Chris_Nodak
Enthusiast
Enthusiast

Client integration plugin issue with Chrome 57

Sometime in the last week and a half my Chrome browser updated to 57.0.2987.110. Since then the option to login to the web GUI for vCenter server with Windows Session Credentials is grayed out.

I attempted to uninstall and reinstall the Client Integration Plugin with no luck.

When I go to help > about in the web GUI it shows the version of the plugin as 6.0.0 Build 4275819, which is correct with our current version of vSphere.

Is anyone else seeing this issue or have an idea of how to resolve it? I realize it's a minor annoyance, but it's a nice convenience to have.

Thanks,

Chris

38 Replies
tim_841
Enthusiast
Enthusiast

I have a bit of script for the lazy people out there with 6.5. Make the changes to one config file and put it up on your network. Then make a login script to run:

mkdir C:\ProgramData\VMware\CIP\csd\ssl\backup\

move C:\ProgramData\VMware\CIP\csd\ssl\cert.der C:\ProgramData\VMware\CIP\csd\ssl\backup\

move C:\ProgramData\VMware\CIP\csd\ssl\cert.pem C:\ProgramData\VMware\CIP\csd\ssl\backup\

move C:\ProgramData\VMware\CIP\csd\ssl\server.pem C:\ProgramData\VMware\CIP\csd\ssl\backup\

move C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg C:\ProgramData\VMware\CIP\csd\ssl\backup\

copy \\<networklocation>\csd-openssl.cfg C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg

icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F

"C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" req -new -config C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -key C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\server.csr

"C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" x509 -req -days 3650 -in C:\ProgramData\VMware\CIP\csd\ssl\server.csr -signkey C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -extfile C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -extensions req_x509_extensions

copy /b C:\ProgramData\VMware\CIP\csd\ssl\cert.pem+C:\ProgramData\VMware\CIP\csd\ssl\key.pem C:\ProgramData\VMware\CIP\csd\ssl\server.pem

"C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" x509 -outform der -in C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.der

certutil -delstore "root" vmware-plugin

certutil -addstore "root" C:\ProgramData\VMware\CIP\csd\ssl\cert.der

icacls C:\ProgramData\VMware\CIP\csd\ssl\cert.der /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F

icacls C:\ProgramData\VMware\CIP\csd\ssl\cert.pem /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r *S-1-5-11:R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F

icacls C:\ProgramData\VMware\CIP\csd\ssl\server.pem /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F

net stop CipMsgProxyService

net start CipMsgProxyService

adamjg
Hot Shot
Hot Shot

I'm basically giving up here.  The support rep was unable to read a simple email and reply, much less begin to try and troubleshoot anything.  I built a fresh Windows 10 image directly from the MS ISO and IE, Edge and Chrome all fail with the CIP and EAP, flash and html5.  Dennis was very responsive via emails but in the end his answer was "upgrade to 6.5."  I appreciate the work you guys are doing with the workaround, but as far as I'm concerned that's not an acceptable fix in an enterprise environment, so I'm not going to try pursuing it.

I have one machine that somehow still has Chrome 55 on it, so I can deploy OVAs from there when needed. Until then I'm waiting on vendors to upgrade their stuff to support 6.5 and I'm testing 6.0 to 6.5 upgrades in my test environment.

0 Kudos
tim_841
Enthusiast
Enthusiast

Hi adamjg,

I'm in the same boat with my support guy, he tried claiming the only workaround was to uninstall and reinstall the application, and it was on me that it didn't work. He did tell me that it will be resolved in the vCenter update in June/July, but I do not know if that will be including version 6.0 as they are trying to give that the strong-arm out.

Out of curiosity, what is it telling you with Chrome and Firefox (from the console tab in F12)? I have not been able to get IE/Edge working (somehow it was working for about two days after chrome stopped working) and F12 is just telling me that it errors out with no plug-in available.

0 Kudos
adamjg
Hot Shot
Hot Shot

I haven't tried Firefox.  That was how the case started.  I wrote that it doesn't work in Chrome, IE or Edge.  The rep first asked if it worked in Firefox, then asked me if I could downgrade my version of IE. Then he was a no-show for a call, didn't reply for a few days, refused/was unable to read and comprehend my emails, and I finally told him to just close the ticket.

I believe like you do that the main issues lie with custom certs.  Due to still having legacy systems in our environment, our MS CA is only able to provide a SHA-1 cert which Chrome (and Edge) no longer accept as secure. I'm getting errors due to that.  Yesterday I reset the certs in my Dev environment (6.5) to self-signed, and now I get an untrusted root CA error, which is expected.  However, even after adding the root certs to the trusted cert store, the EAP still didn't work.

Hopefully the issue is really fixed in the upcoming version.

0 Kudos
Chris_Nodak
Enthusiast
Enthusiast

Just got back to this and realized how many people had responded after I posted. I had opened a case with VMware and it took over a month for the tech to actually get back to me, after multiple attempts to get his attention. I finally had to flag it to a manager and he finally called me back.

I got the same run around as the rest of you. Use IE (won't work), downgrade Chrome, have you tried Firefox? Well it's just not working for me and he told me the "fix" isn't due until SEPTEMBER. He said that more than once. A fix is coming in SEPTEMBER... :smileyconfused:

0 Kudos
ZipTx2
Contributor
Contributor

Huge THANKS to TheVElement for the clear instructions and to Tim_841 for the legwork.

This worked for me on Win2012R2 with Chrome 58.0.3029.110 (64-bit).

In addition to OVF being inoperable,  a person cannot deploy a new VCSA from the ISO html start unless CIP is working.

If support is listening,  please use this as a fast publish for a quick fix.   VMWARE implementations are not possible without this fix in place.

0 Kudos
adamjg
Hot Shot
Hot Shot

That's ok, because if you follow VMware's recommendation/best practices for security and update your vCenters regularly, you can't upgrade to 6.5 because their own software doesn't support upgrading to their own software.

0 Kudos
kbulgrien4freed
Enthusiast
Enthusiast

Realizing this is a "Chrome" thread, but as there seems to be no clear resolution with Chrome, and having experienced similar issues upon updating to a current Firefox version, perhaps notes posted in Regarding Firefox revisions &gt;= 39 and related 6.0 U3 Client Integration Plug-in issues​​ may be helpful. In summary, using the Firefox 52 ESR version has resolved what seem to be similar issues, and the browser version is not the only concern as it has been necessary to avoid setting the vmware-csd plug-in settings away from "Always ask".

0 Kudos
ndolsontts
Contributor
Contributor

I'm having this same issue in every browser (Chrome, IE, Firefox).  I've uninstalled and reinstalled the CIP, uninstalled the browsers and reinstalled, tried different computers and user accounts, nothing.  I'll try some of the fixes mentioned on the second page.

Frustrating...

0 Kudos
ndolsontts
Contributor
Contributor

Installing Firefox 52 ESR fixed it for me.  Chrome still won't work, but at least I have a "work around" for the moment.

tim_841
Enthusiast
Enthusiast

VMware issued a Patch last week, 6.5.0e, but it does not list any fixes for the certificate issue in their plugin. However, they do specify a workaround for IE.

You need to add the full URL of the vCenter into the "Local Intranet" group (I had it in "Trusted sites"). Confirmed working on top of my other fixes.

Seriously though, this whole issue is pretty much caused by two lines missing from their installer. How could they not address this in this last release? I will try and install the update and see if they silently fixed this.

andya201110141
Enthusiast
Enthusiast

Hi,

When I upgraded my vCenter server from 6 to 6.5, I again had the vSphere Web Client issue.

In Chrome, or I my case Vivaldi, go to chrome://flags or vivaldi://flags. Find "Extensions on chrome://URLs". (#extensions-on-chrome-urls) Then Enable it.

Not sure why, but each time I've upgraded my vCenter server I have to remember to go do this... I don't recall any browser updates causing the setting to become disabled again. Or at least, Vivaldi does not dump the setting, but Chrome may.

vSphere Web Client: Version 6.5.0 Build 4602587

Client Integration Plug-in: No longer required

Browser: Chrome Version 59.0.3071.90

Flash Player: WIN 26,0,0,131

Vivaldi: 1.10.867.38 (Stable channel) (32-bit)

JavaScript: V8 5.9.211.31

Andy

0 Kudos
adamjg
Hot Shot
Hot Shot

FWIW - I'm stuck on vCenter 6.0 U3b, and there's no current upgrade path to 6.5.  I finally gave up and opened another ticket with VMware earlier this week because I have to deploy multiple OVA files that have vApp options and I have no way to deploy them.  (The C# client won't work because without the options the appliances won't power on properly).

VMware gave me the "work around" that is listed earlier in this thread, basically re-doing the SSL cert for the client integration plugin. The rep said there was no PR for the issue, so at least according to him, VMware is not acknowledging this as an issue on their end and is instead putting the blame on the client and the browsers. They do have an internal KB article with this work around, but since it's internal he couldn't share it with me and there's no information on internal updates.

We're not a large company, 6000 employees and 1500 VMs, but at least for now, there's 1 single computer in the company that can deploy an OVA file.

0 Kudos
BenLiebowitz
Expert
Expert

adamjg​ - I'm in a similar boat.  We're on the same version and just deployed a new Win2016 system and installed Chrome... Running into this out of the gate.  Yet, on my 2012 R2 server, it's fine.  Strange!

Ben Liebowitz, VCP vExpert 2015, 2016, & 2017 If you found my post helpful, please mark it as helpful or answered to award points.
0 Kudos
sapreaper
Contributor
Contributor

Agreed, a big pile of poo. Force something that does not work on 90% of any version of windows. I even built brand new Windows 7, 8.1, 10 desktops/vm's, and also Server 2012, JUST to get the VMware CIP to work, and guess what, it STILL does not work!.    Gonna go back to XEN and save $$ lol

0 Kudos
Elcheco
Contributor
Contributor

i had the problem problem with the 'Client integration plugin' after installed the new versions of chrome, firefox and opera. I couldn't deploy a OVF file beacuse i always had the same notification: "The Client Integration Plug-in must be installed to enable OVF functionality. Click the link below to download the installer."

i just downgraded the chrome from version 60 to version 56 (Download older versions of Google Chrome for Windows, Linux and Mac)

and its working now.:smileycool:

0 Kudos
dennisluvm
Enthusiast
Enthusiast

Have you tried the workaround steps in this post (post 19 of this thread): Re: Client integration plugin issue with Chrome 57

0 Kudos
sapreaper
Contributor
Contributor

or just upgrade to 6.5 like I just did, and now I can use the vsphere web client right in firefox 54.0.1 (even using the original flash version and not the html5 version, no more plugin.

However Chrome 60 does NOT work using flash (could be my older flash), unless you use the html5 version or "/ui" Chrome 60 works fine

0 Kudos
AndAnd
Contributor
Contributor

hi,  use IE as a workaround....

in my case vC 6.0, CIP installed  and working

ova just installed...

0 Kudos