.g., abc.local) and search for the specific User/Group.
  5. Under the Role dropdown, select a role (e.g., Administrator) that allows Cryptographic operations.
    • Note: Ensure the selected role has the specific privilege: Cryptographic operations -> Direct Access.
  6. Click OK to save.
  7. Users should now be able to access the VM's web console.

For more information on this privilege, see the following documentation: Cryptographic Operations Privileges
In addition to the above, ensure that Virtual Machine Interaction privileges are also granted to the User/Group; see the following document: Virtual Machine Interaction Privileges
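As an added example (not part of this article or of vCenter itself), a small Python triage helper for the situation described above: it pulls the user and VM out of the CryptoManager denial lines from vpxd.log, groups them so the permission can be granted once per user, and checks a role's privilege list against the two privileges this article says console access needs. The sample log lines are constructed, and the Virtual Machine Interaction privilege ID VirtualMachine.Interact.ConsoleInteract is taken from the standard vSphere privilege list rather than from this article.

```python
import re
from collections import defaultdict

# Privilege IDs a role needs for web console access to an encrypted or
# vTPM-equipped VM: the article's Cryptographer.Access ("Cryptographic
# operations > Direct Access") plus the Virtual Machine Interaction console
# privilege, whose ID (VirtualMachine.Interact.ConsoleInteract) is not in the article.
REQUIRED_CONSOLE_PRIVILEGES = frozenset({
    "Cryptographer.Access",
    "VirtualMachine.Interact.ConsoleInteract",
})

# Matches the CryptoManager warning quoted in the article; one entry per log line.
_WARN_RE = re.compile(
    r"sub=CryptoManager.*?user (?P<user>\S+) does not have privilege "
    r"(?P<priv>[\w.]+) on entity \[vim\.VirtualMachine:(?P<vm>vm-\d+),(?P<name>[^\]\n]*)"
)

def find_missing_privilege_events(log_text):
    """Return (user, vm_moref, vm_name, privilege) for every CryptoManager denial."""
    return [(m["user"], m["vm"], m["name"].strip(), m["priv"])
            for m in _WARN_RE.finditer(log_text)]

def users_needing_grant(events):
    """Group denied VMs by user so the missing permission is granted once per user."""
    grants = defaultdict(set)
    for user, vm, _name, _priv in events:
        grants[user].add(vm)
    return {user: sorted(vms) for user, vms in grants.items()}

def missing_console_privileges(role_privileges):
    """Privileges from REQUIRED_CONSOLE_PRIVILEGES that a role does not carry."""
    return sorted(REQUIRED_CONSOLE_PRIVILEGES - set(role_privileges))

# Constructed vpxd.log excerpt modelled on the article's entries (not real data).
SAMPLE_LOG = r"""
2024-01-01T10:00:00.000Z info vpxd[12345] [Originator@6876 sub=vpxLro opID=a1b2] [VpxLRO] -- BEGIN lro-1 -- vm-1001 -- vim.VirtualMachine.acquireTicket -- 52c0(5220)
2024-01-01T10:00:00.010Z warning vpxd[12345] [Originator@6876 sub=CryptoManager opID=a1b2] The session 52c0 of user VSPHERE.LOCAL\console-ops does not have privilege Cryptographer.Access on entity [vim.VirtualMachine:vm-1001,app-db-01]
2024-01-01T10:02:13.400Z warning vpxd[12345] [Originator@6876 sub=CryptoManager opID=c3d4] The session 52c1 of user VSPHERE.LOCAL\console-ops does not have privilege Cryptographer.Access on entity [vim.VirtualMachine:vm-1002,app-web-01]
"""

if __name__ == "__main__":
    events = find_missing_privilege_events(SAMPLE_LOG)
    for user, vms in users_needing_grant(events).items():
        print(f"{user} needs Cryptographer.Access on: {', '.join(vms)}")
    print(missing_console_privileges(["System.View", "VirtualMachine.Interact.ConsoleInteract"]))
```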