Webclient: permission errors after upgrading or installing vCenter 6.0

After installing or upgrading VMware vCenter 6.0 you experience permission errors like the following when using the webclient:

no permission webclient vSphere 6
You do not have permissions to view this object or this object does not exist.
no permission webclient vSphere 6
This action is not available for any of the selected objects at this time.

If you take a look into the following logs at your vCenter Server (Platform Service Controller), you will find entries similar to:

LookupServer.log:

Path to log:
%ProgramData%\VMware\vCenterServer\runtime\VMwareSTSService\logs\lookupServer.log

Error messages similar:
Unable to load library ‘vmafdclient’: The specified module could not be found.
Method ‘list’ completed with undeclared fault of type ‘LookupFaultServiceFault’

Endpoint.log

Path to log:
%ProgramData%\VMware\vCenterServer\logs\vapi\endpoint\endpoint.log

Error messages similar:
ComponentManagerClientWrapper  | Service lookup failed.
java.util.concurrent.ExecutionException: (cis.cm.fault.ComponentManagerFault)

CM.log:

Path to log:
%ProgramData%\VMware\vCenterServer\logs\cm\cm.log

Error messages similar:
Call to lookup service failed;
search v1: Failed to search
(vmodl.fault.SystemError)

There is a KB article describing this (known) issue, too:
After Installing or Upgrading to vCenter Server 6.0, logging in to the vSphere Web Client for all users reports the error: You do not have permissions to view this object or this object does not exist (2125229)

In this KB you can find two different workarounds. In my case option 2 was working very well. It was my first choice as option 1 has the requirement that the Local System Path registry remains unique for the windows system.

Resolution:

The workaround is not really tricky – here is a step-by-step description:

  • connect to your vCenter Server
  • Start -> Run -> regedit
  • navigate to the registry path:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
  • on the right side right-click “Path” and select “Modify”
  • search for the MIT\kerberos path (should be: c:\Program Files\MIT\Kerberos\bin)
  • copy the path (eg. c:\Program Files\MIT\Kerberos\bin)
  • navigate to the registry path:
    HKEY_USERS\S-1-5-18\Environment
  • on the right side right-click “Path” and select “Modify”
  • append the path copied before to the registry key’s value data field
    eg: C:\Program Files\Blabla;c:\Program Files\MIT\Kerberos\bin
  • click OK
  • restart the server
  • Done – check if the problem is solved

3 Comments

  1. Halilul

    Using FQDN whlle login vcenter web client solve this issue. ex (administrator@vsphere.local)

  2. Marcus

    Also works for new deployments of vCenter 6

  3. Todd

    I don’t have a Path in HKEY_USERS\S-1-5-18\Environment. So what then?

Leave a Comment

Your email address will not be published. Required fields are marked *