Random domain user might report login failure to vCenter Server with error "You do not have permission on any vCenter Server systems"

Article ID: 413277

Products

VMware vCenter Server

Issue/Introduction

  • A domain user is unable to log in to the vSphere Client
  • A user directly assigned Global Permissions does not exhibit the issue
  • On the vCenter Server, /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log contains entries similar to:

    [INFO ] agw-token-####              ##### ###### ##### com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl           Successfully acquired token for user: {Name: User, Domain: domain
    [ERROR] linkedVcGroup-pool-7280      ##### ##### ##### com.vmware.vise.util.concurrent.ExecutorUtil                     
     A task crashed: com.vmware.vise.vim.commons.vcservice.impl.LinkedVcGroupImpl$1@5158ff0f java.util.concurrent.ExecutionException: (vim.fault.NoPermission) {
       faultCause = null,
       faultMessage = null,
       object = ManagedObjectReference: type = Folder, value = group-d1, serverGuid = #####-###-###-##-######,
       privilegeId = System.View,
       missingPrivileges = (vim.fault.EntityPrivileges) [
          (vim.fault.EntityPrivileges) {
             dynamicType = null,
             dynamicProperty = null,
             entity = ManagedObjectReference: type = Folder, value = group-d1, serverGuid = #####-##-##-###-######,
             privilegeIds = (STRING) [
                System.View
             ]
          }
       ]
    }
            at java.util.concurrent.FutureTask.report(FutureTask.java:122)
            at java.util.concurrent.FutureTask.get(FutureTask.java:206)
    Caused by: com.vmware.vim.binding.vim.fault.NoPermission: Permission to perform this operation was denied.

    [INFO ] vim-authentication-pool-#### ##### ##### ##### com.vmware.vise.vim.commons.vcservice.impl.LinkedVcGroupImpl      VC Login results:
    Failed VCs: []
    [ERROR] vim-authentication-pool-#### ###### ###### ##### com.vmware.vsphere.client.security.VimAuthenticationHandler       
    Connection failure to vc https://vcfqdn:443/sdk com.vmware.vim.binding.vim.fault.NoPermission: Permission to perform this operation was denied.


Cause

This issue occurs when the user is not a member of the Active Directory group that has been granted permissions in vCenter Server. SSO still issues the user a token (the "Successfully acquired token" line above), but vCenter then denies the System.View privilege on the root folder (group-d1), so the user has no permission on any vCenter Server system.
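The pattern in the log above (token issued by SSO, then a NoPermission fault on the root folder, then the connection failure) can be picked out automatically. The following script is an added example, not part of this article or of any VMware tool; the log excerpt it parses is constructed to mirror the lines quoted above, with placeholder user, domain, GUID and host names.

```python
import re

# Constructed excerpt modelled on the vsphere_client_virgo.log lines quoted in
# this article; thread ids, timestamps, GUIDs and names are placeholders.
SAMPLE_LOG = """\
[INFO ] agw-token-0001 2024-01-01T10:00:00Z com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl Successfully acquired token for user: {Name: jdoe, Domain: test.lab
[ERROR] linkedVcGroup-pool-7280 2024-01-01T10:00:01Z com.vmware.vise.util.concurrent.ExecutorUtil
 A task crashed: java.util.concurrent.ExecutionException: (vim.fault.NoPermission) {
   object = ManagedObjectReference: type = Folder, value = group-d1, serverGuid = 00000000-0000-0000-0000-000000000000,
   privilegeId = System.View,
}
[ERROR] vim-authentication-pool-0002 2024-01-01T10:00:02Z com.vmware.vsphere.client.security.VimAuthenticationHandler
Connection failure to vc https://vcenter.test.lab:443/sdk com.vmware.vim.binding.vim.fault.NoPermission: Permission to perform this operation was denied.
"""

TOKEN_RE = re.compile(r"acquired token for user: \{Name: (?P<name>[^,]+), Domain: (?P<domain>\S+)")
FAULT_RE = re.compile(
    r"\(vim\.fault\.NoPermission\) \{.*?type = (?P<type>\w+), value = (?P<value>[\w-]+).*?"
    r"privilegeId = (?P<priv>[\w.]+)", re.S)
CONN_RE = re.compile(r"Connection failure to vc (?P<url>\S+) \S*NoPermission")

def analyse_login(log_text):
    """Correlate SSO token acquisition with vCenter NoPermission faults.

    Returns None when the excerpt does not show the article's symptom; otherwise
    a dict naming the authenticated user, the privilege vCenter refused on which
    inventory object, and the vCenter endpoints whose login therefore failed.
    """
    token = TOKEN_RE.search(log_text)
    faults = [(m.group("type"), m.group("value"), m.group("priv")) for m in FAULT_RE.finditer(log_text)]
    if token is None or not faults:
        return None
    result = {
        "user": token.group("name"),
        "domain": token.group("domain"),
        "missing": [{"entity": f"{t}:{v}", "privilege": p} for t, v, p in faults],
        "failed_vc": [m.group("url") for m in CONN_RE.finditer(log_text)],
    }
    # System.View denied on the root folder (group-d1) means the user holds no
    # permission anywhere: a token was issued, so the credentials are fine and
    # the problem is authorization, which the article traces to AD group membership.
    result["sso_ok_no_permission"] = any(
        v == "group-d1" and p == "System.View" for _, v, p in faults)
    return result

if __name__ == "__main__":
    print(analyse_login(SAMPLE_LOG))
```

Run it against a real vsphere_client_virgo.log excerpt to confirm the failure is an authorization problem before checking AD group membership.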

Resolution

  • Log in to the vCenter Server using SSH
  • Verify the user's group membership in Active Directory

    • Run the following command to check whether the user is a member of the correct AD group:

      ldapsearch -x -H ldap://<Domain controller FQDN> -D "CN=<username from logs>,CN=Users,DC=Test,DC=Lab" -W -b "DC=Test,DC=Lab" "(&(objectClass=user)(memberOf=CN=<Domain group>,CN=Users,DC=Test,DC=Lab))"

      Replace the placeholders in the command with values from your own environment:

      Placeholder                                        Replace with
      <Domain controller FQDN>                           The FQDN or IP of your AD server
      CN=<username from logs>,CN=Users,DC=Test,DC=Lab    A real bind DN of an AD user with read access
      DC=Test,DC=Lab                                     Your domain's distinguished name components
      CN=<Domain group>,CN=Users,DC=Test,DC=Lab          The full DN of the AD group assigned Global Permissions in vCenter

    • The output lists the user objects that are members of that group; if the user from the logs is not among them, the user is not a member

  • Proceed to add the user to the required group