After upgrading a customer environment to the latest available vCenter Server version (5.1.0 U1a), I couldn’t access the vCenter Server. The vSphere Web Client didn’t list any available vCenter Server, and the vSphere Client indicated that I don’t have the required permissions.
The customer uses the following user accounts, local Windows Server groups, and Active Directory group structure (nested Active Directory groups) to manage user permissions:
- Local Windows Server groups (on the server where vCenter Server is installed), e.g. “vSphere Administrators”
- Active Directory server service groups, e.g. “Server 1 – Administrators”
- Active Directory user service groups, e.g. “Environment 1 – vSphere Administrators”
- Active Directory user accounts, e.g. magnus (Display name = Magnus Andersson)
All Active Directory groups and users are located in the same Active Directory domain, meaning the known problem in vCenter Server 5.1 U1 does not apply to this specific case.
The membership chain looks like this:
- The local Windows Server group “vSphere Administrators” is added to vCenter Server with the Administrator role.
- The server service Active Directory group “Server 1 – Administrators” is a member of the local Windows Server group “vSphere Administrators”.
- The user service Active Directory group “Environment 1 – vSphere Administrators” is a member of the server service Active Directory group “Server 1 – Administrators”.
- Finally, my Active Directory user account “magnus” is a member of the user service Active Directory group “Environment 1 – vSphere Administrators”.
This means I should have the required access, but I don’t. The customer test environment does not use the same permission structure, so the problem was not noticed during the test environment upgrade.
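To confirm that a chain like this actually resolves to the user, and to see whether the user reaches the local group only through nested Active Directory groups, the following PowerShell check can be run on the Windows server that hosts vCenter Server. This is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) and PowerShell 5.1 or later for Get-LocalGroupMember, and uses the group and account names from the post as sample values.

```powershell
# Added example (not from the original post). Run on the Windows server hosting vCenter Server.
# Assumes: ActiveDirectory module (RSAT) and PowerShell 5.1+ (Get-LocalGroupMember).
# Group and account names are the ones used in the post; adjust for your environment.

Import-Module ActiveDirectory

$LocalGroup = 'vSphere Administrators'   # local Windows Server group holding the vCenter Administrator role
$User       = 'magnus'                   # sAMAccountName of the AD user whose access is being checked

# Step 1: list the AD groups that are direct members of the local Windows group.
$adGroups = Get-LocalGroupMember -Group $LocalGroup |
            Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' -and $_.ObjectClass -eq 'Group' }

if (-not $adGroups) {
    Write-Output "FAIL: no Active Directory groups are members of local group '$LocalGroup'."
    return
}

# Step 2: expand each AD group recursively (this follows nested groups) and look for the user.
$reachedVia = @()
foreach ($g in $adGroups) {
    $groupName = ($g.Name -split '\\')[-1]          # Get-LocalGroupMember returns "DOMAIN\Group"
    $effectiveUsers = Get-ADGroupMember -Identity $groupName -Recursive |
                      Where-Object { $_.objectClass -eq 'user' }
    if ($effectiveUsers.SamAccountName -contains $User) {
        $reachedVia += $groupName
    }
}

if (-not $reachedVia) {
    Write-Output "FAIL: '$User' does not reach '$LocalGroup' through any AD group (nested or direct)."
    return
}

# Step 3: distinguish direct membership from nested membership. A chain that only works through
# nesting is exactly the case the post describes, so flag it explicitly.
$directGroups = Get-ADPrincipalGroupMembership -Identity $User | Select-Object -ExpandProperty Name
foreach ($groupName in $reachedVia) {
    if ($directGroups -contains $groupName) {
        Write-Output "OK: '$User' is a DIRECT member of '$groupName' -> '$LocalGroup'."
    } else {
        Write-Output "NOTE: '$User' reaches '$groupName' -> '$LocalGroup' only via NESTED AD groups."
    }
}
```

Run it as an account that can read group membership in the domain. An "OK" line means the user is a direct member of an AD group that sits in the local group; a "NOTE" line means the access depends on group nesting, which is the structure that stopped working after the upgrade in this case.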
Luckily I could log on and manage the vCenter Server using the “In Case Of Emergency” (ICOE) account, which is a member of the local Windows Server group “vSphere Administrators”, and start my troubleshooting session. Either of the two approaches below solves the problem:
- Use vCenter Single Sign On (SSO):
  - Create an SSO group, “vSphere Administrators”.
  - Add the server service Active Directory group “Server 1 – Administrators” to the newly created SSO group.
  - Remove the local Windows Server group “vSphere Administrators” from vCenter Server.
  - Add the local Windows Server “In Case Of Emergency” account to vCenter Server with the Administrator role.
  - Add the SSO “vSphere Administrators” group to vCenter Server with the Administrator role.
- Remove the nested Active Directory group structure:
  - Remove the user service Active Directory group “Environment 1 – vSphere Administrators” from the server service Active Directory group “Server 1 – Administrators”.
  - Add my Active Directory user account to the server service Active Directory group “Server 1 – Administrators”.
  This means the nested Active Directory group structure is removed.
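The SSO-based option can also be applied with PowerCLI instead of the vSphere Client. The script below is an added example, not code from the original post: it assumes PowerCLI is installed, that the SSO group “vSphere Administrators” has already been created in SSO (PowerCLI of this generation has no cmdlets for SSO groups), and the vCenter FQDN, the SSO domain prefix and the local server name are placeholders. It deliberately grants the emergency account and the SSO group before removing the local Windows group, so the session that makes the change can never lock itself out.

```powershell
# Added example (not from the original post): apply the SSO-based fix with PowerCLI.
# Assumes: PowerCLI installed, the SSO group already created, and the placeholder names below replaced.

$VCenter  = 'vcenter.example.local'               # placeholder: vCenter Server FQDN
$IcoeUser = 'VCSERVER\icoe'                       # placeholder: local "In Case Of Emergency" account
$SsoGroup = 'SSO-DOMAIN\vSphere Administrators'   # placeholder: SSO group principal
$LocalGrp = 'VCSERVER\vSphere Administrators'     # placeholder: local Windows group to be removed

# Log on with the emergency account (prompts for the password).
Connect-VIServer -Server $VCenter -User $IcoeUser | Out-Null

$root  = Get-Folder -NoRecursion           # root folder of the inventory
$admin = Get-VIRole -Name 'Administrator'  # built-in Administrator role

# 1. Grant the emergency account first, so access is preserved whatever happens next.
New-VIPermission -Entity $root -Principal $IcoeUser -Role $admin -Propagate:$true | Out-Null

# 2. Grant the SSO group Administrator at the root, propagating through the inventory.
New-VIPermission -Entity $root -Principal $SsoGroup -Role $admin -Propagate:$true | Out-Null

# 3. Only now remove the local Windows group whose nested AD membership stopped resolving.
Get-VIPermission -Entity $root |
    Where-Object { $_.Principal -eq $LocalGrp } |
    Remove-VIPermission -Confirm:$false

# 4. Show the resulting root permissions so they can be checked against the intended list.
Get-VIPermission -Entity $root | Select-Object Principal, Role, Propagate | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The final listing should show the emergency account and the SSO group with the Administrator role and propagation enabled, and no longer the local Windows group. Verify with a normal Active Directory user that the Web Client lists the vCenter Server again before treating the change as done.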
My customer chose to implement the SSO-based solution since they want to keep their Active Directory structure for the time being.
The figure below describes the possible configuration options I tested when adding permissions for an Active Directory user via Active Directory groups to vCenter Server.
I haven’t given much time to investigating whether the behavior I experienced is by design or a bug, because my focus was to solve the problem. I will do some additional investigation and update the blog post when I find the time.
Pingback: vCenter Server permission problem in vSphere 5.5 | VCDX56 (March 21, 2014 at 2:10 pm UTC)
[…] have written a blog post about pretty much the same behavior which you can find here, but unfortunately the nested group structure was not used this […]