DRS fails to migrate powered on encrypted vms with error: “Permission to perform this operation was denied. You do not hold privileges”


Article ID: 386904


Products

VMware vCenter Server

Issue/Introduction

When DRS attempts to migrate a powered-on encrypted virtual machine (for example, while a host is being placed into maintenance mode), the operation consistently fails with the error "Permission to perform this operation was denied. You do not hold privileges".

The following entries appear in /var/log/vmware/vpxd/vpxd.log on the vCenter Server appliance (the DRS recommendation, the CryptoManager privilege check and the resulting NoPermission fault share the same opID):

YYYY-MM-DDThh:mm:ss.472Z info vpxd[06061] [Originator@6876 sub=drsExec opID=<op_id>] Executing DRM recommended vMotion in [vim.ClusterComputeResource:domain-c<id>,esxi_name], migrating [vim.VirtualMachine:vm-<vm_id>,vm_name] from vim.HostSystem:host-<src_id> to vim.HostSystem:host-<dstn_id>
……..
YYYY-MM-DDThh:mm:ss.494Z info vpxd[06061] [Originator@6876 sub=pbm opID=<op_id>-01] pre migrate callback is skipped - for cached from pre migrate check reason
YYYY-MM-DDThh:mm:ss.494Z warning vpxd[06061] [Originator@6876 sub=CryptoManager opID=<op_id>-01] The session xx-yy-zz of user DOMAIN\user_name does not have privilege Cryptographer.Migrate on entity [vim.VirtualMachine:vm-<vm_id>,vm_name].
………
YYYY-MM-DDThh:mm:ss.527Z error vpxd[06061] [Originator@6876 sub=VmProv opID=<op_id>-01] Local-VC Host Migrate failed at vpx.vmprov.InvokeCallbacks for poweredOn VM 'vm_name' (vm-<vm_id>, ds:///vmfs/volumes/<datastore_id>/vm_name/vm_name.vmx) on host-<src_id> (#########) in pool resgroup-X with ds ds:///vmfs/volumes/6<datastore_id>/ to host-<dstn_id> (#########) in pool resgroup-X with ds ds:///vmfs/volumes/<datastore_id>/ with migId <migration_id> with fault vim.fault.NoPermission:  as Operation: Local-VC_DRS_MM_ComputevMotion
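The three log entries above are the signature of this problem: a DRS-initiated vMotion (sub=drsExec), a CryptoManager warning naming the session user and the missing privilege, and the VmProv failure with vim.fault.NoPermission, all tied together by the opID. The PowerShell function below is an added triage example, not part of this article, that scans vpxd.log lines for the CryptoManager denial and correlates it back to the DRS recommendation by opID so you can tell which user context DRS was running under and whether the migration was system-initiated. The sample log lines are constructed to match the excerpt above (user, VM names and opIDs are invented), and the handling of the "-01" child-operation suffix is a heuristic based on that excerpt.

```powershell
# Added example (not from the KB): find DRS vMotions that were denied for a missing
# Cryptographer.* privilege in vpxd.log and report the user whose session DRS used.
# The lines below are a constructed sample modelled on the KB excerpt.
$SampleLog = @'
2024-01-01T10:00:00.472Z info vpxd[06061] [Originator@6876 sub=drsExec opID=abc123] Executing DRM recommended vMotion in [vim.ClusterComputeResource:domain-c7,esxi01], migrating [vim.VirtualMachine:vm-101,enc-vm01] from vim.HostSystem:host-10 to vim.HostSystem:host-11
2024-01-01T10:00:00.494Z warning vpxd[06061] [Originator@6876 sub=CryptoManager opID=abc123-01] The session 52aa-bb-cc of user CORP\jdoe does not have privilege Cryptographer.Migrate on entity [vim.VirtualMachine:vm-101,enc-vm01].
2024-01-01T10:00:00.527Z error vpxd[06061] [Originator@6876 sub=VmProv opID=abc123-01] Local-VC Host Migrate failed at vpx.vmprov.InvokeCallbacks for poweredOn VM 'enc-vm01' (vm-101) with fault vim.fault.NoPermission:  as Operation: Local-VC_DRS_MM_ComputevMotion
2024-01-01T10:05:00.100Z warning vpxd[06061] [Originator@6876 sub=CryptoManager opID=manual9-01] The session 52dd-ee-ff of user CORP\asmith does not have privilege Cryptographer.Migrate on entity [vim.VirtualMachine:vm-202,enc-vm02].
'@

function Find-DrsCryptoMigrateDenials {
    param([Parameter(Mandatory)][string[]]$Lines)

    # 1. Record every DRS-initiated vMotion (sub=drsExec) keyed by its opID.
    $drsOps = @{}
    foreach ($line in $Lines) {
        if ($line -match 'sub=drsExec opID=(?<op>[^\]\s]+)\].*migrating \[vim\.VirtualMachine:(?<moref>vm-\d+),(?<vm>[^\]]+)\]') {
            $drsOps[$Matches.op] = $Matches.vm
        }
    }

    # 2. Find CryptoManager privilege denials and correlate them with step 1.
    #    The child operation carries a "-NN" suffix (opID=<op_id>-01 in the KB excerpt); stripping
    #    it to recover the parent opID is a heuristic derived from that excerpt, not documented behaviour.
    foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\S+) warning .*sub=CryptoManager opID=(?<op>[^\]\s]+)\].*user (?<user>\S+) does not have privilege (?<priv>[\w.]+) on entity \[vim\.VirtualMachine:(?<moref>vm-\d+),(?<vm>[^\]]+)\]') {
            $parentOp = $Matches.op -replace '-\d+$', ''
            [pscustomobject]@{
                Timestamp    = $Matches.ts
                OpId         = $parentOp
                User         = $Matches.user        # the session DRS executed the recommendation in
                Privilege    = $Matches.priv        # e.g. Cryptographer.Migrate
                VM           = $Matches.vm
                MoRef        = $Matches.moref
                DrsInitiated = $drsOps.ContainsKey($parentOp)   # $true when a drsExec line shares the opID
            }
        }
    }
}

# Run against the constructed sample; the first denial correlates to a DRS recommendation, the second does not.
$findings = Find-DrsCryptoMigrateDenials -Lines ($SampleLog -split "`r?`n")
$findings | Format-Table Timestamp, User, Privilege, VM, DrsInitiated -AutoSize

# On a live appliance (assumed path from the KB):
# Find-DrsCryptoMigrateDenials -Lines (Get-Content /var/log/vmware/vpxd/vpxd.log) | Where-Object DrsInitiated
```

Rows with DrsInitiated set to $true are the case this article describes; the User column tells you which account (and therefore which role) needs Cryptographic operations > Migrate. Rows without a correlated drsExec line are ordinary user-initiated migrations denied for the same privilege and are expected behaviour.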

Environment

  • vCenter 7.x
  • vCenter 8.x

 

Cause

When a user places a host that runs encrypted VMs into maintenance mode, DRS generates the evacuation recommendations and executes them in that user's session context, even though the migration is system behaviour and not an action the user explicitly requested. If that user does not hold the Cryptographer.Migrate privilege, the pre-migrate callback for the encrypted VM rejects the operation with vim.fault.NoPermission and the migration fails. The pre-migrate callback does not check whether the recommendation came from DRS or from the user, so it applies the user's privileges either way.

Resolution

Resolved in vCenter Server 8.0 U3e. Log in to the Broadcom Support Portal to download this patch.

Resolved in vCenter Server 7.0 U3v. Log in to the Broadcom Support Portal to download this patch.

To work around the issue without upgrading, verify that the account used to place hosts into maintenance mode holds the privilege Cryptographic operations > Migrate (reported as Cryptographer.Migrate in vpxd.log). Add the privilege to the role that account actually uses on the affected hosts or cluster rather than assigning a broader role: every principal that holds the edited role gains the privilege.

To add the missing privilege, follow these steps:

  • In the vSphere Client, navigate to Administration > Roles.
  • Select the role assigned to the affected user.
  • Click Edit and expand Cryptographic operations.
  • Select Migrate and click Save.
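The same check and fix can be scripted with PowerCLI so the role can be audited before and after the change. This is an added example, not part of this article: the vCenter address, the principal and the role name are assumptions to replace with your own; the privilege ID Cryptographer.Migrate is the one named in the vpxd.log warning, and its display label in the vSphere Client is Cryptographic operations > Migrate.

```powershell
# Added example (not from the KB): audit and grant Cryptographic operations > Migrate with PowerCLI.
# vcsa.example.com, CORP\jdoe and MaintenanceOps are assumptions; Cryptographer.Migrate is the
# privilege ID reported in the vpxd.log CryptoManager warning.
Import-Module VMware.PowerCLI
Connect-VIServer -Server vcsa.example.com

$PrivId    = 'Cryptographer.Migrate'
$Principal = 'CORP\jdoe'        # assumed: the account that puts hosts into maintenance mode

# Which roles does this principal hold, and on which inventory objects?
# Edit the role that covers the hosts/cluster, not the Administrator role, to keep the grant narrow.
Get-VIPermission |
    Where-Object { $_.Principal -eq $Principal } |
    Select-Object Principal, Role, Entity, Propagate

$RoleName = 'MaintenanceOps'    # assumed: the role returned above for the cluster
$role = Get-VIRole -Name $RoleName

if ($role.PrivilegeList -contains $PrivId) {
    "Role '$RoleName' already holds $PrivId"
} else {
    # Grant only the single missing privilege, not the whole Cryptographer.* group.
    $priv = Get-VIPrivilege -Id $PrivId
    Set-VIRole -Role $role -AddPrivilege $priv -Confirm:$false | Out-Null
    "Granted $PrivId to role '$RoleName'"
}

# Re-read the role to confirm the change, then list any other roles that still lack the privilege
# (useful when several operator roles are allowed to place hosts into maintenance mode).
(Get-VIRole -Name $RoleName).PrivilegeList -contains $PrivId
Get-VIRole | Where-Object { $_.PrivilegeList -notcontains $PrivId } | Select-Object Name

Disconnect-VIServer -Server vcsa.example.com -Confirm:$false
```

After the change, repeat the maintenance-mode operation and confirm that vpxd.log no longer logs the CryptoManager warning for the encrypted VMs on that host.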

Additional Information

Distributed Resource Scheduler (DRS) fails to migrate an encrypted VM with an error for missing Cryptographer.Migrate privileges

In some cases, when DRS schedules the migration of an encrypted VM, it might run in the context of a user without the Cryptographer.Migrate privilege, and the migration fails with an error in the vSphere Client such as:

Permission to perform this operation was denied. You do not hold privileges "virtual machine vm-xx : [Cryptographic operations > Migrate].