/Unable to remove permissions in vCenter Appliance 6.0 U2, how to fix.

Unable to remove permissions in vCenter Appliance 6.0 U2, how to fix.

Today, our new vCenter Appliance 6.0(VCSA) had a very strange problem, and in this, Unable to remove permissions in vCenter Appliance 6.0 U2, how to fix, I will try to explain how to fix it.

First query users and Groups in the Domain(searching to add in the permissions) was very slow, and in the Web Client, sometimes we see the Domain with double entries or could not find the users/groups.

Also, when we look at the vCenter permissions(vCenter level, or just Folder / Cluster level), we see the user/group with double entries(like domain.com\user and domain\user) and then try to remove any of these permissions one was always resident and will not be deleted. No errors, no warnings, just can’t delete.
Note: vsphere.local users and groups did not show this behavior. So my focus needs to be on the AD and Identify Sources to troubleshoot.

Try to Stop/restart the Services to see if it fixes the issue, but no luck. Rebooting the VCSA also did not work. While troubleshooting the issue, and knowing that there were double AD entries, somehow Domain alias and Domain Full Name were set in the system identity. Checking logs did not find anything related that could help(just some references to domain and domain.com), not the issue itself.

Googling the issue did not find anything related to the same issue(exactly), but did find a VMware KB regarding some VCSA upgrade(that was not the case here, since it is a new installation), but it shows a workaround to fix the issue regarding vCenter Server Appliance database to have the full domain name instead of an alias. Since we had both, it makes sense that this could fix the issue.

How to fix the issue:

Before starting, do a full backup of your VCSA, or at least do a Snapshot. In case of problems, you can always roll back.

So login to your VCSA using shell and root user.
Note: Don’t forget that after you log in, you need to enable and run the BASH shell. If you get: Shell is disabled, you need to run the shell.set to enabled.

After you are inside your VCSA console, you need to connect to the postgress database and set your DB to use Full Domain Name.

Note: Just replace the ‘DOMAIN’ for your alias Domain and ‘DOMAIN.COM’ for your Domain Full Name.

Just reboot your VCSA, and the issue is fixed.

Final Note:

What did trigger this issue? In this particular case, I could not identify the problem’s source. Still, I suspect that changing our Identity Sources to a different LDAP(that is in a different location and a different country) could have a different trust in the Forest and trigger the issue. Since VMware informs us that one of the sources for this type of issue could be problems connecting to the LDAP server and updating the changes that we make in our permissions.

I hope this can help you bypass this issue.

Share this article if you think it is worth sharing. If you have any questions or comments, comment here or contact me on Twitter.

©2016 ProVirtualzone. All Rights Reserved
By | 2022-09-13T19:36:12+02:00 September 23rd, 2016|vCenter, VMware Posts|0 Comments

About the Author:

I am over 20 years’ experience in the IT industry. Working with Virtualization for more than 10 years (mainly VMware). I am an MCP, VCP6.5-DCV, VMware vSAN Specialist, Veeam Vanguard 2018/2019, vExpert vSAN 2018/2019 and vExpert for the last 4 years. Specialties are Virtualization, Storage, and Virtual Backups. I am working for Elits a Swedish consulting company and allocated to a Swedish multinational networking and telecommunications company as a Teach Lead and acting as a Senior ICT Infrastructure Engineer. I am a blogger and owner of the blog ProVirtualzone.com

Leave A Comment