I have a problem with authorization on vcsa 6.5 build 7515524 and vcsa 6.5 build 7515524, with the error:
A server error occurred.
Unable to login because you do not have permission on any vCenter Server systems connected to this client.
Check the vSphere Web Client server logs for details.
Cannot login user MYDOMAIN\firstname.lastname@example.org:no permission (A user could not log in due to insufficient access permission)
The user is a member of the AD group "vSphere_Admins", and in Global Permissions Administrator privileges are granted to the group "vSphere_Admins".
If I grant Administrator privileges directly to the user in Global Permissions, all is fine: authorization succeeds and the user can manage vSphere.
Does anybody know what the problem is? Maybe I need to create a new Identity Source using an LDAP server (right now it is Integrated Windows Authentication)?
Have you rebooted vCenter Server since joining it to your Active Directory domain? This is a required step in order to have IWA function properly. If the answer is "yes", please show your SSO identity source configuration and the permissions you've assigned.
I have the same problem. If the permissions are granted directly to a user account from the domain, it's OK. But when I grant permissions to a group from the domain and try to log in (the user is of course a member of this group), the login fails (Unable to login because you do not have permission on any vCenter Server systems connected to this client.)
Were you eventually successful?
We found a solution. In our case, all the users we tested were members of a group (from the user's and vCenter's domain) which was a member of a group from another domain. There were no open ports from vCenter to the DC in this second domain. In our case DOMAIN1\Domain Users was a member of DOMAIN2\GROUPX. vCenter and the users were in domain DOMAIN1.
So, verify the membership of your groups (and users too) in groups from other domains (including builtin groups).
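The membership check suggested in the post above can be scripted. The following is an added example, not part of the original thread and not VMware tooling: it walks nested group membership and reports every group that lives outside vCenter's own domain, together with the chain that leads to it. The `MEMBER_OF` map, the user `jdoe`, and the `domain1.example` / `domain2.example` DNS names are constructed sample data standing in for an export from your directories.

```python
from collections import deque

def domain_of(dn):
    """Return the DNS domain encoded in a DN's DC= components, lower-cased.
    Simplification: assumes no escaped commas inside RDN values."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()

def foreign_groups(principal_dn, member_of, home_domain):
    """Breadth-first walk of nested membership starting at principal_dn.
    Returns [(group_dn, path)] for each group whose domain is not home_domain;
    path is the membership chain from the principal to that group."""
    seen = {principal_dn}                 # guards against circular nesting
    queue = deque([(principal_dn, [principal_dn])])
    hits = []
    while queue:
        dn, path = queue.popleft()
        for group in member_of.get(dn, []):
            if group in seen:
                continue
            seen.add(group)
            chain = path + [group]
            if domain_of(group) != home_domain.lower():
                hits.append((group, chain))
            queue.append((group, chain))
    return hits

# Constructed sample: mirrors the DOMAIN1\Domain Users -> DOMAIN2\GROUPX case.
USER = "CN=jdoe,CN=Users,DC=domain1,DC=example"
MEMBER_OF = {
    USER: [
        "CN=Domain Users,CN=Users,DC=domain1,DC=example",
        "CN=vSphere_Admins,OU=Groups,DC=domain1,DC=example",
    ],
    "CN=Domain Users,CN=Users,DC=domain1,DC=example": [
        "CN=GROUPX,OU=Groups,DC=domain2,DC=example",
    ],
}

if __name__ == "__main__":
    for group, chain in foreign_groups(USER, MEMBER_OF, "domain1.example"):
        print("foreign group:", group)
        print("  via:", " -> ".join(chain))
```

Any group it reports belongs to a domain whose DCs vCenter may need to reach, so compare the result against the firewall rules between vCenter and those DCs.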
I have the same issue. We use Red Hat Identity Management (FreeIPA). Our vCenter Appliance 6.5 talks to the Red Hat identity server over a regular LDAP connection.
Assigning individual permissions works fine, but assigning group permissions has never worked at all.
This seems like a very basic functionality which is simply lacking from vCenter. We are very disappointed.