Solved: Re: vCenter 7.0.2.00500 SSO LifeCycle Permission

dcampos47 · ‎10-06-2021

Hi Guys

I am using VCSA 7.0.2.00500 , after setting up SSO authentication, and adding the access group in "Administration>Access Control>Global Permissions>, choosing the options:

ROLE: Administrator
Propagate to Child: Enable

When I go to Administration>Access Control>Roles, the group is added.

After authenticating using my "Active Directory" domain user, when I access Lifecycle Manager, I am getting the following errors.

Authentication failed, Lifecycle Manager server could not be contacted.
You have no privileges to view this object or it does not exist.

Are there any other places I need to release permission? Any Ideias .

dcampos47 · ‎11-20-2021

Hello Everyone.

The vmware team released version 7.0.3.00100 Build number: 18778458

I just applied in my environment, the bug was fixed, authentication via SSO if and against normal.

Thanks to everyone who contributed to this post.

Regards.

Darley Campos

View solution in original post

fga352 · ‎10-06-2021

same problem here

DRAGONKZ · ‎10-06-2021

I've got the exact same issue after upgrading to 7.0 Update 3.

My SSO admin account works fine, but my AD accounts configured with either custom administrator role or using the built in role no longer have access to Lifecycle manager.

Permissions being set at the global or vcenter level seem to make no difference.

How can we further troubleshoot lost/broken access to lifecycle manager?

Thanks

(I'm seeing the access denied on the main lifecycle manager menu, as well as the updates view when a VM is selected, and the VM hardware and VM tools views on the updates view when a host is selected)

fga352 · ‎10-06-2021

this is my case. I opened a ticket with vmware. I updated to 7.0.3, my sso account works perfectly with Lifecycle, but my AD users, not.

DRAGONKZ · ‎10-06-2021

Mine's only a home lab so can't log a ticket... if you end up finding a solution would you be able to post it here?

fga352 · ‎10-06-2021

Sure. But I am beginning to think that is a bug

dcampos47 · ‎10-07-2021

Hi Guys,

I am thinking that it might really be some bug that was caused by some hotfix.

I have a second environment that vCenter is using release "7.0.2.00400 - 18356314" with ESXi "7.0.2-18426014". which is showing Warning in the SSO configuration "The node didn't join any Active Directory." When an analyst that is part of the Active Directory group login there is no error in LifeCycle.

I am thinking of updating this environment to validate if it is really a bug, I have not read the release notes of these updates to see if there was a drastic change of access when we use the SSO.

dcampos47 · ‎10-07-2021

Hi Guys,

My partner opened a case at vmware support and received the procedure below, I have not executed it yet, I will be scheduling this activity until the end of the month, if it is successful I will share it here.

1. Create a snapshot of the vCenter VM.
2. Log in as root in an SSH session with vCenter.
3. download the lsdoctor.zip attached in KB Using the 'lsdoctor' Tool (https://kb.vmware.com/s/article/80469)
4. Move the .zip to the VCSA in the /tmp folder (you can use WinSCP.)
5. Execute the commands
cd /tmp
unzip lsdoctor.zip
cd lsdoctor-mastr
chmod 777 lsdoctor.py
./lsdoctor.py -l
./lsdoctor.py -t
./lsdoctor.py -s
./lsdoctor.py -l
service-control --stop --all && service-control --start --all

chadc1979 · ‎10-07-2021

I'm having the same issue after upgrading to 7.0U3, didn't have any issues on 7.0U2d. It works when logged in as a local user just not AD. I'm using AD over LDAP, not sure if it effects folks using IWA also. I did try removing the identity source and users from global perms and adding everything back and that didn't help. Haven't run into any other issues though using an AD user other than in Lifecycle Manager access.

fga352 · ‎10-07-2021

As I suspected, confirm that this does not work. Sorry guys. I am waiting for support to respond, they have asked me for the bundle of vcenter logs

dcampos47 · ‎10-07-2021

Hello, chadc1979

So far the problem is only occurring with Lifecycle Manager, even if I removed and reconfigured SSO authentication as LDAP, the problem persisted.

The procedure mentioned above, I will perform at the end of October, if successful I will be posting here again.

baijup · ‎10-07-2021

Please check KB https://kb.vmware.com/s/article/85962 ("Authentication failed, Lifecycle Manager server could not be contacted", Access to Lifecycle Manager fails in vCenter 7.0 Update 3 when logged in with an Active Directory account).

dcampos47 · ‎10-07-2021

Hi ga352

If you have a different answer from vmware support, and it works in your case, please share it here with us, thanks.

baijup · ‎10-07-2021

@dcampos47 VMware is investigating this issue, no solutions as of now. Request you to try with the vsphere.local account (eg. Administrator@vsphere.local) as a workaround as documented in KB https://kb.vmware.com/s/article/85962

Thanks,

Baiju

dcampos47 · ‎10-07-2021

@baijup Thanks for the feedback, I'll be following up on further releases\hotfix for the problem.

fga352 · ‎10-07-2021

as I imagined it is a bug ... I understand that vmware will release a hotfix?

thanks for the info!

baijup · ‎10-07-2021

@fga352 It is currently under investigation and can't comment on the Hotfix as of now. I will keep this thread updated when we have some updates.

dcampos47 · ‎11-20-2021