In certain networks and environments, additional permissions and settings are required. Please follow the steps below and refer to the troubleshooting list if required.

Settings and Configuration

A service account is required to run the VMware Enterprise Systems Connector service. The current service account permissions are listed below; they are subject to change if the permissions can be successfully lowered.

  • Member of the following groups in AD
    • Domain Users
    • Enterprise Admins
    • Remote Desktop Users
  • On the CA Server
    • Member of Local Administrator Group
    • Full permissions on the Certification Authority
  • On the VMware Enterprise Systems Connector Server
    • Logon User for the VMware Enterprise Systems Connector Service

Permissions Settings

The following permissions have been set for the service account ‘caadmin’.

CA Server Local Administrator Group Permissions

Certification Authority Permissions

VMware Enterprise Systems Connector Configuration

  1. Run Services.msc
  2. Stop VMware Enterprise Systems Connector Service
  3. Right-click the VMware Enterprise Systems Connector service
  4. Select Properties
  5. Click on Log On
    • For 2008 R2 Enterprise
      • Logon as Local System account
      • Select Allow Service to Interact with Desktop
    • For 2012 R2 Standard:
      • Logon as This Account
      • Browse for the service account user that was created
      • Enter and confirm the password

  6. Open the personal certificate store of the local computer
    • Log in with an account that has admin permissions on both the VMware Enterprise Systems Connector server and the domain; otherwise you may not be able to access the computer store or add a domain user to manage the private keys.
  7. Select the Certificate Request Agent certificate created and installed in the original setup guide.
    • Refer to Chapter 4 of the Setting up Certificate Enrollment on-Behalf-of with ADCS with DCOM guide.
  8. Right-click, select All Tasks, then select Manage Private Keys
  9. Add the service account and set read permissions

  10. Repeat Steps 8-9 for both the VMware Enterprise Systems Connector and Secure Channel Certificates
    • Both these certificates will be issued by Device Services Child Certificate
    • Issued to AW Cloud Connector – VMware Enterprise Systems Connector and AW Cloud Connector – [OG Name]
  11. Start the VMware Enterprise Systems Connector service
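
Steps 6-10 can also be scripted and then verified. The following is an added example, not part of the original guide: it grants the service account Read on one certificate's private key and lists the resulting ACL so you can confirm that no broader right was given. The domain name EXAMPLE and the thumbprint placeholder are assumptions; it also assumes RSA keys and an elevated Windows PowerShell session on the VMware Enterprise Systems Connector server. Run it once per certificate.

```powershell
# Added example (not from the original guide).
# Assumed values: replace with your domain\service account and the certificate thumbprint.
$Account    = 'EXAMPLE\caadmin'
$Thumbprint = '<CERTIFICATE-THUMBPRINT>'

# Locate the certificate in the local computer's personal store (step 6).
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this server." }

# Resolve the on-disk key file. CNG and legacy CSP keys live in different folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "No RSA private key could be opened for $Thumbprint." }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
    $dirs = @("$env:ProgramData\Microsoft\Crypto\Keys",
              "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $dirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys")
}
$keyFile = $dirs | ForEach-Object { Join-Path $_ $keyName } |
           Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found in the machine key folders." }

# Grant Read only (step 9); the service account does not need Full Control on the key.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: list every identity that can reach this private key.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

In the output, the service account should appear with Read and nothing higher; any unexpected identity on the key file is worth reviewing before starting the service.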