VMware Cloud Community
hank-ger
Enthusiast
Enthusiast
Jump to solution

Authentication Error in vSphere Client

Hi,

when anybody of my VM Users try to use the vCops Plugin in the vSphere Client he become an error message.

"vCenter Server Authentication Error"

error_vc.JPG

Does anybody have the same issue?

The Web-Client Acces is also not possible -> "User not authorized"

1 Solution

Accepted Solutions
pfuhli
Enthusiast
Enthusiast
Jump to solution

Hi Henry,

by going to https://your.vcops.ui.server/vcops-custom/ you can access the administration workspace of VCOPS.

Login is admin

Password had to be set at the initial configuration by you. Hopefully you remember it 😉

Go to ADMIN => Security in the upper menu and check for user management.

vcops.PNG

At this stage it's just a guess but I think you need to assign roles to users. Users can be VCOPS local users or LDAP users.

I think administrative users are allowed to use VCOPS UI by their high level rights in the vcenter.

HTH

daniel

View solution in original post

Reply
0 Kudos
23 Replies
admin
Immortal
Immortal
Jump to solution

Hi, VCOps can be accessed only by a user with an administrative rights. Most probably your VM users don't have such rights.

Please check if this is the case.

Thanks!

Reply
0 Kudos
hank-ger
Enthusiast
Enthusiast
Jump to solution

all Users are in the default "Virtual Maschine user".

When I set "administrative rights" to the VM it doesn´t work too.

What kind of administrative rights do they need?

Reply
0 Kudos
admin
Immortal
Immortal
Jump to solution

The user should be an administrator of the whole VC server.

hank-ger
Enthusiast
Enthusiast
Jump to solution

You are right.

But that is not acceptable!

May I have to call the support or open an feature request..

Reply
0 Kudos
pfuhli
Enthusiast
Enthusiast
Jump to solution

Hi Henry,

by going to https://your.vcops.ui.server/vcops-custom/ you can access the administration workspace of VCOPS.

Login is admin

Password had to be set at the initial configuration by you. Hopefully you remember it 😉

Go to ADMIN => Security in the upper menu and check for user management.

vcops.PNG

At this stage it's just a guess but I think you need to assign roles to users. Users can be VCOPS local users or LDAP users.

I think administrative users are allowed to use VCOPS UI by their high level rights in the vcenter.

HTH

daniel

Reply
0 Kudos
hank-ger
Enthusiast
Enthusiast
Jump to solution

It works, thank you Daniel.

Reply
0 Kudos
Rincey
Contributor
Contributor
Jump to solution

Hi,

I was using the appliance and the /vcops-custom url as well.

I got up to the section in the Admin guide about enabling LDAP and thought it would be a good idea (I don't want everyone logging in as 'admin' and I don't want to manage users through the application - I'd rather they belong to an LDAP/AD group and get their rights that way).

I entered all the LDAP configuration information under admin>security>Import from LDAP.

When I clicked ok, my browser locked up and eventually I got the page refreshed but it was back to the login page.

So I re-logged in as 'admin', but the credentials weren't accepted. So I tried my own Active Directory account. It got me logged in, but to the https://vcops URL which isn't as usual as the custom URL, so I manually entered https://vcops/vcops-custom but I got a 404 error:

HTTP Status 404 - /vcops-custom


type Status report

message /vcops-custom

description The requested resource (/vcops-custom) is not available.


Apache Tomcat/6.0.26

I'm using the vCOps appliance v5.0, Enterprise Edition, currently licensed with an eval key while I wait for our real key to appear on our portal.

vSphere - ESXi & vCenter - still at v4.1

I only deployed it yesterday or the day before, so if I have to redeploy, I'm not going to lose a great deal of data/work. But I'd prefer if there was a way to get back into vcops without redeploying, then that would be appreciated.

Cheers

Scott

Reply
0 Kudos
Rincey
Contributor
Contributor
Jump to solution

unbelieveable - fixed itself.

decided to hit refresh on the error page again - now works, and local 'admin' account lets me back into the /vcops-custom URL

weird.

Reply
0 Kudos
FGShepherdP10
Enthusiast
Enthusiast
Jump to solution

We're having similar issues with vCOPs 5:

  • Non-Administrator users in VirtualCenter cannot use the plug-in
  • Non-Administrator users in VirtualCenter cannot log into the web interface at .../vcops-vsphere
  • LDAP-connected users cannot Authenticate to .../vcops-vsphere
  • Locally-created users (in the -custom) interface cannot log into .../vcops-vsphere (known issue, according to Release Notes)

Has anyone else found a way to use this product without making all users Administrators?  Such a great utility, but we can't remove RBAC entirely, just to get it to work.

Reply
0 Kudos
admin
Immortal
Immortal
Jump to solution

You don't need administrative privileges to view VCOPS data. It is only required for registration. Make sure that the users have vCenter Operations privilege as part of their roles. This privilege should be available at the vCenter level.

Reply
0 Kudos
hank-ger
Enthusiast
Enthusiast
Jump to solution

I think you mean this point:

Under: Roles - Global:

vcops-admin.jpg

pilphil
Contributor
Contributor
Jump to solution

Hi Hank-ger and krajah,

Could you please explain what you mean in your 2 preceeding posts?

Can users added via the vcops-custom->Admin->Security, not login to vcops-vsphere?

Thanks in advance for your time!

Reply
0 Kudos
FGShepherdP10
Enthusiast
Enthusiast
Jump to solution

SOLVED: (In response to my own post) I created a role called "vcops-user" and gave it Administrator permissions, then chopped away at it, leaving only the Global > vCenter Operations User checkbox, and it kept working the whole time.  Every user that I added to that role worked.  But when I added that Permission to existing users, they got the Authentication Error.

The main difference:  The test "vcops-user" role was assigned as a permission at the Virtual Center object, the ROOT of vCenter-- the very highest level of the "Hosts and Clusters", while the users in question were assigned at lower levels in the hierarchy.  As soon as I added those users to the new permission, at the root of vCenter, they started working.

So, we've made an Active Directory group called "vcops-users" and assigned them to the limited "vcops-user" Role, with only the vCenter Operations User permission checked, at the root level of vCenter and everything is working just fine.

pilphil
Contributor
Contributor
Jump to solution

Thank you very much, FGShepherdP10, for your detailed explanation.

I was able to create an Active Directory user, and assign the limited  "vcops-user" role to this user, per your post. This user can login to vcops-vsphere UI which is a big step forward.

For this user to be able to login in vcops-custom UI, should I proceed to "Import LDAP User" as documented in the Admin Guide? Right now, an attempt to login to the vcops-custom UI results in an authentication error.

Thanks again, for your help and guidance.

Reply
0 Kudos
critical3rr0r
Enthusiast
Enthusiast
Jump to solution

The answer to your question is yes. The original discussion is giving access through the VI client.

"All you touch and all you see is all your life will ever be."
Reply
0 Kudos
FGShepherdP10
Enthusiast
Enthusiast
Jump to solution

Exactly.  I am still not able to grant anyone access to the Web UI using LDAP.  Access for our users is strictly through the client UI.

Reply
0 Kudos
kattrap
Contributor
Contributor
Jump to solution

Based on hank-ger's reply and my own testing.. here's how I got it to work without compromising the security of my RBAC...too much.

New active directory group for VCOps, active directory users associated with that group. vCenter role with only the Global -> vCenter Operations Manager User privilege. This role is set at the root of vCenter Hosts & Clusters and set to not propagate.

Within VCOps, the users can see all the VMs/datastore/resources but outside of the app, they've got no access to anything.

vcops_priv.jpg

Reply
0 Kudos
TBKing
Enthusiast
Enthusiast
Jump to solution

This deserves a bump and a pat on the back to FGSheperd (and more points if we could)

Glad I found it before I pulled out all of my hair.

Thanks

Reply
0 Kudos
R_Brightwell
Enthusiast
Enthusiast
Jump to solution

I am able to get my non-admin users access to vcops, with many thanks to those who privided the solution in this thread, but I'd like to refine what those users are able to view in vcops.

Is there a way in vcops to have a set of users (say DBAs) so that they are only presented with the servers associated with them?  More specifically, currently, my DBAs can only see their SQL servers in the vcenter client, can this be done in vcops as well?

Reply
0 Kudos