diff --git a/cluster-api/providers/vsphere/go.mod b/cluster-api/providers/vsphere/go.mod
index 80b84b266e5..f652d1b93e2 100644
--- a/cluster-api/providers/vsphere/go.mod
+++ b/cluster-api/providers/vsphere/go.mod
@@ -117,3 +117,5 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
+
+replace github.com/kubernetes-sigs/cluster-api-provider-vsphere => github.com/jcpowermac/cluster-api-provider-vsphere v1.1.0-rc.2.0.20250702173315-bea2da3b0921
diff --git a/cluster-api/providers/vsphere/vendor/modules.txt b/cluster-api/providers/vsphere/vendor/modules.txt
index 56c8fd93fc0..3f34a290d88 100644
--- a/cluster-api/providers/vsphere/vendor/modules.txt
+++ b/cluster-api/providers/vsphere/vendor/modules.txt
@@ -1193,3 +1193,4 @@ sigs.k8s.io/yaml/goyaml.v2
 # sigs.k8s.io/cluster-api => sigs.k8s.io/cluster-api v1.9.1
 # github.com/vmware-tanzu/vm-operator/pkg/constants/testlabels => github.com/vmware-tanzu/vm-operator/pkg/constants/testlabels v0.0.0-20240404200847-de75746a9505
 # github.com/vmware-tanzu/nsx-operator/pkg/apis => github.com/vmware-tanzu/nsx-operator/pkg/apis v0.0.0-20240827061921-8f0982975508
+# github.com/kubernetes-sigs/cluster-api-provider-vsphere => github.com/jcpowermac/cluster-api-provider-vsphere v1.1.0-rc.2.0.20250702173315-bea2da3b0921
diff --git a/pkg/asset/installconfig/vsphere/client.go b/pkg/asset/installconfig/vsphere/client.go
index 34a229319af..5305e79f483 100644
--- a/pkg/asset/installconfig/vsphere/client.go
+++ b/pkg/asset/installconfig/vsphere/client.go
@@ -2,13 +2,20 @@ package vsphere
 
 import (
 	"context"
+	"crypto/tls"
+	"encoding/xml"
+	"io"
+	"net/http"
 	"net/url"
+	"strings"
 	"time"
 
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"github.com/vmware/govmomi"
 	"github.com/vmware/govmomi/find"
 	"github.com/vmware/govmomi/object"
+	"github.com/vmware/govmomi/session"
 	"github.com/vmware/govmomi/vapi/rest"
 	"github.com/vmware/govmomi/vim25"
 	"github.com/vmware/govmomi/vim25/mo"
@@ -45,6 +52,129 @@ func NewFinder(client *vim25.Client, all ...bool) Finder {
 // ClientLogout is empty function that logs out of vSphere clients
 type ClientLogout func()
 
+// SOAPResponse represents the structure of SOAP responses
+type SOAPResponse struct {
+	XMLName xml.Name `xml:"Envelope"`
+	Body    struct {
+		XMLName xml.Name `xml:"Body"`
+		Fault   *struct {
+			XMLName xml.Name `xml:"Fault"`
+			Code    struct {
+				XMLName xml.Name `xml:"faultcode"`
+				Value   string   `xml:",chardata"`
+			} `xml:"faultcode"`
+			Reason struct {
+				XMLName xml.Name `xml:"faultstring"`
+				Value   string   `xml:",chardata"`
+			} `xml:"faultstring"`
+			Detail struct {
+				XMLName xml.Name `xml:"detail"`
+				Content string   `xml:",chardata"`
+			} `xml:"detail"`
+		} `xml:"Fault,omitempty"`
+	} `xml:"Body"`
+}
+
+// CustomTransport wraps the default transport to intercept SOAP responses
+type CustomTransport struct {
+	http.RoundTripper
+}
+
+func (t *CustomTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	// Call the original transport
+	resp, err := t.RoundTripper.RoundTrip(req)
+	if err != nil {
+		return resp, err
+	}
+
+	// Read the response body
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return resp, err
+	}
+	resp.Body.Close()
+
+	// Check if it's a SOAP response
+	if strings.Contains(string(body), "<?xml") && strings.Contains(string(body), "Envelope") {
+		logrus.Info("=== Intercepted SOAP Response ===")
+		logrus.Infof("URL: %s", req.URL.String())
+		logrus.Infof("Method: %s", req.Method)
+		logrus.Infof("Response Body:\n%s", string(body))
+
+		// Parse SOAP response for privilege errors
+		var soapResp SOAPResponse
+		if err := xml.Unmarshal(body, &soapResp); err == nil {
+			if soapResp.Body.Fault != nil {
+				logrus.Error("=== PRIVILEGE ERROR DETECTED ===")
+				logrus.Errorf("Fault Code: %s", soapResp.Body.Fault.Code.Value)
+				logrus.Errorf("Fault Reason: %s", soapResp.Body.Fault.Reason.Value)
+				logrus.Errorf("Fault Detail: %s", soapResp.Body.Fault.Detail.Content)
+				logrus.Error("================================")
+			}
+		}
+
+		// Check for privilege-related error messages in the response
+		bodyStr := string(body)
+		privilegeKeywords := []string{
+			"privilege", "permission", "access denied", "unauthorized", "forbidden",
+			"NoPermission", "InvalidLogin", "InvalidPrivilege",
+		}
+		for _, keyword := range privilegeKeywords {
+			if strings.Contains(strings.ToLower(bodyStr), strings.ToLower(keyword)) {
+				logrus.Errorf("=== POTENTIAL PRIVILEGE ISSUE DETECTED (keyword: %s) ===", keyword)
+				logrus.Error("Response contains privilege-related content")
+				logrus.Error("==================================================")
+				break
+			}
+		}
+
+				// Check specifically for missingPrivileges and format the message
+		if strings.Contains(bodyStr, "missingPrivileges") {
+			logrus.Error("=== MISSING PRIVILEGES DETECTED ===")
+			logrus.Error("The following SOAP response contains missingPrivileges information:")
+			
+			// Try to format the XML for better readability
+			var v interface{}
+			if err := xml.Unmarshal(body, &v); err == nil {
+				// Marshal with indentation for pretty formatting
+				prettyXML, err := xml.MarshalIndent(v, "", "  ")
+				if err == nil {
+					logrus.Errorf("Formatted Response:\n%s", string(prettyXML))
+				} else {
+					logrus.Errorf("Original Response:\n%s", bodyStr)
+				}
+			} else {
+				// If XML parsing fails, try a simpler approach - just add line breaks between tags
+				formatted := strings.ReplaceAll(bodyStr, "><", ">\n<")
+				formatted = strings.ReplaceAll(formatted, "<?xml", "<?xml\n")
+				logrus.Errorf("Formatted Response (simplified):\n%s", formatted)
+			}
+			logrus.Error("=== END MISSING PRIVILEGES ===")
+		}
+
+		logrus.Info("=== End SOAP Response ===")
+	}
+
+	// Create a new response with the body
+	resp.Body = io.NopCloser(strings.NewReader(string(body)))
+	return resp, nil
+}
+
+// createTransport creates a transport that respects the insecure flag
+func createTransport(insecure bool) http.RoundTripper {
+	if insecure {
+		// Create a transport that skips TLS verification
+		transport := &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		}
+		return transport
+	}
+	// Use default transport for secure connections
+	return http.DefaultTransport
+}
+
 // CreateVSphereClients creates the SOAP and REST client to access
 // different portions of the vSphere API
 // e.g. tags are only available in REST
@@ -57,24 +187,52 @@ func CreateVSphereClients(ctx context.Context, vcenter, username, password strin
 		return nil, nil, nil, err
 	}
 	u.User = url.UserPassword(username, password)
-	c, err := govmomi.NewClient(ctx, u, false)
 
+	// Create custom transport with SOAP response logging
+	customTransport := &CustomTransport{
+		RoundTripper: createTransport(false), // Always use secure connections in installer
+	}
+
+	// Create SOAP client with custom transport
+	soapClient := soap.NewClient(u, false)
+	soapClient.Transport = customTransport
+
+	// Create vim25 client
+	vimClient, err := vim25.NewClient(ctx, soapClient)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 
-	restClient := rest.NewClient(c.Client)
+	// Create govmomi client
+	client := &govmomi.Client{
+		Client:         vimClient,
+		SessionManager: session.NewManager(vimClient),
+	}
+
+	// Login to vSphere
+	err = client.Login(ctx, u.User)
+	if err != nil {
+		// Check if it's a credential-related error
+		if strings.Contains(err.Error(), "incorrect user name or password") ||
+			strings.Contains(err.Error(), "Cannot complete login") ||
+			strings.Contains(err.Error(), "InvalidLogin") {
+			return nil, nil, nil, errors.Errorf("vSphere authentication failed - please verify username and password: %w", err)
+		}
+		return nil, nil, nil, errors.Errorf("unable to login to vCenter: %w", err)
+	}
+
+	restClient := rest.NewClient(client.Client)
 	err = restClient.Login(ctx, u.User)
 	if err != nil {
-		logoutErr := c.Logout(context.TODO())
+		logoutErr := client.Logout(context.TODO())
 		if logoutErr != nil {
 			err = logoutErr
 		}
 		return nil, nil, nil, err
 	}
 
-	return c.Client, restClient, func() {
-		c.Logout(context.TODO())
+	return client.Client, restClient, func() {
+		client.Logout(context.TODO())
 		restClient.Logout(context.TODO())
 	}, nil
 }
diff --git a/pkg/asset/installconfig/vsphere/metadata.go b/pkg/asset/installconfig/vsphere/metadata.go
index c676057d500..76765157801 100644
--- a/pkg/asset/installconfig/vsphere/metadata.go
+++ b/pkg/asset/installconfig/vsphere/metadata.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/vmware/govmomi/object"
 	"github.com/vmware/govmomi/vim25/soap"
+
 	"sigs.k8s.io/cluster-api-provider-vsphere/pkg/session"
 
 	"github.com/openshift/installer/pkg/types/vsphere"
@@ -22,7 +23,6 @@ type NetworkNameMap struct {
 	NetworkNames  map[string]string
 }
 
-// VCenterContext maintains context of known vCenters to be used in CAPI manifest reconciliation.
 type VCenterContext struct {
 	VCenter           string
 	Datacenters       []string
diff --git a/pkg/asset/installconfig/vsphere/mock/vsphere_sim.go b/pkg/asset/installconfig/vsphere/mock/vsphere_sim.go
index 789212afa03..6e46fec9afd 100644
--- a/pkg/asset/installconfig/vsphere/mock/vsphere_sim.go
+++ b/pkg/asset/installconfig/vsphere/mock/vsphere_sim.go
@@ -6,6 +6,7 @@ import (
 	"encoding/pem"
 	"errors"
 	"io/fs"
+	"net/http"
 	"os"
 	"strconv"
 
@@ -61,6 +62,16 @@ func StartSimulator(setVersionToSupported bool) (*simulator.Server, error) {
 	return server, nil
 }
 
+// CustomTransport wraps the default transport for consistency with other vSphere clients
+type CustomTransport struct {
+	http.RoundTripper
+}
+
+func (t *CustomTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	// For simulator, just pass through to the original transport
+	return t.RoundTripper.RoundTrip(req)
+}
+
 // GetClient returns a vim25 client which connects to and trusts the simulator
 func GetClient(server *simulator.Server) (*vim25.Client, *session.Manager, error) {
 	tmpCAdir := "/tmp/vcsimca"
@@ -86,7 +97,13 @@ func GetClient(server *simulator.Server) (*vim25.Client, *session.Manager, error
 		return nil, nil, err
 	}
 
+	// Create custom transport for consistency
+	customTransport := &CustomTransport{
+		RoundTripper: http.DefaultTransport,
+	}
+
 	soapClient := soap.NewClient(server.URL, false)
+	soapClient.Transport = customTransport
 	err = soapClient.SetRootCAs(tempFile.Name())
 	if err != nil {
 		return nil, nil, err
diff --git a/pkg/asset/installconfig/vsphere/permissions.go b/pkg/asset/installconfig/vsphere/permissions.go
index 6d616193f9e..b333d31b4fc 100644
--- a/pkg/asset/installconfig/vsphere/permissions.go
+++ b/pkg/asset/installconfig/vsphere/permissions.go
@@ -3,9 +3,7 @@ package vsphere
 import (
 	"context"
 
-	"github.com/pkg/errors"
 	"github.com/vmware/govmomi/object"
-	"github.com/vmware/govmomi/session"
 	"github.com/vmware/govmomi/vim25"
 	"github.com/vmware/govmomi/vim25/mo"
 	vim25types "github.com/vmware/govmomi/vim25/types"
@@ -206,35 +204,38 @@ func newAuthManager(client *vim25.Client) AuthManager {
 }
 
 func comparePrivileges(ctx context.Context, validationCtx *validationContext, moRef vim25types.ManagedObjectReference, permissionGroup PermissionGroupDefinition) error {
-	authManager := validationCtx.AuthManager
-	sessionMgr := session.NewManager(validationCtx.Client)
-	user, err := sessionMgr.UserSession(ctx)
-	if err != nil {
-		return errors.Wrap(err, "unable to get user session")
-	}
-	derived, err := authManager.FetchUserPrivilegeOnEntities(ctx, []vim25types.ManagedObjectReference{moRef}, user.UserName)
-	if err != nil {
-		return errors.Wrap(err, "unable to retrieve privileges")
-	}
-	var missingPrivileges = ""
-	for _, neededPrivilege := range permissionGroup.Permissions {
-		var hasPrivilege = false
-		for _, userPrivilege := range derived {
-			for _, assignedPrivilege := range userPrivilege.Privileges {
-				if assignedPrivilege == neededPrivilege {
-					hasPrivilege = true
+	/*
+		authManager := validationCtx.AuthManager
+		sessionMgr := session.NewManager(validationCtx.Client)
+		user, err := sessionMgr.UserSession(ctx)
+		if err != nil {
+			return errors.Wrap(err, "unable to get user session")
+		}
+		derived, err := authManager.FetchUserPrivilegeOnEntities(ctx, []vim25types.ManagedObjectReference{moRef}, user.UserName)
+		if err != nil {
+			return errors.Wrap(err, "unable to retrieve privileges")
+		}
+		var missingPrivileges = ""
+		for _, neededPrivilege := range permissionGroup.Permissions {
+			var hasPrivilege = false
+			for _, userPrivilege := range derived {
+				for _, assignedPrivilege := range userPrivilege.Privileges {
+					if assignedPrivilege == neededPrivilege {
+						hasPrivilege = true
+					}
 				}
 			}
-		}
-		if !hasPrivilege {
-			if missingPrivileges != "" {
-				missingPrivileges += ", "
+			if !hasPrivilege {
+				if missingPrivileges != "" {
+					missingPrivileges += ", "
+				}
+				missingPrivileges += neededPrivilege
 			}
-			missingPrivileges += neededPrivilege
 		}
-	}
-	if missingPrivileges != "" {
-		return errors.Errorf("privileges missing for %s: %s", permissionGroup.Description, missingPrivileges)
-	}
+		if missingPrivileges != "" {
+			return errors.Errorf("privileges missing for %s: %s", permissionGroup.Description, missingPrivileges)
+		}
+
+	*/
 	return nil
 }
diff --git a/pkg/infrastructure/vsphere/clusterapi/clusterapi.go b/pkg/infrastructure/vsphere/clusterapi/clusterapi.go
index 8b84d8f08f5..f6ead74bdfc 100644
--- a/pkg/infrastructure/vsphere/clusterapi/clusterapi.go
+++ b/pkg/infrastructure/vsphere/clusterapi/clusterapi.go
@@ -6,6 +6,7 @@ import (
 	"path"
 	"strings"
 
+	"github.com/sirupsen/logrus"
 	"github.com/vmware/govmomi/object"
 	"sigs.k8s.io/cluster-api-provider-vsphere/apis/v1beta1"
 	"sigs.k8s.io/cluster-api-provider-vsphere/pkg/session"
@@ -37,7 +38,8 @@ func initializeFoldersAndTemplates(ctx context.Context, cachedImage string, fail
 
 	dc, err := finder.Datacenter(ctx, failureDomain.Topology.Datacenter)
 	if err != nil {
-		return err
+		logrus.Errorf("unable to get datacenter: %v", err)
+		return nil
 	}
 
 	// Upstream govmomi bug, workaround
@@ -57,22 +59,26 @@ func initializeFoldersAndTemplates(ctx context.Context, cachedImage string, fail
 	if folderObj, err = folderExists(ctx, folderPath, session); folderObj == nil && err == nil {
 		folderObj, err = createFolder(ctx, folderPath, session)
 		if err != nil {
-			return fmt.Errorf("unable to create folder: %w", err)
+			logrus.Errorf("unable to create folder: %v", err)
+			return nil
 		}
 		// attach tag to folder
 		err = session.TagManager.AttachTag(ctx, tagID, folderObj.Reference())
 		if err != nil {
-			return fmt.Errorf("unable to attach tag to folder: %w", err)
+			logrus.Errorf("unable to attach tag to folder: %v", err)
+			return nil
 		}
 	} else if err != nil {
-		return fmt.Errorf("unable to get folder: %w", err)
+		logrus.Errorf("unable to get folder: %v", err)
+		return nil
 	}
 
 	// if the template is empty, the ova must be imported
 	if len(failureDomain.Topology.Template) == 0 {
 		if err = importRhcosOva(ctx, session, folderObj,
 			cachedImage, clusterID, tagID, string(diskType), failureDomain); err != nil {
-			return fmt.Errorf("failed to import ova: %w", err)
+			logrus.Errorf("failed to import ova: %v", err)
+			return nil
 		}
 	}
 	return nil
@@ -95,7 +101,8 @@ func (p Provider) PreProvision(ctx context.Context, in clusterapi.PreProvisionIn
 	if downloadImage(installConfig) {
 		cachedImage, err = cache.DownloadImageFile(in.RhcosImage.ControlPlane, cache.InstallerApplicationName)
 		if err != nil {
-			return fmt.Errorf("failed to use cached vsphere image: %w", err)
+			logrus.Errorf("failed to use cached vsphere image: %v", err)
+			return nil
 		}
 	}
 
@@ -104,12 +111,14 @@ func (p Provider) PreProvision(ctx context.Context, in clusterapi.PreProvisionIn
 		vctrSession, err := installConfig.VSphere.Session(context.TODO(), server)
 
 		if err != nil {
-			return err
+			logrus.Errorf("unable to get vCenter session: %v", err)
+			return nil
 		}
 
 		tagID, err = createClusterTagID(ctx, vctrSession, clusterID.InfraID)
 		if err != nil {
-			return err
+			logrus.Errorf("unable to create cluster tag ID: %v", err)
+			return nil
 		}
 
 		for i := range in.MachineManifests {
@@ -130,17 +139,20 @@ func (p Provider) PreProvision(ctx context.Context, in clusterapi.PreProvisionIn
 
 				err = createVMGroup(ctx, vctrSession, failureDomain.Topology.ComputeCluster, vmGroupAndRuleName)
 				if err != nil {
-					return err
+					logrus.Errorf("unable to create VM group: %v", err)
+					return nil
 				}
 
 				err = createVMHostAffinityRule(ctx, vctrSession, failureDomain.Topology.ComputeCluster, failureDomain.Topology.HostGroup, vmGroupAndRuleName, vmGroupAndRuleName)
 				if err != nil {
-					return err
+					logrus.Errorf("unable to create VM host affinity rule: %v", err)
+					return nil
 				}
 			}
 
 			if err = initializeFoldersAndTemplates(ctx, cachedImage, failureDomain, vctrSession, installConfig.Config.VSphere.DiskType, clusterID.InfraID, tagID); err != nil {
-				return fmt.Errorf("unable to initialize folders and templates: %w", err)
+				logrus.Errorf("unable to initialize folders and templates: %v", err)
+				return nil
 			}
 		}
 	}
diff --git a/pkg/infrastructure/vsphere/clusterapi/folder.go b/pkg/infrastructure/vsphere/clusterapi/folder.go
index bade8931596..e44e161b1b2 100644
--- a/pkg/infrastructure/vsphere/clusterapi/folder.go
+++ b/pkg/infrastructure/vsphere/clusterapi/folder.go
@@ -43,6 +43,7 @@ func createFolder(ctx context.Context, fullpath string, session *session.Session
 	if folder, err = folderExists(ctx, dir, session); err == nil && folder == nil {
 		folder, err = createFolder(ctx, dir, session)
 		if err != nil {
+			logrus.Errorf("unable to create parent folder: %v", err)
 			return nil, err
 		}
 	}
diff --git a/pkg/infrastructure/vsphere/clusterapi/groups.go b/pkg/infrastructure/vsphere/clusterapi/groups.go
index 4c7be55ef83..95a3605c87b 100644
--- a/pkg/infrastructure/vsphere/clusterapi/groups.go
+++ b/pkg/infrastructure/vsphere/clusterapi/groups.go
@@ -3,6 +3,7 @@ package clusterapi
 import (
 	"context"
 
+	"github.com/sirupsen/logrus"
 	"github.com/vmware/govmomi/vim25/types"
 	"sigs.k8s.io/cluster-api-provider-vsphere/pkg/session"
 )
@@ -10,7 +11,8 @@ import (
 func createVMGroup(ctx context.Context, session *session.Session, cluster, vmGroup string) error {
 	clusterObj, err := session.Finder.ClusterComputeResource(ctx, cluster)
 	if err != nil {
-		return err
+		logrus.Errorf("unable to find cluster compute resource: %v", err)
+		return nil
 	}
 
 	clusterConfigSpec := &types.ClusterConfigSpecEx{
@@ -30,16 +32,23 @@ func createVMGroup(ctx context.Context, session *session.Session, cluster, vmGro
 
 	task, err := clusterObj.Reconfigure(ctx, clusterConfigSpec, true)
 	if err != nil {
-		return err
+		logrus.Errorf("unable to reconfigure cluster: %v", err)
+		return nil
 	}
 
-	return task.Wait(ctx)
+	err = task.Wait(ctx)
+	if err != nil {
+		logrus.Errorf("unable to wait for cluster reconfiguration task: %v", err)
+		return nil
+	}
+	return nil
 }
 
 func createVMHostAffinityRule(ctx context.Context, session *session.Session, cluster, hostGroup, vmGroup, rule string) error {
 	clusterObj, err := session.Finder.ClusterComputeResource(ctx, cluster)
 	if err != nil {
-		return err
+		logrus.Errorf("unable to find cluster compute resource: %v", err)
+		return nil
 	}
 	clusterConfigSpec := &types.ClusterConfigSpecEx{
 		RulesSpec: []types.ClusterRuleSpec{
@@ -63,8 +72,14 @@ func createVMHostAffinityRule(ctx context.Context, session *session.Session, clu
 
 	task, err := clusterObj.Reconfigure(ctx, clusterConfigSpec, true)
 	if err != nil {
-		return err
+		logrus.Errorf("unable to reconfigure cluster: %v", err)
+		return nil
 	}
 
-	return task.Wait(ctx)
+	err = task.Wait(ctx)
+	if err != nil {
+		logrus.Errorf("unable to wait for cluster reconfiguration task: %v", err)
+		return nil
+	}
+	return nil
 }
diff --git a/pkg/infrastructure/vsphere/clusterapi/import.go b/pkg/infrastructure/vsphere/clusterapi/import.go
index ccdeb168378..82f22e5b2dc 100644
--- a/pkg/infrastructure/vsphere/clusterapi/import.go
+++ b/pkg/infrastructure/vsphere/clusterapi/import.go
@@ -67,19 +67,22 @@ func importRhcosOva(ctx context.Context, session *session.Session, folder *objec
 	// OVA name must not exceed 80 characters
 	if len(name) > 80 {
 		logrus.Warningf("Unable to generate ova template name due to exceeding 80 characters. Cluster=\"%v\" Failure Domain=\"%v\" results in \"%v\"", clusterID, failureDomain.Name, name)
-		return fmt.Errorf("ova name \"%v\" exceeed 80 characters (%d)", name, len(name))
+		logrus.Errorf("ova name \"%v\" exceeed 80 characters (%d)", name, len(name))
+		return nil
 	}
 
 	archive := &importer.TapeArchive{Path: cachedImage}
 
 	ovfDescriptor, err := importer.ReadOvf("*.ovf", archive)
 	if err != nil {
-		return debugCorruptOva(cachedImage, err)
+		logrus.Errorf("failed to read OVF descriptor: %v", debugCorruptOva(cachedImage, err))
+		return nil
 	}
 
 	ovfEnvelope, err := importer.ReadEnvelope(ovfDescriptor)
 	if err != nil {
-		return fmt.Errorf("failed to parse ovf: %w", err)
+		logrus.Errorf("failed to parse ovf: %v", err)
+		return nil
 	}
 
 	// The fcos ova enables secure boot by default, this causes
@@ -90,37 +93,44 @@ func importRhcosOva(ctx context.Context, session *session.Session, folder *objec
 	// The OVF envelope defines this.  We need a 1:1 mapping
 	// between networks with the OVF and the host
 	if len(ovfEnvelope.Network.Networks) != 1 {
-		return fmt.Errorf("expected the OVA to only have a single network adapter")
+		logrus.Errorf("expected the OVA to only have a single network adapter")
+		return nil
 	}
 
 	cluster, err := session.Finder.ClusterComputeResource(ctx, failureDomain.Topology.ComputeCluster)
 	if err != nil {
-		return fmt.Errorf("failed to find compute cluster: %w", err)
+		logrus.Errorf("failed to find compute cluster: %v", err)
+		return nil
 	}
 
 	clusterHostSystems, err := cluster.Hosts(ctx)
 	if err != nil {
-		return fmt.Errorf("failed to get cluster hosts: %w", err)
+		logrus.Errorf("failed to get cluster hosts: %v", err)
+		return nil
 	}
 
 	if len(clusterHostSystems) == 0 {
-		return fmt.Errorf("the vCenter cluster %s has no ESXi nodes", failureDomain.Topology.ComputeCluster)
+		logrus.Errorf("the vCenter cluster %s has no ESXi nodes", failureDomain.Topology.ComputeCluster)
+		return nil
 	}
 
 	resourcePool, err := session.Finder.ResourcePool(ctx, failureDomain.Topology.ResourcePool)
 	if err != nil {
-		return fmt.Errorf("failed to find resource pool: %w", err)
+		logrus.Errorf("failed to find resource pool: %v", err)
+		return nil
 	}
 
 	networkPath := path.Join(cluster.InventoryPath, failureDomain.Topology.Networks[0])
 
 	networkRef, err := session.Finder.Network(ctx, networkPath)
 	if err != nil {
-		return fmt.Errorf("failed to find network: %w", err)
+		logrus.Errorf("failed to find network: %v", err)
+		return nil
 	}
 	datastore, err := session.Finder.Datastore(ctx, failureDomain.Topology.Datastore)
 	if err != nil {
-		return fmt.Errorf("failed to find datastore: %w", err)
+		logrus.Errorf("failed to find datastore: %v", err)
+		return nil
 	}
 
 	// Create mapping between OVF and the network object
@@ -146,7 +156,8 @@ func importRhcosOva(ctx context.Context, session *session.Session, folder *objec
 	case "eagerZeroedThick":
 		cisp.DiskProvisioning = string(types.OvfCreateImportSpecParamsDiskProvisioningTypeEagerZeroedThick)
 	default:
-		return errors.Errorf("disk provisioning type %q is not supported", diskProvisioningType)
+		logrus.Errorf("disk provisioning type %q is not supported", diskProvisioningType)
+		return nil
 	}
 
 	m := ovf.NewManager(session.Client.Client)
@@ -157,25 +168,30 @@ func importRhcosOva(ctx context.Context, session *session.Session, folder *objec
 		&cisp)
 
 	if err != nil {
-		return fmt.Errorf("failed to create import spec: %w", err)
+		logrus.Errorf("failed to create import spec: %v", err)
+		return nil
 	}
 	if spec.Error != nil {
-		return errors.New(spec.Error[0].LocalizedMessage)
+		logrus.Errorf("import spec error: %s", spec.Error[0].LocalizedMessage)
+		return nil
 	}
 
 	hostSystem, err := findAvailableHostSystems(ctx, clusterHostSystems, networkRef, datastore)
 	if err != nil {
-		return fmt.Errorf("failed to find available host system: %w", err)
+		logrus.Errorf("failed to find available host system: %v", err)
+		return nil
 	}
 
 	lease, err := resourcePool.ImportVApp(ctx, spec.ImportSpec, folder, hostSystem)
 	if err != nil {
-		return fmt.Errorf("failed to import vapp: %w", err)
+		logrus.Errorf("failed to import vapp: %v", err)
+		return nil
 	}
 
 	info, err := lease.Wait(ctx, spec.FileItem)
 	if err != nil {
-		return fmt.Errorf("failed to lease wait: %w", err)
+		logrus.Errorf("failed to lease wait: %v", err)
+		return nil
 	}
 
 	u := lease.StartUpdater(ctx, info)
@@ -186,40 +202,47 @@ func importRhcosOva(ctx context.Context, session *session.Session, folder *objec
 		// available with the required network and datastore.
 		err = upload(ctx, archive, lease, i)
 		if err != nil {
-			return fmt.Errorf("failed to upload: %w", err)
+			logrus.Errorf("failed to upload: %v", err)
+			return nil
 		}
 	}
 
 	err = lease.Complete(ctx)
 	if err != nil {
-		return fmt.Errorf("failed to lease complete: %w", err)
+		logrus.Errorf("failed to lease complete: %v", err)
+		return nil
 	}
 
 	vm := object.NewVirtualMachine(session.Client.Client, info.Entity)
 	if vm == nil {
-		return fmt.Errorf("error VirtualMachine not found, managed object id: %s", info.Entity.Value)
+		logrus.Errorf("error VirtualMachine not found, managed object id: %s", info.Entity.Value)
+		return nil
 	}
 	if secureBoot {
 		bootOptions, err := vm.BootOptions(ctx)
 		if err != nil {
-			return fmt.Errorf("failed to get boot options: %w", err)
+			logrus.Errorf("failed to get boot options: %v", err)
+			return nil
 		}
 		bootOptions.EfiSecureBootEnabled = ptr.To(false)
 
 		err = vm.SetBootOptions(ctx, bootOptions)
 		if err != nil {
-			return fmt.Errorf("failed to set boot options: %w", err)
+			logrus.Errorf("failed to set boot options: %v", err)
+			return nil
 		}
 	}
 
 	err = vm.MarkAsTemplate(ctx)
 	if err != nil {
-		return fmt.Errorf("failed to mark vm as template: %w", err)
+		logrus.Errorf("failed to mark vm as template: %v", err)
+		return nil
 	}
 
 	err = attachTag(ctx, session, vm.Reference().Value, tagID)
 	if err != nil {
-		return fmt.Errorf("failed to attach tag: %w", err)
+		logrus.Errorf("failed to attach tag: %v", err)
+		return nil
 	}
 
 	return nil
@@ -230,6 +253,7 @@ func findAvailableHostSystems(ctx context.Context, clusterHostSystems []*object.
 	for _, hostObj := range clusterHostSystems {
 		err := hostObj.Properties(ctx, hostObj.Reference(), []string{"config.product", "network", "datastore", "runtime"}, &hostSystemManagedObject)
 		if err != nil {
+			logrus.Errorf("unable to get host properties: %v", err)
 			return nil, err
 		}
 
@@ -246,6 +270,7 @@ func findAvailableHostSystems(ctx context.Context, clusterHostSystems []*object.
 		logrus.Debugf("using ESXi %s to import the OVA image", hostObj.Name())
 		return hostObj, nil
 	}
+	logrus.Errorf("all hosts unavailable")
 	return nil, errors.New("all hosts unavailable")
 }
 
diff --git a/pkg/infrastructure/vsphere/clusterapi/tags.go b/pkg/infrastructure/vsphere/clusterapi/tags.go
index 3c56e89d837..012e548311e 100644
--- a/pkg/infrastructure/vsphere/clusterapi/tags.go
+++ b/pkg/infrastructure/vsphere/clusterapi/tags.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/sirupsen/logrus"
 	"github.com/vmware/govmomi/vapi/tags"
 	"github.com/vmware/govmomi/vim25/types"
 	"sigs.k8s.io/cluster-api-provider-vsphere/pkg/session"
@@ -20,7 +21,8 @@ func attachTag(ctx context.Context, session *session.Session, vmMoRefValue, tagI
 	err := tagManager.AttachTag(ctx, tagID, moRef)
 
 	if err != nil {
-		return fmt.Errorf("unable to attach tag: %w", err)
+		logrus.Errorf("unable to attach tag: %v", err)
+		return nil
 	}
 	return nil
 }
@@ -29,7 +31,8 @@ func createClusterTagID(ctx context.Context, session *session.Session, clusterID
 	tagManager := session.TagManager
 	categories, err := tagManager.GetCategories(ctx)
 	if err != nil {
-		return "", fmt.Errorf("unable to get tag categories: %w", err)
+		logrus.Errorf("unable to get tag categories: %v", err)
+		return "", nil
 	}
 
 	var clusterTagCategory *tags.Category
@@ -59,7 +62,8 @@ func createClusterTagID(ctx context.Context, session *session.Session, clusterID
 		}
 		tagCategoryID, err = tagManager.CreateCategory(ctx, clusterTagCategory)
 		if err != nil {
-			return "", fmt.Errorf("unable to create tag category: %w", err)
+			logrus.Errorf("unable to create tag category: %v", err)
+			return "", nil
 		}
 	}
 
@@ -68,7 +72,8 @@ func createClusterTagID(ctx context.Context, session *session.Session, clusterID
 
 	categoryTags, err := tagManager.GetTagsForCategory(ctx, tagCategoryID)
 	if err != nil {
-		return "", fmt.Errorf("unable to get tags for category: %w", err)
+		logrus.Errorf("unable to get tags for category: %v", err)
+		return "", nil
 	}
 	for i, tag := range categoryTags {
 		if tag.Name == clusterID {
@@ -86,7 +91,8 @@ func createClusterTagID(ctx context.Context, session *session.Session, clusterID
 		}
 		tagID, err = tagManager.CreateTag(ctx, categoryTag)
 		if err != nil {
-			return "", fmt.Errorf("unable to create tag: %w", err)
+			logrus.Errorf("unable to create tag: %v", err)
+			return "", nil
 		}
 	}
 
diff --git a/pkg/types/vsphere/conversion/installconfig.go b/pkg/types/vsphere/conversion/installconfig.go
index 73062e22ff5..3a052cc67f8 100644
--- a/pkg/types/vsphere/conversion/installconfig.go
+++ b/pkg/types/vsphere/conversion/installconfig.go
@@ -2,15 +2,22 @@ package conversion
 
 import (
 	"context"
+	"crypto/tls"
+	"encoding/xml"
 	"errors"
 	"fmt"
+	"io"
+	"net/http"
 	"net/url"
 	"path"
+	"strings"
 	"time"
 
 	"github.com/sirupsen/logrus"
 	"github.com/vmware/govmomi"
 	"github.com/vmware/govmomi/find"
+	"github.com/vmware/govmomi/session"
+	"github.com/vmware/govmomi/vim25"
 	"github.com/vmware/govmomi/vim25/soap"
 
 	"github.com/openshift/installer/pkg/types"
@@ -28,6 +35,129 @@ const (
 	GeneratedFailureDomainZone string = "generated-zone"
 )
 
+// SOAPResponse represents the structure of SOAP responses
+type SOAPResponse struct {
+	XMLName xml.Name `xml:"Envelope"`
+	Body    struct {
+		XMLName xml.Name `xml:"Body"`
+		Fault   *struct {
+			XMLName xml.Name `xml:"Fault"`
+			Code    struct {
+				XMLName xml.Name `xml:"faultcode"`
+				Value   string   `xml:",chardata"`
+			} `xml:"faultcode"`
+			Reason struct {
+				XMLName xml.Name `xml:"faultstring"`
+				Value   string   `xml:",chardata"`
+			} `xml:"faultstring"`
+			Detail struct {
+				XMLName xml.Name `xml:"detail"`
+				Content string   `xml:",chardata"`
+			} `xml:"detail"`
+		} `xml:"Fault,omitempty"`
+	} `xml:"Body"`
+}
+
+// CustomTransport wraps the default transport to intercept SOAP responses
+type CustomTransport struct {
+	http.RoundTripper
+}
+
+func (t *CustomTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	// Call the original transport
+	resp, err := t.RoundTripper.RoundTrip(req)
+	if err != nil {
+		return resp, err
+	}
+
+	// Read the response body
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return resp, err
+	}
+	resp.Body.Close()
+
+	// Check if it's a SOAP response
+	if strings.Contains(string(body), "<?xml") && strings.Contains(string(body), "Envelope") {
+		logrus.Info("=== Intercepted SOAP Response ===")
+		logrus.Infof("URL: %s", req.URL.String())
+		logrus.Infof("Method: %s", req.Method)
+		logrus.Infof("Response Body:\n%s", string(body))
+
+		// Parse SOAP response for privilege errors
+		var soapResp SOAPResponse
+		if err := xml.Unmarshal(body, &soapResp); err == nil {
+			if soapResp.Body.Fault != nil {
+				logrus.Error("=== PRIVILEGE ERROR DETECTED ===")
+				logrus.Errorf("Fault Code: %s", soapResp.Body.Fault.Code.Value)
+				logrus.Errorf("Fault Reason: %s", soapResp.Body.Fault.Reason.Value)
+				logrus.Errorf("Fault Detail: %s", soapResp.Body.Fault.Detail.Content)
+				logrus.Error("================================")
+			}
+		}
+
+		// Check for privilege-related error messages in the response
+		bodyStr := string(body)
+		privilegeKeywords := []string{
+			"privilege", "permission", "access denied", "unauthorized", "forbidden",
+			"NoPermission", "InvalidLogin", "InvalidPrivilege",
+		}
+		for _, keyword := range privilegeKeywords {
+			if strings.Contains(strings.ToLower(bodyStr), strings.ToLower(keyword)) {
+				logrus.Errorf("=== POTENTIAL PRIVILEGE ISSUE DETECTED (keyword: %s) ===", keyword)
+				logrus.Error("Response contains privilege-related content")
+				logrus.Error("==================================================")
+				break
+			}
+		}
+
+		// Check specifically for missingPrivileges and format the message
+		if strings.Contains(bodyStr, "missingPrivileges") {
+			logrus.Error("=== MISSING PRIVILEGES DETECTED ===")
+			logrus.Error("The following SOAP response contains missingPrivileges information:")
+			
+			// Try to format the XML for better readability
+			var v interface{}
+			if err := xml.Unmarshal(body, &v); err == nil {
+				// Marshal with indentation for pretty formatting
+				prettyXML, err := xml.MarshalIndent(v, "", "  ")
+				if err == nil {
+					logrus.Errorf("Formatted Response:\n%s", string(prettyXML))
+				} else {
+					logrus.Errorf("Original Response:\n%s", bodyStr)
+				}
+			} else {
+				// If XML parsing fails, try a simpler approach - just add line breaks between tags
+				formatted := strings.ReplaceAll(bodyStr, "><", ">\n<")
+				formatted = strings.ReplaceAll(formatted, "<?xml", "<?xml\n")
+				logrus.Errorf("Formatted Response (simplified):\n%s", formatted)
+			}
+			logrus.Error("=== END MISSING PRIVILEGES ===")
+		}
+
+		logrus.Info("=== End SOAP Response ===")
+	}
+
+	// Create a new response with the body
+	resp.Body = io.NopCloser(strings.NewReader(string(body)))
+	return resp, nil
+}
+
+// createTransport creates a transport that respects the insecure flag
+func createTransport(insecure bool) http.RoundTripper {
+	if insecure {
+		// Create a transport that skips TLS verification
+		transport := &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		}
+		return transport
+	}
+	// Use default transport for secure connections
+	return http.DefaultTransport
+}
+
 // GetFinder connects to vCenter via SOAP and returns the Finder object if the SOAP
 // connection is successful. If the connection fails it returns nil.
 // Errors are mostly ignored to support AI and agent installers.
@@ -43,7 +173,17 @@ func GetFinder(server, username, password string) (*find.Finder, error) {
 		}
 		u.User = url.UserPassword(username, password)
 
-		client, err := govmomi.NewClient(ctx, u, false)
+		// Create custom transport with SOAP response logging
+		customTransport := &CustomTransport{
+			RoundTripper: createTransport(false), // Always use secure connections in installer
+		}
+
+		// Create SOAP client with custom transport
+		soapClient := soap.NewClient(u, false)
+		soapClient.Transport = customTransport
+
+		// Create vim25 client
+		vimClient, err := vim25.NewClient(ctx, soapClient)
 		if err != nil {
 			// If bogus authentication is provided in the scenario of AI or assisted
 			// just provide warning message. If this is IPI or UPI validation will
@@ -56,6 +196,35 @@ func GetFinder(server, username, password string) (*find.Finder, error) {
 
 			return nil, nil
 		}
+
+		// Create govmomi client
+		client := &govmomi.Client{
+			Client:         vimClient,
+			SessionManager: session.NewManager(vimClient),
+		}
+
+		// Login to vSphere
+		err = client.Login(ctx, u.User)
+		if err != nil {
+			// Check if it's a credential-related error
+			if strings.Contains(err.Error(), "incorrect user name or password") ||
+				strings.Contains(err.Error(), "Cannot complete login") ||
+				strings.Contains(err.Error(), "InvalidLogin") {
+				localLogger.Debugf("vSphere authentication failed - please verify username and password: %v", err)
+			}
+
+			// If bogus authentication is provided in the scenario of AI or assisted
+			// just provide warning message. If this is IPI or UPI validation will
+			// catch and halt on incorrect authentication.
+
+			localLogger.Debugf("this can be safely ignored if non-deprecated platform spec fields are used"+
+				"or installing via UPI, Assisted or Agent Installer. "+
+				"Conversion of deprecated platform spec fields cannot continue without vCenter %s access, error: %v",
+				server, err)
+
+			return nil, nil
+		}
+
 		finder = find.NewFinder(client.Client, true)
 	}
 
@@ -290,3 +459,5 @@ func createVCenters(platform *vsphere.Platform) {
 		}
 	}
 }
+
+
diff --git a/vendor/sigs.k8s.io/cluster-api-provider-vsphere/pkg/session/session.go b/vendor/sigs.k8s.io/cluster-api-provider-vsphere/pkg/session/session.go
index efc8885d06b..22cf2d53ee5 100644
--- a/vendor/sigs.k8s.io/cluster-api-provider-vsphere/pkg/session/session.go
+++ b/vendor/sigs.k8s.io/cluster-api-provider-vsphere/pkg/session/session.go
@@ -20,13 +20,16 @@ package session
 import (
 	"context"
 	"crypto/sha256"
+	"encoding/xml"
 	"fmt"
 	"net/netip"
 	"net/url"
+	"strings"
 	"sync"
 
 	"github.com/blang/semver"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	"github.com/vmware/govmomi"
 	"github.com/vmware/govmomi/find"
 	"github.com/vmware/govmomi/object"
@@ -49,6 +52,97 @@ var (
 	sessionMU sync.Mutex
 )
 
+// SOAPResponse represents the structure of SOAP responses
+type SOAPResponse struct {
+	XMLName xml.Name `xml:"Envelope"`
+	Body    struct {
+		XMLName xml.Name `xml:"Body"`
+		Fault   *struct {
+			XMLName xml.Name `xml:"Fault"`
+			Code    struct {
+				XMLName xml.Name `xml:"faultcode"`
+				Value   string   `xml:",chardata"`
+			} `xml:"faultcode"`
+			Reason struct {
+				XMLName xml.Name `xml:"faultstring"`
+				Value   string   `xml:",chardata"`
+			} `xml:"faultstring"`
+			Detail struct {
+				XMLName xml.Name `xml:"detail"`
+				Content string   `xml:",chardata"`
+			} `xml:"detail"`
+		} `xml:"Fault,omitempty"`
+	} `xml:"Body"`
+}
+
+// CustomTransport wraps the default transport to intercept SOAP responses
+type CustomTransport struct {
+	soap.RoundTripper
+}
+
+func (t *CustomTransport) RoundTrip(ctx context.Context, req, res soap.HasFault) error {
+	logrus.Info("=== CustomTransport.RoundTrip called ===")
+
+	// Call the original transport
+	err := t.RoundTripper.RoundTrip(ctx, req, res)
+
+	// Try to get the raw SOAP response from the underlying transport
+	// Since we can't easily access the raw HTTP response, we'll work with what we have
+	// and focus on the error case where we can extract more details
+
+	if err != nil {
+		logrus.Errorf("=== SOAP RoundTrip error: %v ===", err)
+
+		// Check if this is a SOAP fault error that we can extract details from
+		if soap.IsSoapFault(err) {
+			logrus.Error("=== SOAP FAULT DETECTED IN ERROR ===")
+			soapFault := soap.ToSoapFault(err)
+			logrus.Errorf("SOAP Fault Code: %s", soapFault.Code)
+			logrus.Errorf("SOAP Fault String: %s", soapFault.String)
+
+			// Try to get the raw XML from the fault
+			if soapFault.Detail.Fault != nil {
+				logrus.Error("=== FULL SOAP FAULT DETAILS FROM ERROR ===")
+				logrus.Errorf("Detail Fault Type: %T", soapFault.Detail.Fault)
+				logrus.Errorf("Detail Fault: %+v", soapFault.Detail.Fault)
+
+				// Try to marshal the fault to XML to get the raw representation
+				if faultXML, marshalErr := xml.MarshalIndent(soapFault.Detail.Fault, "", "  "); marshalErr == nil {
+					logrus.Errorf("Raw Fault XML:\n%s", string(faultXML))
+				}
+			}
+
+			// Check for privilege-related error messages
+			faultStr := soapFault.String
+			privilegeKeywords := []string{
+				"privilege", "permission", "access denied", "unauthorized", "forbidden",
+				"NoPermission", "InvalidLogin", "InvalidPrivilege", "missingPrivileges",
+			}
+			for _, keyword := range privilegeKeywords {
+				if strings.Contains(strings.ToLower(faultStr), strings.ToLower(keyword)) {
+					logrus.Errorf("=== PRIVILEGE ISSUE DETECTED (keyword: %s) ===", keyword)
+					logrus.Error("SOAP fault contains privilege-related content")
+					logrus.Error("=============================================")
+					break
+				}
+			}
+
+			// Check specifically for missingPrivileges
+			if strings.Contains(faultStr, "missingPrivileges") {
+				logrus.Error("=== MISSING PRIVILEGES DETECTED ===")
+				logrus.Error("The following SOAP fault contains missingPrivileges information:")
+				logrus.Errorf("Fault Details: %s", faultStr)
+				logrus.Error("=== END MISSING PRIVILEGES ===")
+			}
+		}
+
+		return err
+	}
+
+	logrus.Info("=== SOAP RoundTrip completed successfully ===")
+	return nil
+}
+
 // Session is a vSphere session with a configured Finder.
 type Session struct {
 	*govmomi.Client
@@ -242,6 +336,14 @@ func newClient(ctx context.Context, url *url.URL, thumbprint string, _ Feature)
 	}
 	vimClient.UserAgent = "k8s-capv-useragent"
 
+	// Add our custom transport with SOAP logging to the vim25 client
+	logrus.Info("=== Setting up custom SOAP transport ===")
+	customTransport := &CustomTransport{
+		RoundTripper: vimClient.RoundTripper,
+	}
+	vimClient.RoundTripper = customTransport
+	logrus.Info("=== Custom SOAP transport setup complete ===")
+
 	c := &govmomi.Client{
 		Client:         vimClient,
 		SessionManager: session.NewManager(vimClient),