VMware Cloud Community
dcampos47
Contributor

vCenter 7.0.2.00500 SSO LifeCycle Permission

Hi Guys

 

I am using VCSA 7.0.2.00500. After setting up SSO authentication, I added the access group in "Administration > Access Control > Global Permissions", choosing the options:

ROLE: Administrator
Propagate to Child: Enable

When I go to Administration > Access Control > Roles, the group is added.

After authenticating using my "Active Directory" domain user, when I access Lifecycle Manager, I am getting the following errors.

Authentication failed, Lifecycle Manager server could not be contacted.
You have no privileges to view this object or it does not exist.

Are there any other places I need to release permission? Any ideas?

Accepted Solutions
dcampos47
Contributor

Hello Everyone.

The VMware team released version 7.0.3.00100, build number 18778458.

I just applied it in my environment and the bug was fixed; authentication via SSO is working normally again.

Thanks to everyone who contributed to this post.

Regards.

Darley Campos

18 Replies
fga352
Contributor

Same problem here.

DRAGONKZ
Enthusiast

I've got the exact same issue after upgrading to 7.0 Update 3.

My SSO admin account works fine, but my AD accounts configured with either a custom administrator role or the built-in role no longer have access to Lifecycle Manager.

Permissions being set at the global or vCenter level seem to make no difference.

How can we further troubleshoot lost/broken access to lifecycle manager?

Thanks

(I'm seeing the access denied on the main lifecycle manager menu, as well as the updates view when a VM is selected, and the VM hardware and VM tools views on the updates view when a host is selected)

fga352
Contributor

This is my case. I opened a ticket with VMware. I updated to 7.0.3; my SSO account works perfectly with Lifecycle, but my AD users do not.

DRAGONKZ
Enthusiast

Mine's only a home lab so can't log a ticket... if you end up finding a solution would you be able to post it here? 

fga352
Contributor

Sure. But I am beginning to think that it is a bug.

dcampos47
Contributor

Hi Guys,

I am thinking that it might really be some bug that was caused by some hotfix.

I have a second environment where vCenter is running release "7.0.2.00400 - 18356314" with ESXi "7.0.2-18426014", which is showing a warning in the SSO configuration: "The node didn't join any Active Directory." When an analyst who is part of the Active Directory group logs in, there is no error in Lifecycle.

I am thinking of updating this environment to validate whether it is really a bug. I have not read the release notes of these updates to see if there was a drastic change of access when we use SSO.

 

dcampos47
Contributor

Hi Guys,

My partner opened a case with VMware support and received the procedure below. I have not executed it yet; I will be scheduling this activity for the end of the month, and if it is successful I will share it here.

1. Create a snapshot of the vCenter VM.
2. Log in as root in an SSH session with vCenter.
3. Download the lsdoctor.zip attached to the KB "Using the 'lsdoctor' Tool" (https://kb.vmware.com/s/article/80469).
4. Move the .zip to the VCSA in the /tmp folder (you can use WinSCP).
5. Execute the commands:
cd /tmp
unzip lsdoctor.zip
cd lsdoctor-master
chmod 777 lsdoctor.py
./lsdoctor.py -l
./lsdoctor.py -t
./lsdoctor.py -s
./lsdoctor.py -l
service-control --stop --all && service-control --start --all

chadc1979
Enthusiast

I'm having the same issue after upgrading to 7.0U3, didn't have any issues on 7.0U2d. It works when logged in as a local user, just not AD. I'm using AD over LDAP, not sure if it affects folks using IWA also. I did try removing the identity source and users from global perms and adding everything back, and that didn't help. Haven't run into any other issues using an AD user, though, other than Lifecycle Manager access.

fga352
Contributor

As I suspected, I can confirm that this does not work. Sorry guys. I am waiting for support to respond; they have asked me for the bundle of vCenter logs.

dcampos47
Contributor

Hello, chadc1979

So far the problem is only occurring with Lifecycle Manager. Even when I removed and reconfigured SSO authentication as LDAP, the problem persisted.

I will perform the procedure mentioned above at the end of October; if successful, I will post here again.

baijup
VMware Employee

Please check KB https://kb.vmware.com/s/article/85962 ("Authentication failed, Lifecycle Manager server could not be contacted", Access to Lifecycle Manager fails in vCenter 7.0 Update 3 when logged in with an Active Directory account).

dcampos47
Contributor

Hi fga352,

If you have a different answer from VMware support, and it works in your case, please share it here with us, thanks.

baijup
VMware Employee

@dcampos47 VMware is investigating this issue; no solutions as of now. Request you to try with the vsphere.local account (e.g. Administrator@vsphere.local) as a workaround, as documented in KB https://kb.vmware.com/s/article/85962

Thanks,

Baiju

dcampos47
Contributor

@baijup Thanks for the feedback, I'll be following up on further releases/hotfixes for the problem.

fga352
Contributor

As I imagined, it is a bug... I understand that VMware will release a hotfix?

Thanks for the info!

baijup
VMware Employee

@fga352 It is currently under investigation and I can't comment on the hotfix as of now. I will keep this thread updated when we have some updates.

IanMOosca
Contributor

I have this happening in our environment, 7.0.3.01500. I have to log in using the FQDN when this happens as a workaround.
