Error: "You are not authorized to view this page" with IDENTITY_UNAUTHORIZED_ENTITY in SDDC Manager 9.0.x

Article ID: 439276

Products

VMware SDDC Manager / VCF Installer

Issue/Introduction

Note: This article applies to the IDENTITY_UNAUTHORIZED_ENTITY error code (HTTP 401) on SDDC Manager 9.0.x. For the same UI message accompanied by IDENTITY_INTERNAL_SERVER_ERROR (HTTP 500) on SDDC Manager 4.5.x, see Intermittently SDDC GUI displays error "You are not authorized to view this page. Login" while trying to login instead.

  • You authenticate to vCenter Server through the SDDC Manager UI login redirect using [email protected] and the vCenter login appears to succeed.

  • You are then immediately redirected to a page in the SDDC Manager UI that displays:

    You are not authorized to view this page. Login
    
  • Clicking the Login link returns you to the vCenter login page, creating a redirect loop.

  • In /var/log/vmware/vcf/sddc-manager-ui-app/sddcManagerServer.log, you see entries similar to:

    ERROR [services/wrappers/requestPromiseWrapper.js, logAxiosError] axios.error.response.data {"errorCode":"IDENTITY_UNAUTHORIZED_ENTITY","message":"User is not authorized","referenceToken":"<token>"}
    ERROR [services/authorization.js, isAuthorizedUser] 500.144: VError: User Authorization failed: User is not authorized
    ERROR [services/authorization.js, authorizeUser] 500.143: VError: Unauthorized user, logging out
    ERROR [routes/security/authentication.js] FAILED to Authenticate/Authorize: Unauthorized user, logging out
    
  • In /var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log, you see entries similar to:

    ERROR [c.v.e.s.i.d.s.c.PermissionClientImpl] Not found any permission for user id [email protected] or associated groups [vsphere.local\Users, vsphere.local\Administrators, vsphere.local\CAAdmins, vsphere.local\SystemConfiguration.Administrators, vsphere.local\SystemConfiguration.BashShellAdministrators, vsphere.local\SystemConfiguration.ReadOnly, vsphere.local\SystemConfiguration.SupportUsers, vsphere.local\LicenseService.Administrators, vsphere.local\Everyone]
    ERROR [c.v.e.s.i.s.PermissionServiceImpl] User is un-authorized
    ERROR [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler] [<token>] IDENTITY_UNAUTHORIZED_ENTITY User is not authorized
    
  • The vCenter Server websso.log shows that authentication completed successfully for the user against the local VMware Directory provider, with an audit log event of type com.vmware.sso.LoginSuccess. The failure occurs only on the SDDC Manager authorization step that follows.

Additional symptoms reported:

  • Login redirects to the vCenter login page, then back to the SDDC Manager UI, where the "You are not authorized" page appears.
  • The behavior persists after restarting SDDC Manager services and after rebooting the SDDC Manager appliance.
  • The behavior persists after disabling federated SSO configuration on the vCenter side.

Environment

  • VMware Cloud Foundation 9.0.x, including SDDC Manager 9.0.2

Cause

In VMware Cloud Foundation 9.0.x, the [email protected] account is not automatically present in the SDDC Manager Single Sign On user list. The SDDC Manager UI login flow uses vCenter Server as the SAML identity provider. After vCenter authenticates the user, the SDDC Manager UI server calls its local authorization service to confirm that the user has a role binding on SDDC Manager. If neither [email protected] nor any of its group memberships have a role binding in the SDDC Manager Single Sign On configuration, the local authorization service rejects the session and the UI displays the "You are not authorized" page even though the upstream vCenter authentication succeeded.

This typically occurs when:

  • [email protected] was never added as an SDDC Manager admin in the current deployment.
  • [email protected] was previously added but later removed, for example during the configuration of an alternate admin account or during a Single Sign On reorganization.
  • The vsphere.local\Administrators group is not present as an SDDC Manager admin group, and the user's other group memberships also have no role bindings.
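As an added example (not part of this article and not VMware or Broadcom code), the following Python script parses the two log entries quoted above and applies the same user-or-group role-binding check the Cause section describes, so an operator can see which of the listed groups would need a binding. The user name, group list and binding table are constructed samples.

```python
import json
import re

# Constructed sample lines modelled on the entries quoted in this article;
# the user name and groups are invented for the example.
UI_LOG = ('ERROR [services/wrappers/requestPromiseWrapper.js, logAxiosError] '
          'axios.error.response.data {"errorCode":"IDENTITY_UNAUTHORIZED_ENTITY",'
          '"message":"User is not authorized","referenceToken":"<token>"}')
COMMONSVCS_LOG = ("ERROR [c.v.e.s.i.d.s.c.PermissionClientImpl] Not found any permission "
                  "for user id sampleuser@vsphere.local or associated groups "
                  "[vsphere.local\\Users, vsphere.local\\Administrators, vsphere.local\\Everyone]")
# Constructed stand-in for the Administration -> Single Sign On binding list:
# a local SSO user and one group have roles; none of the denied user's groups do.
BINDINGS = {"user": {"vcfadmin@vsphere.local": "Administrator"},
            "group": {"vsphere.local\\SDDC-Operators": "Operator"}}

DENIAL_RE = re.compile(r"Not found any permission for user id (?P<user>\S+) "
                       r"or associated groups \[(?P<groups>[^\]]*)\]")

def ui_error_code(line):
    """Return errorCode from the JSON payload of a sddcManagerServer.log axios error."""
    m = re.search(r"axios\.error\.response\.data (\{.*\})", line)
    try:
        return json.loads(m.group(1)).get("errorCode") if m else None
    except json.JSONDecodeError:  # truncated or non-JSON payload
        return None

def parse_denial(line):
    """Extract (user, [groups]) from a vcf-commonsvcs.log PermissionClientImpl line."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    groups = [g.strip() for g in m.group("groups").split(",") if g.strip()]
    return m.group("user"), groups

def explain_denial(user, groups, bindings):
    """Apply the check from the Cause section: a session is authorized only if the
    user itself or at least one of its groups has a role binding on SDDC Manager."""
    user_role = bindings["user"].get(user)
    matching = {g: bindings["group"][g] for g in groups if g in bindings["group"]}
    return {
        "authorized": user_role is not None or bool(matching),
        "user_role": user_role,
        "matching_groups": matching,
        # groups of the denied user with no binding; adding one of them (or the
        # user itself) with the Administrator role is the fix in the Resolution
        "candidate_groups": [g for g in groups if g not in bindings["group"]],
    }
```

Feed it the real PermissionClientImpl line from vcf-commonsvcs.log and the current binding list, and `candidate_groups` tells you which existing group (for example vsphere.local\Administrators) would cover the user if bound.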

Resolution

  1. Log in to the SDDC Manager UI using an account that already has the Administrator role on SDDC Manager. This is typically a local Single Sign On user that was assigned the role during initial deployment.
  2. Navigate to Administration → Single Sign On.
  3. Click + USER OR GROUP.
  4. Add a binding using one of the following options:
    • Add [email protected] as a USER with the Administrator role.
    • Add vsphere.local\Administrators as a GROUP with the Administrator role to grant access to all members of that group.
  5. Confirm the new entry appears in the Single Sign On user and group list.
  6. Log out of the SDDC Manager UI.
  7. Log in again as [email protected]. The login completes and the SDDC Manager UI loads.

If you do not have access to any account with the Administrator role on SDDC Manager:

  1. Identify any account that exists in vCenter Single Sign On and is a member of a group that already has an Administrator role binding on SDDC Manager.
  2. Log in to the SDDC Manager UI as that account, then perform the steps above.
  3. If no qualifying account exists, contact Broadcom Support for assistance.

Additional Information