rasmusan
Enthusiast

issues with Web Client permissions (vsphere 6)

Hi

I have installed vCenter Server 6.0 for a customer today, which completed fine - however I now have issues getting permissions in vCenter Web Client - even when using the SSO administrator login.

I can manage the environment from the legacy vSphere Client, however when logging into the Web Client I get the "You do not have permission to view this object or this object does not exist" message, and this even goes for the SSO administrator login. I cannot add global permissions or administer roles.

See screenshots attached.

Anyone had this issue before? And maybe a solution?

25 Replies
nimos001
Enthusiast

I have the same issues with the environment I had set up in lab a few weeks ago. I can't even log on with the Administrator@vSphere.local anymore either. Tried resetting it via the VCSA console with no success.

snekkalapudi
VMware Employee

I hit into the issue once and restarting SSO fixed the problem for me.

-Suresh

Chris_CCI
Contributor

Has anyone found a solution to this? I can log on to vCenter via SSO, however, I can't get into the roles or global permissions (or anything else that requires admin privilege). Using the default administrator@vsphere.local does not allow me to access any area to configure. The only way I can manage my hosts is through the vCenter vSphere client. Anyone from VMware review these posts? We can't be the only users having this issue.....

ihuang
Contributor

I've installed appliance 6.0 and ESXi 6.0, and with the administrator@vsphere.local account I can add or modify users.

The root user doesn't have that permission.

vsphere.local is the domain name you set up when you install the appliance with VCSA.

rasmusan
Enthusiast

I have raised a support case with VMware on this issue, and they have confirmed that this is indeed an issue they are aware of, however so far no workaround is available:

"This is a known issue which is being handled by our Engineering department. I cannot give a time frame for the resolution. I can only say that it is at the highest priority within our organisation"


Will post when I get any update on this.

bfarahi
Contributor

I'm having the exact same issue. I'm using vSphere 6.0 Build 26567760 which I believe is the latest. My VC is 2008 R2 Enterprise. Anyone have a workaround? Thanks.

nimos001
Enthusiast

Any updates on this?

jholeci
Contributor

Hi

Finally got a workaround from VMware. In my case, adding all vSphere and Kerberos paths for the Local System account solved the Web Client permission issue; see detailed instructions below.

Hope it helps

Jan

 

Please try the following. (before that please create a backup from the vCenter server)

In regedit system wide path is defined here:

Computer\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment->Path

Local system account overridden Path is defined under:

Computer->HKEY_USERS->S-1-5-18\Environment->Path

(first step, second location can be verified if exists; and if exists values can be compared to see differences)

You can either remove (rename) the existing override (Computer->HKEY_USERS->S-1-5-18\Environment->Path) completely. This will make the system wide Path to take effect.

Or if this override was specified on purpose (for some reason), then modify Computer->HKEY_USERS->S-1-5-18\Environment->Path to make sure to include MIT Kerberos installation (such as c:\Program Files\MIT\Kerberos\bin), and possibly other vSphere paths (like OpenSSL) for completeness.
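
A read-only way to do the comparison described in the workaround above, as an added PowerShell example that is not part of the original post or of VMware's instructions. It assumes an elevated prompt on the Windows vCenter Server; the helper function names are hypothetical, and the Kerberos match pattern follows the example directory given in the post.

```powershell
# Added example (not from the thread): read-only comparison of the system-wide
# Path with the LocalSystem (S-1-5-18) override. Nothing is written to the registry.
$systemKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$overrideKey = 'Registry::HKEY_USERS\S-1-5-18\Environment'

# Hypothetical helper: returns the Path value as a string, or $null if absent.
function Get-RegPathValue([string]$Key) {
    $prop = Get-ItemProperty -Path $Key -Name Path -ErrorAction SilentlyContinue
    if ($prop) { $prop.Path } else { $null }
}

# Hypothetical helper: split on ';', trim blanks and trailing backslashes.
function Split-PathList([string]$Value) {
    $Value -split ';' |
        ForEach-Object { $_.Trim().TrimEnd('\') } |
        Where-Object { $_ }
}

$overrideRaw = Get-RegPathValue $overrideKey
if ($null -eq $overrideRaw) {
    # The situation several later posters report: no override exists at all.
    Write-Output 'No Path override under S-1-5-18; the system-wide Path applies.'
}
else {
    $system   = @(Split-PathList (Get-RegPathValue $systemKey))
    $override = @(Split-PathList $overrideRaw)

    # -notcontains and -like compare case-insensitively, as Windows paths do.
    $missing  = @($system   | Where-Object { $override -notcontains $_ })
    $extra    = @($override | Where-Object { $system   -notcontains $_ })
    $kerberos = @($override | Where-Object { $_ -like '*\MIT\Kerberos\*' })

    Write-Output "Override has $($override.Count) entries; system-wide Path has $($system.Count)."
    Write-Output 'In the system-wide Path but missing from the override:'
    $missing | ForEach-Object { "  $_" }
    # Directories that only LocalSystem searches deserve a look: services running
    # as SYSTEM resolve executables and DLLs through them.
    Write-Output 'Only in the override:'
    $extra | ForEach-Object { "  $_" }
    if ($kerberos.Count -eq 0) {
        Write-Output 'No MIT Kerberos directory in the override.'
    }
}
```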

 

nimos001
Enthusiast

That doesn't help us using the VCSA with this problem. Is there not an update for official fix for this yet? Is this not a widespread problem for people?

Phillip_Chee
Contributor

Yep, experiencing this issue with VCSA. One workaround I've tried is to delete the permission on an object assigned to a user and re-add it. Refresh the web client and all is good. But if you make other permission changes it may not work as expected. Rinse, repeat. Not a good workaround in the end.

paulvr
Contributor

Great fix. Thanks for sharing, jholeci!

lockdwn
Contributor

Has anyone come across any other workarounds? I have tried the suggested registry changes. They didn't help because the key (Path) under the system account did not exist to begin with in the registry. The vSphere Client works fine but is limited in its functionality; it would be nice to have the web client working. Thank you!

MatteoMarchetti
Contributor

Is there any KB related to this?

lockdwn
Contributor

It's KB2125229...

MatteoMarchetti
Contributor

I've checked that KB but this is not my case:

  1. It doesn't happen for ALL users but just for those with a restricted permissions role
  2. I can't find any of the errors in the logs.

I've opened a case to VMware support but I'm not going anywhere. Any other idea?

adr1an5
Contributor

Having the same issue using the 6.0 U1 appliance. The workaround is only applicable to a Windows install. Is there a workaround for the appliance?

mulcas
Enthusiast

I am having the same issue here. I did a new vCenter server installation for Windows 2012 R2.

This KB doesn't help:

VMware KB:    After Installing or Upgrading to vCenter Server 6.0, logging in to the vSphere Web Cli...

I could log in normally the first time but after closing and opening again the web client it didn't work again.

The path registry key doesn't exist in my server...  HKEY_USERS\S-1-5-18\Environment



MortenHayAnders
Contributor

I have been Googling for a solution for two days now. There are lots of people who experience the exact same problem using the appliance. Every question is left unanswered.

niLo8
Contributor

Hi guys. I have the solution which helped me. You need to open the console of vCenter Server Appliance and change any DNS parameters (I changed my setting of Suffixes). After that I rebooted the server.
