A patch update was just released for vCenter Server 6.5, dubbed vSphere 6.5b. While glancing through the release notes, I caught one interesting "resolved issue" which I thought was worth sharing.

Users with no vCenter Server permissions can log in to the vSphere Web Client

Users without permissions can log in to the vSphere Web Client. Users can click the menu options, but no inventory is displayed.

Users with no permissions can no longer log in to the vSphere Web Client.

To enable the login, set the allow.user.without.permissions.login = true property in the webclient.properties file.

This particular behavior has been something that has confused a few customers and has been asked about since the introduction of vCenter Single Sign-On (SSO) service. The issue or rather the confusion is that prior to the SSO service, vCenter Server handled both authentication as well as authorization.

With SSO, authentication was no longer being handled by vCenter Server and this meant that even if you had no permissions in vCenter Server but you could authenticate to SSO (especially common when Active Directory is configured), you would still be allowed to login to the vSphere Web/H5 Client.

Although vCenter Server would does the right thing and does not display any inventory if you do not have any permissions, it was still not a desired behavior in addition to the confusion it caused. I was pleasantly surprised to see that we have changed this default behavior by disallowing logins to the vSphere Web/H5 Client if a user has no VC permissions. Below is the message you will receive if you try to login without VC permissions.

If you wish to revert to the original behavior, you can do so by simply adding the allow.user.without.permissions.login = true setting into the vSphere Web/H5 Client configuration file (webclient.properties) and restart the vSphere Web/H5 Client service. I think many of our customers will appreciate this fix as well as the new default behavior!

6 thoughts on “vSphere 6.5b prevents vSphere Web Client logins for users w/o VC permissions

  1. Thank you for great post! ..was curious to test this “allow.user.without.permissions.login = false” on 6.0.0U3b but it didn’t work… So looks like there is no way to achieve the same restriction on the VC 6.0 version? Or any ideas? Thank you!

  2. How about his for a comment:

    Brand new vCenter 6.5 deployment on windows with AD integration ID source, can’t add permissions to any inventory object from our AD source, only allows adding permissions via global permissions. Wait, don’t tell me, another web client issue??

    • This should not be the case. I would recommend you file an SR and GSS can help you out. You should be able to assign standard permissions using the regular method and/or Global Permissions

Thanks for the comment!

This site uses Akismet to reduce spam. Learn how your comment data is processed.