VMware Cloud Community
wilber822
Enthusiast

You have no authority to view this page. The system logs all attempts at inappropriate access

I followed the guideline to install vCAC 6.2. I'm pretty sure the installation was good.

After installing the vCAC appliance, I connected it to my vCenter Server 5.5 SSO (Windows based).

Then I logged in to the vCAC console as administrator@vsphere.local and assigned a domain account to the infrastructure administrators group.

Then I logged in to the vCAC console with the domain account. I see the "infrastructure" tab, but whatever I click under the tab, it shows me "You have no authority to view this page. The system logs all attempts at inappropriate access".

System time is the same on SSO, vCenter and vCAC.

The domain is in the identity stores of my default tenant.

IaaS components were installed by following the guideline.

My account even has local administrator permission on the IaaS server.

I deployed twice; the first time the IaaS server was Windows 2008, then 2012. Both gave the same error.

It's only on the infrastructure tab.

Does anybody have an idea?

https://www.zhengwu.org
31 Replies
sbeaver
Leadership

Did you install the vSphere agent for that vCenter server? Also goto the users and group tab and search for the domain account you added, and when you find that account you have an option to select the additional rights that you will be looking for. Assign all the rights you think you need, then log off and log back on again and see what happens.

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: [www.virtualizationpractice.com/blog|http://www.virtualizationpractice.com/blog/]
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**

wilber822
Enthusiast

Thanks for the reply, sbeaver.

I think the vCenter agent was installed.

Services.png

When you say "goto the users and group tab and search for the domain account", which account should I log in with?

If I log in as administrator@vsphere.local, it shows the below; there is no "users and group" tab.

Default.png

If I log in as tenant administrator, the option is there, but nothing is listed.

tenant.png

If I log in as infrastructure administrator, there is a "groups" tab, but access is denied.

infra.png

https://www.zhengwu.org

sbeaver
Leadership

Did you set up the tenant with identity servers to your authentication domain servers? You should have a search in the upper right of the users and group.

wilber822
Enthusiast

I guess you are talking about configuring "Tenants" and "Identity Stores".

If you look at the second screenshot, I have the "vsphere.local" tenant and my domain appears in the "Identity Stores" tab of the tenant.

https://www.zhengwu.org

wilber822
Enthusiast

It looks like something is wrong in vCAC 6.2. I'm able to log in on vCAC 6.1 with the same installation manner.

https://www.zhengwu.org
GrantOrchardVMw
Commander

Have you accepted the cert for the IaaS box? Navigate to https://fqdn.of.your.iaasbox and accept the cert. That box rings a bell but I can't quite remember why.

Grant

Grant http://grantorchard.com

wilber822
Enthusiast

Is that step in the installation document? Or is it a trick?

I never tried it as I'm using the default SSL.

I think the problem is because my vCenter is 5.5.U1 but vCAC is 6.2. It may also be related to domain token size.

vCAC 6.1 is working fine.

https://www.zhengwu.org

ztwy
Contributor

I have exactly the same issue. I use the vRA 6.2 with vCenter 5.5 U2 Build 2183112 Windows SSO. All Infrastructure access denied with the message "You have no authority to view this page. The system logs all attempts at inappropriate access."

Thanks for your help.

vcac62.jpg

ztwy
Contributor

I noticed some events on my IAAS server; I think they should be related to a certificate error:

Timestamp: 02/02/2015 15:53:58
Message: Thread-Id: 8 - <?xml version="1.0" encoding="utf-16"?> <boolean>false</boolean>
System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
   at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2 certificate, Boolean verifySignatureOnly)
   at VMware.SSOAuthentication.VMwareSSOAuthenticationModule.ValidateSAMLTokenSignature(String samlToken, SsoX509CertificateValidator ssoCertValidator)
   at VMware.SSOAuthentication.VMwareSSOAuthenticationModule.ReadIdentityFromToken(String tokenString)
   at VMware.SSOAuthentication.VMwareSSOAuthenticationModule.AuthenticateSamlUser(AuthorizationHeaderParameters parameters)
   at VMware.SSOAuthentication.VMwareSSOAuthenticationModule.OnAuthenticate(Object sender, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Category: Error
Priority: -1
EventId: 0
Severity: Error
Title:
Machine: IAAS
App Domain: /LM/W3SVC/1/ROOT/vcac-1-130673655232936666
ProcessId: 2872
Process Name: c:\windows\system32\inetsrv\w3wp.exe
Thread Name:
Win32 ThreadId:3780
Extended Properties:

Do you have any ideas?

Reply
0 Kudos
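
Added example, not part of the thread and not VMware's code: the CryptographicException in the log above is thrown by SignedXml when the ds:SignatureMethod URI in the SAML token does not resolve to a SignatureDescription in the .NET runtime that validates it. This PowerShell check, intended to be run on the IaaS server, reads that URI from a token and asks CryptoConfig whether it resolves. The function name and the sample assertion, including its rsa-sha256 algorithm, are constructed; the thread does not say which algorithm the SSO server used.

```powershell
# Hypothetical helper: report whether this machine's .NET runtime can build a
# SignatureDescription for the algorithm a SAML token was signed with.
function Test-SamlSignatureAlgorithm {
    param([Parameter(Mandatory = $true)][string]$SamlXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null            # never fetch external DTDs or entities
    $doc.PreserveWhitespace = $true
    $doc.LoadXml($SamlXml)

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $attr = $doc.SelectSingleNode('//ds:SignedInfo/ds:SignatureMethod/@Algorithm', $ns)
    if ($null -eq $attr) {
        throw 'No ds:SignatureMethod found: the token is unsigned or malformed.'
    }

    # SignedXml resolves the URI through the same CryptoConfig name table
    # (built-in names plus any machine.config cryptoSettings mappings).
    $uri    = $attr.Value
    $mapped = [System.Security.Cryptography.CryptoConfig]::CreateFromName($uri)
    $type   = $null
    if ($null -ne $mapped) { $type = $mapped.GetType().FullName }

    New-Object PSObject -Property @{
        SignatureMethod = $uri
        MappedType      = $type
        # False here reproduces the condition behind the exception in the log.
        Verifiable      = ($mapped -is [System.Security.Cryptography.SignatureDescription])
        ClrVersion      = [System.Environment]::Version.ToString()
    }
}

# Constructed sample assertion, trimmed to the elements the check reads.
$sample = @'
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
  </ds:Signature>
</saml2:Assertion>
'@

Test-SamlSignatureAlgorithm -SamlXml $sample | Format-List
```

The result only reflects the CLR that PowerShell itself loads, so run it under the same .NET version as the IIS application pool named in the log.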
JihemmeT
Enthusiast

Hello,

What is your SSO default authentication realm?

EDIT: Something else that happened to me once: imagine my login name is NAME and the domain is DOMAIN.LOCAL, for example. I didn't have the same result using name@domain.local and domain\name. Maybe you can try them both as well.

ztwy
Contributor

Thanks for your response. My default login is administrator@vsphere.local.

I tried the two login formats; it's the same result. I think that it should be a certificate issue...

JihemmeT
Enthusiast

Hello,

I was asking because I had several problems with the default authentication realm (AD, SSO or localos) and was adding the domain where I shouldn't, strange...

Something else that might happen is a time shift between servers; when they are not in sync, they may react curiously, so that is something to check as well. Really, check the servers' time.

Can you point to the guidelines you mentioned in your first post that you followed? Maybe something is missing. I reinstalled the full solution 5 times in the past week for documentation purposes and I realized many details are missing in almost everything I read on the internet.

kumarankpl
Hot Shot

Can you open a case with GSS so that they can provide a workaround which will unblock you? Please don't forget to point to the log below, which will help them get it resolved faster.

Timestamp: 02/02/2015 15:53:58
Message: Thread-Id: 8 - <?xml version="1.0" encoding="utf-16"?> <boolean>false</boolean>
System.Security.Cryptography.CryptographicException: SignatureDescription could not be created for the signature algorithm supplied.
   at System.Security.Cryptography.Xml.SignedXml.CheckSignedInfo(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(AsymmetricAlgorithm key)
   at System.Security.Cryptography.Xml.SignedXml.CheckSignature(X509Certificate2 certificate, Boolean verifySignatureOnly)
   at VMware.SSOAuthentication.VMwareSSOAuthenticationModule.ValidateSAMLTokenSignature(String samlToken, SsoX509CertificateValidator ssoCertValidator)
   at VMware.SSOAuthentication.VMwareSSOAuthenticationModule.ReadIdentityFromToken(String tokenString)
   at VMware.SSOAuthentication.VMwareSSOAuthenticationModule.AuthenticateSamlUser(AuthorizationHeaderParameters parameters)
   at VMware.SSOAuthentication.VMwareSSOAuthenticationModule.OnAuthenticate(Object sender, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Category: Error
Priority: -1
EventId: 0
Severity: Error
Title:
Machine: IAAS
App Domain: /LM/W3SVC/1/ROOT/vcac-1-130673655232936666
ProcessId: 2872
Process Name: c:\windows\system32\inetsrv\w3wp.exe
Thread Name:
Win32 ThreadId:3780
Extended Properties

kumarankpl
Hot Shot

Can you check the below two things:

1) Check the time difference between the vCAC VA and IAAS, which should be less than one min.

2) What kind of SSO are you using? vCenter SSO or normal SSO?

ztwy
Contributor

1) The vCAC VA and IAAS are two VMs deployed on the same host, they are both synchronized with the host.

2) I use the vCenter SSO which has been upgraded to 5.5 U2 build 2183111

JihemmeT
Enthusiast

Can you try to log in from the IaaS server?

Also, please make sure both are synced. VMware Tools sync may work, but just check it nevertheless. The client station has to be synced as well, I think.

Something else: check that the IaaS admin is a local admin of the IaaS server, either in the right group or himself directly. I saw many things not working properly when this is not the case; someone applied a GPO that was resetting local admins, and I searched for ages for a simple cause of a very boring issue.

ztwy
Contributor

I checked that time is synced between the IAAS, SSO and client. In the Identity Store, I configured a domain admin (administrator@mydomain.com) as IAAS admin that was not the admin of the local IAAS server initially. Following your suggestion, I added administrator@mydomain.com to the local admins of the IAAS server, but the result is the same. Each time I clicked the "Infrastructure" tab, I got the error "You have no authority to view this page. The system logs all attempts at inappropriate access." And on the IAAS server, I got an error message like the following:

iaas.jpg

JihemmeT
Enthusiast

Hello,

Not sure this is due to this, but to be perfectly clear, the user that has to be local admin is the one that you used to configure the IaaS service. If this user is not a local admin, the service will start but you'll get a permission error on the infrastructure tab, which is your case. The user you use on the vCAC web UI doesn't have to be a local admin.

Another point to check is SSL certificates: you have to use the FQDN when you configure your environment.

ztwy
Contributor

Hello,

What do you mean by the user used to configure the IaaS service?

Is it the user used to install the IaaS package on the Windows server?
