VMware Cloud Community
sheikhy
Contributor

Permission denied signing into VCenter Single Sign On Server

Hi, can anyone help please? I have installed vCenter Server Appliance and I was logging into the SSO, but it keeps saying that I do not have the permission. This is the exact error message:

"A server error occurred.

Unable to login because you do not have permission on any vCenter Server systems connected to this client.

Check the vSphere Web Client server logs for details."

On googling for information, I found this: "To enable the login, set the allow.user.without.permissions.login = true property in the webclient.properties file."

But I cannot find where the webclient.properties file is, as the Single Sign On server is installed on an ESXi 6.5. Can anyone help with how I can edit this file and enable logging in to the web client so I can start creating data centers?

Thanks


Accepted Solutions
IRIX201110141
Champion

Well...

1. The "allow.user.without.permissions.login" configuration option is part of another solution and cannot help you with your current issue. It's only good for bringing back a weird behaviour which was changed in vCenter 6.5b.

2. After a fresh installation there is only one usable account available to log in to the application named vCenter through the WebClient or vSphere Client (HTML5). The account is named "administrator@vsphere.local". Please don't mix it up with your maybe existing "administrator@yourwindowsad.local" account.

3. The user root, which comes from the underlying Photon OS, has not been granted permission to the vCenter application by default. So you can't use it there. You can later grant permission to root@localos if you like/need.

4. During the installation, the VCSA creates its own directory service named "vsphere.local". Don't change that name, and please don't change it to your maybe existing yourwindowsad.local domain. You can later add your existing directory service as an identity source and pick the users you like and grant them permissions to vCenter.

You mentioned that you use an IP instead of a domain? If you answered the installer's question for the FQDN with an IP address, please wipe your installation and start from scratch.

In the previous posts you can see the important screenshot about the vsphere.local domain and the password for the one and only important user named "administrator".

The most important things to remember:

1. Use a FQHN

2. Specify the password for administrator@vsphere.local

3. Specify the password for "root". We use the same password as for #2

4. Later, disable the password runtime for both accounts and set them to unlimited!

Regards
Joerg

12 Replies
johncol
VMware Employee

What version and what user are you using? Can you screenshot the login page?

LokeshHK
VMware Employee

Are you getting this error when you try with the administrator@vsphere.local user?

Regards

Lokesh

RajeevVCP4
Expert

First back up this file, then edit it with the vi editor. The path is here:

  • /etc/vmware/vsphere-client/vsphere-client/webclient.properties

     /etc/vmware/vsphere-client/

allow.user.without.permissions.login = true

Once you add this line, restart the web-client service and wait for 10 minutes.

Delete all history/cookies from the browser, then try to log in.

Rajeev Chauhan
VCIX-DCV6.5/VSAN/VXRAIL
Please mark helpful or correct if my answer is useful for you
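
The backup-and-edit step from this reply as a script, added here as an example and not part of the original post. `set_property` is a hypothetical helper; it only changes the file, so the service restart the reply mentions is still a separate step.

```shell
#!/bin/sh
# Added example (not from the thread). set_property is a hypothetical helper:
# set_property FILE KEY VALUE
# Sets KEY in a Java-style .properties FILE, backing the file up first.
# Prints the backup path, or "unchanged" when the file already has the value.
set_property() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Rewrite the first uncommented assignment of KEY (any spacing, "=" or ":"),
    # drop later duplicates of it, and append the key when it is absent.
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, k) == 1 &&
                substr(line, length(k) + 1) ~ /^[ \t]*[=:]/) {
                if (!done) { print k " = " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Nothing to do: leave the file and its timestamps alone.
    if cmp -s "$tmp" "$file"; then
        rm -f "$tmp"; echo unchanged; return 0
    fi

    # Timestamped backup beside the original, keeping mode and ownership.
    backup="$file.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || { rm -f "$tmp"; return 1; }

    # Overwrite the contents in place so inode, owner and mode stay the same.
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    echo "$backup"
}

# Usage with the path and key given in the reply above:
# set_property /etc/vmware/vsphere-client/vsphere-client/webclient.properties \
#     allow.user.without.permissions.login true
```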

LokeshHK
VMware Employee

@sheikhy,

The error you mentioned typically occurs when the user you are trying to log in with has no permission on vCenter or its objects.

You can try as suggested by Rajeev, but I don't think that will solve your issue. After the workaround the user is allowed to log in but will see an empty inventory, since the user doesn't have any permission on vCenter or its objects.

So first you have to grant permission to the user you are trying to log in with, and then try.

Regards

Lokesh

sheikhy
Contributor

Hello, and thanks for the quick response. The version of VCSA I am using is version 6.7.0-11726888, and this is what I ran to deploy the 2-part installation of the vCenter Server. In the second part, when I was configuring and installing the Single Sign On, I used the username root and not administrator@mydomain.local, but I cannot sign on using the root username. That is where the error is coming up.

Thanks

sheikhy
Contributor

Hello, thanks for responding, but I just answered that question. I am using root.

sheikhy
Contributor

Hello, and thanks for the response, but I don't know how to get to the path you mentioned. I found a similar answer, but the problem is that my vCenter server is installed on my ESXi server just like another server, and when I browse the datastore, find the vCenter install folder and start digging into it, I cannot find this file to edit.

Thanks

sheikhy
Contributor

Hello LokeshHK, I understand, but how do I grant root the permission when I have configured and installed the Single Sign On server with root as the username? This is my question: how to grant the permission.

Thanks

LokeshHK
VMware Employee

This is the SSO configuration page in the second part of the VC installation.

pastedImage_0.png

What values did you provide here?

Regards

Lokesh

sheikhy
Contributor

Hello LokeshHK, the values I provided on the Single Sign On were:

Domain name: was an IP address

User name: root

and a password. But these are the values I am inputting to access the vCenter server. The IP address in the browser brings up the login page, but it is not giving permission to the root user. I don't know how to edit the file that was suggested in the discussion.

sheikhy
Contributor

Hello

RajeevVCP4, please find attached one of the logs; maybe someone may be able to help more.

Thanks
