VMware Horizon Community
Arindrew
Contributor
Contributor

VMware View 4.5 - Error during Provisioning

I have ESXi 4.1 installed on the blade, with three virtual clients

      One virtual client is VMware View Administrator

      One virtual client is VMware vCenter Admin

      One virtual client is Windows 7 x64

I connect to VMware View Administrator through the web interface, and connect to VMWare vCenter Admin through the vSphere client installed on my local desktop.

I created a template from my Windows 7 build, and attempted to create a desktop pool for the thin clients to connect to.

So I go to create the desktop pool, and configure all the settings, and click OK. From here, its suppose to create however many desktops you have it set to for your clients. I have it set to just one, which is about all the HDD space I have available for. After a couple of minutes, I get a red X on the pool name, and when clicked on it gives me the following error:

Error during provisioning [DATE/TIME STAMP] Permission to perform the operation was denied.

I have searched through this forum and google, but couldnt find anyone else having this error.

(Keep in mind that I am completely new to VMware and virtualizing, so I am not sure if this is in the right forum.)

Reply
0 Kudos
9 Replies
pcerda
Virtuoso
Virtuoso

Hi,
When you add vCenter Server into View Manager, the user account you enter has to have the proper rights on vCenter Server:
  • Folder
    • Create Folder
    • Delete Folder
  • Virtual Machine
    • Configuracion
      • Add or remove device
      • Advanced
      • Modify device settings
    • Interaction
      • Power Off
      • Power On
      • Reset
      • Suspend
    • Inventory
      • Create New
      • Remove
    • Provisioning
      • Customize
      • Deploy Template
      • Read Customization specifications
  • Resource
    • Assign virtual machine to resource Pool
If you also want to use Composer, you have to set additional rights:
  • Datastore
    • Allocate Space
    • Browse datastore
    • Low level file operations
  • Virtual Machine
    • Inventory (all)
    • Configuration (all)
    • State (all)
    • Provisioning
      • Clone Virtual Machine
      • Allow disk access
  • Resource
    • Assign virtual machine to resource pool
  • Global
    • Enable Methods
    • Disable Methods
    • System Tag
  • Netwotk
    • Todos
Regards / Saludos - Patricio Cerda - vExpert 2011 / 2012 / 2013
Arindrew
Contributor
Contributor

I tried assigning permissions to my domain admin account (which is the same account I have setup everything to work with so far), but the permissions dont seem to take. I go back into the permission window, and its blank again. Below are my steps, maybe I'm doing something wrong:

Connect to vCenter Server with vSphere with my domain admin account

Right Click on my vCenter Server and select "Add Permission"

The left field is blank, so I add my domain account in there, and select the Administrator Role on the right side, ensure Propogate on Child Objects is selected, and click OK.

Right Click on vCenter Server again and the left field is blank again.

If I click on Inventory in the Address Bar type window, and click on Administration, then Roles, my account is listed under the Administrators role.

Reply
0 Kudos
mittim12
Immortal
Immortal

Are you setting the permissions on your virtual vCenter machine object?   The permissons should be set at the top level of the vCenter environment or at the very least the top level of the cluster that holds the VDI environment.   On a side note everytime I open a ticket with VMware support they want to verify that my account used for view administrator is also in the local admin group of the vCenter server.  I can't remember if that's actually required but it's one of the first things they ask me. 

Reply
0 Kudos
six4rm
Enthusiast
Enthusiast

In order to check the assigned permissions within vCenter goto the Hosts & Clusters view and select the very top node in the left hand pane, which is your vCenter Server. You should then see a number of tabs in the right hand pane, select Permissions. You should then see your AD user or group defined and associated with the Administrator role defined in "this object". If you right-click on the user/group you can then select whether to propagate that permission down to child object, which of course you want to do.

The area you were in before is simply used for adding a new permission. The Roles section allows you to see which users/group have been assigned to each defined role.

I think what we're trying to achieve here is determine whether the user you have setup within View has the required permissions within vCenter to perform the pool provisioning task. My View user has been assigned the Administrator role.

pcerda
Virtuoso
Virtuoso

Hi Arindrew,
Try to follow the Six4rm instructions, but remember it's a best practice to assign the minimum permissions required to the account you are using for Composer.
VMware View documentation says:
"To ensure security, you should create a separate user account to use with View Composer. By creating a separate account, you can guarantee that it does not have additional privileges that are defined for another purpose. You can give the account the minimum privileges that it needs to create and remove computer objects in a specified Active Directory container. For example, the View Composer account does not require domain administrator privileges."
This applies to AD and vCenter permission.
Regards / Saludos - Patricio Cerda - vExpert 2011 / 2012 / 2013
Reply
0 Kudos
Arindrew
Contributor
Contributor

Within the vSphere client, went to View - then Hosts and Clusters (which seems to be what I was already looking at)

Click on the Permissions tab, right clicked the user I am logging into View with.

Ensured it was an Administrator, and that propagation was set for the account (it was already set up as such).

So it seems the account I am using is set as an administrator, and it is set to propagate down.

Reply
0 Kudos
pcerda
Virtuoso
Virtuoso

Hi,
In order to check if the permission are being propagated, you have to take a look to permission tab on any object within vCenter Server, like a host, folder, resource pool, etc. 
If the user appears in the permission list, then the permissions are being propagated.
In the other side, make sure the "Administrator" role has not been modified
Regards / Saludos - Patricio Cerda - vExpert 2011 / 2012 / 2013
Reply
0 Kudos
Arindrew
Contributor
Contributor

Verified that permissions are being propagated through everything in the tree, down to the clients.

Also checked the Administrator Role has not been modified. I was not able to edit the role, like I am able to with the other roles. Possibly this is not allowed?

Either way, this is a fresh install, and I haven't modified any of the roles, so the likely hood of this is slim.

Reply
0 Kudos
Arindrew
Contributor
Contributor

I reinstalled vCenter and the problem went away. Not sure exactly what it was, but everything is in working order now.

Thanks everyone for your help!

Reply
0 Kudos