Error - "Unable to retrieve pairs from extension server at https://xxxxxx:8043. Permission to perform this operation was denied" on launching Site Recovery UI.
Article ID: 400352
Updated On:
Products
Issue/Introduction
Symptoms:
On launching the Site Recovery UI, following error is observed:
"Unable to retrieve pairs from extension server at https://<vsphere-replication-FQDN:8043. Permission to perform this operation was denied."This issue is not observed when using the local vCenter administrator account.
The issue is only observed for users assigned with a new/old (modified) role which was supposed to give access to Site Recovery UI to perform DR operations.
Environment
vSphere Replication 9.0.2
VMware Live Recovery 9.0.5
Cause
- In /opt/vmware/support/logs/dr-client/dr.log of the VR/VLR appliance, the below entries can be observed which suggests that the user doesn't have enough permissions to access the Site Recovery UI:
2026-01-20 16:54:30,993 [srm-reactive-thread-830] WARN com.vmware.srm.client.infrastructure.requestHandlers.navigation.SitePairHelper 5701817940452108613 fe728847-####-####-####-############ getRoboPairs - Fail to get HMS sitePairData for HmsServerImpl {_guid = d05dc9b3-####-####-####-############_url = https://<VR FQDN>:8043}:com.vmware.srm.client.topology.client.view.availability.ExtensionServer$GetPairFailedException: Unable to retrieve pairs from extension server at https://<VR FQDN>:8043.Permission to perform this operation was denied.at com.vmware.srm.client.topology.impl.view.availability.ExtensionServerImpl.complete(ExtensionServerImpl.java:51)at com.vmware.srm.client.topology.impl.core.mxn.nodes.HmsNode.lambda$discoverNeighbours$1(HmsNode.java:69)at com.vmware.dr.ui.tools.reactive.impl.PromiseImpl$ErrorCompletion.complete(PromiseImpl.java:172)at com.vmware.dr.ui.tools.reactive.impl.PromiseImpl$Result.complete(PromiseImpl.java:43)at com.vmware.dr.ui.tools.reactive.impl.PromiseImpl$Completion.lambda$setResult$0(PromiseImpl.java:63)at com.vmware.dr.ui.tools.utilities.ThreadContext.lambda$wrap$1(ThreadContext.java:55)at com.vmware.dr.ui.tools.utilities.ThreadContext.execute(ThreadContext.java:209)at com.vmware.dr.ui.tools.utilities.ThreadContext.execute(ThreadContext.java:185)at com.vmware.dr.ui.tools.utilities.ThreadContext.setupContext(ThreadContext.java:76)at com.vmware.dr.ui.tools.utilities.ThreadContext.setupContext(ThreadContext.java:105)at com.vmware.dr.ui.tools.reactive.impl.PromiseImpl$Completion.lambda$setResult$1(PromiseImpl.java:63)at com.vmware.dr.ui.tools.utilities.AsyncConsumer$Worker.run(AsyncConsumer.java:38)at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)at java.base/java.lang.Thread.run(Unknown Source)Caused by: (vim.fault.NoPermission) {faultCause = null,faultMessage = null,object = ManagedObjectReference: type = HmsRemoteSiteManager, value = site-manager, serverGuid = d05dc9b3-####-####-####-############,privilegeId = HmsRemote.com.vmware.vcHms.Hms.View,missingPrivileges = (vim.fault.EntityPrivileges) [(vim.fault.EntityPrivileges) {dynamicType = null,dynamicProperty = null,entity = ManagedObjectReference: type = HmsRemoteSiteManager, value = site-manager, serverGuid = d05dc9b3-####-####-####-############,privilegeIds = (STRING) [HmsRemote.com.vmware.vcHms.Hms.View]}]} The privileges assigned to the user via a role on the vCenter can be validated from the vCenter's /var/run/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log by searching for the role's name. Example:
Info (com.vmware.cis.authz.role.info) => {id = 1101,name = <role_name>,description = <role_description>,privilegeId = [VcDr.RecoveryProfile.com.vmware.vcDr.Create, HmsReplication.com.vmware.vcHms.Replication.View, System.Anonymous, Resource.com.vmware.vcDr.RecoveryUse, Sessions.TerminateSession, VcDr.RecoveryProfile.com.vmware.vcDr.Run, Datastore.Replication.com.vmware.vcDr.Protect, VcDr.ProtectionProfile.com.vmware.vcDr.Edit, System.Read, VcDr.Internal.com.vmware.vcDr.InternalAccess, HmsDiagnostics.com.vmware.vcHms.Diagnostics.Manage, VcDr.RecoveryProfile.com.vmware.vcDr.Reprotect, VcDr.RecoveryHistoryManager.com.vmware.vcDr.Delete, VcDr.RecoveryProfile.com.vmware.vcDr.ConfigureServerCommands, HmsSession.com.vmware.vcHms.Session.Terminate, HmsDatastoreMapper.com.vmware.vcHms.Mappings.Manage, VcDr.Storage.com.vmware.vcDr.Configure, VcDr.RecoveryProfile.com.vmware.vcDr.Edit, VcDr.ProtectionProfile.com.vmware.vcDr.AssignToRecoveryPlan, VcDr.Diagnostics.com.vmware.vcDr.SystemLogs, StorageProfile.View, VcDr.InventoryMapper.com.vmware.vcDr.Edit, VcDr.ProtectionProfile.com.vmware.vcDr.Delete, VcDr.Backup.com.vmware.vcDr.Manage, VcDr.RemoteSite.com.vmware.vcDr.Edit, HmsDatastoreMapper.com.vmware.vcHms.Mappings.View, System.View, HmsDpx.com.vmware.vcHms.Subscription.Manage, VcDr.RecoveryProfile.com.vmware.vcDr.Restore, VcDr.RecoveryHistoryManager.com.vmware.vcDr.ViewDeleted, VcDr.RecoveryProfile.com.vmware.vcDr.Delete, HmsRemote.com.vmware.vcHms.Hbr.View, VcDr.ProtectionProfile.com.vmware.vcDr.Create, VcDr.RecoveryProfile.com.vmware.vcDr.Failover, HmsRemote.com.vmware.vcHms.Hbr.Manage, Datastore.Replication.com.vmware.vcDr.Unprotect, VirtualMachine.Replication.com.vmware.vcDr.Protect],tenant = <null>,system = false
Resolution
To resolve this issue:
Modify Role assigned to AD user by adding required permissions for vSphere Replication (VRM).
In vSphere Client > Click on Menu > Administration > Roles > Select the 'Role' assigned to AD user > Click on 'Edit'.
Add following privileges to the role:
VRM datastore mapper
ManageView
VRM diagnostics
ManageVRM replication
View replicationsVRM session
Terminateprivilege.HmsDpx.label
privileage.HmsDpx.com.vmware.vcHms.Subscription.Manage.labelVRM remote
Manage VR serverManage VRM
View VR Server
View VRM
Example:
Relaunch Site Recovery UI by clicking on 'Open Site Recovery' to validate resolution of issue.
If the issue persists, reboot the VLR/VR appliance which is serving the Site Recovery client.
Feedback
