WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud Foundation
  • VKS
  • Homelab
    • Resources
    • Nested Virtualization
  • VMware Nostalgia
  • Apple
You are here: Home / vSphere 6.5 / vSphere 6.5b prevents vSphere Web Client logins for users w/o VC permissions

vSphere 6.5b prevents vSphere Web Client logins for users w/o VC permissions

03.14.2017 by William Lam // 8 Comments

A patch update was just released for vCenter Server 6.5, dubbed vSphere 6.5b. While glancing through the release notes, I caught one interesting "resolved issue" which I thought was worth sharing.

Users with no vCenter Server permissions can log in to the vSphere Web Client

Users without permissions can log in to the vSphere Web Client. Users can click the menu options, but no inventory is displayed.

Users with no permissions can no longer log in to the vSphere Web Client.

To enable the login, set the allow.user.without.permissions.login = true property in the webclient.properties file.

This particular behavior has been something that has confused a few customers and has been asked about since the introduction of vCenter Single Sign-On (SSO) service. The issue or rather the confusion is that prior to the SSO service, vCenter Server handled both authentication as well as authorization.

With SSO, authentication was no longer being handled by vCenter Server and this meant that even if you had no permissions in vCenter Server but you could authenticate to SSO (especially common when Active Directory is configured), you would still be allowed to login to the vSphere Web/H5 Client.


Although vCenter Server would does the right thing and does not display any inventory if you do not have any permissions, it was still not a desired behavior in addition to the confusion it caused. I was pleasantly surprised to see that we have changed this default behavior by disallowing logins to the vSphere Web/H5 Client if a user has no VC permissions. Below is the message you will receive if you try to login without VC permissions.


If you wish to revert to the original behavior, you can do so by simply adding the allow.user.without.permissions.login = true setting into the vSphere Web/H5 Client configuration file (webclient.properties) and restart the vSphere Web/H5 Client service. I think many of our customers will appreciate this fix as well as the new default behavior!

More from my site

  • Quick Tip - Audit vCenter Server Role & Permission Usage
  • Exploring the new vSphere Privilege Recorder in vSphere 8.0 Update 1
  • Monitoring vSphere account password & permission changes 
  • Quick Tip - vSphere Permission to view vSphere with Tanzu Namespaces
  • How to restrict vSphere UI access while maintaining vSphere API functionality?

Categories // vSphere 6.5, vSphere Web Client Tags // permission, vSphere 6.5, vsphere web client

Comments

  1. *protectedfeffrey says

    03/14/2017 at 10:45 pm

    Glad they made that change. Less time fighting security over this.

    Reply
  2. *protectedAndrew GR says

    05/03/2017 at 9:39 pm

    Thank you for great post! ..was curious to test this "allow.user.without.permissions.login = false" on 6.0.0U3b but it didn't work... So looks like there is no way to achieve the same restriction on the VC 6.0 version? Or any ideas? Thank you!

    Reply
  3. *protectedAngry Customer, but who cares over at VMware says

    05/18/2017 at 7:39 am

    How about his for a comment:

    Brand new vCenter 6.5 deployment on windows with AD integration ID source, can't add permissions to any inventory object from our AD source, only allows adding permissions via global permissions. Wait, don't tell me, another web client issue??

    Reply
    • William Lam says

      05/18/2017 at 1:44 pm

      This should not be the case. I would recommend you file an SR and GSS can help you out. You should be able to assign standard permissions using the regular method and/or Global Permissions

      Reply
    • *protectedStephen says

      05/21/2017 at 11:48 am

      I am also struggling with this, Vsphere 6.0 I can add permissions users groups Licensing, Vsphere 6.5 you can add them but nothing works except the *protected email* account
      How does this slip past QC?

      Reply
  4. *protectedRamkulov says

    09/13/2017 at 9:40 pm

    Many thanks, that helped.

    Reply
  5. *protectedmorcos Samuel says

    08/08/2018 at 11:58 am

    can we do that in 6.0 ???

    Reply
    • *protectedOleg says

      08/09/2018 at 6:11 am

      I have the same question!
      Especially in last 6.0 Update3g ?
      I tried “allow.user.without.permissions.login = false” on 6.0.0U3g but it didn’t work 🙁

      Reply

Thanks for the comment!Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search

Thank Author

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Connect

  • Bluesky
  • Email
  • GitHub
  • LinkedIn
  • Mastodon
  • Reddit
  • RSS
  • Twitter
  • Vimeo

Recent

  • Programmatically accessing the Broadcom Compatibility Guide (BCG) 05/06/2025
  • Quick Tip - Validating Broadcom Download Token  05/01/2025
  • Supported chipsets for the USB Network Native Driver for ESXi Fling 04/23/2025
  • vCenter Identity Federation with Authelia 04/16/2025
  • vCenter Server Identity Federation with Kanidm 04/10/2025

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2025

 

Loading Comments...