Insufficient permissions to perform this operation - Unable to register VRMS/SRM Appliance using LDAP/SSO local user accounts


Article ID: 389606


Products

VMware Live Recovery
VMware vCenter Server 8.0

Issue/Introduction

1. LDAP user accounts with administrator privileges fail to register the appliance to vCenter 

2. Single Sign-On (SSO) user accounts with global administrator privileges also fail to register the appliance to vCenter 

3. Registering the appliance using administrator@mydomain/[email protected] works fine 

ERROR
Operation Failed
Insufficient permissions to perform this operation.
Operation ID: 7c3657d2-2948-42a0-bacb-cfa8d95df7a6
2/14/25, 11:20:08 AM -0600



/var/log/vmware/dr/drconfig.log: 

--> NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
--> vSphere Replication Appliance configuration error:Unable to create solution user.
--> Details: Service account com.vmware.vr-sa-942a4b5b-f140-4bb8-8134-c8ff73517b56 not found
--> [ msgId: com.vmware.vr.config.unable_to_create_user; value: null; errorStacktrace :  ]
-->     at com.vmware.hms.config.helper.ServiceAccountHelper.createServiceAccount(ServiceAccountHelper.java:143)
-->     at com.vmware.hms.config.VrConfig.createServiceAccount(VrConfig.java:552)
-->     at com.vmware.hms.config.VrConfig.reconfigVr(VrConfig.java:505)
-->     at com.vmware.hms.config.VrConfig.expressSetup(VrConfig.java:345)
-->     at com.vmware.hms.config.cli.command.ExpressSetup.run(ExpressSetup.java:59)
-->     at com.vmware.hms.config.cli.command.CommandBase.run(CommandBase.java:347)
-->     at com.vmware.hms.config.cli.App.run(App.java:146)
-->     at com.vmware.hms.config.cli.App.main(App.java:206)
--> Exception: NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
2025-02-06T15:19:11.389Z info drconfig[03365] [SRM@6876 sub=ConfigureVrmsOp opID=1b45a309-c840-43cd-a4a2-bd9628ef45b6-configure:3fe5] Exiting ConfigureVrms
2025-02-06T15:19:11.389Z verbose drconfig[03365] [SRM@6876 sub=vmomi.soapStub[128] opID=1b45a309-c840-43cd-a4a2-bd9628ef45b6-configure:3fe5] Resetting stub adapter; <[N7Vmacore4Http3Ext15DrUserAgentImplE:0x00007f932406b778], /lookupservice/sdk>, (null)
2025-02-06T15:19:11.389Z error drconfig[03365] [SRM@6876 sub=ConfigureVrmsOp opID=1b45a309-c840-43cd-a4a2-bd9628ef45b6-configure:3fe5] Operation failed
--> (vmodl.fault.SystemError) {
-->    faultCause = (vmodl.MethodFault) null,
-->    faultMessage = <unset>,
-->    reason = "Failed to register VRMS."
-->    msg = ""
--> }
--> [context]zKq7AVECAAQAAGFXdAELZHJjb25maWcAACwZHGxpYnZtYWNvcmUuc28AATOWCmRyLWNvbmZpZ3VyYXRvcgABnwUFARoWEgGxKhEBDxYKAM4pNADSQjQA4H1JArCOAGxpYnB0aHJlYWQuc28uMAAD3/oPbGliYy5zby42AA==[/context]
2025-02-06T15:19:11.389Z info drconfig[03365] [SRM@6876 sub=ConfigureVrmsOp opID=1b45a309-c840-43cd-a4a2-bd9628ef45b6-configure:3fe5] Exiting Start
2025-02-06T15:19:11.389Z verbose drconfig[03803] [SRM@6876 sub=DrConfigConfigurationManager ctxID=7b2d2b09 opID=1b45a309-c840-43cd-a4a2-bd9628ef45b6-configure:3fe5] OnError: Configuration task failed


/var/log/vmware/sso/ssoAdminServer.log:

2025-02-11T15:29:05.054Z INFO ssoAdminServer[171:pool-2-thread-44] [OpId=2829aa4b-c374-4fad-ae53-d8468e696329] [com.vmware.identity.vlsi.SessionManagerImpl] User {Name: AD-USER-ACCOUNT, Domain: vmware.com} with role 'Administrator' logged in successfully.
2025-02-11T15:29:05.057Z INFO ssoAdminServer[171:pool-2-thread-44] [OpId=91a7e0c3-4983-4bcb-8631-304b46d5a6a0] [com.vmware.identity.vlsi.RoleBasedAuthorizer] User {Name: AD-USER-ACCOUNT, Domain: vmware.com} with role 'Administrator' is authorized for method call 'RoleManagementService.hasAdministratorRole'
2025-02-11T15:29:05.058Z INFO ssoAdminServer[165:pool-2-thread-43] [OpId=91a7e0c3-4983-4bcb-8631-304b46d5a6a0] [com.vmware.identity.admin.vlsi.RoleManagementServiceImpl] [User {Name: AD-USER-ACCOUNT, Domain: vmware.com} with role 'Administrator'] Checking Administrator role for user {Name: AD-USER-ACCOUNT, Domain: vmware.com}
2025-02-11T15:29:06.503Z INFO ssoAdminServer[165:pool-2-thread-43] [OpId=91a7e0c3-4983-4bcb-8631-304b46d5a6a0] [com.vmware.identity.admin.vlsi.RoleManagementServiceImpl] Vmodl method RoleManagementService.hasAdministratorRole return value is true


/var/log/vmware/vpxd/vpxd.log:

2025-02-11T15:29:42.762Z info vpxd[1921986] [Originator@6876 sub=User opID=1671db2e] Login token: SamlToken [subject={Name: AD-USER-ACCOUNT; Domain:vmware.com}, groups=[{Name: AD-USERS-VMWARE; Domain:vmware.com}, {Name: SRM-Users; Domain:vmware.com}, {Name: AD-USERS-BROADCOM; Domain:vmware.com}, {Name: SystemConfiguration.Administrators; Domain:vsphere.local}, {Name: LicenseService.Administrators; Domain:vsphere.local}, {Name: Everyone; Domain:vsphere.local}], delegationChain=[], startTime=2025-02-11 15:29:39.865, endTime=2025-02-11 15:34:39.865, renewCount=0, delegableCount=0, isSolution=false, type=Saml_Bearer]


/var/log/vmware/sso/svcaccountmgmt.log:  

2024-08-27T07:26:23.021Z INFO svcaccountmgmt[69:tomcat-http--32] [CorId=8d12a295-7a78-48c8-a207-3b7ee2fff29f OpId=] [com.vmware.vcenter.svcaccountmgmt.vapi.setup.AuthzPermissionValidator] User vmware.com\\AD-USERS-VMWARE has required privileges [ServiceAccount.ManageAccount] to invoke API com.vmware.vcenter.svcaccountmgmt.service_account.create
2024-08-27T07:26:23.021Z INFO svcaccountmgmt[69:tomcat-http--32] [CorId=8d12a295-7a78-48c8-a207-3b7ee2fff29f OpId=] [com.vmware.vcenter.svcaccountmgmt.impl.ServiceAccount] Creating Service Account : com.vmware.vr-sa-e3a1d6d2-ffae-4fc4-b1d5-cd6c6226adb9
2024-08-27T07:26:23.085Z ERROR svcaccountmgmt[69:tomcat-http--32] [CorId=8d12a295-7a78-48c8-a207-3b7ee2fff29f OpId=] [com.vmware.vcenter.svcaccountmgmt.impl.ServiceAccount] createServiceAccount: Got Directory Exception
2024-08-27T07:26:23.085Z ERROR svcaccountmgmt[69:tomcat-http--32] [CorId=8d12a295-7a78-48c8-a207-3b7ee2fff29f OpId=] [com.vmware.vcenter.svcaccountmgmt.impl.DirectoryError] Entry already exists, VMware directory error[9706]

Environment

VMware vCenter Server 8.X
vSphere Replication 9.0.X
VMware Live Site Recovery 9.0.X

Cause

The problem lies in the vSphere Replication (VR) configuration. When creating a service account, VR uses the domain of the administrator account provided instead of the default domain from vCenter. If the domain name provided is not the default domain, the process fails.
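
The following Python check is an added example, not part of the original article or any VMware tooling. It looks for the drconfig.log failure signature shown above and compares the domain of the SAML token subject in vpxd.log with the vCenter default domain. The function name `triage`, the operator-supplied `default_domain` value and the shortened sample lines are assumptions made for illustration.

```python
import re

# Signatures taken from the drconfig.log and vpxd.log excerpts in this article.
SA_NOT_FOUND = re.compile(r"Service account (com\.vmware\.vr-sa-[0-9a-f-]+) not found")
CREATE_FAILED = "com.vmware.vr.config.unable_to_create_user"
TOKEN_SUBJECT = re.compile(r"SamlToken \[subject=\{Name: ([^;]+); Domain:\s*([^}\s]+)\}")

# Constructed sample input, shortened from the excerpts above.
DRCONFIG_SAMPLE = [
    "--> vSphere Replication Appliance configuration error:Unable to create solution user.",
    "--> Details: Service account com.vmware.vr-sa-942a4b5b-f140-4bb8-8134-c8ff73517b56 not found",
    "--> [ msgId: com.vmware.vr.config.unable_to_create_user; value: null; errorStacktrace :  ]",
]
VPXD_SAMPLE = [
    "2025-02-11T15:29:42.762Z info vpxd[1921986] [Originator@6876 sub=User opID=1671db2e] "
    "Login token: SamlToken [subject={Name: AD-USER-ACCOUNT; Domain:vmware.com}, "
    "groups=[{Name: Everyone; Domain:vsphere.local}], isSolution=false, type=Saml_Bearer]",
]

def triage(drconfig_lines, vpxd_lines, default_domain):
    """Report whether the logs show this article's failure for a non-default-domain login.

    default_domain is supplied by the operator (assumption: e.g. "vsphere.local").
    """
    missing = [m.group(1) for l in drconfig_lines if (m := SA_NOT_FOUND.search(l))]
    create_failed = any(CREATE_FAILED in l for l in drconfig_lines)
    # Only the token subject is inspected; group entries carry other domains.
    subjects = [(m.group(1).strip(), m.group(2).lower())
                for l in vpxd_lines if (m := TOKEN_SUBJECT.search(l))]
    off_domain = sorted({f"{name}@{dom}" for name, dom in subjects
                         if dom != default_domain.lower()})
    return {
        "service_accounts_not_found": missing,
        "solution_user_creation_failed": create_failed,
        "non_default_domain_logins": off_domain,
        "matches_article": bool(missing) and create_failed and bool(off_domain),
    }

if __name__ == "__main__":
    for key, value in triage(DRCONFIG_SAMPLE, VPXD_SAMPLE, "vsphere.local").items():
        print(f"{key}: {value}")
```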

 

Resolution

Workaround:


Use an administrator account in the default domain.

For example, if the default domain is vsphere.local, use <admin-user>@vsphere.local. If the default domain is xyz.local, use <admin-user>@xyz.local.

Resolution:


Non-default domains will be supported in VLR 9.0.3, shipping with VCF 9.0.