Queries for tags or tag assigments using PowerCLI or vSphere Client are failing with "com.vmware.vapi.std.errors.Unauthorized" and "INTERNAL_SERVER_ERROR"
Article ID: 392470
Updated On:
Products
Issue/Introduction
When trying to query tag assigments using PowerCLI, the following error is thrown:
Get-VM | Get-TagAssignment -Category '<string>'
Get-TagAssignment : DD/MM/YYYY hh:mm:ss Get-TagAssignment com.vmware.vapi.std.errors.internal_server_error {'messages': [com.vmware.vapi.std.localizable_message {'id': vapi.bindings.method.impl.unexpected, 'default_message':
Provider method implementation threw unexpected exception: com.vmware.vapi.std.errors.Unauthorized, 'args': [com.vmware.vapi.std.errors.Unauthorized], 'params': , 'localized':}], 'data': , 'error_type': INTERNAL_SERVER_ERROR}
When doing the same in vSphere Client, the wizard remains empty
Environment
VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x
Cause
This issue can happen when the vCenter machineGUID does not match the solution user IDs.
For example,
- you query the machineGUID:
/usr/lib/vmware-vmafd/bin/vmafd-cli get-machine-id --server-name localhost AAAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAAA - but when you look at the vCenter Solution Users, their names contain a different ID:
# /usr/lib/vmware-vmafd/bin/dir-cli service list Enter password for [email protected]: 1. machine-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB 2. vsphere-webclient-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB 3. vpxd-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB 4. vpxd-extension-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB 5. hvc-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB 6. wcp-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB
Resolution
To resolve this issue, update the machine GUID of the vCenter Server Appliance(s) in order to match the UID contained in the solution user names.
Before implementing the following steps, please ensure that the necessary precautions have been taken and that either a fresh backup or a snapshot of the VCSA has been created. If the vCenter Server is running in an Enhanced Linked Mode (ELM) replication group with other vCenter Servers, please be aware that offline snapshots (in powered off) state need to be created for the affected VCSA itself as well as of all of its ELM replication partners.
Then follow these steps:
- List the solution users by running this command:
# /usr/lib/vmware-vmafd/bin/dir-cli service list - All of the users shown should have the same UID in their name.
- Note down the UID in the name of the vpxd-solution-user (vpxd-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB)
- Now query the vCenter machine GUID
/usr/lib/vmware-vmafd/bin/vmafd-cli get-machine-id --server-name localhost - If this ID is different from the one in the solution user names, update it with the following commands:
/usr/lib/vmware-vmafd/bin/vmafd-cli set-machine-id --id BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB —server-name localhost /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\vmdir]' 'MachineGuid' ‘BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB' - Restart the vCenter services:
service-control --stop --all && service-control --start --all - Repeat this process for all affected vCenter Servers.
Additional Information
( AAAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAAA and BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB are used as replacers in this article.
In an actual vCenter, those strings will be real hex values)
Feedback
