WilliamLam.com


vSphere 6.5b prevents vSphere Web Client logins for users w/o VC permissions

03.14.2017 by William Lam // 8 Comments

A patch update was just released for vCenter Server 6.5, dubbed vSphere 6.5b. While glancing through the release notes, I caught one interesting "resolved issue" which I thought was worth sharing.

Users with no vCenter Server permissions can log in to the vSphere Web Client

Users without permissions can log in to the vSphere Web Client. Users can click the menu options, but no inventory is displayed.

Users with no permissions can no longer log in to the vSphere Web Client.

To enable the login, set the allow.user.without.permissions.login = true property in the webclient.properties file.

This behavior has confused a few customers and has been asked about since the introduction of the vCenter Single Sign-On (SSO) service. The confusion stems from the fact that, prior to the SSO service, vCenter Server handled both authentication and authorization.

With SSO, authentication was no longer handled by vCenter Server. This meant that even if you had no permissions in vCenter Server, as long as you could authenticate to SSO (especially common when Active Directory is configured), you would still be allowed to log in to the vSphere Web/H5 Client.


Although vCenter Server does the right thing and does not display any inventory if you do not have any permissions, it was still not a desired behavior, in addition to the confusion it caused. I was pleasantly surprised to see that we have changed this default behavior by disallowing logins to the vSphere Web/H5 Client if a user has no VC permissions. Below is the message you will receive if you try to log in without VC permissions.


If you wish to revert to the original behavior, you can do so by adding the allow.user.without.permissions.login = true setting to the vSphere Web/H5 Client configuration file (webclient.properties) and restarting the vSphere Web/H5 Client service. I think many of our customers will appreciate this fix as well as the new default behavior!
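
The following audit check is an added example, not code from the original post or from VMware: it reports whether a webclient.properties file re-enables logins for users with no VC permissions. The file path is supplied by the operator, the sample contents are constructed, and treating the value as a case-insensitive boolean is an assumption.

```python
import re
import sys

PROP = "allow.user.without.permissions.login"  # property name from the release note
# .properties syntax: key, then '=', ':' or whitespace, then the value.
_ENTRY = re.compile(r"^\s*([^\s=:]+)\s*[=:]?\s*(.*)$")

def read_property(text, name=PROP):
    """Return the effective value of `name`, or None when it is not set.

    '#' and '!' start comment lines, an odd number of trailing backslashes
    continues the line, and the last assignment in the file wins.
    """
    value, pending = None, ""
    for raw in text.splitlines():
        if not pending and raw.lstrip()[:1] in ("#", "!"):
            continue
        line = pending + raw.lstrip()
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        pending = ""
        match = _ENTRY.match(line)
        if match and match.group(1) == name:
            value = match.group(2).strip()
    return value

def override_enabled(text):
    """True when the file restores logins for users with no VC permissions."""
    value = read_property(text)
    # Assumption: the value is read as a case-insensitive boolean.
    return value is not None and value.lower() == "true"

# Constructed samples, not taken from a real vCenter Server.
SAMPLE_DEFAULT = "# constructed sample\nexample.other.setting = 1\n"
SAMPLE_OVERRIDE = (
    "#allow.user.without.permissions.login = false\n"
    "allow.user.without.permissions.login = false\n"
    "allow.user.without.permissions.login = true\n"
)

if __name__ == "__main__":
    # Usage: python3 check_login_override.py /path/to/webclient.properties
    with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
        enabled = override_enabled(handle.read())
    print(f"{PROP} override enabled: {enabled}")
    sys.exit(1 if enabled else 0)
```

A non-zero exit status means the override is present and effective, so the check can be run as part of a configuration baseline after patching.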


Comments

  1. feffrey says

    03/14/2017 at 10:45 pm

    Glad they made that change. Less time fighting security over this.

  2. Andrew GR says

    05/03/2017 at 9:39 pm

    Thank you for the great post! I was curious to test this "allow.user.without.permissions.login = false" on 6.0.0U3b but it didn't work... So it looks like there is no way to achieve the same restriction on the VC 6.0 version? Or any ideas? Thank you!

  3. Angry Customer, but who cares over at VMware says

    05/18/2017 at 7:39 am

    How about this for a comment:

    Brand new vCenter 6.5 deployment on Windows with AD integration ID source, can't add permissions to any inventory object from our AD source, only allows adding permissions via global permissions. Wait, don't tell me, another web client issue??

    • William Lam says

      05/18/2017 at 1:44 pm

      This should not be the case. I would recommend you file an SR and GSS can help you out. You should be able to assign standard permissions using the regular method and/or Global Permissions

    • Stephen says

      05/21/2017 at 11:48 am

      I am also struggling with this, vSphere 6.0 I can add permissions users groups Licensing, vSphere 6.5 you can add them but nothing works except the *protected email* account.
      How does this slip past QC?

  4. Ramkulov says

    09/13/2017 at 9:40 pm

    Many thanks, that helped.

  5. morcos Samuel says

    08/08/2018 at 11:58 am

    Can we do that in 6.0?

    • Oleg says

      08/09/2018 at 6:11 am

      I have the same question!
      Especially in last 6.0 Update3g ?
      I tried “allow.user.without.permissions.login = false” on 6.0.0U3g but it didn’t work 🙁



Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native technologies, Automation, Integration and Operation for the VMware Cloud based Software Defined Datacenters (SDDC)
