Error: "Permission to perform this operation was denied" when attempting to deploy OVA or enabling vSphere HA
Article ID: 388993

Products

VMware vCenter Server

Issue/Introduction

  • Unable to enable vSphere HA
  • The following vSphere HA UI errors may appear:

    Cannot complete the configuration of the vSphere HA agent on the host
    Setting desired image spec for cluster failed
    ALARM Unable to find vSphere HA master agent
    Cannot find vSphere HA master agent
    vCenter Server is unable to find a master vSphere HA agent in cluster <cluster name> in <datacenter name> Datacenter
    vSphere HA agent for this host has an error: The vSphere HA agent is not reachable from vCenter Server

  • Unable to deploy OVA
  • vCenter - /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log

    2025-01-23T11:09:34.746-08:00] [ERROR] http-nio-5090-exec-2022      70244956 102516 200171 c.v.vsphere.client.provisioning.ovf.impl.OvfDeployServiceImpl     Unable to query OVF. com.vmware.vapi.std.errors.InternalServerError: InternalServerError (com.vmware.vapi.std.errors.internal_server_error) => {
        messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
        id = vapi.bindings.method.impl.unexpected,
        defaultMessage = Provider method implementation threw unexpected exception: com.vmware.vapi.std.errors.Unauthorized,
        args = [com.vmware.vapi.std.errors.Unauthorized],
        params = <null>,
        localized = <null>
    }, LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
        id = com.vmware.vdcs.vsphere-auth-lib.permission.denied,
        defaultMessage = Permission to perform this operation was denied.,
        args = [],
        params = <null>,
        localized = <null>
    }],
        data = <null>,
        errorType = INTERNAL_SERVER_ERROR

  • vCenter - /var/log/vmware/vpxd-svcs/authz-event.log

    2025-01-12T02:29:02.581-08:00 [tomcat-exec-85 [] INFO  AuthorizationService.AuditLog  opId=] Action performed by principal(name=VSPHERE.LOCAL\Administrator,isGroup=false):Added access control [ Principal=Name= VSPHERE.LOCAL\vpxd-<string of ####>,isGroup=false,roles=[-5],propogating=true ] to document urn:acl:global:permissions

Cause

The vCenter Server's solution users play vital roles in performing regular vCenter functions. Below is a list of vCenter Server's solution users:

  • machine
  • vsphere-webclient
  • vpxd
  • vpxd-extension
  • hvc
  • wcp

When these solution users do not have the correct administrator permission, vCenter's tasks and workflows are degraded.

Resolution

  1. Confirm that all of vCenter's solution users are present and none is missing.
  2. Confirm the solution users have the appropriate permissions.
    • Refer to Using the "authz-doctor" tool to identify vCenter permission issues to perform "permission_check".
    • Review the Principal and Role Id columns.

      Example Output

      root@vcenter [ ~ ]# /usr/lib/vmware-vpx/scripts/authz-doctor/authz-doctor.py permission_check
      authz-doctor version: 9.0.0.0-14454563
      Argument --user is not provided. Results will be limited.
      Permission Check results:
      1. Permissions list:
      +-------------------------------------------------------------------------+-------+------------+-----------------------------------+-----------+----------+
      | Principal                                                               | Group | Role Id    | Role Name                         | Propagate | Entity   |
      +-------------------------------------------------------------------------+-------+------------+-----------------------------------+-----------+----------+
      | VSPHERE.LOCAL\vpxd-568da01a-2c55-44a2-8d33-669b25ada0b3                 | False | -5         | None                              | True      | Global   |
      | VSPHERE.LOCAL\vpxd-extension-568da01a-2c55-44a2-8d33-669b25ada0b3       | False | -1         | Admin                             | True      | Global   |
      | VSPHERE.LOCAL\vpxd-svc-acct-568da01a-2c55-44a2-8d33-669b25ada0b3        | False | -1         | Admin                             | True      | Global   |
      | VSPHERE.LOCAL\vpxd-svcs-user-568da01a-2c55-44a2-8d33-669b25ada0b3       | False | -1         | Admin                             | True      | Global   |
      | VSPHERE.LOCAL\vsphere-ui-568da01a-2c55-44a2-8d33-669b25ada0b3           | False | 1003       | vSphere Client Solution User      | True      | Global   |
      | VSPHERE.LOCAL\vsphere-webclient-568da01a-2c55-44a2-8d33-669b25ada0b3    | False | 1003       | vSphere Client Solution User      | True      | Global   |
      +-------------------------------------------------------------------------+-------+------------+-----------------------------------+-----------+----------+

    • If a solution user has a Role Id assignment of anything other than -1, it must be corrected.

  3. To correct the solution user Role Id via the UI:
    1. Open the vCenter UI in a web browser.
    2. Navigate to Home > Administration > Access Control > Global Permissions.
    3. Ensure the Permissions provider is set to the SSO domain (e.g. vsphere.local).
    4. Select the vpxd solution user.
    5. Click Edit.
    6. In the "Change Role" popup window, under Role, select the Administrator role from the dropdown menu.
    7. Ensure "Propagate to children" is checked.
    8. Click OK.

  4. Attempt to enable vSphere HA or deploy an OVA.

Note: The vCenter Server services do not need to be restarted for this change to take effect.
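Added example, not part of this article or of the authz-doctor tool: it automates the check in step 2 (parse the permission_check table and apply the article's Role Id -1 rule) and turns the authz-event.log entry from the Issue section into a detection, extracting global ACL grants with any other role set together with the principal that made the change. The table excerpt and log line are constructed from the article's own samples.

```python
import re

ADMIN_ROLE_ID = -1  # Role Id of the built-in Administrator role, as the article states

# Constructed excerpt of `authz-doctor.py permission_check` output (rows copied from the article).
PERMISSION_CHECK_OUTPUT = """\
+-----------+-------+---------+-----------+-----------+--------+
| Principal | Group | Role Id | Role Name | Propagate | Entity |
+-----------+-------+---------+-----------+-----------+--------+
| VSPHERE.LOCAL\\vpxd-568da01a-2c55-44a2-8d33-669b25ada0b3 | False | -5 | None | True | Global |
| VSPHERE.LOCAL\\vpxd-extension-568da01a-2c55-44a2-8d33-669b25ada0b3 | False | -1 | Admin | True | Global |
| VSPHERE.LOCAL\\vsphere-webclient-568da01a-2c55-44a2-8d33-669b25ada0b3 | False | 1003 | vSphere Client Solution User | True | Global |
"""
# Constructed authz-event.log line in the article's format (UUID reused from the table above).
AUDIT_LOG = ("2025-01-12T02:29:02.581-08:00 [tomcat-exec-85 [] INFO  AuthorizationService.AuditLog  opId=] "
             "Action performed by principal(name=VSPHERE.LOCAL\\Administrator,isGroup=false):Added access control "
             "[ Principal=Name= VSPHERE.LOCAL\\vpxd-568da01a-2c55-44a2-8d33-669b25ada0b3,isGroup=false,"
             "roles=[-5],propogating=true ] to document urn:acl:global:permissions\n")
UUID_SUFFIX = re.compile(r"-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
ACL_EVENT = re.compile(r"principal\(name=(?P<actor>[^,]+).*?Added access control \[ Principal=Name=\s*"
                       r"(?P<target>[^,]+),isGroup=\w+,roles=\[(?P<roles>[^\]]*)\]")

def solution_user(principal):
    """'VSPHERE.LOCAL\\vpxd-<uuid>' -> 'vpxd': drop the SSO domain and the per-instance UUID."""
    return UUID_SUFFIX.sub("", principal.split("\\", 1)[-1])

def parse_permission_table(text):
    """Rows of the ASCII table as dicts keyed by the header cells; '+---+' border lines are skipped."""
    lines = [ln for ln in text.splitlines() if ln.lstrip().startswith("|")]

    def cells(ln):
        return [c.strip() for c in ln.strip().strip("|").split("|")]
    return [dict(zip(cells(lines[0]), cells(ln))) for ln in lines[1:]]

def misassigned_solution_users(text):
    """The article's rule: a solution user whose Role Id is not -1 must be corrected.
    Returns (solution user, role id, role name) for every offending row."""
    return [(solution_user(r["Principal"]), int(r["Role Id"]), r["Role Name"])
            for r in parse_permission_table(text) if int(r["Role Id"]) != ADMIN_ROLE_ID]

def acl_changes_off_admin(log_text):
    """Detection over authz-event.log: global ACL grants whose role set is anything but [-1].
    Returns (actor, solution user, roles) so the change can be traced to whoever made it."""
    hits = []
    for m in ACL_EVENT.finditer(log_text):
        roles = [int(x) for x in m.group("roles").split(",") if x.strip()]
        if roles != [ADMIN_ROLE_ID]:
            hits.append((m.group("actor"), solution_user(m.group("target")), roles))
    return hits
```

On a live appliance, feed the script the saved output of `authz-doctor.py permission_check` and the contents of /var/log/vmware/vpxd-svcs/authz-event.log instead of the constructed samples.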