I have the same issues with the environment I had setup in lab a few weeks ago. I can't even logon with the Administrator@vSphere.local anymore either. Tried resetting it via the VCSA console with no success..
I hit into the issue once and restarting SSO fixed the problem for me.
Has anyone found a solution to this? I can log on to vCenter via SSO, however, I can't get into the roles or global permissions (or anything else that requires admin privilege). Using the default firstname.lastname@example.org does not allow me to access any area to configure. The only way I can manage my hosts is through the vCenter vSphere client. Anyone from VMware review these posts? We can't be the only users having this issue.....
I've installed appliance 6.0 and esxi 6.0, and with email@example.com account I can add or modify users.
root user don't have that permission.
vsphere.local is the domain name you set up when you're install appliance with VCSA.
I have raised a support case with VMware on this issue, and they have confirmed that this is indeed an issue they are aware of, however so far no workaround is available:
"This is a known issue which is being handled by our Engineering department. I cannot give a time frame for the resolution. I can only say that it is at the highest priority within our organisation"
Will post when I get any update on this.
I'm having the exact same issue. I'm using vSphere 6.0 Build 26567760 which I believe is the latest. My VC is 2008 R2 Enterprise. Anyone have a workaround? Thanks.
Any updates on this?
Finally got workaround from Vmware, in my case adding all vsphere and Kerberos paths for Local system account solved web client permission issue see detailed instructions below.
Hope it helps
Please try the following. (before that please create a backup from the vCenter server)
In regedit system wide path is defined here:
Local system account overridden Path is defined under:
(first step, second location can be verified if exists; and if exists values can be compared to see differences)
You can either remove(rename) the existing override
(Computer->HKEY_USERS->S-1-5-18\Environment->Path) completely. This will make the system wide Path to take effect.
Or if this override was specified on purpose (for some reason), then modify
Computer->HKEY_USERS->S-1-5-18\Environment->Path to make sure to include MIT Kerberos installation (such as c:\Program Files\MIT\Kerberos\bin), and possibly other vSphere paths (like OpenSSL) for completeness.
That doesn't help us using the VCSA with this problem. Is there not an update for official fix for this yet? Is this not a widespread problem for people?
Yep, experiencing this issue with VCSA. One workaround I've tried is to delete the permission on an object assigned to a user and re-add it. Refresh the web client and all is good. But if you make other permission changes it may not work as expected. Rinse, repeat. Not a good workaround in the end.
Great fix. Thanks for sharing jholeci!
Has anyone come across any other workarounds. I have tried the suggested registry changes. They didn't help because the key (Path) under the system account did not exist to begin with in the registry. The Vsphere Client works fine but is limited in its functionality, it would be nice to have the web client working. Thank you!
Is there any KB related to this?