Solved: Re: VM Console only loads for administrator permis...

ap_idb · ‎12-11-2018

I'm trying to create more limited permissions in our vcenter environment, but every role I assign my users to, none of them have console permissions and receive the below:

A server error occurred.

Unable to connect to MKS: Permission to perform this operation was denied.

Check the vSphere Client server logs for details.

My role is as follows:

The only role that works is administrator.

vsphere_client_virgo.log is not showing me much, beside me getting a lot of the following:

[2018-12-11T20:25:01.863Z] [INFO ] e-console-message-pool-79825 c.vmware.vise.vim.commons.mks.tomcat.RemoteConsoleMessageInbound Encountered EOF character, sleeping for 100 ms.

[2018-12-11T20:25:01.863Z] [INFO ] e-console-message-pool-15192 c.vmware.vise.vim.commons.mks.tomcat.RemoteConsoleMessageInbound Encountered EOF character, sleeping for 100 ms.

ap_idb · ‎12-28-2018

Mohamed of the VMware Support team found the answer for me.

Because majority of my VMs are encrypted, the encryption policies are all now different. When a VM is encrypted, Administrator role is the only one that has all the Cryptography settings selected in roles, and the ONE setting you need to view the console is the following:

Cryptography Administrator > Direct Access

View solution in original post

diegodco31 · ‎12-11-2018

Hi

Unable to connect to MKS: Permission to perform this operation was denied.

VMware Knowledge Base

Diego Oliveira
LinkedIn: http://www.linkedin.com/in/dcodiego

ap_idb · ‎12-11-2018

Diego, unfortunately that's not it. I've tried that permission on the host itself, same result.

diegodco31 · ‎12-11-2018

Did you check your firewall?

Diego Oliveira
LinkedIn: http://www.linkedin.com/in/dcodiego

ap_idb · ‎12-11-2018

It works if I grant them the administrator role. It stops working when I put them in any other role, including No-Cryptography administrator all the way down to console only.

sushilkm · ‎12-11-2018

Do the user have permissions to run and install plugins on machine from whcih they are trying to access MKS....

ap_idb · ‎12-17-2018

Yes. I can replicate this behavior myself.

ap_idb · ‎12-26-2018

Bumping for visibility, can't wrap my head around this?

ap_idb · ‎12-28-2018

Mohamed of the VMware Support team found the answer for me.

Because majority of my VMs are encrypted, the encryption policies are all now different. When a VM is encrypted, Administrator role is the only one that has all the Cryptography settings selected in roles, and the ONE setting you need to view the console is the following:

Cryptography Administrator > Direct Access

RThornburg · ‎01-19-2021

Thanks a lot. This worked for me to get vmrc access back after enabling vTPM.

Cryptography Administrator > Direct Access

WuGeDe · ‎01-13-2022

In VCSA 7 the nessecary setting is to be found here:

After applying that VMRC and WebConsole are accessible again.

POCote · ‎05-17-2023

Even after 5 years, THIS is the Solution for Windows 2022 Encrypted VM

Thanks a lot !

RichardKenyan · ‎06-23-2023

Confirmed again, in 2023! This is also the solution for a Windows 10 VM that had a vTPM added (vCenter and Hosts on 7.0U3). After we added the vTPM, the web console said "Unable to connect to MKS. Permission to perform this operation was denied." We had to add the permission detailed above to the correct role our admins were in to restore console access. Worked great. I wish that permission was a bit clearer in its description.

All

VM Console only loads for administrator permission?