
Contoso.se

Welcome to contoso.se! My name is Anders Bengtsson and this is my blog about Azure infrastructure and system management. I am a senior engineer in the FastTrack for Azure team, part of Azure Engineering, at Microsoft.  Contoso.se has two main purposes, first as a platform to share information with the community and the second as a notebook for myself.

Everything you read here is my own personal opinion and any code is provided "AS-IS" with no warranties.


User does not have permissions to access the Service Management API

When playing with Windows Azure Pack I received this error. Searching the Internet, the usual answer is to add the user to the local "MgmtSvc Operators" security group. That is difficult, because Microsoft removed that group in Update 1. Instead you should use the PowerShell cmdlet "Add-MgmtSvcAdminUser" to assign users permissions. When I ran Get-MgmtSvcAdminUser, the WAP server's local Administrators group was a member of the WAP Admin role, and my user was a member of that local Administrators group. Normally a member of a group has all the permissions the group has, but not in this case: I needed to add my user account directly to the admin role. Thanks to the oracle Patrik Sundqvist, who enlightened me about that. I ran the following PowerShell line and then it worked:

Add-MgmtSvcAdminUser -ConnectionString 'Server=SCDB01;Initial Catalog=Microsoft.MgmtSvc.Store;Trusted_Connection=True;' -Principal 'demo\anders.bengtsson'

SCDB01 is the database server hosting the Microsoft.MgmtSvc.Store database. DEMO is the domain name.
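As an added example (not code from the original post), here is a small idempotent script that checks whether the principal is already listed directly in the WAP admin role before adding it. The connection string and principal are the placeholders from the post; the module name MgmtSvcConfig and the shape of Get-MgmtSvcAdminUser's output are assumptions, the latter handled in the script.

```powershell
# Added example, not code from the original post. It checks whether a principal
# is already listed directly in the WAP admin role and adds it only if missing.
# Assumptions: the MgmtSvcConfig module is available on the WAP admin server,
# and Get-MgmtSvcAdminUser returns either plain strings or objects with a
# Principal property (normalised below). Server, database and principal values
# are the placeholders used in the post.
Import-Module MgmtSvcConfig

$connectionString = 'Server=SCDB01;Initial Catalog=Microsoft.MgmtSvc.Store;Trusted_Connection=True;'
$principal        = 'demo\anders.bengtsson'   # DOMAIN\user, not a group

# Role membership is stored as a flat list of principals. A user who belongs to
# a listed group (e.g. the local Administrators group) does not inherit access,
# so the check below compares the user's own name, not the groups it belongs to.
$existing = Get-MgmtSvcAdminUser -ConnectionString $connectionString |
    ForEach-Object {
        if ($_.PSObject.Properties['Principal']) { $_.Principal } else { "$_" }
    }

# -contains is case-insensitive, matching how Windows principal names compare.
if ($existing -contains $principal) {
    Write-Output "$principal is already a direct member of the WAP admin role."
}
else {
    Write-Output "Adding $principal directly to the WAP admin role..."
    Add-MgmtSvcAdminUser -ConnectionString $connectionString -Principal $principal
}

# Show the resulting list so the change can be verified and audited.
Get-MgmtSvcAdminUser -ConnectionString $connectionString
```

Run it from an elevated PowerShell session on the WAP admin server; the final listing is what you keep as the record of who holds the admin role.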


7 Comments

  1. Wanted to chime in here. I found it isn't that there's some problem with the format "DOMAIN\groupname". The problem is that it might not be what you think it is. At least for me that was it. Here's an example.

    In a lot of enterprises, the fully qualified domain name might be america.enterprise.company.com. Usually a domain also has a short name that you usually use when you see the format "DOMAIN\groupname". Maybe [AM-ENT\groupname] in this case. You are used to "AM-ENT" being synonymous and interchangeable with "america.enterprise.company.com". So you type in Add-MgmtSvcUser -Principal = "AM-ENT\groupname" and it doesn't work. As noted here, you can add individual users using their SAMName format as a workaround, but the real trick is that in an ADFS token, your group names are formatted as america\groupname. Notice it's not the familiar "short name" of your domain but rather the leftmost string in your fully qualified domain name. Often those are the same string, but maybe not, as in my example. So do: Add-MgmtSvcUser -Principal = "america\groupname" and it works.

    Hope that makes sense and helps someone.

    Tom

  2. Thanks for posting this; this is a really difficult system to get working in distributed mode. I am getting the same error, and when I tried the solution per the suggestion above I get an error “namespace ‘adminAPI not found’ Do you have any suggestions for me?

  3. Thank you so much for this! A lot of information and blogposts are pointing the “MgmtSvc Operators”-group which is a bit confusing… 🙂

    Finally got past this issue!

  4. I could nearly hug you right now…. I’m trying to POC Azure Pack and was able to install express in a home lab no problem, when I tried to bring it into my corporate lab I keep getting this dumb permission denied error! So glad you shared this information! Thanks!

  5. Hi Anders,

    Just curious, are you using ADFS for authentication to the admin site in this configuration? I had this exact same problem after implementing ADFS on a deployment I was doing and stumbled upon your site. I was actually able to get mine to work with just group membership and ADFS but I needed to add a new claim rule to the Active Directory claims provider that would map “Token-Groups – Qualified by Domain Name” to an outgoing claim of “Group”. Once I got this working ADFS would send claims to WAP admin site that would include group membership in addition to the UPN.

    In this case the only thing added to my WAP configuration is:

    Add-MgmtSvcAdminUser -Principal 'NETBIOS\WAP Admins' -ConnectionString $ConnectionString

    Just curious if this applied to your issue as well.

    -Nick
