Domain user login to the Management domain vCenter Server redirected via SDDC Manager fails due to insufficient permissions


Article ID: 422056


Updated On:

Products

VMware SDDC Manager

Issue/Introduction

  • When accessing the Management domain vCenter Server from SDDC Manager → Workload Domains → Services, a domain user may encounter the following error message:

    "Unable to login because you do not have permission on any vCenter Server systems connected to this client."


    This behavior is observed even when authentication to SDDC Manager itself is successful.

  • The following log snippets are observed on the vCenter Server, in /var/log/vmware/vpxd/vpxd.log:

    YYYY-MM-DDTHH:MM:SS.Z info vpxd[07682] [Originator@6876 sub=UserDirectorySso opID=###############################] GetUserInfoInternal(domain_name\user_name, false) res: domain_name\user_name
    YYYY-MM-DDTHH:MM:SS.Z info vpxd[07682] [Originator@6876 sub=AuthorizeManager opID=###############################] [Auth]: User domain_name\user_name
    .
    .
    .
    YYYY-MM-DDTHH:MM:SS.Z info vpxd[07682] [Originator@6876 sub=vpxLro opID=###############################] [VpxLRO] -- FINISH lro-666430
    YYYY-MM-DDTHH:MM:SS.Z error vpxd[07682] [Originator@6876 sub=Default opID=###############################] [VpxLRO] -- ERROR lro-666430 -- ########-####-####-####-############ -- SessionManager -- vim.SessionManager.loginByToken: :vim.fault.NoPermission
    --> Result:
    --> (vim.fault.NoPermission) {
    -->    faultCause = (vmodl.MethodFault) null,
    -->    faultMessage = <unset>,
    -->    object = 'vim.Folder:########-####-####-####-############:group-##',
    -->    privilegeId = "System.View",
    -->    missingPrivileges = (vim.fault.NoPermission.EntityPrivileges) [
    -->       (vim.fault.NoPermission.EntityPrivileges) {
    -->          entity = 'vim.Folder:########-####-####-####-############:group-##',
    -->          privilegeIds = (string) [
    -->             "System.View"
    -->          ]
    -->       }
    -->    ]
    -->    msg = ""
    --> }
    --> Args:
    -->
    --> Arg locale:
    --> "en"
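As an added triage helper (not part of this KB or of any VMware tooling), the following Python script walks vpxd.log lines in the shape quoted above, joins the `[Auth]: User` line to the later `loginByToken` NoPermission fault, and reports which privilege is missing on which entity. The user name `CORP\jdoe`, the opID and the UUIDs in the embedded sample are placeholders constructed for the example.

```python
import re

# Regexes for the vpxd.log lines quoted in the article: the [Auth] user line, the
# loginByToken NoPermission error, and the entity / privilege fields of the dump.
AUTH_RE = re.compile(r"\[Auth\]: User (?P<user>\S+)")
FAULT_RE = re.compile(r"vim\.SessionManager\.loginByToken: :vim\.fault\.NoPermission")
ENTITY_RE = re.compile(r"entity = '(?P<entity>[^']+)'")
PRIV_RE = re.compile(r'"(?P<priv>[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)+)"')

def find_no_permission_faults(lines):
    """One dict per loginByToken NoPermission fault, joined to the most recent
    [Auth] user: {"user", "entity", "missing"}; missing lists privilege ids."""
    findings, user, cur, in_list = [], None, None, False
    for raw in lines:
        line = raw.strip()
        if m := AUTH_RE.search(line):
            user = m.group("user")
        elif FAULT_RE.search(line):
            cur = {"user": user, "entity": None, "missing": []}
            findings.append(cur)
        elif cur is None or not line.startswith("-->"):
            cur, in_list = None, False  # end of the multi-line fault dump
        elif (e := ENTITY_RE.search(line)) and cur["entity"] is None:
            cur["entity"] = e.group("entity")
        elif "privilegeIds = (string) [" in line:
            in_list = True
        elif in_list and (p := PRIV_RE.search(line)):
            cur["missing"].append(p.group("priv"))
        elif in_list and line.endswith("]"):
            in_list = False
    return findings

# Constructed sample in the shape of the article's snippet (not a real log).
SAMPLE_VPXD_LOG = """\
2024-01-01T00:00:00.001Z info vpxd[07682] [Originator@6876 sub=AuthorizeManager opID=a1b2] [Auth]: User CORP\\jdoe
2024-01-01T00:00:00.003Z error vpxd[07682] [Originator@6876 sub=Default opID=a1b2] [VpxLRO] -- ERROR lro-666430 -- 00000000-0000-0000-0000-000000000000 -- SessionManager -- vim.SessionManager.loginByToken: :vim.fault.NoPermission
--> (vim.fault.NoPermission) {
-->    privilegeId = "System.View",
-->    missingPrivileges = (vim.fault.NoPermission.EntityPrivileges) [
-->       (vim.fault.NoPermission.EntityPrivileges) {
-->          entity = 'vim.Folder:00000000-0000-0000-0000-000000000000:group-d1',
-->          privilegeIds = (string) [
-->             "System.View"
-->          ]
-->       }
-->    ]
--> }
2024-01-01T00:00:00.004Z info vpxd[07682] [Originator@6876 sub=vpxLro opID=a1b2] [VpxLRO] -- BEGIN lro-666431
"""
```

Run it against a copied vpxd.log with `find_no_permission_faults(open(path).readlines())`; a finding whose entity is the root `vim.Folder` and whose missing list is `System.View` is the signature this article describes, and the fix is the role assignment in the Resolution section.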

Environment

vCenter Server Appliance 8.x
SDDC Manager 5.2.x

Cause

The user may have the required privileges in SDDC Manager. However, the SSO redirection only succeeds if the user also has appropriate privileges in the vCenter Server instance they are attempting to access; in the vpxd.log entries above, the login is rejected because the user lacks the System.View privilege on the root folder.

Logging in to SDDC Manager as [email protected] works for vCenter redirection because this account exists locally in vCenter and has full administrative privileges.

Resolution

  • Assign the domain user or group an appropriate role in vCenter Server (for example, Administrator, or a custom role, depending on requirements).

  • After the correct role associations are made:
    1. Log in to SDDC Manager with the domain account.

    2. Navigate to Workload Domains → Services.

    3. Select vCenter.

The user should now be logged in automatically without encountering an error.

Additional Information

  • The account [email protected] does not exist in NSX Manager or Aria by default. Therefore, attempts to navigate to NSX Manager or Aria from SDDC Manager using this account will always result in a login prompt.

  • When accessing the Management vCenter from the SDDC Manager UI, the logged-in session is passed through and no additional authentication is required. However, when accessing a Workload Domain vCenter, SSO authentication is not propagated, and a separate login prompt will appear.
    This is expected behavior, as described in the following KB article:
    SDDC Manager SSO passthrough authentication only allows login to Management WLD vCenter Server