User does not have permissions to access the Service Management API

When playing with Windows Azure Pack I received this error. When searching on the Internet the solution is to add the user to the local “MgmtSvc Operators” security group. That is a bit difficult, as Microsoft removed that group in Update 1. Instead you should use PowerShell “Add-MgmtSvcAdminUser” to assign users permissions. When I ran get-MgmtSvcAdminUser I had the WAP server local administrator’s group member of the WAP Admin role, and my user was member of that local administrator group. Normally a member of a group has all permissions that the group has, but not in this case, instead I needed to add my user account direct to the admin role. Thanks to the oracle Patrik Sundqvist who enlighten me about that. I ran the following PowerShell line and then it worked

Add-MgmtSvcAdminUser –ConnectionString ‘Server=SCDB01;Initial Catalog=Microsoft.MgmtSvc.Store;Trusted_Connection=True;’ –principal ‘demo\anders.bengtsson’

SCDB01 is the database server hosting the Microsoft.MgmtSvc.Store database. DEMO is the domain name.

About

Microsoft

7 thoughts on “User does not have permissions to access the Service Management API

  1. Wanted to chime in here. I found isn’t that there’s some problem with the format “DOMAIN\groupname”. The problem is that might not be what you think it is. At least for me that was it. Here’s an example.

    In a lot of enterprises, the fully qualified domain name might be america.enterprise.company.com. Usually a domain also has a short name that you usually use when you see the format “DOMAIN\groupname”. Maybe [AM-ENT\groupname] in this case. You are used to “AM-ENT being synonymous and interchangeable with “america.enterprise.company.com.” So you type in Add-MgmtSvcUser -Principal = “AM-ENT\groupname” and it doesn’t work. As noted here, you can add individual users using their SAMName format as a workaround but the real trick is that in an ADFS token, your group names are formatted as america\groupname. Notice it’s not the familiar “short name” of your domain but rather the leftmost string in your fully qualified domain name. Often those are the same string, but maybe not, as in my example. So do: Add-MgmtSvcUser -Principal = “america\groupname” and it works.

    Hope that makes sense and helps someone.

    Tom

  2. Thanks for posting this; this is a really difficult system to get working in distributed mode. I am getting the same error, and when I tried the solution per the suggestion above I get an error “namespace ‘adminAPI not found’ Do you have any suggestions for me?

  3. Thank you so much for this! A lot of information and blogposts are pointing the “MgmtSvc Operators”-group which is a bit confusing… 🙂

    Finally got passed this issue!

  4. I could nearly hug you right now…. I’m trying to POC Azure Pack and was able to install express in a home lab no problem, when I tried to bring it into my corporate lab I keep getting this dumb permission denied error! So glad you shared this information! Thanks!

  5. Hi Anders,

    Just curious, are you using ADFS for authentication to the admin site in this configuration? I had this exact same problem after implementing ADFS on a deployment I was doing and stumbled upon your site. I was actually able to get mine to work with just group membership and ADFS but I needed to add a new claim rule to the Active Directory claims provider that would map “Token-Groups – Qualified by Domain Name” to an outgoing claim of “Group”. Once I got this working ADFS would send claims to WAP admin site that would include group membership in addition to the UPN.

    In this case the only thing added to my WAP configuration is:

    Add-MgmtSvcAdminUser -Principal NETBIOS\WAP Admins -ConnectionString $ConnectionString

    Just curious if this applied to your issue as well.

    -Nick

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.