issues with Web Client permissions (vsphere 6)

rasmusan · ‎05-05-2015

Hi

I have installed vCenter Server 6.0 for a customer today, which completed fine - however I now have issues getting permissions i vCenter Web Client - even when using the SSO administrator login.

I can manage the environment from the legacy vSphere Client, however when logging into the Web Client i get the "You do not have permission to view this object or this object does not exist". and this even goes for the SSO administrator login. I cannot add global permissions or administer roles.

see screeenshots attached.

anyone had this issue before? and maybe a solution?

BWinchell · ‎03-08-2016

Hello,

We had a very similar issue after our VCSA had a memory allocation error and crashed. We rebooted it and the PSC but then lost any connectivity via the web client (thick client worked on some things).

The main issue = PSC lost it's AD connection

The verification:

VCSA
- SSh session
- Drop to the shell
- run
  - /opt/likewise/bin/domainjoin-cli query
- The return should say your domain and distinguished name
PSC
- SSh session
- Drop to the shell
- run
  - /opt/likewise/bin/domainjoin-cli query
- The return should say your domain and distinguished name
  - My case was blank

The fix:

On either system that does not show you the AD information
- run
  - /opt/likewise/bin/domainjoin-cli join YOURDOMAINNAME.COM %AD user account%
  - enter password
Reboot the PSC and VCSA
Once they are back up
- run
  - /opt/likewise/bin/domainjoin-cli query
- You might initially receive a "time skew" error with AD
  - This happens as the service has not fully updated. Might take a 1-2 minute to fully update
  - You can keep running the above command to verify. It will eventually update to the correct time
Login to the web client and check your permissions

In my case I did lose some of my 3rd party plugins which I had to re-register.

Hopefully this helps someone else.

Thanks

B

BWinchell · ‎03-08-2016

Forgot to mention....

If you have multiple PSC servers in a single SSO domain, perform the AD query on each one to verify they are connected.

Thanks

B

BWinchell · ‎03-14-2016

This is also a possibility of the initial cause.

If you restored a PSC via a snapshot or backup. This can cause replication issues between PSC as the Update Sequence Number (USN) gets out of sync. There is currently no fix for this (VMware KB: Possible vSphere.local domain inconsistencies after restoring a vCenter Server Single Sig...)

A way to double check: (https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=21270...)

If your PSC does not show the replication partner you expect, then the replication is broken.

Thanks

B

Stormarov · ‎02-14-2017

I think I have an answer for this one, or at least a workaround.

I found it by accident when my machine would not load Adobe Air.

The issue is similar to the one covered by KB article 2125229:Error: "You do not have permissions to view this object or this object does not exist" in vSphere We...‌;

A search for the solution to that lead me to a German forum on Air installation issues:Installationsproblem mit AIR - never ending story |Adobe Community which had to be Google Translated;

Which lead me to web page for resolving Autodesk Installation issues which contains 4 possible solutions: Install Failure: Error 997. Overlapped I/O operation is in progress. | Search | Autodesk Knowledge N...

The first solution worked for me. No since you are not installing Autodesk or air there is a slight difference: (The installations replaced the file we are going to edit.)

SOLUTION: (works for Windows 7-10 I believe)

Navigate to C:\ProgramData\Microsoft\Crypto\RSA\
For safety purposes backup the folder: S-1-5-18\. For me this means simply COPY the folder in place and name it S-1-5-18_Backup (Please make a backup copy)
Now that you have a backup of S-1-5-18, you can drill down into it. (You should be in C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\)
Here you will see three .SYS files.
Finally DELETE these files: (They have long names)
- ccd7457ddbc56b5e247ccc53f164daa0_c114b4a5-568e-4b12-b5b4-f244d2d6577e
- d42cc0c3858a58db2db37658219e6400_c114b4a5-568e-4b12-b5b4-f244d2d6577e
You should be left with only one file: 4eccd106f69e31c1b12304e5463bb71d_c114b4a5-568e-4b12-b5b4-f244d2d6577e
Now try the vSphere Web Client again.

The Autodesk page refers to a Windows security update KB2918614 that is preventing Overlapped I/O operations. I suspect the file from June 2016 is to blame, (starts with ccd74...), and you can test this yourself but I only ended up with one file. YMMV

If you are still having issues there are three other solutions to try from the Autodesk page. One of them is a registry hack for the SecureRepairWhitelist and is more likely to be useful than the VMware KB article's registry hack.

vinodparab · ‎10-24-2019

Please check the status of all serveries in vcenter appliance by ssh.

service-control --status --all

and if service stop then start all services

Specially check the service-control --status vmware-vapi-endpoint .

vinodparab · ‎10-24-2019

If problem with vcenter appliance then please follow the below steps

lease check the status of all serveries in vcenter appliance by ssh.

service-control --status --all

and if service stop then start all services

Specially check the service-control --status vmware-vapi-endpoint .

All