
vCenter user "does not have sufficient permissions"  


jetkins
(@jetkins)
New Member
Joined: 2 months ago
Posts: 3
20/07/2020 7:57 am  

I'm attempting to set up a trial of Pure, but I'm running into a roadblock at the connection to my vCenter.  I'm using the same SSO account that I use currently for my Nakivo backups, which has the Administrator role assigned and thus has full permissions across my entire lab, but Pure keeps insisting that the user "does not have sufficient permissions."  What am I missing here?


Marijan Kozic
(@marijan)
Member Admin
Joined: 1 year ago
Posts: 64
20/07/2020 9:48 am  

Below is the list of permissions that Pure checks for. If all of the permissions are present, it might be possible that something else is causing the error. In that case, please try connecting your Pure instance to vCenter again and observe VMware logs to see if there are any errors connected to 'RetrieveAllPermissions' or 'RetrievePropertiesEx' commands at that time.

Required permissions:

VirtualMachine.State.CreateSnapshot
System.Anonymous
VirtualMachine.State.RemoveSnapshot
VirtualMachine.Config.ChangeTracking
VirtualMachine.Config.AddExistingDisk
VirtualMachine.Provisioning.DiskRandomRead
VirtualMachine.Config.RemoveDisk
Datastore.AllocateSpace
Network.Assign
VirtualMachine.Config.AddNewDisk
VirtualMachine.Inventory.Delete
VirtualMachine.Config.AdvancedConfig
VirtualMachine.Interact.PowerOff
VirtualMachine.Interact.PowerOn

jetkins
(@jetkins)
New Member
Joined: 2 months ago
Posts: 3
21/07/2020 1:54 am  

I'm not seeing any such errors in the vCenter log, though if there's someplace else I should be looking please let me know.  As I mentioned, this user has the Administrator role which gives full access to everything (and is successfully used by Nakivo Backup and Replication), so something would appear to be borked somewhere.  I'm running vCenter Server appliance 6.7.0.44100.

07/20/2020, 6:49:38 PM User SNIKTE.NET\backup@192.168.0.11 logged in as NaviServer removed link
07/20/2020, 6:49:37 PM User SNIKTE.NET\backup@192.168.0.11 logged out (login time: Monday, July 20, 2020 11:49:37 PM UTC, number of API invocations: 1, user agent: NaviServer removed link )
07/20/2020, 6:49:37 PM User SNIKTE.NET\backup@192.168.0.11 logged in as NaviServer removed link
07/20/2020, 6:49:37 PM User SNIKTE.NET\backup@192.168.0.11 logged in as NaviServer removed link

This post was modified 2 months ago by jetkins

Marijan Kozic
(@marijan)
Member Admin
Joined: 1 year ago
Posts: 64
22/07/2020 2:50 pm  

Can you check the roles and permissions assignment in MOB (Managed Object Browser) for the vCenter you are trying to connect to? Enable MOB access if it is not already enabled and then do the following:

1. Open the following address in a browser (replacing the red part with the address of your server):

https://192.168.0.10/mob/?moid=AuthorizationManager&method=retrieveAllPermissions

2. Click on the 'Invoke method' link

3. Find the section where your username (SNIKTE.NET\backup) is in the 'principal' field.

4. Remember the corresponding 'roleId' value

5. Open this address in a browser window (changing the red part)

https://192.168.0.10/mob/?moid=AuthorizationManager&doPath=roleList

6. Find the section where 'roleId' matches the one you got earlier

7. Check the 'privilege' section (expand if necessary) and make sure that it contains all of the privileges I listed earlier.

 


jetkins
(@jetkins)
New Member
Joined: 2 months ago
Posts: 3
22/07/2020 6:31 pm  

OK, I found the problem - I had to enter the fully-qualified user name in "old school" format - SNIKTE.NET\backup.  backup@snikte.net didn't work, nor did just backup, despite the fact that snikte.net is my vCenter's local SSO domain and is the default.  This is the first time I've ever needed to enter it in that fashion - perhaps your developers might like to look into why the alternative methods are not accepted in Pure.

Thanks!
  Jon.


Marijan Kozic
(@marijan)
Member Admin
Joined: 1 year ago
Posts: 64
23/07/2020 9:54 am  

Hi. I'm glad that things worked out for you. However, the problem is not caused by Pure not accepting 'username@domain' format - in fact, this is the format that Pure expects. I checked the code yesterday and then again this morning just to be sure and yes, 'backup@snikte.net' gets converted to 'SNIKTE.NET\Backup' before being forwarded to the vCenter (title case in username part is later explicitly ignored). I honestly have no idea why it doesn't work for you but I can't think of a good way to diagnose this without direct access to the system so it remains an unsolved issue for now.

And yes, using just 'backup' without a domain name will not work as this is not accepted by vCenter.

EDIT: Another confirmation that the username/password combination that you entered is indeed valid is the fact that permission checking is performed after a successful login. If the credentials were not acceptable, you would get an "Invalid username or password" error instead.


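The MOB check from the 22/07 post (steps 3 to 7), as an added example that is not part of the thread and is not Pure's code: it takes constructed data shaped like the 'principal', 'roleId' and 'privilege' fields, matches the user in either name form discussed above, and reports which required privileges each assigned role lacks, per entity. The sample entities, the 'SnapshotOnly' role and the function names are assumptions.

```python
# Added example: the sample data is constructed, shaped like the MOB fields
# named in the thread ('principal', 'roleId', 'privilege'); not real vCenter output.
REQUIRED = set("""
VirtualMachine.State.CreateSnapshot System.Anonymous
VirtualMachine.State.RemoveSnapshot VirtualMachine.Config.ChangeTracking
VirtualMachine.Config.AddExistingDisk VirtualMachine.Provisioning.DiskRandomRead
VirtualMachine.Config.RemoveDisk Datastore.AllocateSpace Network.Assign
VirtualMachine.Config.AddNewDisk VirtualMachine.Inventory.Delete
VirtualMachine.Config.AdvancedConfig VirtualMachine.Interact.PowerOff
VirtualMachine.Interact.PowerOn
""".split())

PERMISSIONS = [  # constructed: entries as retrieveAllPermissions might list them
    {"entity": "group-d1", "principal": "SNIKTE.NET\\backup", "group": False, "roleId": -1},
    {"entity": "datastore-12", "principal": "SNIKTE.NET\\backup", "group": False, "roleId": 1001},
    {"entity": "group-d1", "principal": "VSPHERE.LOCAL\\Administrators", "group": True, "roleId": -1},
]
ROLES = [  # constructed: entries as roleList might contain them
    {"roleId": -1, "name": "Admin", "privilege": sorted(REQUIRED) + ["Global.Licenses"]},
    {"roleId": 1001, "name": "SnapshotOnly", "privilege": [
        "System.Anonymous", "VirtualMachine.State.CreateSnapshot",
        "VirtualMachine.State.RemoveSnapshot"]},
]

def normalize(principal):
    """Map 'user@domain' and 'DOMAIN\\user' to one case-insensitive key."""
    if "\\" in principal:
        domain, user = principal.split("\\", 1)
    elif "@" in principal:
        user, domain = principal.rsplit("@", 1)
    else:
        domain, user = "", principal
    return domain.upper(), user.lower()

def missing_by_entity(principal, permissions, roles):
    """For each entity where the user holds a role, list required privileges the role lacks."""
    want = normalize(principal)
    if not want[0]:
        raise ValueError("principal needs a domain part: %r" % principal)
    granted = {r["roleId"]: set(r["privilege"]) for r in roles}
    report = {}
    for p in permissions:
        if p["group"] or normalize(p["principal"]) != want:
            continue  # roles inherited through group membership are not resolved here
        report[p["entity"]] = sorted(REQUIRED - granted.get(p["roleId"], set()))
    if not report:
        raise LookupError("no direct permission entry for %r" % (principal,))
    return report
```

An empty list for an entity means the role assigned there covers every privilege in the list; a `LookupError` means the account has no direct entry and any role it holds comes through a group.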