VMM 2012 Cannot deploy Virtual Machines using Self Service Users


  • Tuesday, January 08, 2013 8:52 PM
     
     

    Hello,

    I am having a strange issue using VMM 2012 (SP1), and since I tried everything I could, any help would be appreciated.

    We are in the process of building our private cloud. The first part is to set up VMM 2012 along with App Controller so Self Service Users could deploy their Virtual Machines themselves, using the App Controller Portal.

    VMM 2012 SP1 and App Controller SP1 are installed on the same VMM server. I have created several user roles within the VMM Console. One is a Tenant Administrator User role, the other one is a Self Service User role.

    The problem is that, if I add the same domain user to these 2 roles, he is only able to deploy a VM (using App Controller) when he logs in as a Tenant Administrator (or delegated administrator as well), but not using the Self Service Role, which is what I am trying to achieve. The 2 User roles are using the same Run As account.

    When trying to deploy a VM with the Self Service Role, the job will end with the message "The operation has timed out."

    If I go in the VMM server Event Viewer I find error messages in the Security part:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          1/8/2013 2:53:13 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      SCVMM.testdomain
    Description:
    An account failed to log on.

    Subject:
     Security ID:  testdomain\Sc12vmmSvc
     Account Name:  Sc12vmmSvc
     Account Domain:  testdomain
     Logon ID:  0x22708C

    Logon Type:   3

    Account For Which Logon Failed:
     Security ID:  NULL SID
     Account Name:  
     Account Domain:  

    Failure Information:
     Failure Reason:  Unknown user name or bad password.
     Status:   0xC000006D
     Sub Status:  0xC0000064

    Process Information:
     Caller Process ID: 0x3ec
     Caller Process Name: D:\Program Files\Microsoft System Center 2012\Virtual Machine Manager\bin\vmmservice.exe

    Network Information:
     Workstation Name: SCVMM
     Source Network Address: -
     Source Port:  -

    Detailed Authentication Information:
     Logon Process:  Authz  
     Authentication Package: Kerberos
     Transited Services: -
     Package Name (NTLM only): -
     Key Length:  0

    Again, if I connect using the same Active Directory account, but as a Tenant Administrator, it works fine and I am able to deploy the VM.

    I have also installed the DebugView tool, in order to trace the SCVMM logs as per the following procedure:

    http://support.microsoft.com/kb/970066?wa=wsignin1.0

    Below is a small part of the logs I got using this tool, while trying to deploy a VM with a Self Service account.

    00000370 41.38204575 [1536] 0600.001C::01/08-14:16:38.851#20ObjectAuthorizationManager.cs(112): Accessibile=False, Profile=SelfServiceUser, Object Type=UserRole, ID=75700cd5-893e-4f68-ada7-50ef4668acc6 
    00000371 41.38215637 [1536] 0600.001C::01/08-14:16:38.851#18ClientConnection.cs(314): Exception during context of an indigo call, carmine error code returned 11418 
    00000372 41.38243866 [1536] 0600.001C::01/08-14:16:38.851#18ClientConnection.cs(314): Microsoft.VirtualManager.Utils.ObjectNotAccessibleException: You do not have permission to access one or more of the objects required by this operation.  
    00000373 41.38243866 [1536] Contact the Virtual Machine Manager administrator to obtain the appropriate permissions.  
    00000374 41.38243866 [1536]    at Microsoft.VirtualManager.Engine.Remoting.ClientConnection.FetchObjectInternal(CarmineObjectType type, Guid id, ConnectionProperties conn)  

    It says that it does not have the permission required, but the Self Service User role uses the same Run As account as the Tenant Administrator.

    Thanks for your help.

     

     

     

All Replies

  • Wednesday, January 09, 2013 2:19 PM
     
     

    Hello,

    No answer to this thread. However, I finally found the solution to make it work. So if anyone runs into that issue, the fix was to add the VMM service account I had set to the Built In AD Windows Authorization Access Group.

    Once it is set, the VMM server is able to get the User information from the Active Directory, and therefore to let the user connect.

    In the procedure I found on TechNet it was said to add the VMM server computer account to this group, but it would not work until I added the VMM service account too.
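
The symptom check and group-membership fix described in this thread, as an added PowerShell example that is not part of the original posts. It assumes the ActiveDirectory module is installed and reuses the account name Sc12vmmSvc and computer name SCVMM from the 4625 event in the question; S-1-5-32-560 is the well-known SID of the built-in Windows Authorization Access Group.

```powershell
# Added example, not from the original thread. Account and computer names are
# taken from the 4625 event in the question; change them for your environment.
Import-Module ActiveDirectory

$ServiceAccount = 'Sc12vmmSvc'   # VMM service account (Subject of the 4625 event)
$VmmComputer    = 'SCVMM'        # VMM server computer account

# 1. Confirm the symptom: logon failures (4625) raised by vmmservice.exe through
#    the Authz logon process. Requires rights to read the Security log.
#    The Message match assumes an English-language event description.
$filter   = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) }
$failures = Get-WinEvent -ComputerName $VmmComputer -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'vmmservice\.exe' -and
        $_.Message -match 'Logon Process:\s+Authz'
    }
Write-Output "Authz logon failures from vmmservice.exe in the last 24h: $(@($failures).Count)"

# 2. Check direct membership of both principals in the built-in
#    Windows Authorization Access Group (well-known SID S-1-5-32-560).
#    Membership through nested groups is not evaluated here.
$group = Get-ADGroup -Identity 'S-1-5-32-560' -Properties member

$principals = @(
    Get-ADUser     -Identity $ServiceAccount
    Get-ADComputer -Identity $VmmComputer
)

foreach ($p in $principals) {
    if ($group.member -contains $p.DistinguishedName) {
        Write-Output "$($p.SamAccountName): already a direct member of '$($group.Name)'"
    }
    else {
        Write-Output "$($p.SamAccountName): NOT a direct member of '$($group.Name)'"
        # -WhatIf only previews the change; remove it to actually add the member.
        Add-ADGroupMember -Identity $group -Members $p -WhatIf
    }
}
```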