Active Directory users integrated through vCenter identity source can access Site Recovery Manager (VLSR) UI even though they are not part of SRM Administrators group.


Article ID: 400756


Updated On:

Products

VMware Live Recovery

Issue/Introduction

Symptoms:

1. Active Directory users who are added to Single Sign On Users and Groups with no access privileges are able to log in to the Site Recovery DR UI (https://Site_Recovery_Manager_address/dr) even though the vCenter UI denies them access.

2. The user can log in to the SRM UI but cannot see information such as site pairs, protection groups and recovery plans.

3. The user can trigger a New Pair operation, but the operation fails with "permission denied".

Site Recovery Manager (VLSR) UI 


"Unable to retrieve pairs from extension server at https://Site_Recovery_Manager_FQDN_or IP address:8043.Access to perform the operation was denied."

"Error Access to perform the operation was denied.Operation ID: #####-####-####-####-#########"

vCenter UI 


"Unable to login because you do not have permission on any vCenter Server systems connected to this client."

 

 

Environment

VMware vCenter Server 7.0
VMware vCenter Server 8.0
VMware vSphere Replication 8.X
VMware Site Recovery Manager 8.X
VMware Live Site Recovery 9.X

Cause

When you add an Active Directory identity source to vCenter Server, the vCenter Server is joined to an Active Directory domain. This involves configuring vCenter Server to recognize and authenticate against your AD domain. With AD as an identity source, vCenter Server can pull all users and groups from AD, and those accounts can be used to log in to vSphere and access resources.

All users from Active Directory show up under vCenter Administration > Single Sign On > Users and Groups > domain.

After joining, you need to assign permissions to AD users and groups to grant them access to vCenter resources. An AD user with no permissions assigned can therefore still authenticate at the Site Recovery UI; as the symptoms above show, the user sees no site pairs, protection groups or recovery plans, and any operation the user triggers is denied.

Resolution

This is a known behavior recognized by our SRM Engineering team, and it won't be addressed because of the complex risks and regressions involved.
