Storage Policies missing from vCenter
Article ID: 439223


Products

VMware vCenter Server

Issue/Introduction

  • Under Policies and Profiles -> VM Storage Policies, the view is empty
  • In /var/log/vmware/vmware-sps/sps.log there are entries similar to:

    <timestamp> [http-nio-127.0.0.1-8190-exec-4] INFO  opId=sps-Main-856479-696 com.vmware.vim.storage.common.security.vapi.VapiAuthzPermissionValidator - Logged in user name is <USERNAME> and domain is <DOMAIN>
    <timestamp> [http-nio-127.0.0.1-8190-exec-4] INFO  opId=sps-Main-856479-696 com.vmware.vim.storage.common.serviceclient.identity.impl.SsoManagerImpl - Printing the trusted roots java.util.Vector$1@7147####
    <timestamp> [http-nio-127.0.0.1-8190-exec-4] ERROR opId=sps-Main-856479-696 com.vmware.vim.sso.client.impl.SoapBindingImpl - SOAP fault
    com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Access not authorized! Please see the server log to find more detail regarding exact cause of the failure.
    at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
    at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
    ...
    <timestamp> [http-nio-127.0.0.1-8190-exec-4] INFO  opId=sps-Main-856479-696 com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor - Request is invalid: ns0:InvalidRequest: Access not authorized!
    <timestamp> [http-nio-127.0.0.1-8190-exec-4] ERROR opId=sps-Main-856479-696 com.vmware.vim.storage.common.serviceclient.identity.impl.SsoManagerImpl - Acquiring SAML token failed with exception:
    com.vmware.vim.sso.client.exception.InvalidTokenRequestException: Request is invalid: ns0:InvalidRequest: Access not authorized!

Environment

vCenter Server 8.0 U3

Cause

The SPS service account is missing from one or more of the following groups:

  • ActAsUsers
  • Administrators
  • ServiceProviderUsers

These are the default group memberships for the SPS service account; they grant it the permissions it needs on vCenter for various tasks.

Resolution

Ensure an offline snapshot of the vCenter is taken, in accordance with the VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice, before making changes to the group memberships.

  1. Verify which group(s) the SPS service account is missing from.
    This can be verified with the following commands:

    Note the machine ID of the vCenter:

    /usr/lib/vmware-vmafd/bin/vmafd-cli get-machine-id --server-name localhost

    List the members of the group and check for the SPS service account, which is in the format sps-<machine_id> (note that if there are multiple vCenters in the SSO domain, there should be an equal number of sps service accounts in total):

    /usr/lib/vmware-vmafd/bin/dir-cli group list --name <GROUP_NAME>

  2. Add it to the group(s) it is missing from using the following command:

    /usr/lib/vmware-vmafd/bin/dir-cli group modify --name <GROUP_NAME> --add sps-<machine_id>

  3. Restart the SPS service to apply the change:

    service-control --restart sps
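The three steps above, combined into one script as an added example (not part of this KB article): it looks up the machine ID, checks each of the three default groups for sps-<machine_id>, adds the account only where it is actually missing, and restarts SPS once if anything changed. It assumes the CLI paths shown in the article, that dir-cli prompts for the SSO administrator password on each call, and it only checks this node's own sps account.

```shell
#!/bin/sh
# Added example, not part of the KB: audit the SPS service account's
# membership in its three default SSO groups and add it where missing.
# Assumes the CLI paths from the KB; dir-cli prompts for the SSO
# administrator password on each call. Only this node's sps-<machine_id>
# account is checked; in an Enhanced Linked Mode domain run it on each vCenter.
VMAFD_CLI=/usr/lib/vmware-vmafd/bin/vmafd-cli
DIR_CLI=/usr/lib/vmware-vmafd/bin/dir-cli
SPS_GROUPS="ActAsUsers Administrators ServiceProviderUsers"

# Print the members of one SSO group (wrapper so it can be stubbed offline).
list_group_members() {
    "$DIR_CLI" group list --name "$1"
}

# Print the space-separated groups from SPS_GROUPS that do not list $1.
missing_groups() {
    account="$1"
    missing=""
    for g in $SPS_GROUPS; do
        # Plain fixed-string match: the account name may appear inside a DN.
        if ! list_group_members "$g" | grep -qF -- "$account"; then
            missing="$missing $g"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Add the account only to the groups it is actually missing from (idempotent),
# then restart SPS once if anything changed.
repair_membership() {
    account="$1"
    changed=0
    for g in $(missing_groups "$account"); do
        echo "Adding $account to $g"
        "$DIR_CLI" group modify --name "$g" --add "$account"
        changed=1
    done
    if [ "$changed" -eq 1 ]; then
        service-control --restart sps
    else
        echo "$account is already a member of all default groups"
    fi
}

# Run against the live appliance only when explicitly requested.
if [ "${SPS_CHECK_RUN:-0}" = "1" ]; then
    machine_id=$("$VMAFD_CLI" get-machine-id --server-name localhost)
    repair_membership "sps-$machine_id"
fi
```

Run it as root on the vCenter appliance with SPS_CHECK_RUN=1; without that variable the script only defines the functions and changes nothing.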