ap_idb
Enthusiast
Enthusiast

VM Console only loads for administrator permission?

Jump to solution

I'm trying to create more limited permissions in our vcenter environment, but every role I assign my users to, none of them have console permissions and receive the below:

A server error occurred.

Unable to connect to MKS: Permission to perform this operation was denied.

Check the vSphere Client server logs for details.

My role is as follows:

pastedImage_0.png

The only role that works is administrator.

vsphere_client_virgo.log is not showing me much, beside me getting a lot of the following:

[2018-12-11T20:25:01.863Z] [INFO ] e-console-message-pool-79825  c.vmware.vise.vim.commons.mks.tomcat.RemoteConsoleMessageInbound  Encountered EOF character, sleeping for 100 ms.

[2018-12-11T20:25:01.863Z] [INFO ] e-console-message-pool-15192  c.vmware.vise.vim.commons.mks.tomcat.RemoteConsoleMessageInbound  Encountered EOF character, sleeping for 100 ms.

Tags (1)
0 Kudos
1 Solution

Accepted Solutions
ap_idb
Enthusiast
Enthusiast

Mohamed  of the VMware Support team found the answer for me.

Because majority of my VMs are encrypted, the encryption policies are all now different. When a VM is encrypted, Administrator role is the only one that has all the Cryptography settings selected in roles, and the ONE setting you need to view the console is the following:

Cryptography Administrator > Direct Access

View solution in original post

10 Replies
diegodco31
Leadership
Leadership

Hi

Unable to connect to MKS: Permission to perform this operation was denied.

VMware Knowledge Base

Diego Oliveira LinkedIn: http://www.linkedin.com/in/dcodiego
0 Kudos
ap_idb
Enthusiast
Enthusiast

Diego, unfortunately that's not it. I've tried that permission on the host itself, same result.     

0 Kudos
diegodco31
Leadership
Leadership

Did you check your firewall?

Diego Oliveira LinkedIn: http://www.linkedin.com/in/dcodiego
0 Kudos
ap_idb
Enthusiast
Enthusiast

It works if I grant them the administrator role. It stops working when I put them in any other role, including No-Cryptography administrator all the way down to console only.

0 Kudos
sushilkm
Enthusiast
Enthusiast

Do the user have permissions to run and install plugins on machine from whcih they are trying to access MKS....

0 Kudos
ap_idb
Enthusiast
Enthusiast

Yes. I can replicate this behavior myself.

0 Kudos
ap_idb
Enthusiast
Enthusiast

Bumping for visibility, can't wrap my head around this?

0 Kudos
ap_idb
Enthusiast
Enthusiast

Mohamed  of the VMware Support team found the answer for me.

Because majority of my VMs are encrypted, the encryption policies are all now different. When a VM is encrypted, Administrator role is the only one that has all the Cryptography settings selected in roles, and the ONE setting you need to view the console is the following:

Cryptography Administrator > Direct Access

RThornburg
Contributor
Contributor

Thanks a lot. This worked for me to get vmrc access back after enabling vTPM. 

Cryptography Administrator > Direct Access

WuGeDe
Enthusiast
Enthusiast

In VCSA 7 the nessecary setting is to be found here:

WuGeDe_0-1642080279665.png

After applying that VMRC and WebConsole are accessible again.

 

0 Kudos