Tuesday, January 08, 2013 8:52 PM
I am having a strange issue using VMM 2012 (SP1), and since I tried everything I could, any help would be appreciated.
We are in the process of building our private cloud. The first part is to set up VMM 2012 along with App Controller so Self Service Users can deploy their Virtual Machines themselves, using the App Controller Portal.
VMM 2012 SP1 and App Controller SP1 are installed on the same VMM server. I have created several user roles within the VMM Console. One is a Tenant Administrator User role, the other one is a Self Service User role.
The problem is that, if I add the same domain user to these 2 roles, he is only able to deploy a VM (using App Controller) when he logs in as a Tenant Administrator (or delegated administrator as well), but not using the Self Service Role, which is what I am trying to achieve. The 2 User roles are using the same Run As account.
When trying to deploy a VM with the Self Service Role, the job will end with the message "The operation has timed out."
If I go into the VMM server Event Viewer, I find error messages in the Security part:
Log Name: Security
Date: 1/8/2013 2:53:13 PM
Event ID: 4625
Task Category: Logon
Keywords: Audit Failure
An account failed to log on.
Security ID: testdomain\Sc12vmmSvc
Account Name: Sc12vmmSvc
Account Domain: testdomain
Logon ID: 0x22708C
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Failure Reason: Unknown user name or bad password.
Sub Status: 0xC0000064
Caller Process ID: 0x3ec
Caller Process Name: D:\Program Files\Microsoft System Center 2012\Virtual Machine Manager\bin\vmmservice.exe
Workstation Name: SCVMM
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Authz
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Again, if I connect using the same Active Directory account, but as a Tenant Administrator, it works fine and I am able to deploy the VM.
I have also installed the DebugView tool, in order to trace the SCVMM logs as per the following procedure:
Below is a small part of the logs I got using this tool, while trying to deploy a VM with a Self Service account.
00000370 41.38204575  0600.001C::01/08-14:16:38.851#20ObjectAuthorizationManager.cs(112): Accessibile=False, Profile=SelfServiceUser, Object Type=UserRole, ID=75700cd5-893e-4f68-ada7-50ef4668acc6
00000371 41.38215637  0600.001C::01/08-14:16:38.851#18ClientConnection.cs(314): Exception during context of an indigo call, carmine error code returned 11418
00000372 41.38243866  0600.001C::01/08-14:16:38.851#18ClientConnection.cs(314): Microsoft.VirtualManager.Utils.ObjectNotAccessibleException: You do not have permission to access one or more of the objects required by this operation.
00000373 41.38243866  Contact the Virtual Machine Manager administrator to obtain the appropriate permissions.
00000374 41.38243866  at Microsoft.VirtualManager.Engine.Remoting.ClientConnection.FetchObjectInternal(CarmineObjectType type, Guid id, ConnectionProperties conn)
It says that it does not have the permission required but the Self Service User role uses the same Run As account as the Tenant Administrator.
Thanks for your help.
Wednesday, January 09, 2013 2:19 PM
No answer to this thread. However, I finally found the solution to make it work. So if anyone runs into that issue, the fix was to add the VMM service account I had set to the Built In AD Windows Authorization Access Group.
Once it is set, the VMM server is able to get the User information from the Active Directory, and therefore to let the user connect.
In the procedure I found on TechNet it was said to add the VMM server computer account to this group, but it would not work until I added the VMM service account too.
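A way to check for the condition described in this thread, as an added example that is not part of the original posts: the PowerShell below reports whether the VMM service account and the VMM computer account are members of the Windows Authorization Access Group, and lists recent 4625 events with logon process Authz raised by vmmservice.exe. It assumes the ActiveDirectory module (RSAT) is installed; the account and computer names are taken from the event quoted in the question, and the function names are hypothetical.

```powershell
# Added example; not from the original thread. Needs the ActiveDirectory module (RSAT)
# and permission to read the Security log. Run on the VMM server.
Import-Module ActiveDirectory

# Assumption: names taken from the 4625 event quoted in the question.
$ServiceAccount = 'Sc12vmmSvc'    # VMM service account
$VmmComputer    = 'SCVMM$'        # VMM server computer account (sAMAccountName ends in $)
$WaagSid        = 'S-1-5-32-560'  # well-known SID of BUILTIN\Windows Authorization Access Group

function Test-WaagMembership {
    param([string[]]$SamAccountName)
    # -Recursive flattens nested groups, so indirect membership counts too.
    $members = @(Get-ADGroupMember -Identity $WaagSid -Recursive |
        Select-Object -ExpandProperty SamAccountName)
    foreach ($name in $SamAccountName) {
        [pscustomobject]@{ Account = $name; InGroup = ($members -contains $name) }
    }
}

function Get-VmmAuthzLogonFailure {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData name/value pairs of the event into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = "$($node.'#text')".Trim()
        }
        # Keep only the pattern from the question: Authz logon process, raised by vmmservice.exe.
        if ($data.LogonProcessName -eq 'Authz' -and $data.ProcessName -like '*\vmmservice.exe') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Caller    = $data.SubjectUserName
                Target    = $data.TargetUserName
                SubStatus = $data.SubStatus
            }
        }
    }
}

Test-WaagMembership -SamAccountName $ServiceAccount, $VmmComputer | Format-Table -AutoSize
Get-VmmAuthzLogonFailure | Format-Table -AutoSize
```

An InGroup value of False for the service account corresponds to the state described before the fix; after adding the account, the second query should stop returning new events for Self Service deployments.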