I'm trying to create more limited permissions in our vCenter environment, but every role I assign my users to, none of them have console permissions and receive the below:
A server error occurred.
Unable to connect to MKS: Permission to perform this operation was denied.
Check the vSphere Client server logs for details.
My role is as follows:
The only role that works is administrator.
vsphere_client_virgo.log is not showing me much, besides me getting a lot of the following:
[2018-12-11T20:25:01.863Z] [INFO ] e-console-message-pool-79825 c.vmware.vise.vim.commons.mks.tomcat.RemoteConsoleMessageInbound Encountered EOF character, sleeping for 100 ms.
[2018-12-11T20:25:01.863Z] [INFO ] e-console-message-pool-15192 c.vmware.vise.vim.commons.mks.tomcat.RemoteConsoleMessageInbound Encountered EOF character, sleeping for 100 ms.
Mohamed of the VMware Support team found the answer for me.
Because the majority of my VMs are encrypted, the encryption policies are all now different. When a VM is encrypted, Administrator role is the only one that has all the Cryptography settings selected in roles, and the ONE setting you need to view the console is the following:
Cryptography Administrator > Direct Access
Hi
Unable to connect to MKS: Permission to perform this operation was denied.
Diego, unfortunately that's not it. I've tried that permission on the host itself, same result.
Did you check your firewall?
It works if I grant them the administrator role. It stops working when I put them in any other role, including No-Cryptography administrator all the way down to console only.
Does the user have permissions to run and install plugins on the machine from which they are trying to access MKS?
Yes. I can replicate this behavior myself.
Bumping for visibility, can't wrap my head around this?
Thanks a lot. This worked for me to get vmrc access back after enabling vTPM.
Cryptography Administrator > Direct Access
In VCSA 7 the necessary setting is to be found here:
After applying that VMRC and WebConsole are accessible again.
Even after 5 years, THIS is the Solution for Windows 2022 Encrypted VM
Thanks a lot !
Confirmed again, in 2023! This is also the solution for a Windows 10 VM that had a vTPM added (vCenter and Hosts on 7.0U3). After we added the vTPM, the web console said "Unable to connect to MKS. Permission to perform this operation was denied." We had to add the permission detailed above to the correct role our admins were in to restore console access. Worked great. I wish that permission was a bit clearer in its description.
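Added example, not part of the thread: a PowerShell check that lists roles which grant console interaction but lack the Direct Access privilege, so the one missing privilege can be added instead of handing out Administrator. The privilege IDs are the vSphere API identifiers as I know them (the thread only gives the UI label), and the role names and sample data are constructed.

```powershell
# Privilege IDs as exposed by the vSphere API (assumption: not quoted in the thread):
#   VirtualMachine.Interact.ConsoleInteract = Virtual machine > Interaction > Console interaction
#   Cryptographer.Access                    = Cryptographic operations > Direct Access
$ConsolePriv = 'VirtualMachine.Interact.ConsoleInteract'
$CryptoPriv  = 'Cryptographer.Access'

function Find-ConsoleRoleMissingDirectAccess {
    # Accepts any objects with Name and PrivilegeList, e.g. the output of Get-VIRole.
    # Emits the name of each role that can open a console on unencrypted VMs
    # but will hit the MKS "permission denied" error on encrypted or vTPM VMs.
    param([Parameter(ValueFromPipeline)] $Role)
    process {
        if ($Role.PrivilegeList -contains $ConsolePriv -and
            $Role.PrivilegeList -notcontains $CryptoPriv) {
            $Role.Name
        }
    }
}

# Constructed sample roles (hypothetical names) so the check runs without a vCenter session.
$sampleRoles = @(
    [pscustomobject]@{ Name = 'ConsoleOnly';   PrivilegeList = @('System.View', $ConsolePriv) }
    [pscustomobject]@{ Name = 'ConsoleCrypto'; PrivilegeList = @('System.View', $ConsolePriv, $CryptoPriv) }
    [pscustomobject]@{ Name = 'ReadOnlyLike';  PrivilegeList = @('System.View') }
)
$sampleRoles | Find-ConsoleRoleMissingDirectAccess

# Against a live vCenter (requires VMware PowerCLI and an open Connect-VIServer session):
#   Get-VIRole | Where-Object { -not $_.IsSystem } | Find-ConsoleRoleMissingDirectAccess
# Grant only the missing privilege to one custom role instead of assigning Administrator:
#   Set-VIRole -Role (Get-VIRole -Name 'ConsoleOnly') `
#              -AddPrivilege (Get-VIPrivilege -Id 'Cryptographer.Access')
```

Scope the role assignment to the folders or VMs that actually need console access, since Direct Access applies to every encrypted VM the permission covers.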