...
When you log in with the vSphere Web Client using a domain user, you see the error:

Client is not authenticated to VMware Inventory Service

Note: This issue might also occur within the VMware vSphere Client.

You are unable to view the vCenter Server 5.5 inventory.

When you log in with the vSphere Web Client with an SSO user (administrator@vsphere.local), the vCenter inventory is visible.

In the %ProgramData%\VMware\Infrastructure\Inventory Service\Logs\ds.log file, you see entries similar to:

<YYYY-MM-DD>T<time> pool-12-thread-1 INFO com.vmware.vim.vmomi.server.impl.ValidationStartTask] Starting activation validation for 31
<YYYY-MM-DD>T<time> pool-12-thread-1 INFO com.vmware.vim.query.server.authentication.AuthenticationValidator] Authentication not needed
<YYYY-MM-DD>T<time> pool-12-thread-1 INFO com.vmware.vim.vmomi.server.impl.ValidatorFutureImpl] Future 1/1 is set for for 31 (valid: true)
<YYYY-MM-DD>T<time> pool-11-thread-1 INFO com.vmware.vim.sso.client.impl.SamlTokenImpl] SAML token for subject {Name: username, Domain: domain} successfully parsed from Element
<YYYY-MM-DD>T<time> pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Computing permissions for domain\account
<YYYY-MM-DD>T<time> pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Session count for user [after add]: domain\account is 1
<YYYY-MM-DD>T<time> pool-11-thread-1 INFO com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] User has no privileges.
<YYYY-MM-DD>T<time> pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Removed user data for: domain\account
<YYYY-MM-DD>T<time> pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Session count for user [after remove]: IDCO\ncharman is 0
<YYYY-MM-DD>T<time> pool-11-thread-1 ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] Authentication error: com.vmware.vim.vcauthenticate.exception.NoPrivilegesException
<YYYY-MM-DD>T<time> pool-11-thread-1 INFO com.vmware.vim.query.server.authentication.impl.MoSessionManager] Unabled to complete login
<YYYY-MM-DD>T<time> Thread-2 INFO com.vmware.vim.vcauthorization.impl.SessionAuthDataImpl] Session closed for principal: domain\account
<YYYY-MM-DD>T<time> Thread-2 WARN com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Unable to find user data for user: domain\user
<YYYY-MM-DD>T<time> pool-12-thread-1 INFO com.vmware.vim.vmomi.server.impl.ValidationStartTask] Starting activation validation for 32
This issue occurs if the Inventory Service cannot validate the permissions for the domain user through VMware Single Sign-On. This can be caused by problems with the identity source or by the format in which the user's associated permissions are currently stored.
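To see which domain accounts are being rejected this way, the ds.log pattern above can be correlated per thread: a "Computing permissions for" entry followed by a NoPrivilegesException error on the same thread. The following is an added example, not VMware code; the sample log lines, timestamps and CORP\... accounts are constructed, and the field layout is assumed from the excerpt above.

```python
import re
from collections import Counter

# Field layout taken from the ds.log excerpt above:
#   <timestamp> <thread> <LEVEL> <logger>] <message>
LINE_RE = re.compile(
    r"^\[?(?P<ts>\S+)\s+(?P<thread>\S+)\s+(?P<level>INFO|WARN|ERROR)\s+"
    r"(?P<logger>\S+?)\]\s+(?P<msg>.*)$"
)
COMPUTING = "Computing permissions for "

# Constructed sample (timestamps and CORP\... accounts are invented).
SAMPLE_LOG = r"""
2014-01-15T10:22:31.101 pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Computing permissions for CORP\alice
2014-01-15T10:22:31.150 pool-11-thread-2 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Computing permissions for CORP\bob
2014-01-15T10:22:31.300 pool-11-thread-1 INFO com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] User has no privileges.
2014-01-15T10:22:31.412 pool-11-thread-1 ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] Authentication error: com.vmware.vim.vcauthenticate.exception.NoPrivilegesException
2014-01-15T10:25:02.007 pool-11-thread-1 INFO com.vmware.vim.vcauthorization.impl.AuthorizationManagerImpl] Computing permissions for CORP\alice
2014-01-15T10:25:02.390 pool-11-thread-1 ERROR com.vmware.vim.vcauthenticate.servlets.AuthenticationHelper] Authentication error: com.vmware.vim.vcauthenticate.exception.NoPrivilegesException
this line is not in ds.log format and is skipped
""".strip().splitlines()


def find_no_privilege_logins(lines):
    """Return [(timestamp, principal)] for logins rejected with NoPrivilegesException."""
    pending = {}  # thread name -> principal whose permissions are being computed
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation line or unrelated text
        msg = m["msg"]
        if msg.startswith(COMPUTING):
            pending[m["thread"]] = msg[len(COMPUTING):].strip()
        elif m["level"] == "ERROR" and "NoPrivilegesException" in msg:
            # Attribute the failure to the principal last seen on the same thread.
            hits.append((m["ts"], pending.pop(m["thread"], "<unknown>")))
    return hits


def affected_principals(lines):
    """Count rejected logins per principal."""
    return Counter(p for _, p in find_no_privilege_logins(lines))


if __name__ == "__main__":
    for principal, n in affected_principals(SAMPLE_LOG).items():
        print(f"{principal}: {n} rejected login(s)")
```

To run it against a real log, pass the lines of ds.log to affected_principals() instead of SAMPLE_LOG.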
To resolve the issue, remove and re-add the user permissions and the identity source.

Removing the permissions:

1. Log in to the vSphere Web Client with an administrator account such as administrator@vsphere.local.
2. Navigate to vCenter > Manage > Permissions.
3. Select the user or group that is experiencing the issue and remove it.

Recreating the identity source:

1. Log in to the vSphere Web Client with an administrator account such as administrator@vsphere.local.
   Note: The default vSphere Web Client URL is https://client-hostname:9443/vsphere-client
2. Navigate to Administration > Single Sign-On > Configuration.
3. Remove the current identity source(s) for the domain.
4. Click the Identity Sources tab, then click the Add Identity Source icon.
5. Select the Active Directory (Integrated Windows Authentication) option.
   Note: If the Domain name field is not automatically populated with the proper Windows DNS domain, enter the proper DNS domain.
6. Select Use machine account and click OK.

After the Active Directory identity source is configured, users from that domain can be added to vCenter Server.

Re-add the permissions for the removed users or groups:

1. Log in to the vSphere Web Client with an administrator account such as administrator@vsphere.local.
2. Navigate to vCenter > Manage > Permissions.
3. Click Add.
4. Select the Role for the user or group.
5. Add the user or group.
6. Log in to the vSphere Web Client with the user or a user of the modified group and verify that the vCenter inventory is visible.
To work around this issue, add the identity source as LDAP:

For vCenter Server 6.0, see Add a vCenter Single Sign-on Identity Source.
For vCenter Server 6.5, see Add a vCenter Single Sign-on Identity Source.
For vCenter Server 6.7, see Add or Edit a vCenter Single Sign-on Identity Source.
If the vCenter Server version is below vCenter Server 5.5 0b, see Logging in to a VMware vCenter Server Single Sign-On deployment with the VMware vSphere Web Client results in an error: Client is not authenticated to VMware Inventory Service.