VMware Cloud Community
DanielDuesenTri
Contributor

vsphere 6.5 administrator@vsphere.local sso you do not have permission to view this object

Hey Guys,

We have the problem that we cannot create a new user under Administration-->SSO-->Users and Groups. When I log in with administrator@vsphere.local to the VCSA and try to create a new user, it shows "you do not have permission to view this object". The administrator@vsphere.local is in the Administrator group under Global Permissions and Roles. Basically, even with other users which have admin rights, it is not possible to create a new user.

I can only add an AD user, which is not what we want. We just need a user to log on to the VCSA.

How can we fix this issue? Is the user database corrupt? Because it worked for sure before. We didn't do any updates in the meantime.

If you need further information, please don't hesitate to ask me.

Thank you in advance.

Kind regards

Daniel

Accepted Solutions
lucasbernadsky
Hot Shot

Hi Daniel. Sorry to hear that.

I found this KB: VMware Knowledge Base, so there you can check if you imported an incompatible AD group.

Since you are running VCSA with embedded PSC, it seems to be a corrupt DB entry with STS certificates. Maybe if you remove AD from your identity sources? Otherwise I would suggest opening an SR with VMware.

While VMware answers, maybe take a look at /var/log/vmware/sso/lookupServer.log and the logs described in the following doc: Platform Services Controller Service Logs Reference

Please keep us updated!

Regards

harry89
Enthusiast

So is the option to create a local user in the SSO domain grayed out?

Can you send a screenshot?

Harry
VCIX-DCV6.5 ,VCIX-NV6 , VCAP-CMA7
Mark answer as correct/helpful if it solves your query
lucasbernadsky
Hot Shot

Hi. It sounds like an issue with PSC. Are you running VCSA with external PSC? Maybe rebooting in the right order may help. (1. Shutdown VCSA. 2. Shutdown PSC. 3. Power on PSC 4. After 4 / 5 minutes power on vCenter).

Also some logs may help to see what's failing.

Another question. Since you can add AD users, can you assign them the same role as the local admin and try with brand new imported users?

DanielDuesenTri
Contributor

Yes, the options are greyed out... on the right side there is this "no permission" written... I also can't edit by using the plus to add a new user... this option is just not there.

DanielDuesenTri
Contributor

Hi, PSC and VCSA are not separated, so it's an all-in-one thing. We don't run the VCSA in the "Cluster Mode" with external PSC.

I tried to add a new vsphere.local user but, to be honest, not a new AD user. I will try that and come back to you.

I just tried it and it didn't work either. It says you do not have permission... I took my personal AD user and chose admin rights.

Thank you all for your reply.

DanielDuesenTri
Contributor

Hi Guys,

Does anybody have any ideas on that issue?

Kind regards

Daniel

DanielDuesenTri
Contributor

Hi Lucas,

We set up a new VCSA 7.0. The admin of it took all stuff over and it works perfectly OK now.

Thank you for your help.

Kind regards

Daniel
