Unable to access Host's UI/SSH/DCUI with the Exception user account after enabling the Lockdown mode
Article ID: 395362

Products

VMware vCenter Server

Issue/Introduction

Once Lockdown mode is set to Normal or Strict, logging in to SSH, the DCUI or the Host's web client with the Exception user account fails with the error below:

"permission is denied"

Environment

  • vSphere vCenter Server 8.x

Cause

  • Permissions are not correctly set for the specific Exception user ID/group

Resolution

Note: Starting with vSphere 6.0, normal Lockdown mode and strict Lockdown mode offer different degrees of lockdown.

  1. If Lockdown mode is already enabled, disable it (see Disabling lockdown mode), then add the Exception users.
  2. To configure a local Exception user account, log in to the Host's web client/UI:
    Host > Manage > Security & users > Users > Add user, then set the password and save the changes.
  3. Once the Exception user local to the Host is added, assign the permissions to that user.
  4. SSH into the ESXi host in question and run the commands below.
  5. To list all user accounts that have been configured on the ESXi host:
    esxcli system account list


  6. To set the permissions for the local Exception user account:

    esxcli system permission set --id=<Exception userid/group> --role=Admin

    Note: copy the Exception user ID/group from the output of step 5.

  7. If it is a domain user account, set the permissions directly from the vCenter UI:
    vCenter's Inventory > Cluster > Host > Permissions > Add

  8. Once the permissions are set, open the vCenter UI and go to the Host in question > Configure > Security profile > Edit. Enable Lockdown mode, choose either Normal or Strict depending on the requirement, add the Exception Users, and select OK to save the changes.

    Note: Add the domain user, or the Exception user local to the Host that was created in step 2.

  9. The Exception user can now access the ESXi host's web UI, SSH and DCUI console if Lockdown mode is set to Normal.
  10. The Exception user can access only the Host web UI and SSH if Lockdown mode is set to Strict.
  11. In strict Lockdown mode the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If the connection to the vCenter Server system cannot be restored, a reinstall of ESXi may be required.
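Steps 5 through 8 as one PowerCLI script, added here as an example and not part of this article or of VMware's own tooling. It grants the local Exception user the Admin role, verifies the role took effect before touching Lockdown mode (the check that avoids the "permission is denied" lockout above), registers the user as a lockdown exception and only then enables the chosen mode. The vCenter, host and user names are placeholders, and the esxcli -V2 property names (UserID, Principal, Role) are assumed from the column names of the corresponding esxcli commands.

```powershell
# Added example (not from the KB article). Assumed placeholder values:
# vCenter 'vcsa.example.com', host 'esx01.example.com', local user 'lockdownadmin'.
param(
    [string]$VCenter = 'vcsa.example.com',
    [string]$HostName = 'esx01.example.com',
    [string]$ExceptionUser = 'lockdownadmin',
    [ValidateSet('lockdownNormal', 'lockdownStrict')]
    [string]$Mode = 'lockdownNormal'
)
Connect-VIServer -Server $VCenter | Out-Null
$vmhost = Get-VMHost -Name $HostName
$esxcli = Get-EsxCli -VMHost $vmhost -V2

# Step 5: confirm the local account exists (same as 'esxcli system account list').
# 'UserID' is the assumed property name for the "User ID" column.
$accounts = $esxcli.system.account.list.Invoke()
if (-not ($accounts | Where-Object { $_.UserID -eq $ExceptionUser })) {
    throw "Local account '$ExceptionUser' not found on $HostName; create it first (step 2)."
}

# Step 6: same as 'esxcli system permission set --id=<user> --role=Admin'.
$esxcli.system.permission.set.Invoke(@{ id = $ExceptionUser; role = 'Admin' }) | Out-Null

# Verify the role before enabling lockdown; abort if it did not take effect.
# 'Principal' and 'Role' are the assumed property names of 'esxcli system permission list'.
$perm = $esxcli.system.permission.list.Invoke() |
    Where-Object { $_.Principal -eq $ExceptionUser }
if (-not $perm -or $perm.Role -ne 'Admin') {
    throw "'$ExceptionUser' does not hold the Admin role on $HostName; not enabling lockdown."
}

# Step 8: add the exception user and enable lockdown via the HostAccessManager API.
$ham = Get-View $vmhost.ExtensionData.ConfigManager.HostAccessManager
$existing = @($ham.QueryLockdownExceptions())
if ($existing -notcontains $ExceptionUser) {
    $ham.UpdateLockdownExceptions([string[]]($existing + $ExceptionUser))
}
if (@($ham.QueryLockdownExceptions()) -notcontains $ExceptionUser) {
    throw "Exception list update failed on $HostName; not enabling lockdown."
}
$ham.ChangeLockdownMode($Mode)
$ham.UpdateViewData('LockdownMode')
Write-Host "$HostName lockdown mode: $($ham.LockdownMode); exceptions: $($ham.QueryLockdownExceptions() -join ', ')"
```

For a domain account (step 7) replace the esxcli permission call with New-VIPermission -Entity $vmhost -Principal 'DOMAIN\user' -Role Admin and skip the local account check.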