icvmco
Contributor
Contributor

VCSA 6.5 AD Groups Authorization Failed

Hello.

I`m have a some problem with authorization on vcsa 6.5 build 7515524 and vcsa 6.5 build 7515524 with error:

A server error occurred.

Unable to login because you do not have permission on any vCenter Server systems connected to this client.

Check the vSphere Web Client server logs for details.

In logs:

Cannot login user MYDOMAIN\user@127.0.0.1:no permission (A user could not log in due to insufficient access permission)

User is a member of AD Group "vSphere_Admins", and in Global Permissions granted Administrator privileges to group "vSphere_Admins".

If I`m directly granting Administrator privileges in Global Permissions to user - all fine, authorization success and user can manage vSphere.

Anybody know what the problem? Maybe need create new Identity Source by LDAP server (right now Integrated Windows Authentication)?

Thanks.

8 Replies
daphnissov
Immortal
Immortal

Have you rebooted vCenter Server since joining it to your Active Directory domain? This is a required step in order to have IWA function properly. If the answer is "yes", please show your SSO identity source configuration and the permissions you've assigned.

0 Kudos
icvmco
Contributor
Contributor

yes, i`m reboot vcsa after join to AD

0 Kudos
admin
Immortal
Immortal

0 Kudos
daphnissov
Immortal
Immortal

The user that cannot login when the group is granted...is it a member of a second-level or third-level nested group?

0 Kudos
Matlock78
Contributor
Contributor

I have the same problem. If the permissions is granted directly for user account from domain, it's OK. But when I grant permissions for group from domain and try to login (user is of course member of this group), login fail (Unable to login because you do not have permission on any vCenter Server systems connected to this client.)

Were you eventually succesfull?

0 Kudos
bikashsharma
Contributor
Contributor

HI icvmo,

I have the same problem , it believe you found the answer can you please share.

Thankyou

0 Kudos
Matlock78
Contributor
Contributor

We found a solution. In our case, all the users we tested were members of the group (from user's and vCenter's domain) who was a member of the group from another domain. There were no open ports from vCenter to DC in this second domain. In our case DOMAIN1\Domain Users was a member of DOMAIN2\GROUPX. vCenter and users were in doman DOMAIN1.

So, verify membership your groups (and users to) in groups from other domains (including builtin groups)

0 Kudos
victor_a
Contributor
Contributor

I have the same issue. We use Red Hat Identity Management (FreeIPA). Our vCenter Appliance 6.5 talks to the Red Hat identity server over a regular LDAP connection.

Assigning individual permissions works fine, but assigning group permissions has never worked at all.

This seems like a very basic functionality which is simply lacking from vCenter. We are very disappointed.