Unable to register Supervisor to Tanzu Mission Control Self-Managed (TMC-SM) due to "forbidden" RBAC error in tmc-agent-installer logs

Article ID: 429443

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

When attempting to register a Supervisor to Tanzu Mission Control Self-Hosted (TMC-SM) via the vCenter UI, the process fails. The registration wizard returns a generic error message:

“The Tanzu Mission Control installation request failed. Your changes were not saved.”

While the TMC installer CronJob on the Supervisor successfully creates a Job, the registration never finalizes. The Supervisor remains unmanaged, and the registration process does not progress to agent reconciliation.

To confirm this specific issue, check the logs of the installer pod on the Supervisor:

  1. Identify the installer pod in the TMC service namespace: kubectl get pods -n svc-tmc-<id>
  2. View the logs for the failed pod: kubectl -n svc-tmc-<id> logs tmc-agent-installer-<id>

The logs will contain an entry similar to the following:

E0210 15:00:55.305201 1 tmc.go:21] "handleTmcGet() encountered error fetching configuration" err="agentinstalls.installers.tmc.cloud.vmware.com \"tmc-agent-installer-config\" is forbidden: User \"sso:<sso user>\" cannot get resource \"agentinstalls\" in API group \"installers.tmc.cloud.vmware.com\" in the namespace \"svc-tmc-<id>\""
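
To confirm the signature without reading the log by eye, the following added example (not part of the original article or of any VMware tooling) parses installer log text on stdin and reports which identity was denied which resource. The function names and the sample log values (user name, namespace id, first log line) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: reads tmc-agent-installer log text on stdin and reports RBAC denials.

# Print one record per distinct denial: user|verb|resource|API group|namespace.
# The \\? parts tolerate the backslash-escaped quotes seen inside err="..." above.
tmc_rbac_denials() {
  sed -nE 's/.*is forbidden: User \\?"([^"\\]+)\\?" cannot ([a-z]+) resource \\?"([^"\\]+)\\?" in API group \\?"([^"\\]*)\\?" in the namespace \\?"([^"\\]+)\\?".*/\1|\2|\3|\4|\5/p' |
    sort -u   # repeated CronJob runs log the same denial many times
}

# Exit 0 only if the log shows the signature from this article: a denied "get" on
# agentinstalls in installers.tmc.cloud.vmware.com. Prints who was denied, and where.
tmc_is_agentinstalls_denial() {
  tmc_rbac_denials | awk -F'|' '
    $2 == "get" && $3 == "agentinstalls" && $4 == "installers.tmc.cloud.vmware.com" {
      printf "denied: user=%s namespace=%s\n", $1, $5
      hit = 1
    }
    END { exit !hit }'
}

# Constructed sample input modelled on the entry above (user, namespace id and the
# first line are made up for this example).
SAMPLE_LOG='I0210 15:00:54.100000 1 example.go:1] "constructed informational line"
E0210 15:00:55.305201 1 tmc.go:21] "handleTmcGet() encountered error fetching configuration" err="agentinstalls.installers.tmc.cloud.vmware.com \"tmc-agent-installer-config\" is forbidden: User \"sso:jdoe@example.test\" cannot get resource \"agentinstalls\" in API group \"installers.tmc.cloud.vmware.com\" in the namespace \"svc-tmc-c8\""'

# Real use (namespace and pod name as found in step 1):
#   kubectl -n svc-tmc-<id> logs tmc-agent-installer-<id> | tmc_is_agentinstalls_denial
printf '%s\n' "$SAMPLE_LOG" | tmc_is_agentinstalls_denial
```

A zero exit status with a "denied:" line naming an sso: user means the log matches this article; a non-zero status means the installer failed for some other reason.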

Cause

The failure is caused by insufficient RBAC permissions associated with the active vSphere session.

This happens when the registration is started from a vCenter UI session that is logged in with a personal SSO user account rather than a high-privileged administrative account (e.g., [email protected]). Because the registration workflow triggers the tmc-agent-installer to interact with protected system-level Custom Resource Definitions (CRDs) and namespaces on the Supervisor, the restricted SSO identity is "forbidden" from accessing the agentinstalls resource. This prevents the agent from fetching its configuration and completing the installation.

Resolution

To resolve this issue, you must re-initiate the registration using an account with full global administrative privileges.

  1. If the UI shows a hung or partial registration state, refer to the documentation for Manually Removing the Cluster Agent from a Supervisor.
  2. Log out of the current vCenter UI session.
  3. Log back into vCenter using the integrated [email protected] account or a domain account with equivalent Global Administrative permissions.
  4. Navigate to the Supervisor registration section and follow the standard workflow to Register Tanzu Mission Control Self-Hosted with Supervisor.
  5. Verify that the tmc-agent-installer pod now completes successfully and the Supervisor status updates to "Ready" or "Associated" within the TMC-SM console.