Error: "Internal Server Error - Permission to perform this operation was denied." when attempting to use Guest Customization on VM with vTPM attached in VMware Cloud Director

Article ID: 398416


Products

VMware Cloud Director

Issue/Introduction

  • You are unable to power on and guest customize VMs that have a vTPM attached.
  • In the /opt/vmware/vcloud-director/logs/vcloud-container-debug.log you see entries similar to:

    com.vmware.ssdc.util.LMException: Internal Server Error
        at com.vmware.ssdc.util.LMException.wrap(LMException.java:135)
        at com.vmware.ssdc.library.ExceptionFactory.createFromMultiple(ExceptionFactory.java:32)
        at com.vmware.ssdc.backend.DeployVAppVmSubsetActivity.checkFuturesForException(DeployVAppVmSubsetActivity.java:529)
        at com.vmware.ssdc.backend.DeployVAppVmSubsetActivity$PowerOnVmsPhase.invoke(DeployVAppVmSubsetActivity.java:433)
        at com.vmware.vcloud.activity.executors.ActivityRunner.runPhase(ActivityRunner.java:175)
        at com.vmware.vcloud.activity.executors.ActivityRunner.run(ActivityRunner.java:112)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)
    Caused by: com.vmware.vcloud.api.presentation.service.InternalServerErrorException: Internal Server Error
        at com.vmware.vcloud.common.future.FutureUtil.convertExecutionException(FutureUtil.java:264)
        at com.vmware.vcloud.common.future.FutureUtil.checkCompletedFuture(FutureUtil.java:203)
        at com.vmware.ssdc.backend.DeployVAppVmSubsetActivity.checkFuturesForException(DeployVAppVmSubsetActivity.java:522)
        ... 8 more
    Caused by: (vim.fault.NoPermission) {
       faultCause = null,
       faultMessage = null,
       object = ManagedObjectReference: type = HostSystem, value = host-####, serverGuid = null,
       privilegeId = Cryptographer.ManageKeys,
       missingPrivileges = (vim.fault.EntityPrivileges) [
          (vim.fault.EntityPrivileges) {
             dynamicType = null,
             dynamicProperty = null,
             entity = ManagedObjectReference: type = CryptoManagerHostKMS, value = CryptoManagerHost-####, serverGuid = null,
             privilegeIds = (STRING) [
                Cryptographer.ManageKeys
             ]
          }
       ]

Environment

VMware Cloud Director 10.6.X
VMware Cloud Director 10.5.X

Cause

This issue occurs because the SSO account that connects VMware Cloud Director to vCenter Server is missing the Cryptographer.ManageKeys privilege.

Resolution

To resolve this issue, follow the steps below:

  1. Log in to the vCenter Server and select Administration.
  2. Under Roles, select the role assigned to the SSO account that connects VMware Cloud Director to vCenter.
  3. Select Edit.
  4. Select Cryptographic operations, add the Manage Keys privilege, and select Save.
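
To confirm exactly which privileges vCenter reports as missing before editing the role, so that only those are granted, the vim.fault.NoPermission blocks in vcloud-container-debug.log can be summarized. The Python script below is an added example, not part of the original article or of any VMware tooling; the function name missing_privileges and the embedded SAMPLE (constructed from the excerpt above) are assumptions, and it assumes the fault layout shown in that excerpt.

```python
import re
import sys

# Constructed sample modelled on the log excerpt in this article (IDs masked as on the page).
SAMPLE = """\
Caused by: (vim.fault.NoPermission) {
   object = ManagedObjectReference: type = HostSystem, value = host-####, serverGuid = null,
   privilegeId = Cryptographer.ManageKeys,
   missingPrivileges = (vim.fault.EntityPrivileges) [
      (vim.fault.EntityPrivileges) {
         entity = ManagedObjectReference: type = CryptoManagerHostKMS, value = CryptoManagerHost-####, serverGuid = null,
         privilegeIds = (STRING) [
            Cryptographer.ManageKeys
         ]
      }
   ]
"""

MOREF = re.compile(r"(?:object|entity) = ManagedObjectReference: type = (\w+), value = ([^,\s]+)")
PRIV_ID = re.compile(r"privilegeId = ([\w.]+)")
PRIV_ITEM = re.compile(r"^\s*([A-Za-z]\w*(?:\.\w+)+),?\s*$")

def missing_privileges(lines):
    """Map each privilege ID named in a NoPermission fault to the objects it was denied on."""
    found = {}
    depth, target, in_list = 0, "unknown", False
    for line in lines:
        if "(vim.fault.NoPermission)" in line:
            depth, target, in_list = 0, "unknown", False  # new fault (also ends a truncated one)
        elif depth == 0:
            continue  # outside any fault block: ignore stack frames and other log lines
        depth += line.count("{") + line.count("[") - line.count("}") - line.count("]")
        m = MOREF.search(line)
        if m:
            target = f"{m.group(1)}:{m.group(2)}"  # privileges that follow apply to this object
        elif (m := PRIV_ID.search(line)):
            found.setdefault(m.group(1), set()).add(target)
        elif "privilegeIds = (STRING) [" in line:
            in_list = True
        elif in_list and "]" in line:
            in_list = False
        elif in_list and (m := PRIV_ITEM.match(line)):
            found.setdefault(m.group(1), set()).add(target)
    return {priv: sorted(targets) for priv, targets in found.items()}


if __name__ == "__main__":  # argv[1] = path to the debug log; default = constructed sample
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE.splitlines()
    print(missing_privileges(src))
```

Each privilege ID in the output maps to a name under Administration > Roles in vCenter; for this article's fault, Cryptographer.ManageKeys is Cryptographic operations > Manage Keys.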

Additional Information