WilliamLam.com


vSphere 6.5b prevents vSphere Web Client logins for users w/o VC permissions

03.14.2017 by William Lam

A patch update was just released for vCenter Server 6.5, dubbed vSphere 6.5b. While glancing through the release notes, I caught one interesting "resolved issue" which I thought was worth sharing.

Users with no vCenter Server permissions can log in to the vSphere Web Client

Users without permissions can log in to the vSphere Web Client. Users can click the menu options, but no inventory is displayed.

Users with no permissions can no longer log in to the vSphere Web Client.

To enable the login, set the allow.user.without.permissions.login = true property in the webclient.properties file.

This particular behavior has confused a few customers and has been asked about since the introduction of the vCenter Single Sign-On (SSO) service. The confusion arises because, prior to the SSO service, vCenter Server handled both authentication and authorization.

With SSO, authentication was no longer being handled by vCenter Server, and this meant that even if you had no permissions in vCenter Server but could authenticate to SSO (especially common when Active Directory is configured), you would still be allowed to log in to the vSphere Web/H5 Client.


Although vCenter Server does the right thing and does not display any inventory if you do not have any permissions, it was still not a desired behavior, in addition to the confusion it caused. I was pleasantly surprised to see that we have changed this default behavior by disallowing logins to the vSphere Web/H5 Client if a user has no VC permissions. Below is the message you will receive if you try to log in without VC permissions.


If you wish to revert to the original behavior, you can do so by adding the allow.user.without.permissions.login = true setting to the vSphere Web/H5 Client configuration file (webclient.properties) and restarting the vSphere Web/H5 Client service. I think many of our customers will appreciate this fix as well as the new default behavior!
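For auditing whether that override has been turned back on, here is an added example (not from the original post or from VMware): a shell function that reports the effective value of the property in a webclient.properties file. The file path is supplied by the caller, and the parsing rules follow general Java .properties conventions, which is an assumption about how the client reads the file.

```shell
#!/bin/sh
# Added example: detect whether the 6.5b login restriction has been reverted.
KEY='allow.user.without.permissions.login'

# Usage: login_override_state /path/to/webclient.properties
# Prints "enabled" when the key's effective value is true, else "default".
# Assumptions (not stated in the post): Java .properties conventions apply:
# '#' or '!' starts a comment, '=' or ':' separates key and value, blanks
# around them are ignored, the last assignment wins, "true" is case-insensitive.
login_override_state() {
    awk -v key="$KEY" '
        /^[ \t]*[#!]/ { next }                  # skip comment lines
        {
            line = $0
            sub(/\r$/, "", line)                # tolerate CRLF files
            sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next     # line must start with the key
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*[=:]/) next     # reject longer key names
            sub(/^[ \t]*[=:][ \t]*/, "", rest)
            sub(/[ \t]+$/, "", rest)
            value = tolower(rest)               # later lines overwrite earlier
        }
        END { if (value == "true") print "enabled"; else print "default" }
    ' "$1"
}

# Constructed sample file, not taken from a real vCenter Server.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
example.other.setting = 1
#allow.user.without.permissions.login = true
allow.user.without.permissions.login = false
allow.user.without.permissions.login=TRUE
EOF
login_override_state "$sample"
rm -f "$sample"
```

A result of "default" means users without vCenter Server permissions are still blocked from logging in, which is the 6.5b behavior described above.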


Exploring new VCSA VAMI API w/PowerCLI: Part 10

03.14.2017 by William Lam

In Part 10, we are going to take a look at local user management for the VAMI interface. By default, only the root local user exists but customers have the option of creating additional accounts. In vSphere 6.5, the VAMI has been enhanced to support different roles such as Admin, Operator and SuperAdmin. You can refer to the VAMI documentation on what each of the roles provides.

VAMI UI Area of Focus

There is no VAMI UI for user management; this is currently only available using the VAMI REST APIs.

VAMI APIs Used

  • GET /appliance/techpreview/localaccounts/user
  • POST /appliance/techpreview/localaccounts/user
  • DELETE /appliance/techpreview/localaccounts/user/{user-id}

PowerCLI Function

  • Get-VAMIUser
  • New-VAMIUser
  • Remove-VAMIUser

Sample Output

To retrieve all VAMI users, use the Get-VAMIUser function. By default, your system will probably only have the root user unless you have already added additional VAMI users.


To create a new user, we will use the New-VAMIUser function, which requires a few input parameters that should be pretty self-explanatory. The role parameter can be one of three values: admin, operator or superAdmin, as defined in the VAMI documentation.

Here is an example of creating a new user called lamw:

New-VAMIUser -name lamw -fullname "William Lam" -role "operator" -email "*protected email*" -password "VMware1!"


If we now re-run our Get-VAMIUser command, we should see the new user that we had just created.


To remove a VAMI user, you simply use the Remove-VAMIUser function and specify the name of the user you wish to remove. Below is an example of deleting the user we had just created.


One thing to note is that when using the Connect-CisServer cmdlet to interact with the VAMI REST API, it currently does not support connecting with local VAMI users, only SSO users. This is a limitation with the PowerCLI implementation and does not affect direct use of the VAMI REST API or using it through other SDKs. This is something that will be resolved in a future update of PowerCLI, so something to keep in mind as I was scratching my head when trying to use a local user to authenticate.

  • Exploring new VCSA VAMI API w/PowerCLI: Part 1
  • Exploring new VCSA VAMI API w/PowerCLI: Part 2
  • Exploring new VCSA VAMI API w/PowerCLI: Part 3
  • Exploring new VCSA VAMI API w/PowerCLI: Part 4
  • Exploring new VCSA VAMI API w/PowerCLI: Part 5
  • Exploring new VCSA VAMI API w/PowerCLI: Part 6
  • Exploring new VCSA VAMI API w/PowerCLI: Part 7
  • Exploring new VCSA VAMI API w/PowerCLI: Part 8
  • Exploring new VCSA VAMI API w/PowerCLI: Part 9
  • Exploring new VCSA VAMI API w/PowerCLI: Part 10


Installing the Horizon View Agent on a Domain Controller

03.09.2017 by William Lam

A couple of weeks back, a fellow colleague needed to install the Horizon View Agent on a Microsoft Windows Domain Controller to be able to take advantage of the Direct Connect feature to efficiently connect into a lab environment. In general, this is not a recommended practice. In fact, by default the Horizon View Agent includes several pre-checks, one of which prevents the installation if it detects the underlying system is a Domain Controller.

In this particular scenario, the Domain Controller was not being used for a real production environment but rather as part of a vPod that is hosted in a Hands-On-Lab type of environment. I could also see another use case where this might occur in personal home labs where you might consolidate several types of roles on a single Windows system and wish to be able to use the Direct Connect feature of the Horizon View Client.

The individual had searched extensively online but all the suggested command-line flags were not applicable to the Horizon View Agent. After pinging me for ideas, I reached out to a few of our End-User Computing folks and thanks to them, we found a neat little workaround by tweaking the MSI installer.

Disclaimer: This is not officially supported by VMware, please use at your own risk. There are no guarantees that the behavior described here will continue to function going forward and it can change without notice.

