This article explains how to identify the issue where DRS fails to migrate encrypted virtual machines off a host that is being put into maintenance mode because the user lacks the “Cryptographic operations > Migrate” privilege, and how to work around it.
The error is reported in /var/log/vmware/vpxd/vpxd.log as follows:
YYYY-MM-DDThh:mm:ss.472Z info vpxd[06061] [Originator@6876 sub=drsExec opID=<op_id>] Executing DRM recommended vMotion in [vim.ClusterComputeResource:domain-c<id>,esxi_name], migrating [vim.VirtualMachine:vm-<vm_id>,vm_name] from vim.HostSystem:host-<src_id> to vim.HostSystem:host-<dstn_id>
……..
YYYY-MM-DDThh:mm:ss.494Z info vpxd[06061] [Originator@6876 sub=pbm opID=<op_id>-01] pre migrate callback is skipped - for cached from pre migrate check reason
YYYY-MM-DDThh:mm:ss.494Z warning vpxd[06061] [Originator@6876 sub=CryptoManager opID=<op_id>-01] The session xx-yy-zz of user DOMAIN\user_name does not have privilege Cryptographer.Migrate on entity [vim.VirtualMachine:vm-<vm_id>,vm_name].
………
YYYY-MM-DDThh:mm:ss.527Z error vpxd[06061] [Originator@6876 sub=VmProv opID=<op_id>-01] Local-VC Host Migrate failed at vpx.vmprov.InvokeCallbacks for poweredOn VM 'vm_name' (vm-<vm_id>, ds:///vmfs/volumes/<datastore_id>/vm_name/vm_name.vmx) on host-<src_id> (2620:10d:c0a9:4::474) in pool resgroup-X with ds ds:///vmfs/volumes/6<datastore_id>/ to host-<dstn_id> (2620:10d:c0a9:4::481) in pool resgroup-X with ds ds:///vmfs/volumes/<datastore_id>/ with migId <migration_id> with fault vim.fault.NoPermission: as Operation: Local-VC_DRS_MM_ComputevMotion
VMware vCenter Server 7.x
VMware vCenter Server 8.x
When a user puts a host running encrypted VMs into maintenance mode, DRS migrates the encrypted VMs under that user's session context, even though the migration is a system action rather than something the user initiated. If that user lacks the Cryptographer.Migrate privilege, the migration fails. The pre-migrate callback check for an encrypted VM does not verify whether the recommendation came from DRS.
This is a known issue and engineering is working on a fix.
To work around this issue, check whether the user account putting the host into maintenance mode has the required cryptographic privilege: Cryptographic operations > Migrate.
To add the missing privilege, follow these steps:
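To triage this from vpxd.log, the following Python script (an added example, not part of the article) correlates the CryptoManager privilege warning with the DRS recommendation and the VmProv fault by opID, so each denied migration is reported with the user, session, VM and missing privilege. The log lines embedded in the script are constructed to match the excerpt above; the opID, session and host values are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like the vpxd.log excerpt above (values are placeholders).
SAMPLE_LOG = """\
2024-01-01T10:00:00.472Z info vpxd[06061] [Originator@6876 sub=drsExec opID=abc123] Executing DRM recommended vMotion in [vim.ClusterComputeResource:domain-c8,cluster01], migrating [vim.VirtualMachine:vm-101,db01] from vim.HostSystem:host-12 to vim.HostSystem:host-13
2024-01-01T10:00:00.494Z warning vpxd[06061] [Originator@6876 sub=CryptoManager opID=abc123-01] The session 11-22-33 of user CORP\\jdoe does not have privilege Cryptographer.Migrate on entity [vim.VirtualMachine:vm-101,db01].
2024-01-01T10:00:00.527Z error vpxd[06061] [Originator@6876 sub=VmProv opID=abc123-01] Local-VC Host Migrate failed at vpx.vmprov.InvokeCallbacks for poweredOn VM 'db01' (vm-101, ds:///vmfs/volumes/ds-1/db01/db01.vmx) on host-12 (10.0.0.12) in pool resgroup-1 with ds ds:///vmfs/volumes/ds-1/ to host-13 (10.0.0.13) in pool resgroup-1 with ds ds:///vmfs/volumes/ds-1/ with migId 555 with fault vim.fault.NoPermission: as Operation: Local-VC_DRS_MM_ComputevMotion
2024-01-01T10:05:00.100Z warning vpxd[06061] [Originator@6876 sub=CryptoManager opID=def456-01] The session 44-55-66 of user CORP\\svc does not have privilege Cryptographer.Migrate on entity [vim.VirtualMachine:vm-202,web01].
"""

OPID_RE = re.compile(r"opID=(?P<opid>[^\s\]]+)")
DRS_RE = re.compile(r"sub=drsExec .*Executing DRM recommended vMotion")
PRIV_RE = re.compile(
    r"sub=CryptoManager .*The session (?P<session>\S+) of user (?P<user>\S+) "
    r"does not have privilege (?P<priv>\S+) on entity \[(?P<entity>[^\]]+)\]")
FAULT_RE = re.compile(r"sub=VmProv .*Host Migrate failed .*with fault (?P<fault>vim\.fault\.\w+)")


def base_opid(opid):
    # Child operations carry a "-NN" suffix (opID=<op_id>-01); strip it to group them with the parent.
    return re.sub(r"-\d+$", "", opid)


def find_blocked_encrypted_migrations(log_text):
    """Return {opID: details} for every operation denied because a privilege was missing."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = OPID_RE.search(line)
        if not m:
            continue
        op = ops[base_opid(m.group("opid"))]
        op.setdefault("drs_initiated", False)  # True once a drsExec recommendation is seen
        if DRS_RE.search(line):
            op["drs_initiated"] = True
        elif (p := PRIV_RE.search(line)):
            op.update(user=p["user"], session=p["session"], privilege=p["priv"], entity=p["entity"])
        elif (f := FAULT_RE.search(line)):
            op["fault"] = f["fault"]
    return {opid: op for opid, op in ops.items() if "privilege" in op}


if __name__ == "__main__":
    for opid, op in find_blocked_encrypted_migrations(SAMPLE_LOG).items():
        origin = "DRS-initiated" if op["drs_initiated"] else "not DRS-initiated"
        print(f"{opid}: user {op['user']} lacks {op['privilege']} on {op['entity']} ({origin}, fault {op.get('fault', 'n/a')})")
```

Run it against a real vpxd.log by passing the file contents to find_blocked_encrypted_migrations; a finding that is DRS-initiated is the pattern this article describes.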