VMware Cloud Community
gautamparkash
Contributor

vCenter Server 6.5 appliance vsphere-webclient, vpxd-extension and local\administrator permission

Hi,

I changed the permission for vsphere-webclient, vpxd-extension, and local\administrator, but I am unable to restore the original administrator permission.

Please help.

0 Kudos
16 Replies
admin
Immortal

Could you explain more about the issue and share the local administrator ID? Are you talking about administrator@vsphere.local?

Regards,

Randhir

0 Kudos
gautamparkash
Contributor

I changed the permission for the below users from administrator to read-only; after this I am not able to give and modify the permissions.

VPXD.extension

vsphere.webclient

local.administrators

When I try to change permissions, I get the error message "Provider method implementation threw unexpected exception: %s"

0 Kudos
admin
Immortal

How are you trying to modify the permissions, and from which login?

Log in to the Web Client as the SSO admin and try to modify the permissions.

Regards,

Randhir

0 Kudos
gautamparkash
Contributor

I tried, but got the same error.

The version of vCenter Server is: Version 6.5.0.13000 Build 7312210

0 Kudos
daphnissov
Immortal

Those are the solution users and you should not have done that. Now it's possible you've broken your vCenter because of that. The Solution Users are the internal accounts used to provide internal service access and configuration and their permissions should not be modified.

0 Kudos
LokeshHK
VMware Employee

As daphnissov suggested, you shouldn't have modified the inbuilt users' permissions, and it is not recommended.

Since you have already done it and want to get the behaviour back, please try the following:

1) Log in as the Administrator@vsphere.local user to the Web Client.

2) Click on "Home" --> Administration.

3) Click Users and Groups.

4) Create a new user.

5) Click on Global Permissions.

6) Click on Add Permissions.

7) Select the user added in step 4 and assign the Administrator role.

8) Log out from the administrator user.

9) Log in with the newly created user.

10) Change the permission of administrator@vsphere.local back to the Administrator role.

Hope this helps.

Regards

Lokesh

0 Kudos
gautamparkash
Contributor

I created the user, but I am unable to log in with this user.

Can you help me with how to log in as a local user?

0 Kudos
LokeshHK
VMware Employee

Did you grant the permissions to the new user on the Global Permissions page? If yes, what error are you getting while logging in?

Regards

Lokesh

0 Kudos
gautamparkash
Contributor

I gave the global permission; I get invalid credentials.

I am putting the username in the username field

and the password in the password field.

Please let me know. I have to increase production on this vCenter Server and cannot take downtime of the existing hosts of this vCenter Server.

Please help me; I am not able to assign any permission.

0 Kudos
daphnissov
Immortal

There is a possibility you *might* be able to edit the VPX_access table, which in older versions contained the permissions of roles, to restore access to the Administrator@vsphere.local account. There is a KB (which doesn't apply to 6.x so use with caution) here which covers information. Barring that, you'll need to open a case with VMware because it'll likely involve manual edits to some database.

0 Kudos
LokeshHK
VMware Employee

You have to enter "username@vsphere.local" (or your username@<sso domain name>) in the username field, not just "username".

Regards

Lokesh

0 Kudos
gautamparkash
Contributor

I am able to log in with the new user, but I am getting the same error.

I am getting the same error. Below is the error.

The "Add permission" operation failed for the entity with the following error message.

Provider method implementation threw unexpected exception: %s

0 Kudos
LokeshHK
VMware Employee

Could you please post the screenshots of the permission page from where you are trying to add the new permission, and of the role assigned to the newly created user?

Regards

Lokesh

0 Kudos
gautamparkash
Contributor

create test user

pastedImage_0.png

give administrator permission

pastedImage_1.png

try to change last to below highlighted users

pastedImage_2.png

0 Kudos
LokeshHK
VMware Employee

The permissions for vsphere.local/Administrator and vsphere.local/vpxd-extension are inherited from the global-level permission, and I believe you modified them at the VC root level; the issue is occurring because the vsphere.local/vpxd-extension user's permissions are set to read-only.

But you can still overcome this issue by following the steps below.

1) Take a backup of your existing VC setup (important).

2) Restart your VPXD service (vmware-vpxd).

3) Log in to the Web Client as the administrator@vsphere.local user (this user still has admin permission).

4) Go to the Global Permissions page.

5) Select user "vsphere.local/vpxd-extension-"

6) Delete the permission.

7) In the Global Permissions page only, add the administrative role permission again for the "vsphere.local/vpxd-extension-" user.

8) Come back to the VC-level permission page; now you should be able to Add/Modify the permissions.

Please remember you must take a backup of your VC setup before performing the above steps; if something goes wrong while performing them, you can always revert to the previous state.

Also, I think if you restart your VC for some reason in its current state, you will no longer be able to see any permissions.

Regards

Lokesh

0 Kudos
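
The override described in the reply above (a read-only entry set at the vCenter root masking the Administrator role inherited from the global level) can be checked for mechanically. This is an added example, not part of the original thread and not VMware code; the `(scope, principal, role)` tuple format, the `CONSTRUCTED-ID` suffixes and the function names are assumptions made for illustration.

```python
import re

# Solution-user name prefixes named in this thread; the suffix after the
# final "-" is deployment-specific and is a constructed placeholder below.
SOLUTION_PREFIXES = ("vpxd-extension", "vsphere-webclient")
_SOLUTION_RE = re.compile(
    r"^vsphere\.local[\\/](%s)-" % "|".join(map(re.escape, SOLUTION_PREFIXES)),
    re.IGNORECASE,
)

# Constructed sample permission export: (scope, principal, role).
SAMPLE_PERMISSIONS = [
    ("global", "vsphere.local/Administrator", "Administrator"),
    ("global", "vsphere.local/vpxd-extension-CONSTRUCTED-ID", "Administrator"),
    ("global", "vsphere.local/vsphere-webclient-CONSTRUCTED-ID", "Administrator"),
    ("vc_root", "vsphere.local/vpxd-extension-CONSTRUCTED-ID", "Read-only"),
    ("vc_root", "VSPHERE.LOCAL/vsphere-webclient-CONSTRUCTED-ID", "Read-only"),
    ("vc_root", "vsphere.local/testuser", "Administrator"),
]


def effective_roles(permissions):
    """Role in force at the vCenter root for each principal.

    An entry set directly at the root wins over the one inherited from
    the global level, regardless of the order the entries are listed in.
    """
    effective = {}
    for scope, principal, role in permissions:
        key = principal.lower()  # principal names are compared case-insensitively
        if scope == "vc_root" or key not in effective:
            effective[key] = (role, scope)
    return effective


def audit_solution_users(permissions):
    """Return (principal, role, scope) for solution users that are not Administrator."""
    findings = []
    for principal, (role, scope) in sorted(effective_roles(permissions).items()):
        if _SOLUTION_RE.match(principal) and role != "Administrator":
            findings.append((principal, role, scope))
    return findings


if __name__ == "__main__":
    for principal, role, scope in audit_solution_users(SAMPLE_PERMISSIONS):
        print(f"{principal}: effective role {role!r} set at {scope}")
```
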
MarkKatana
Contributor

Long story short,

I was getting this error, couldn't add any AD users/groups to objects in vCenter through permissions. Rebooted the PSC, yada yada but nothing worked. I could add local users/groups to objects so knew it had to be something with AD. Adding a user/group from AD worked all the way up until the end and then it would fail with the error mentioned. This was misleading because I could search AD and find the user/group I wanted to add. So I thought AD was working. But I removed that AD identity source and added it back in and everything worked fine after that. It's almost like it was "half" working. You could search it and find users and groups but it couldn't verify the login for these users.

Anyhoo....the fix here was basically "turn it off and back on again"....but for AD.

0 Kudos