In some cases, the above steps used to configure the VMware Enterprise Systems Connector may not be sufficient to establish the proper permissions required to log in to the server. To ensure adequate permissions are set, the following steps need to be taken on the VMware Enterprise Systems Connector.

Step 1: Create Service Account with Full Permissions

A service account will be required to run the VMware Enterprise Systems Connector service. Current service account permissions are as follows but are subject to change if the permission levels can be successfully lowered.

  1. Member of the following groups in AD
    • Domain Users
    • Enterprise Admins
    • Remote Desktop Users

      For example, the screen to the right displays the permissions for the Service Account 'caadmin'. This can be the same Service Account mentioned in Other System Requirements.

  2. On the CA Server
    • Member of Local Administrator Group

      For example, the screen to the right displays Local Administrator Group permissions on the CA Server.

    • Full permissions on the Certification Authority

      For example, the screen below displays the full complement of available permissions for 'caadmin'.

Step 2: Use Alternate VMware Enterprise Systems Connector Configuration

  1. On the VMware Enterprise Systems Connector server, run services.msc
  2. Locate and stop the VMware Enterprise Systems Connector service.
  3. Right-click the VMware Enterprise Systems Connector service.
  4. Select Properties.
  5. Select the Log On tab.
  6. Under Log on as:, choose This account and Browse for the Service Account you created in Step 1.

  7. Enter and confirm the password.

  8. Launch the Microsoft Management Console (mmc.exe) and open the personal certificate store of the local computer.

    Ensure you are logged in with an account that has admin permissions for both the VMware Enterprise Systems Connector server and the domain; otherwise, you may not be able to access MMC or add a domain user to manage the private key.

  9. Select the Restricted Enrollment Agent created and installed earlier in Step 4 of this guide.
  10. In MMC, right-click the Restricted Enrollment Certificate you added and select All Tasks and then Manage Private Keys.
  11. Add the Service Account created in Step 1 and set read permissions.

  12. Click OK to save settings and close the Properties page.
  13. Repeat steps 10-12 for both the VMware Enterprise Systems Connector and the Secure Channel Certificates.
    • Both these certificates will be issued by the Device Services Child Certificate.
    • Issued to AW Cloud Connector - VMware Enterprise Systems Connector and AW Cloud Connector - [OG Name].
  14. From services.msc, manually start the VMware Enterprise Systems Connector service.
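
Once Step 2 is complete, the result can be checked with the read-only PowerShell audit below. It is an added example, not part of the original VMware guide: it reports the account the service logs on as and whether that account holds Read, and nothing broader, on each certificate's private key. Assumptions: the service display name matches the name used on this page, `EXAMPLE` is a placeholder domain, the keys are RSA, and the session is Windows PowerShell 5.1 with .NET Framework 4.6 or later.

```powershell
# Added example (not VMware code): read-only audit of the Step 2 result.
# Run in an elevated Windows PowerShell session on the connector server.
param(
    [string]$ServiceAccount     = 'EXAMPLE\caadmin',  # placeholder domain; 'caadmin' is the page's sample account
    [string]$ServiceDisplayName = 'VMware Enterprise Systems Connector',  # assumed display name in services.msc
    [string[]]$SubjectPatterns  = @('*AW Cloud Connector*'),              # subjects named in step 13
    [string[]]$Thumbprints      = @()  # supply the Restricted Enrollment Agent certificate's thumbprint
)
$FSR = [System.Security.AccessControl.FileSystemRights]

function Get-PrivateKeyFile($Cert) {
    # Resolve the on-disk key file whose ACL "Manage Private Keys" edits (RSA keys only).
    $name = $null
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $name = $rsa.Key.UniqueName }
    elseif ($rsa) { $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    if (-not $name) { return $null }
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys", "$env:ProgramData\Microsoft\Crypto\Keys" |
        ForEach-Object { Join-Path $_ $name } | Where-Object { Test-Path $_ } | Select-Object -First 1
}

# Steps 1-7: confirm which account the service logs on as.
$svc = Get-CimInstance Win32_Service | Where-Object DisplayName -eq $ServiceDisplayName
"Service logon account: $($svc.StartName) (state: $($svc.State))"

# Steps 8-13: confirm the account holds Read, and nothing broader, on each private key.
$broad = [int]($FSR::Write -bor $FSR::Delete -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership)
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c = $_
    $c.HasPrivateKey -and (($Thumbprints -contains $c.Thumbprint) -or
        @($SubjectPatterns | Where-Object { $c.Subject -like $_ }).Count -gt 0)
} | ForEach-Object {
    $file = Get-PrivateKeyFile $_
    $mask = 0
    if ($file) {
        foreach ($ace in (Get-Acl -LiteralPath $file).Access) {
            # Only explicit Allow ACEs for the account count here, not access gained through groups.
            if ($ace.IdentityReference.Value -eq $ServiceAccount -and $ace.AccessControlType -eq 'Allow') {
                $mask = $mask -bor [int]$ace.FileSystemRights
            }
        }
    }
    $status = 'OK'
    if (-not $file) { $status = 'KEY FILE NOT FOUND' }
    elseif (($mask -band [int]$FSR::Read) -ne [int]$FSR::Read) { $status = 'READ MISSING' }
    elseif ($mask -band $broad) { $status = 'BROADER THAN READ' }
    [pscustomobject]@{ Subject = $_.Subject; Thumbprint = $_.Thumbprint; KeyAccess = $status }
}
```

A `READ MISSING` result on a key the account can still open usually means access comes through group membership, such as the Local Administrator Group from Step 1, rather than the explicit entry added in step 11.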