Registering vCenter Server with NSX Manager returns "Registered with Errors" due to service account creation failure



Article ID: 430123


Products

VMware vCenter Server 8.0
VMware NSX

Issue/Introduction

When a vCenter Server is registered as a Compute Manager in the NSX-T Manager interface, the registration fails or ends in the status "Registered with Errors."

  • The NSX-T UI reports a failure for the operation com.vmware.vcenter.svcaccountmgmt.service_account.create.

  • NSX-T is unable to discover the vSphere inventory (clusters and hosts) required for network virtualization.

Environment

VMware vCenter Server 8.x
VMware NSX

Cause

This issue occurs when the SSO group memberships, and therefore the vCenter permissions, of the serviceaccountmgmt solution user are missing or misconfigured on the vCenter Server. The solution user authenticates successfully (its credentials are valid) but is then denied the System.View privilege on the global permissions object, so NSX-T cannot create the service account it needs.

  • In the vCenter Server /var/log/vmware/vpxd-svcs/vpxd-svcs.log, the following entries are seen (a successful login followed by privilege denials for the same account):


    YYYY-MM-DDThh:mm:ss.fff-##:# [authz-service-ID [] INFO  com.vmware.cis.server.authentication.impl.MoSessionManager  opId=ID] Logged in user: "DOMAIN.LOCAL\serviceaccountmgmt-[ID]"
    YYYY-MM-DDThh:mm:ss.fff-##:# [authz-service-ID [] WARN  com.vmware.cis.authorization.impl.AclPrivilegeValidator  opId=ID] User DOMAIN.LOCAL\serviceaccountmgmt-[ID] does not have privileges [System.View] on object urn:acl:global:permissions
    YYYY-MM-DDThh:mm:ss.fff-##:# [authz-service-ID [] WARN  com.vmware.cis.core.authz.accesscontrol.impl.CheckPrivilegesRouterRiseImpl  opId=ID] User DOMAIN.LOCAL\serviceaccountmgmt-[ID] does not have privileges [System.View] on object urn:acl:global:permissions
    YYYY-MM-DDThh:mm:ss.fff-##:# [authz-service-ID [] WARN  com.vmware.cis.core.authz.accesscontrol.impl.CheckPrivilegesRouterRiseImpl  opId=REDACTED] User DOMAIN.LOCAL\serviceaccountmgmt-[ID] does not have privileges [System.View] on object urn:acl:global:permissions
    YYYY-MM-DDThh:mm:ss.fff-##:# [authz-service-ID [] WARN  com.vmware.cis.authorization.impl.AclPrivilegeValidator  opId=REDACTED] User DOMAIN.LOCAL\serviceaccountmgmt-[ID] does not have privileges [System.View] on object urn:acl:global:permissions


  • In the vCenter Server /var/log/vmware/vpxd-svcs/svcaccountmgmt.log, the following entries are seen; the authorization filter fails with a SecurityError for the service_account operations (here delete) for the same reason:

    YYYY-MM-DDThh:mm:ss.fff-##:# INFO svcaccountmgmt[PID] [CorId=REDACTED] [com.vmware.vcenter.svcaccountmgmt.vapi.setup.ServiceUtil] Obtained token with service account credentials
    YYYY-MM-DDThh:mm:ss.fff-##:# WARN svcaccountmgmt[PID] [CorId=REDACTED] [com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingBase] Asynchronous execution requested but no Executor configured. The request will be executed as synchronous one.
    YYYY-MM-DDThh:mm:ss.fff-##:# INFO svcaccountmgmt[PID] [CorId=REDACTED] [com.vmware.vcenter.svcaccountmgmt.vapi.setup.AuthzServiceUtil] AuthzClient session authenticated successfully
    YYYY-MM-DDThh:mm:ss.fff-##:# WARN svcaccountmgmt[PID] [CorId=REDACTED] [com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingBase] Asynchronous execution requested but no Executor configured. The request will be executed as synchronous one.
    YYYY-MM-DDThh:mm:ss.fff-##:# ERROR svcaccountmgmt[PID] [CorId=REDACTED] [com.vmware.vapi.authz.impl.AuthorizationFilter] Could not validate permission information for operation com.vmware.vcenter.svcaccountmgmt.service_account.delete invocation.
    com.vmware.vim.binding.vmodl.fault.SecurityError at sun.reflect.GeneratedConstructorAccessor[ID].newInstance(Unknown Source)
            at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:[LINE])
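
To triage this pattern from a log excerpt, here is an added Python example that is not part of the KB article or of any VMware tool. It reads vpxd-svcs.log lines, collects the privilege denials per account, and reports solution users that authenticated successfully but were then denied System.View on urn:acl:global:permissions, which is the signature of valid credentials with missing SSO group memberships. The sample lines are constructed to match the format above; timestamps, opIds, account IDs, the DOMAIN.LOCAL domain and the extra someadmin/administrator lines are placeholders.

```python
"""Added example: triage authz denials for vSphere solution users in
vpxd-svcs.log.  Not part of the KB article or of any VMware tooling."""
import re
from collections import defaultdict

# Constructed sample lines modelled on the vpxd-svcs.log excerpt above.
# Timestamps, opIds, account IDs and the domain are placeholders.
SAMPLE_VPXD_SVCS_LOG = "\n".join([
    r'2024-01-01T10:00:00.001-00:00 [authz-service-1 [] INFO  com.vmware.cis.server.authentication.impl.MoSessionManager  opId=1] Logged in user: "DOMAIN.LOCAL\serviceaccountmgmt-1234"',
    r'2024-01-01T10:00:00.002-00:00 [authz-service-1 [] WARN  com.vmware.cis.authorization.impl.AclPrivilegeValidator  opId=1] User DOMAIN.LOCAL\serviceaccountmgmt-1234 does not have privileges [System.View] on object urn:acl:global:permissions',
    r'2024-01-01T10:00:00.003-00:00 [authz-service-1 [] WARN  com.vmware.cis.core.authz.accesscontrol.impl.CheckPrivilegesRouterRiseImpl  opId=1] User DOMAIN.LOCAL\serviceaccountmgmt-1234 does not have privileges [System.View] on object urn:acl:global:permissions',
    # Constructed: a denial for an ordinary user that must not be flagged
    # as a solution-user problem.
    r'2024-01-01T10:00:01.000-00:00 [authz-service-1 [] WARN  com.vmware.cis.authorization.impl.AclPrivilegeValidator  opId=2] User DOMAIN.LOCAL\someadmin does not have privileges [System.View] on object urn:acl:global:permissions',
    # Constructed: a login with no denial.
    r'2024-01-01T10:00:02.000-00:00 [authz-service-1 [] INFO  com.vmware.cis.server.authentication.impl.MoSessionManager  opId=3] Logged in user: "DOMAIN.LOCAL\administrator"',
])

LOGGED_IN = re.compile(r'Logged in user: "(?P<domain>[^\\"]+)\\(?P<user>[^"]+)"')
PRIV_DENIED = re.compile(
    r"User (?P<domain>[^\\\s]+)\\(?P<user>\S+) does not have privileges "
    r"\[(?P<privs>[^\]]*)\] on object (?P<obj>\S+)"
)


def logins(log_text):
    """Accounts that authenticated (MoSessionManager 'Logged in user' lines)."""
    return {m.group("user") for m in map(LOGGED_IN.search, log_text.splitlines()) if m}


def privilege_denials(log_text):
    """{account: {(privilege, object), ...}} for every authz denial line.
    A denial may list several privileges; each is recorded separately."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = PRIV_DENIED.search(line)
        if not m:
            continue
        for priv in m.group("privs").split(","):
            denials[m.group("user")].add((priv.strip(), m.group("obj")))
    return dict(denials)


def affected_solution_users(log_text, prefix="serviceaccountmgmt-"):
    """Solution users matching `prefix` that logged in successfully and were
    then denied System.View on the global permissions object: the signature
    of valid credentials but missing SSO group memberships."""
    signature = ("System.View", "urn:acl:global:permissions")
    authenticated = logins(log_text)
    return sorted(
        user for user, denied in privilege_denials(log_text).items()
        if user.startswith(prefix) and user in authenticated and signature in denied
    )


if __name__ == "__main__":
    for user in affected_solution_users(SAMPLE_VPXD_SVCS_LOG):
        print(f"{user}: authenticated but denied System.View; check its SSO group memberships")
```

Requiring both a login line and a denial for the same account separates this condition from a plain bad-credential failure, where no "Logged in user" line would appear; feeding the real log through privilege_denials also shows whether other solution users are affected.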
            

Resolution

To restore the solution user's SSO group memberships on the vCenter Server, follow the steps below.

  1. Take a snapshot of the vCenter Server before making any changes.

  2. Download the solution_users_fixer.py script from KB Fixing missing SSO Group Memberships for vSphere Solution Users with the solution_users_fixer script.

  3. Transfer the solution_users_fixer.py script to the /tmp folder on the vCenter Server, as described in KB How to upload or download files to or from vCenter and ESXi hosts.

  4. Log in to the vCenter Server Appliance (VCSA) via SSH as root.

  5. Run the script in check mode to list the group memberships each solution user is missing:

    python /tmp/solution_users_fixer.py --check

    Sample output : serviceaccountmgmt-<UUID> is MISSING from groups: {'cn=solutionusers,dc=<DOMAIN>,dc=<LOCAL>', 'cn=<USERNAME>,dc=<DOMAIN>,dc=<LOCAL>', 'cn=readonlyusers,dc=<DOMAIN>,dc=<LOCAL>'}

  6. Run the script in fix mode to restore the missing memberships:

    python /tmp/solution_users_fixer.py --fix

  7. Restart the vCenter Server services. This stops every service and interrupts vCenter management access until they are back up, so schedule it accordingly:

    service-control --stop --all && service-control --start --all

    Once the services are running, re-run the script with --check to confirm nothing is still reported as MISSING, then retry the Compute Manager registration in NSX-T.
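
The check/fix sequence above, wrapped in an added Python example that is not part of the KB article or of solution_users_fixer.py: it parses the --check output, runs --fix only when an account is reported MISSING, and re-checks afterwards so a half-applied repair is noticed. The parser is keyed to the sample output line in step 5 and may need adjusting for a script version that words its report differently; the SAMPLE_CHECK_OUTPUT text, the FakeRunner class and the dc=vsphere,dc=local domain are constructed for offline use, and run_fixer assumes the script sits at /tmp/solution_users_fixer.py as in step 3.

```python
"""Added example: drive solution_users_fixer.py check/fix safely.
Not part of the KB article or of the fixer script itself."""
import ast
import re
import subprocess

FIXER = "/tmp/solution_users_fixer.py"  # location used in step 3

# Keyed to the sample output line in step 5; adjust if your version of the
# script words its report differently.
MISSING_RE = re.compile(r"^(?P<user>\S+) is MISSING from groups: (?P<groups>\{.*\})$")

# Constructed --check output (the dc=vsphere,dc=local domain is a placeholder).
SAMPLE_CHECK_OUTPUT = (
    "serviceaccountmgmt-1111 is MISSING from groups: "
    "{'cn=solutionusers,dc=vsphere,dc=local', "
    "'cn=serviceaccountmgmt-1111,dc=vsphere,dc=local', "
    "'cn=readonlyusers,dc=vsphere,dc=local'}\n"
)


def parse_check_output(text):
    """Map each account reported MISSING to the set of group DNs it lacks.
    Lines that do not match the report format are ignored."""
    missing = {}
    for line in text.splitlines():
        m = MISSING_RE.match(line.strip())
        if not m:
            continue
        groups = ast.literal_eval(m.group("groups"))  # the report prints a Python set literal
        missing.setdefault(m.group("user"), set()).update(str(g) for g in groups)
    return missing


def group_cn(dn):
    """'cn=solutionusers,dc=vsphere,dc=local' -> 'solutionusers'."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value if key.lower() == "cn" else dn


def run_fixer(args):
    """Real runner: invoke the script on the VCSA (run as root over SSH)."""
    proc = subprocess.run(["python", FIXER, *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def check_and_fix(run=run_fixer):
    """Run --check; run --fix only if something is MISSING; re-check after.
    Returns (missing_before, fixed) so the caller can log what happened."""
    before = parse_check_output(run(["--check"]))
    if not before:
        return before, False
    run(["--fix"])
    after = parse_check_output(run(["--check"]))
    if after:
        raise RuntimeError(f"memberships still missing after --fix: {after}")
    return before, True


class FakeRunner:
    """Stand-in for run_fixer so the flow can be exercised offline (constructed)."""
    def __init__(self, check_outputs):
        self.check_outputs = list(check_outputs)
        self.calls = []

    def __call__(self, args):
        self.calls.append(tuple(args))
        return self.check_outputs.pop(0) if args == ["--check"] else ""


if __name__ == "__main__":
    runner = FakeRunner([SAMPLE_CHECK_OUTPUT, ""])  # second --check comes back clean
    before, fixed = check_and_fix(runner)
    for user, dns in before.items():
        print(user, "was missing from:", sorted(map(group_cn, dns)))
    print("fix applied:", fixed, "calls:", runner.calls)
```

On a real appliance call check_and_fix() with the default runner after taking the snapshot from step 1; the service restart in step 7 is still required afterwards, since this helper only covers the check and fix steps.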


Additional Information

Fixing missing SSO Group Memberships for vSphere Solution Users with the solution_users_fixer script