Console access fails for Encrypted or vTPM Virtual Machines in vSphere with "Permission to perform this operation was denied."


Article ID: 384499


Products

VMware vCenter Server

Issue/Introduction

  • Console access to an encrypted virtual machine (VM) or a VM with a virtual TPM (vTPM) through the vCenter UI fails with the following error messages:

    • From the web console: Unable to connect to the Virtual Machine web console: Permission to perform this operation was denied.

    • From VMware Remote Console (VMRC): Unable to connect to MKS: Permission to perform this operation was denied.

  • The following error is logged in /var/log/vmware/vpxd/vpxd.log on vCenter Server:

    [YYYY-MM-DDTHH:MM:SS:ZZZ] error vpxd[#####] [Originator@#### sub=Default opID=<OP_ID>] [VpxLRO] -- ERROR lro-######## -- <Session ID>(########-####-####-####-############) -- vm-<VM-ID> -- vim.VirtualMachine.acquireTicket: :vim.fault.NoPermission
    --> Result:
    --> (vim.fault.NoPermission) {
    -->    faultCause = (vmodl.MethodFault) null,
    -->    faultMessage = <unset>,
    -->    object = 'vim.VirtualMachine:########-####-####-####-############:vm-<VM-ID>',
    -->    privilegeId = "Cryptographer.Access",
    -->    missingPrivileges = (vim.fault.NoPermission.EntityPrivileges) [
    -->       (vim.fault.NoPermission.EntityPrivileges) {
    -->          entity = 'vim.VirtualMachine:########-####-####-####-############:vm-<VM-ID>',
    -->          privilegeIds = (string) [
    -->             "Cryptographer.Access"
    -->          ]
    -->       }
    -->    ]
    -->    msg = ""
    --> }
    --> Args:
    -->
    --> Arg ticketType:
    --> "webmks"

Environment

VMware vCenter Server

Cause

The error "Permission to perform this operation was denied" occurs because the user's assigned role is missing the Direct Access privilege under Cryptographic operations (reported in vpxd.log as the missing privilege ID Cryptographer.Access). This privilege is mandatory for acquiring a console ticket (webmks) for any encrypted or vTPM-enabled Virtual Machine.

Resolution

To restore console access, add the required privilege to the user's role:

  1. Log in to vCenter Server with administrative privileges.
  2. Navigate to Menu > Administration > Access Control > Roles.
  3. Select the specific role assigned to the user or group.
  4. Edit the role and enable the Cryptographic operations > Direct Access privilege.
  5. Click OK to save the changes.

Additional Information

If the VM is part of a cluster with DRS enabled, you should also ensure the Cryptographic operations > Migrate and Read KMS information privileges are granted to prevent issues during automated migrations.
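The following is an added example, not part of this KB article: it parses the vim.fault.NoPermission record shown above out of vpxd.log text to confirm which privilege ID a failed acquireTicket call was missing, and compares a role's privilege list against what the Cause and Additional Information sections require. The log sample is constructed with placeholder IDs; Cryptographer.Access is the ID quoted in the log, while Cryptographer.Migrate and Cryptographer.ReadKeyServersInfo are assumed to be the API names of the Migrate and Read KMS information privileges.

```python
import re

# Constructed sample vpxd.log excerpt modelled on the block quoted in this KB
# (placeholder timestamp, IDs and session values; not a real log).
SAMPLE_VPXD_LOG = """\
2024-01-01T00:00:00.000Z error vpxd[12345] [Originator@6876 sub=Default opID=op1] [VpxLRO] -- ERROR lro-1 -- s1(00000000-0000-0000-0000-000000000000) -- vm-101 -- vim.VirtualMachine.acquireTicket: :vim.fault.NoPermission
--> Result:
--> (vim.fault.NoPermission) {
-->    privilegeId = "Cryptographer.Access",
-->    missingPrivileges = (vim.fault.NoPermission.EntityPrivileges) [
-->       (vim.fault.NoPermission.EntityPrivileges) {
-->          entity = 'vim.VirtualMachine:00000000-0000-0000-0000-000000000000:vm-101',
-->          privilegeIds = (string) [
-->             "Cryptographer.Access"
-->          ]
-->       }
-->    ]
--> }
--> Args:
-->
--> Arg ticketType:
--> "webmks"
"""

def parse_noperm_faults(log_text):
    """One dict per vim.fault.NoPermission record: the VM, the requested
    ticket type and the privilege IDs the caller's role lacked.
    A record is a header line plus its '-->' continuation lines."""
    faults = []
    for rec in re.split(r"\n(?!-->)", log_text):
        if "vim.fault.NoPermission" not in rec:
            continue
        vm = re.search(r"-- (vm-\d+) --", rec)
        ticket = re.search(r'Arg ticketType:\s*\n-->\s*"([^"]+)"', rec)
        privs = set()
        for block in re.findall(r"privilegeIds = \(string\) \[(.*?)\]", rec, re.S):
            privs.update(re.findall(r'"([^"]+)"', block))
        faults.append({"vm": vm.group(1) if vm else None,
                       "ticket_type": ticket.group(1) if ticket else None,
                       "missing": sorted(privs)})
    return faults

def missing_crypto_privileges(role_privilege_ids, drs_cluster=False):
    """Privilege IDs the role still needs for console access to an encrypted
    or vTPM VM; pass the strings from the role's privilege list (pyVmomi:
    authorizationManager.roleList[i].privilege). DRS IDs are assumed names."""
    needed = {"Cryptographer.Access"}
    if drs_cluster:
        needed |= {"Cryptographer.Migrate", "Cryptographer.ReadKeyServersInfo"}
    return sorted(needed - set(role_privilege_ids))
```

Feed the live role's privilege list into missing_crypto_privileges and add whatever it returns through the Roles UI steps above, or via the role update API your automation already uses.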

Please refer to the following document for more information on cryptographic privileges: Cryptographic Operations Privileges
Additionally, ensure the other required Virtual Machine Interaction privileges are also granted. Reference: Virtual Machine Interaction Privileges