Configuring vCenter Adapter fails in VCF Operations

Article ID: 440402

Updated On:

Products

VMware vCenter Server VCF Operations

Issue/Introduction

  • Attempting to configure the vCenter Server Adapter in VMware Cloud Foundation (VCF) Operations reports a Warning message stating: "The vCenter credentials must have the Global.Licenses privilege assigned and be a member of the LicenseService.Administrators Single Sign-On group. License management will not be available." This occurs even when using the administrator@vsphere.local account.
  • Logging in to the vCenter UI with the administrator@vsphere.local account and navigating to Administration > Users & Groups > Groups in the vSphere Client displays a "No Privilege" error.

  • The Add button in the Users section is greyed out, preventing new user creation.

  • The administrator@vsphere.local account is missing from the Builtin Administrators group. The steps to validate this are listed below:

    • SSH to the impacted vCenter Server as root and run ldapsearch against the vmdir service to dump the current members of the Builtin Administrators group into an LDIF file for inspection. Enter the SSO Administrator password when prompted.
      /opt/likewise/bin/ldapsearch -h localhost -b "cn=Administrators,cn=Builtin,dc=vsphere,dc=local" -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W > /tmp/admin_group.ldif
    • Open the output file using a text editor (e.g., cat /tmp/admin_group.ldif) and look through the member: entries. Confirm that member: cn=Administrator,cn=Users,dc=vsphere,dc=local is missing.

  • The dir-cli state get command (/usr/lib/vmware-vmafd/bin/dir-cli state get) reports privilege issues for the administrator account.

  • Reviewing the vmdir logs (/var/log/vmware/vmdird/vmdird.log) reveals consistent SASL bind failures and invalid credentials for the Administrator account, even if the password is correct:
    ERROR vmdir 13995#####70368 [vc@4413] SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)
    ERROR vmdir 13995#####70368 [vc@4413] VdirPasswordFailEvent from user(cn=administrator,cn=users,dc=vsphere,dc=local), error(0)()
    ERROR vmdir 13995#####70368 [vc@4413] VmDirSendLdapResult: Request (Bind), Error (LDAP_INVALID_CREDENTIALS(49)), Message ((49)(SASL step failed.)), (0) socket (127.0.0.1) 
    ERROR vmdir 13995#####70368 [vc@4413] Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL
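
The membership check on /tmp/admin_group.ldif described above can be scripted instead of read by eye. The following is an added example, not part of the original article or any VMware tooling: it parses LDIF text, handles the folded lines and base64 (member::) values that the LDIF format allows and that a plain text search can miss, and compares DNs case-insensitively. The sample LDIF and the example-svc account name are constructed for illustration.

```python
import base64
import sys

# DN this article expects in the Builtin Administrators group.
ADMIN_DN = "cn=Administrator,cn=Users,dc=vsphere,dc=local"

def unfold(ldif_text):
    """Join LDIF continuation lines: a line starting with one space extends the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def normalize_dn(dn):
    """Case-fold and trim each RDN. Simplification: assumes no escaped commas in the DN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def group_members(ldif_text):
    """Return the normalized DN of every member: / member:: value in the LDIF text."""
    members = []
    for line in unfold(ldif_text):
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "member":
            continue
        if value.startswith(":"):  # "member:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        members.append(normalize_dn(value))
    return members

def is_member(ldif_text, dn=ADMIN_DN):
    """True when dn appears among the group's member values."""
    return normalize_dn(dn) in group_members(ldif_text)

# Constructed sample data (not output from a real vCenter): one folded member line.
SAMPLE_MISSING = (
    "dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local\n"
    "cn: Administrators\n"
    "member: cn=example-svc,cn=ServicePrincipals,dc=vsphere,\n"
    " dc=local\n"
)
# Same entry with the administrator added back, written in the base64 form.
SAMPLE_PRESENT = SAMPLE_MISSING + "member:: " + base64.b64encode(ADMIN_DN.encode()).decode() + "\n"

if __name__ == "__main__":
    # Pass the LDIF file path as the first argument; falls back to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MISSING
    present = is_member(text)
    print("Administrator present in group:", present)
    sys.exit(0 if present else 1)
```

Run with the LDIF file as the only argument; the exit status is 0 when the Administrator DN is a member and 1 when it is missing.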

Environment

VMware vCenter Server 9.x

VMware Cloud Foundation Operations (VCFOPS) 9.x

Cause

The issue occurred because administrator@vsphere.local was accidentally removed from the vmdir Builtin Administrators group.

Resolution

To resolve this issue, manually restore the administrator@vsphere.local account to the Builtin Administrators group.

  1. Take a backup or virtual machine snapshot of the vCenter Server Appliance before proceeding with the next steps.
  2. SSH to the impacted vCenter Server using the root account.
  3. Execute the following ldapmodify command to inject the missing member record back into the directory. Press Enter after typing EOF:

    ldapmodify -H ldap://localhost/ -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W << EOF
    dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
    changetype: modify
    add: member
    member: cn=Administrator,cn=Users,dc=vsphere,dc=local
    EOF
    
  4. At the Enter LDAP Password: prompt, type the SSO Administrator (administrator@vsphere.local) account password. You should see the output: modifying entry "cn=Administrators,cn=Builtin,dc=vsphere,dc=local".

  5. Verify that the directory server state is healthy and that privileges have been restored by running:

    /usr/lib/vmware-vmafd/bin/dir-cli state get
    
  6. Enter the password for administrator@vsphere.local. Ensure the output returns: Directory Server State: Normal (3)

  7. Return to the VCFOPS UI, navigate to the vCenter Adapter configuration, and successfully complete the setup. The adapter status should now transition to "Collecting".

Additional Information

If the account in use is not the local SSO administrator, follow the instructions provided in KB: The vCenter credentials you use must have the Global.Licenses privilege assigned and be a member of the LicenseService.Administrators Single Sign-On group.