...
Unable to clone a VM (Windows 11) with vTPM enabled using the REST API; the request fails with a permissions error. You see entries similar to:

    curl -kv "https://vcenter.sddc-XX-XXX-XXX-XX.vmwarevmc.com/api/vcenter/vm?action=clone" -H "vmware-api-session-id:b98c8b089ebf767066f71f0e24c6450a" --data '{ "source":"vm-1207", "name": "VM1"}' -H 'content-type: application/json'
    * Trying XX.XXX.XXX.XX:443...
    * Connected to vcenter.sddc-XX-XXX-XXX-XX.vmwarevmc.com (XX.XXX.XXX.XX) port 443 (#0)
    * ALPN: offers http/1.1
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN: server accepted http/1.1
    * Server certificate:
    * subject: C=US; ST=California; L=Palo Alto; O=VMware, Inc; CN=vcenter.sddc-XX-XXX-XXX-XX.vmwarevmc.com
    * start date: Aug 21 15:51:47 2023 GMT
    * expire date: Nov 19 15:51:46 2023 GMT
    * issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; OU=(c) 2012 Entrust, Inc. - for authorized use only; CN=Entrust Certification Authority - L1K
    * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
    * using HTTP/1.1
    POST /api/vcenter/vm?action=clone HTTP/1.1
    Host: vcenter.sddc-XX-XXX-XXX-XX.vmwarevmc.com
    User-Agent: curl/8.1.2
    Accept: */*
    vmware-api-session-id:b98c8b089ebf767066f71f0e24c6450a
    content-type: application/json
    Content-Length: 42

    HTTP/1.1 403 Forbidden
    date: Wed, 04 Oct 2023 08:46:24 GMT
    content-type: application/json
    x-envoy-upstream-service-time: 3729
    transfer-encoding: chunked

    * Connection #0 to host vcenter.sddc-XX-XXX-XXX-XX.vmwarevmc.com left intact
    {"error_type":"UNAUTHORIZED","messages":[{"args":["object: vm-1207:9fa3bcc3-2cfe-40a3-b25b-45d992b6a208 privileges: Cryptographer.Clone"],"default_message":"Session missing privilege: 'object: vm-1207:9fa3bcc3-2cfe-40a3-b25b-45d992b6

This REST API call is made as administrator@vsphere.local (on-prem) or cloudadmin@vmc.local (VMC), both of which have the required privileges.

Cloning the same VM works in the vSphere-ui.

In the /var/log/vmware/vpxd/vpxd.log file, you see entries similar to:

    2023-10-04T09:01:50.003Z verbose vpxd[14918] [Originator@6876 sub=Http2ServerSession-12 opID=544e5d9b-d6c3-408e-a6ed-a16cc200fb60-ab] OnStreamClose on stream 14838615 with errcode 0
    2023-10-04T09:01:50.001Z error vpxd[14959] [Originator@6876 sub=vpxLro opID=171e512f-1867-42ff-8df8-61d4d6da4908-80-381eb78e-01] [VpxLRO] Unexpected Exception: N3Vim5Fault12NoPermission9ExceptionE(Fault cause: vim.fault.NoPermission
    --> )
    --> [context]zKq7AVECAQAAAEIpUgEndnB4ZAAA0cdUbGlidm1hY29yZS5zbwAAYQpGAFEGRwB1zUyB1WkPAXZweGQAgXyIGgGBbDPvAYFZ2vABgSg9BwKBo0AHAoG5XgsCgd60CAKBGOoQAoHEGBECgXEjEQKBPqlKAoGGuUoCgf/hSQKBNC1KAoEF5gcCgSjnBwKBstUHAoFG1gcCgbLVBwKBpygIAoEQ3AcCgbrcBwKB2uoHAoEZPsoBgVaCrgGBPqlKAoGGuUoCgf/hSQKBw49KAgA5mjsAEuo7AOK2UgKHfwBsaWJwdGhyZWFkLnNvLjAAAy82D2xpYmMuc28uNgA=[/context]
    2023-10-04T09:01:50.007Z info vpxd[14959] [Originator@6876 sub=vpxLro opID=171e512f-1867-42ff-8df8-61d4d6da4908-80-381eb78e-01] [VpxLRO] -- FINISH lro-65975631
    2023-10-04T09:01:50.007Z error vpxd[14959] [Originator@6876 sub=Default opID=171e512f-1867-42ff-8df8-61d4d6da4908-80-381eb78e-01] [VpxLRO] -- ERROR lro-65975631 -- -- -- VmprovWorkflow: :vim.fault.NoPermission
    --> Result:
    --> (vim.fault.NoPermission) {
    -->    faultCause = (vmodl.MethodFault) null,
    -->    faultMessage = <unset>,
    -->    object = 'vim.VirtualMachine:9fa3bcc3-2cfe-40a3-b25b-45d992b6a208:vm-1207',
    -->    privilegeId = "Cryptographer.Clone",
    -->    missingPrivileges = (vim.fault.NoPermission.EntityPrivileges) [
    -->       (vim.fault.NoPermission.EntityPrivileges) {
    -->          entity = 'vim.VirtualMachine:9fa3bcc3-2cfe-40a3-b25b-45d992b6a208:vm-1207',
    -->          privilegeIds = (string) [
    -->             "Cryptographer.Clone"
    -->          ]
    -->       }
    -->    ]
    -->    msg = ""
    --> }
    --> Args:
    -->

The session is null when using the REST API, which causes the privilege check to fail.
Cannot clone a VM with vTPM enabled using the REST API.
Currently, there is no resolution to the issue. This will be fixed in a future release.
To work around the issue, use the vSphere-ui to complete the cloning process.
This REST API is documented here: https://developer.vmware.com/apis/vsphere-automation/latest/vcenter/api/vcenter/vmactionclone/post/
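
To confirm that a failed clone matches this issue, the vim.fault.NoPermission body in vpxd.log can be extracted and tied to its opID and the privilege that was checked. The Python below is an added example, not VMware's code and not part of the original article; the function name parse_no_permission is hypothetical, and the sample log text is constructed in the layout of the entries shown above with made-up IDs.

```python
import re

# Constructed sample in the vpxd.log layout quoted on this page; all IDs are made up.
SAMPLE = """\
2023-10-04T09:01:50.007Z info vpxd[100] [Originator@6876 sub=vpxLro opID=op-a-01] [VpxLRO] -- FINISH lro-1
2023-10-04T09:01:50.007Z error vpxd[100] [Originator@6876 sub=Default opID=op-a-01] [VpxLRO] -- ERROR lro-1 -- -- -- VmprovWorkflow: :vim.fault.NoPermission
--> (vim.fault.NoPermission) {
-->    object = 'vim.VirtualMachine:00000000-0000-0000-0000-000000000000:vm-42',
-->    privilegeId = "Cryptographer.Clone",
-->    missingPrivileges = (vim.fault.NoPermission.EntityPrivileges) [
-->       (vim.fault.NoPermission.EntityPrivileges) {
-->          entity = 'vim.VirtualMachine:00000000-0000-0000-0000-000000000000:vm-42',
-->          privilegeIds = (string) [
-->             "Cryptographer.Clone"
-->          ]
-->       }
-->    ]
--> }
2023-10-04T09:02:10.100Z info vpxd[101] [Originator@6876 sub=vpxLro opID=op-b-02] [VpxLRO] -- FINISH lro-2
"""

# A record starts at a timestamp; "-->" continuation text belongs to the record before it.
RECORD_START = re.compile(r"(?=\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z )")
HEADER = re.compile(r"(?P<ts>\S+) (?P<level>\w+) .*?opID=(?P<opid>[^\]\s]+)", re.S)

def parse_no_permission(log_text):
    """Return one dict per vim.fault.NoPermission fault body found in log_text."""
    faults = []
    for record in RECORD_START.split(log_text):
        if "(vim.fault.NoPermission) {" not in record:
            continue  # skips ordinary lines and the C++ exception line without a body
        head = HEADER.match(record)
        obj = re.search(r"\bobject = '([^']+)'", record)
        ids = re.search(r"privilegeIds = \(string\) \[(.*?)\]", record, re.S)
        privs = re.findall(r'"([^"]+)"', ids.group(1)) if ids else []
        single = re.search(r'privilegeId = "([^"]+)"', record)
        if single and single.group(1) not in privs:
            privs.append(single.group(1))  # fall back to the top-level privilegeId
        faults.append({
            "time": head.group("ts") if head else None,
            "opID": head.group("opid") if head else None,
            "object": obj.group(1) if obj else None,
            "privileges": sorted(privs),
        })
    return faults

if __name__ == "__main__":
    for fault in parse_no_permission(SAMPLE):
        print(fault)
```

A result whose privileges list contains Cryptographer.Clone for a session that holds that privilege is consistent with the symptom described in this article. The parser also accepts log text that has been flattened onto one line, as it appears when copied from a web page.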