Connect to vCenter fails with error "ServerFaultCode: NoPermission" while SSP Deployment

Article ID: 397737

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

During SSP Deployment configuration, while connecting to the vCenter, after entering the username, password, and certificate details, you may see the error stating:

"ServerFaultCode: NoPermission"

Environment

vDefend SSP >= 5.0

Cause

The username or group provided does not have administrator privileges on the SSO domain. This is different from holding the "Administrator" role under Global Permissions.

The group/username is expected to be a member of the Single Sign-On (SSO) Administrators group.

Resolution

Understanding the Distinction:

  1. Global Permissions:

    • Located under: Administration > Access Control > Global Permissions

    • Purpose: Assigns roles (like "Administrator") to users or groups across the entire vCenter inventory.

    • Effect: Grants the specified privileges to the assigned entities throughout the vCenter environment.

    • Note: These permissions are specific to vCenter operations and do not extend to SSO-level administrative tasks.

  2. SSO Administrators Group:

    • Located under: Administration > Single Sign-On > Users and Groups > Groups > Administrators

    • Purpose: Manages administrative access to the SSO domain itself.

    • Effect: Members can perform tasks such as managing identity sources, configuring SSO settings, and other domain-level operations.

    • Note: Being assigned the "Administrator" role in Global Permissions does not automatically add a group to the SSO Administrators group.

Assigning a group the "Administrator" role in Global Permissions grants administrative rights within the vCenter inventory, but it does not grant administrative privileges over the SSO domain.

Therefore, unless the group is explicitly added to the SSO Administrators group, it won't appear there.

To resolve this, please follow the steps below:

  1. Navigate to Administration > Single Sign-On > Users and Groups > Groups.

  2. Select the Administrators group.

  3. Click Add Members.

  4. Choose the appropriate domain and select the group/username that you are trying to enter during SSP Deployment.

  5. Confirm and save the changes.

This will help resolve the issue. SSP expects the user or group used for configuration to be a member of the "Administrators" group under "Users and Groups".

Reference Documentation for SSP Deployment: https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/vdefend/security-services-platform/5-0/security-services-platform-installer/deploy-ssp.html#GUID-e1e78f51-c493-42c9-9ede-56f5c45ca610-en