Unable to see the Second vCenter which is part of the vCenter group

Article ID: 421278

Products

VMware vCenter Server

Issue/Introduction

  1. When vCenter is configured in a vCenter Group in VCF Operations, the vCenter UI does not load the second vCenter.
  2. Logging in to vCenter, only one vCenter instance is seen.
  3. On vcsa01, entries similar to the following are seen in

    /var/log/vmware/vsphere-ui/log/vsphere_client_virgo.log

    Successful VCs: https://VCSA01.Domain.com:443/sdk
    Failed VCs: []
    Caused by: com.vmware.vim.binding.vim.fault.NoPermission: Permission to perform this operation was denied. at jdk.internal.reflect.GeneratedConstructorAccessor664.newInstance(Unknown Source)
    Successful VCs: https://VCSA01.Domain.com:443/sdk
    Failed VCs: []

  4. On vcsa02, entries similar to the following are seen in

    /var/log/vmware/vsphere-ui/log/vsphere_client_virgo.log

    [com.vmware.identity.sts.util.JIT] Updating group membership for [email protected]
    [com.vmware.identity.sts.util.JIT] Current groups: [vsphere.local\Everyone]
    [com.vmware.identity.sts.util.JIT] Mapped groups: []

  5. The log below shows that the user was added as a JIT user:

    /var/log/vmware/vmdird/vmdird-syslog.log

    Add Entry (cn=[email protected],cn=JITUsers,cn=VCTrusts,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=domain,dc=local, EID 0)(from 127.0.0.1)(by [email protected])

  • Once the user is added as a JIT user, later updates to the Administrator group membership will not take effect.
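As an added detection example (not the KB's attached script), the following POSIX shell functions scan the two log files named above for the two symptoms: a `Mapped groups: []` result in vsphere_client_virgo.log and a user entry created under cn=JITUsers in vmdird-syslog.log. The log lines and the UPN jituser@example.local are constructed samples, not taken from a real system.

```shell
#!/bin/sh
# Constructed sample lines mirroring the KB's symptoms (not real log data).
VIRGO_SAMPLE='[com.vmware.identity.sts.util.JIT] Updating group membership for jituser@example.local
[com.vmware.identity.sts.util.JIT] Current groups: [vsphere.local\Everyone]
[com.vmware.identity.sts.util.JIT] Mapped groups: []'

VMDIRD_SAMPLE='Add Entry (cn=jituser@example.local,cn=JITUsers,cn=VCTrusts,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=domain,dc=local, EID 0)(from 127.0.0.1)(by jituser@example.local)'

# Read vsphere_client_virgo.log on stdin and print the UPN of every user whose
# group mapping came back empty ("Mapped groups: []" right after the update line).
empty_mapping_users() {
  awk '
    /JIT] Updating group membership for / { user = $NF; next }
    /JIT] Mapped groups: \[]/ && user != "" { print user; user = "" }
  '
}

# Read vmdird-syslog.log on stdin and print the UPN of every JIT user that
# vmdir created (the cn=...,cn=JITUsers entry from the KB).
jit_users_added() {
  sed -n 's/.*Add Entry (cn=\([^,]*\),cn=JITUsers,.*/\1/p'
}

# Exit 0 when the given UPN shows both symptoms, i.e. the account the KB describes.
user_is_affected() {
  user="$1"
  printf '%s\n' "$VIRGO_SAMPLE"  | empty_mapping_users | grep -qxF "$user" || return 1
  printf '%s\n' "$VMDIRD_SAMPLE" | jit_users_added     | grep -qxF "$user"
}

user_is_affected "jituser@example.local" && echo "jituser@example.local was added as a JIT user"
```

On a live vCenter, feed the real files instead of the samples, e.g. `empty_mapping_users < /var/log/vmware/vsphere-ui/log/vsphere_client_virgo.log`.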

Environment

vCenter 9.0.0

Cause

The problem is related to the user who was added as a JIT user in vCenter.

Add Entry ([email protected], cn=JITUsers)

Resolution

This issue is resolved in VCF 9.0.1. Log in to the Broadcom Support Portal to download this patch.

Note: Ensure this KB is followed on all the vCenters before upgrading to 9.0.1.

The domain suffix of the affected users (for example, example.com) must be removed.

Important: Back up or snapshot all linked vCenter servers in the group before proceeding. For more information, see File-Based Backups for SDDC Manager NSX Manager and vCenter.

To allow the user to be added to the local SSO group again, follow the steps below:

  1. Copy the attached script, upn-suffix-removal.sh, to /tmp/ on the vCenter Server.

  2. The script requires the following inputs:

    Password for the [email protected] account

    The UPN suffix that needs to be removed from the affected IDP domain (for example, example.com)

  3. Execute the command below to run the script.

    $> ./upn-suffix-removal.sh

    Note: Provide the details requested by the input prompts during script execution.

  4. In the example below, the domain suffix EXAMPLE.LOCAL is removed.

    Example output from script where one of the UPN suffixes is removed:

    ./upn-suffix-removal.sh

    Enter password for [email protected]:
    Searching for UPN suffixes...
    Found UPN suffixes: [EXAMPLE.COM, EXAMPLE.LOCAL]
    Enter UPN suffix to be removed for the affected IDP domain (or 'quit' to exit): EXAMPLE.LOCAL
    UPN suffix to be removed: EXAMPLE.LOCAL
    modifying entry "cn=vsphere.local,cn=IdentityProviders,cn=vsphere.local,cn=Tenants,cn=IdentityManager,CN=Services,dc=vsphere,dc=local"

    Successfully removed UPN suffix: EXAMPLE.LOCAL
    Script execution is complete.
    ===============================================================================

Attachments

upn-suffix-removal.sh