Azure Pack VM provisioning not working & ID 26726 “Either the specified user role or the specified user (Domain\SPF-SVC) is not valid. User is not a member of the role. Add (Domain\SPF-SVC) as a member of the user role and try again or provide a different user role or a different user.”

When using the Azure Pack Tenant Portal, all users (except Administrator) were unable to create VMs. In my case, when the user tried to create a new VM, it failed with a non-specific error.

After some digging, I was able to find the following error on my Azure Pack Tenant Hub server:

Potential version mismatch between WAP and SPF, please verify both component's versions and if they're compatible, Exception: 'System.Data.Services.Client.DataServiceQueryException: An error occurred while processing this request. ---> System.Data.Services.Client.DataServiceClientException: <Error xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure"><Code>InternalError</Code><Message>The server encountered an internal error, please retry. If the problem persists, contact support.

I checked all my Azure Pack, VMM and SPF servers – all were up to date with the latest updates.

 

So I suspected something was wrong with SPF. I followed the instructions at this link:

http://blogs.technet.com/b/privatecloud/archive/2013/11/08/troubleshooting-windows-azure-pack-spf-amp-vmm.aspx

In my case there were no issues with SPF.

I also found the following error in the VMM Jobs History:

ID 26726: “Either the specified user role or the specified user (Domain\SPF-SVC) is not valid. User is not a member of the role. Add (Domain\SPF-SVC) as a member of the user role and try again or provide a different user role or a different user.”

My SPF account was a member of the Administrator role in VMM, so I tried to log on to the SPF server with the SPF service account and open the VMM console.

I got the following error:

SCVMM console error „could not update managed code add-in pipeline due to the following error

Quick fix:

I fixed it by granting "Authenticated Users" read/execute rights to the folder "C:\Program Files\Microsoft System Center 2012\Virtual Machine Manager\bin\AddInPipeline" and all subfolders and files.
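One way to apply and verify this grant from PowerShell, as an added example that is not part of the original post. It checks for an existing ACE before changing anything and lists children that would not inherit the new entry; it assumes an elevated session on the machine where the VMM console is installed.

```powershell
# Added example, not from the original post. Run elevated on the VMM console machine.
$path = 'C:\Program Files\Microsoft System Center 2012\Virtual Machine Manager\bin\AddInPipeline'

# S-1-5-11 is the well-known SID for Authenticated Users (independent of OS language).
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Read the current ACL (explicit and inherited rules), with identities as SIDs.
$acl   = Get-Acl -LiteralPath $path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$hasRx = $rules | Where-Object {
    $_.IdentityReference.Value -eq $sid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $rx) -eq $rx
}

if ($hasRx) {
    Write-Output "Authenticated Users already has ReadAndExecute on $path"
} else {
    # Grant read/execute only (no write), inherited by subfolders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $rx, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
    Write-Output "Granted ReadAndExecute to Authenticated Users on $path"
}

# An inheritable ACE does not reach children whose ACL has inheritance disabled.
# List them so they can be reviewed individually.
Get-ChildItem -LiteralPath $path -Recurse -Force |
    Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected } |
    Select-Object -ExpandProperty FullName
```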

 

Then I reopened the VMM console and tried to create a new VM, but it again failed with the following error:

spf-svc access error

I reviewed my SPF service account permissions to make sure nothing was missing:

| Group name | Purpose | Members |
| --- | --- | --- |
| <DOMAIN>\SPF-Admins | Service Provider Administrators domain group used to provide domain accounts administrative rights to all Service Provider Foundation components and web services. | <DOMAIN>\SPF-SVC |
| <DOMAIN>\SPF-Provider | Service Provider domain group used to provide domain accounts access to the Service Provider Foundation Provider web service. | Appropriate domain accounts to be delegated permissions to services |
| <DOMAIN>\SPF-VMM | Service Provider domain group used to provide domain accounts access to the Service Provider Foundation VMM web service. | Appropriate domain accounts to be delegated permissions to services |
| <DOMAIN>\SPF-Usage | Service Provider domain group used to provide domain accounts access to the Service Provider Foundation Usage web service. | Appropriate domain accounts to be delegated permissions to services |
| <SPF Server>\SPF_Admin | Local group created by Service Provider Foundation setup process to provide access to the Admin web service. Domain groups and accounts must be added after setup finishes. | <Service Provider Foundation Server>\Local-SPF-SVC, <DOMAIN>\SPF-Admins |
| <Service Provider Foundation Server>\SPF_Provider | Local group created by Service Provider Foundation setup process to provide access to the Admin web service. Domain groups and accounts must be added after setup finishes. | <Service Provider Foundation Server>\Local-SPF-SVC, <DOMAIN>\SPF-Admins, <DOMAIN>\SPF-Provider |
| <Service Provider Foundation Server>\SPF_VMM | Local group created by Service Provider Foundation setup process to provide access to the Admin web service. Domain groups and accounts must be added after setup finishes. | <Service Provider Foundation Server>\Local-SPF-SVC, <DOMAIN>\SPF-Admins, <DOMAIN>\SPF-VMM |
| <Service Provider Foundation Server>\SPF_Usage | Local group created by Service Provider Foundation setup process to provide access to the Admin web service. Domain groups and accounts must be added after setup finishes. | <Service Provider Foundation Server>\Local-SPF-SVC, <DOMAIN>\SPF-Admins, <DOMAIN>\SPF-Usage |

 

 

Solution:

One thing that helped me get VM provisioning with the SPF service account working was adding the VMM service account to the Windows Authorization Access Group in Active Directory. Once I did that, I was able to provision VMs while logged on as the SPF service account. It also worked in the Azure Pack Tenant Portal.
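The membership change described above, scripted as an added example that is not part of the original post. Members of the Windows Authorization Access Group can read the computed tokenGroupsGlobalAndUniversal attribute on user objects, which a service needs in order to evaluate another account's group memberships. The account name `VMM-SVC` is a hypothetical placeholder, and the script assumes the VMM service runs as an ordinary domain user account and that the ActiveDirectory module (RSAT) is available.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory

# Hypothetical placeholder: replace with the account the VMM service runs as.
$vmmServiceAccount = 'VMM-SVC'

# Resolve the group by its well-known SID (S-1-5-32-560) rather than by name,
# so the lookup does not depend on the display name.
$group = Get-ADGroup -Identity 'S-1-5-32-560'
$user  = Get-ADUser  -Identity $vmmServiceAccount

# Check direct and nested membership before changing anything.
$isMember = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.SID.Value -eq $user.SID.Value }

if ($isMember) {
    Write-Output "$($user.SamAccountName) is already a member of '$($group.Name)'"
} else {
    Add-ADGroupMember -Identity $group -Members $user
    Write-Output "Added $($user.SamAccountName) to '$($group.Name)'"
    # Group membership is evaluated at logon, so the service account needs a
    # fresh logon session (for example a service restart) to pick up the change.
}

# Record the resulting direct membership for the change log.
Get-ADGroupMember -Identity $group |
    Select-Object Name, SamAccountName, objectClass
```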

 

 

 

 
