VMware Cloud Community
fish6288
Enthusiast

vCenter 5 Web Client issue

I have installed vCenter 5 U1a (Windows 2008R2) and the Web Client server as well. I am having a problem with one thing in the Web Client though....

I can log in to the vCenter Web Client and view/work with everything just fine when I log in using an account that is an administrator on the local vCenter server...but when I try to log in as a user that is not a local Admin on the vCenter box I get an empty list of VMs and the "loading" sign just sits there and spins (see attached screen shot).

I look at the security logs on the vCenter server and it shows login failures for the non-local admin user for login type 2 (Interactive) and login type 4 (Batch). So it appears to me that for a user to log in to the vCenter Web Client and view the inventory that user must have permissions to Logon locally and Batch logon for the vCenter server. Is that a true statement? I don't want admins of certain VMs to need those kinds of permissions on the vCenter server itself. Through the fat Client they can view just their respective VMs just fine (so I know the vCenter permissions are set correctly) but through the Web Client site they can't view anything and I'm guessing it's because they don't have login type 2 and 4 access....and I would like to keep it that way.

So my question is, is anyone else having an issue where non-local Admins cannot view the inventory list when logging into the vCenter Web Client site?

9 Replies
dchunt
Contributor

I am seeing the exact same thing with a similar setup to yours.  Even if I make the user a member of the vCenter Administrator's role, when he logs in I get the error "Access to perform the operation was denied" with no indication of what operation it was.  If I make the user a member of Domain Admins, then he can log in just fine.  Also, using the vSphere client the user can log in and has the permissions that I have granted him in vCenter.

Like you, I would not like my users to be admins of the vCenter Server.

Dan

erikjanvnl
Contributor

We see the same problem after a clean install.

It looks like this is a bug in the vCenter 5 U1a.

The client can log in just fine into the vSphere client but the web client is getting stuck on the loading screen.

bamson
Contributor

I ran into the same issue after upgrading to vCenter 5 U1A.

Users with full admin rights to the entire vCenter server tree could use the web client just fine, but users with explicit permissions to only a few VMs weren't able to get past the "Loading" screen.

A workaround that seemed to fix the problem was to add read only permissions at the vCenter server level (disable propagation to ensure that users don't get any extra permissions) for the users or groups who are stuck at the "Loading" screen.

Hopefully that gets you working again.
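
The workaround described above, scripted with VMware PowerCLI as an added example that is not part of the original post: it attaches a non-propagating read-only permission at the vCenter root and then checks what the principal actually holds. It assumes PowerCLI is installed and `Connect-VIServer` has already been run; `EXAMPLE\vm-operators` is a placeholder principal.

```powershell
# Added example (not from the thread). Assumes an existing PowerCLI session
# created with Connect-VIServer against the vCenter Server in question.
# 'EXAMPLE\vm-operators' is a placeholder for the affected user or group.
$principal = 'EXAMPLE\vm-operators'

# Get-Folder -NoRecursion returns the root folder of the connected vCenter,
# which is where a "vCenter server level" permission is attached.
$root = Get-Folder -NoRecursion
$role = Get-VIRole -Name 'ReadOnly'

# Add the permission only if the principal has nothing at the root yet,
# so an existing (possibly broader) assignment is not silently duplicated.
$atRoot = Get-VIPermission -Entity $root -Principal $principal -ErrorAction SilentlyContinue
if (-not $atRoot) {
    New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate:$false
}

# Least-privilege check: the root assignment must be ReadOnly and must not
# propagate, otherwise the principal gains read access to the whole inventory.
foreach ($p in Get-VIPermission -Entity $root -Principal $principal) {
    if ($p.Propagate -or $p.Role -ne 'ReadOnly') {
        Write-Warning ("Root permission for {0} is broader than intended: role={1}, propagate={2}" -f `
            $p.Principal, $p.Role, $p.Propagate)
    }
}

# Review every object the principal has a permission on, to confirm the
# per-VM assignments are still the only propagating grants.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Role, Propagate, IsGroup |
    Format-Table -AutoSize
```

As a later reply in this thread points out, read-only access at this level also lets the principal see notifications and alarms reported at the vCenter level.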

dchunt
Contributor

Thanks for the tip.  I'll give that a try.

Dan

dchunt
Contributor

Well I tried that.  It didn't work.  Just to be sure that I am doing what you suggested, in vCenter Server I went to the top of the tree in the Home | Inventory | VMs and Templates view and then added a permission to the vCenter Server for the test user I was working with.  I gave him 'Read only' permissions and then unchecked the option to 'Propagate to child objects'.

When I logged into the Web client with that test user I got the same error message as before.  I then allowed permissions to propagate to child objects and I still got the error.

That trick doesn't seem to be working for me.  The only thing that works is that in Active Directory for the tree that the vCenter Server is in, if I make the test user a part of the local administrators group, then when I log in as the test user with the Web Client, I get what I would expect.

Dan

bamson
Contributor

It sounds like you have applied the permissions in the right place; I have included a screen cap of where I applied the permissions.

I am not sure what specific permissions this grants or if our OS permissions/local policy settings are different than yours, but I do know it has allowed our users to connect and continue working.

aqualityplacem
Contributor

We had this same issue. Only problem with giving the users read-only at this level is they will get to see any notifications or alarms reported at the VC level. In an ideal world we would like the users to only see events and messages for their own virtual machines.

Anyone logged a ticket with VMware yet?

amtag
Contributor

Same here, I don't want the users to see all machines. In 4.1 it was possible to grant access just for the user's machines. At the moment I have not found a way to do this. Is this a known issue?

fish6288
Enthusiast

This is a known issue and VMware has issued a KB article on it just the other day. Hope they get this fixed soon or this is a bad design on their side.

KB 2033207

http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&externalId=2033207&sliceId=1&doc...
