The domain user or its AD group should be assigned at least a read-only role at the target vCenter server.