Unable to add user permissions to ESXi host with Lockdown Mode enabled.

Article ID: 424142

Products

VMware vSphere ESXi

Issue/Introduction

  • When attempting to assign or modify user permissions directly on a VMware ESXi host, the operation fails with the following error and the change is not applied:
    • The operation breaks lockdown mode.

From /var/run/log/hostd.log on the host, where the setEntityPermissions task fails with vmodl.fault.SecurityError (fault key com.vmware.vim.AuthorizationManager.lockdownModeProtection):

YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099142]: [Originator@6876 sub=Vimsvc.TaskManager opID=esxui-####-e4df sid=52####7c user=root] Task Created : haTask--vim.AuthorizationManager.setEntityPermissions-4265####901
YYYY-MM-DDTHH:MM:SSZ Er(163) Hostd[2099140]: [Originator@6876 sub=Vimsvc.AuthorizationManager opID=esxui-####-e4df sid=52####7c user=root] SetEntityPermissions: In lockdown mode this operation is allowed only for 'exception' users!
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099140]: [Originator@6876 sub=AdapterServer opID=esxui-####-e4df sid=52####7c user=root] AdapterServer caught exception; <<52######-####-####-####-####b072d, <TCP '127.0.0.1 : 8307'>, <TCP '127.0.0.1 : 55226'>>, ha-authmgr, vim.AuthorizationManager.setEntityPermissions, <vim.version.v8_0_3_0, official, 8.0.3.0>, [N11HostdCommon18VmomiAdapterServer19ActivationResponderE:0x0000006b322cae18]>, N5Vmomi5Fault13SecurityError9ExceptionE(Fault cause: vmodl.fault.SecurityError
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099103]: --> )
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099103]: --> [context]zKq7AVICAgAAAKckdwEMaG9zdG#########vLjYA[/context]
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099140]: [Originator@6876 sub=Vimsvc.TaskManager opID=esxui-####-e4df sid=52####7c user=root] Task Completed : haTask--vim.AuthorizationManager.setEntityPermissions-4265####901 Status error
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099140]: [Originator@6876 sub=Solo.Vmomi opID=esxui-####-e4df sid=52####7c user=root] Activation finished; <<52######-####-####-####-####b072d, <TCP '127.0.0.1 : 8307'>, <TCP '127.0.0.1 : 55226'>>, ha-authmgr, vim.AuthorizationManager.setEntityPermissions, <vim.version.v8_0_3_0, official, 8.0.3.0>, [N11HostdCommon18VmomiAdapterServer19ActivationResponderE:0x0000006b322cae18]>
YYYY-MM-DDTHH:MM:SSZ Db(167) Hostd[2099140]: [Originator@6876 sub=Solo.Vmomi opID=esxui-####-e4df sid=52####7c user=root] Arg entity:
YYYY-MM-DDTHH:MM:SSZ Db(167) Hostd[2099103]: --> 'vmodl.ManagedObject:ha-folder-root'
YYYY-MM-DDTHH:MM:SSZ Db(167) Hostd[2099140]: [Originator@6876 sub=Solo.Vmomi opID=esxui-####-e4df sid=52####7c user=root] Arg permission:
YYYY-MM-DDTHH:MM:SSZ Db(167) Hostd[2099103]: --> (vim.AuthorizationManager.Permission) [
YYYY-MM-DDTHH:MM:SSZ Db(167) Hostd[2099103]: -->    (vim.AuthorizationManager.Permission) {
YYYY-MM-DDTHH:MM:SSZ Db(167) Hostd[2099103]: -->       principal = "Test",
YYYY-MM-DDTHH:MM:SSZ Db(167) Hostd[2099103]: -->       group = false,
YYYY-MM-DDTHH:MM:SSZ Db(167) Hostd[2099103]: -->       roleId = -1,
YYYY-MM-DDTHH:MM:SSZ Db(167) Hostd[2099103]: -->       propagate = true,
YYYY-MM-DDTHH:MM:SSZ Db(167) Hostd[2099103]: -->    }
YYYY-MM-DDTHH:MM:SSZ Db(167) Hostd[2099103]: --> ]
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099140]: [Originator@6876 sub=Solo.Vmomi opID=esxui-####-e4df sid=52####7c user=root] Throw vmodl.fault.SecurityError
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099140]: [Originator@6876 sub=Solo.Vmomi opID=esxui-####-e4df sid=52####7c user=root] Result:
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099103]: --> (vmodl.fault.SecurityError) {
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099103]: -->    faultMessage = (vmodl.LocalizableMessage) [
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099103]: -->       (vmodl.LocalizableMessage) {
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099103]: -->          key = "com.vmware.vim.AuthorizationManager.lockdownModeProtection",
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099103]: -->       }
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099103]: -->    ],
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099103]: -->    msg = ""
YYYY-MM-DDTHH:MM:SSZ In(166) Hostd[2099103]: --> }
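
As an added example (not part of this article), the following Python script correlates hostd.log entries like the ones above by opID and reports each permission change that Lockdown Mode rejected, together with the calling user, the principal that was being granted a role, and the fault key. The embedded log excerpt is constructed from the article's entries with placeholder timestamps, opID/sid values and task ids.

```python
import re
from collections import defaultdict

# Constructed hostd.log excerpt modelled on the article's entries; timestamps, opID/sid and task ids are placeholders.
SAMPLE_HOSTD_LOG = """\
2024-01-01T00:00:00Z In(166) Hostd[2099142]: [Originator@6876 sub=Vimsvc.TaskManager opID=esxui-1234-e4df sid=52abcd7c user=root] Task Created : haTask--vim.AuthorizationManager.setEntityPermissions-4265000901
2024-01-01T00:00:00Z Er(163) Hostd[2099140]: [Originator@6876 sub=Vimsvc.AuthorizationManager opID=esxui-1234-e4df sid=52abcd7c user=root] SetEntityPermissions: In lockdown mode this operation is allowed only for 'exception' users!
2024-01-01T00:00:00Z Db(167) Hostd[2099140]: [Originator@6876 sub=Solo.Vmomi opID=esxui-1234-e4df sid=52abcd7c user=root] Arg permission:
2024-01-01T00:00:00Z Db(167) Hostd[2099103]: -->       principal = "Test",
2024-01-01T00:00:00Z Db(167) Hostd[2099103]: -->       roleId = -1,
2024-01-01T00:00:00Z In(166) Hostd[2099140]: [Originator@6876 sub=Solo.Vmomi opID=esxui-1234-e4df sid=52abcd7c user=root] Result:
2024-01-01T00:00:00Z In(166) Hostd[2099103]: -->          key = "com.vmware.vim.AuthorizationManager.lockdownModeProtection",
2024-01-01T00:00:00Z In(166) Hostd[2099140]: [Originator@6876 sub=Vimsvc.TaskManager opID=esxui-1234-e4df sid=52abcd7c user=root] Task Completed : haTask--vim.AuthorizationManager.setEntityPermissions-4265000901 Status error
2024-01-01T00:00:01Z In(166) Hostd[2099140]: [Originator@6876 sub=Vimsvc.TaskManager opID=esxui-5678-a1b2 sid=52abcd7c user=root] Task Completed : haTask--vim.AuthorizationManager.setEntityPermissions-4265000902 Status success
"""
# A tagged hostd line: timestamp, level, pid, then the [Originator ...] context block.
HEADER_RE = re.compile(
    r"^\S+ \w+\(\d+\) Hostd\[\d+\]: \[Originator@\d+ sub=(?P<sub>[^\s\]]+)"
    r"(?: opID=(?P<opid>[^\s\]]+))?(?: sid=[^\s\]]+)?(?: user=(?P<user>[^\s\]]+))?\] (?P<msg>.*)$"
)
# "-->" continuation lines carry no opID; they belong to the preceding tagged line.
CONT_RE = re.compile(r"^\S+ \w+\(\d+\) Hostd\[\d+\]: -->\s*(?P<body>.*)$")
BLOCK_MARKER = "In lockdown mode this operation is allowed only for 'exception' users"


def find_lockdown_blocked_permission_changes(log_text):
    """Correlate hostd.log lines by opID; return one record per setEntityPermissions call Lockdown Mode rejected."""
    events = defaultdict(lambda: {"caller": None, "principal": None,
                                  "role_id": None, "fault_key": None, "blocked": False})
    current = None  # opID that any following "-->" lines attach to
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("opid")
            if current is not None:
                ev = events[current]
                ev["caller"] = m.group("user")
                if BLOCK_MARKER in m.group("msg"):
                    ev["blocked"] = True
            continue
        c = CONT_RE.match(line)
        if c and current is not None:
            body, ev = c.group("body"), events[current]
            pm = re.match(r'principal = "([^"]*)"', body)
            rm = re.match(r"roleId = (-?\d+)", body)
            km = re.match(r'key = "([^"]*)"', body)
            if pm: ev["principal"] = pm.group(1)
            if rm: ev["role_id"] = int(rm.group(1))
            if km: ev["fault_key"] = km.group(1)
    return [dict(opid=opid, **ev) for opid, ev in events.items() if ev["blocked"]]
```

Run against a real /var/run/log/hostd.log, a non-empty result is a quick way to confirm that a failed permission change was a Lockdown Mode rejection rather than a role or credential problem, and the `caller` field shows which account was trying.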

Environment

  • VMware vSphere ESXi 7.X
  • VMware vSphere ESXi 8.X

Cause

This behavior is expected when Lockdown Mode is enabled on an ESXi host.

Lockdown Mode is a security feature that prevents external users from logging in to the ESXi host directly. When it is active, the host can by default only be managed through vCenter Server. Unless a user has been explicitly added to the Exception Users list, hostd rejects that user's attempts to modify local host permissions (the vmodl.fault.SecurityError shown in the log above) in order to preserve the integrity of the host's security configuration.

Resolution

To add permissions to an ESXi host while maintaining Lockdown Mode, you must add the specific user to the Exception Users list. This list allows designated users to bypass certain lockdown restrictions (typically for service accounts or emergency local management).

Steps to Add a User to the Exception List:

  1. Log in to the vCenter Server using the vSphere Client.
  2. Navigate to the Inventory and select the affected ESXi host.
  3. Click on the Configure tab.
  4. Under the System section, select Security Profile.
  5. Scroll down to the Lockdown Mode panel and click Edit.
  6. Select the Exception Users tab.
  7. Click the Add (plus) icon to add the desired local or domain user to the list.
  8. Click OK.
  9. Once the user is in the Exception List, you can proceed to assign the necessary permissions to that user.
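
The same change can be made through the vSphere API instead of the client. The following Python function is an added example, not VMware's code: it uses the vim.host.HostAccessManager methods QueryLockdownMode, QueryLockdownExceptions and UpdateLockdownExceptions (with pyVmomi, that object is host.configManager.hostAccessManager after SmartConnect()), refuses to act when the host is not actually in Lockdown Mode, adds the user only if missing, and re-reads the list to verify the write. FakeHostAccessManager is a constructed in-memory stand-in so the logic runs offline; because every entry on this list bypasses Lockdown Mode restrictions, keep it short and review it as part of host hardening.

```python
# Added example: put a user on an ESXi host's Lockdown Mode Exception Users list
# before granting it permissions. Method names are those of the vSphere API's
# vim.host.HostAccessManager; with pyVmomi pass host.configManager.hostAccessManager.

def ensure_lockdown_exception(ham, user):
    """Return the exception list after making sure `user` is on it.
    Refuses to act when the host is not in Lockdown Mode, so the list is not
    padded with bypass entries on hosts where they are not needed."""
    # QueryLockdownMode returns lockdownDisabled / lockdownNormal / lockdownStrict.
    if ham.QueryLockdownMode() == "lockdownDisabled":
        raise RuntimeError("host is not in Lockdown Mode; assign permissions directly")
    current = list(ham.QueryLockdownExceptions() or [])
    if user in current:
        return current  # idempotent: nothing to change, nothing new to audit
    ham.UpdateLockdownExceptions(users=current + [user])
    # Re-read rather than trust the write; hostd is the source of truth.
    updated = list(ham.QueryLockdownExceptions() or [])
    if user not in updated:
        raise RuntimeError(f"{user} not present in exception list after update")
    return updated


class FakeHostAccessManager:
    """Constructed offline stand-in (not a VMware class) exposing the same three methods."""
    def __init__(self, mode, users=()):
        self.mode, self.users = mode, list(users)

    def QueryLockdownMode(self):
        return self.mode

    def QueryLockdownExceptions(self):
        return list(self.users)

    def UpdateLockdownExceptions(self, users=None):
        self.users = list(users or [])


if __name__ == "__main__":
    ham = FakeHostAccessManager("lockdownNormal", ["svc-backup"])
    print(ensure_lockdown_exception(ham, "Test"))  # ['svc-backup', 'Test']
```

After the user appears in the verified list, the setEntityPermissions call from the Issue section can be retried for that account.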