- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Client integration plugin issue with Chrome 57
Sometime in the last week and a half my Chrome browser updated to 57.0.2987.110. Since then the option to login to the web GUI for vCenter server with Windows Session Credentials is grayed out.
I attempted to uninstall and reinstall the Client Integration Plugin with no luck.
When I go to help > about in the web GUI it shows the version of the plugin as 6.0.0 Build 4275819, which is correct with our current version of vSphere.
Is anyone else seeing this issue or have an idea of how to resolve it? I realize it's a minor annoyance, but it's a nice convenience to have.
Thanks,
Chris
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am having the exact same problem. I have 2 environments and one was on version 56 and one on 57. The version 56 environment allowed the client integration plugin to work as expected but the version 57 environment the plugin doesn't seem to work at all.
It's also more than just an annoyance because it doesn't allow downloading of files from the datastores through the webclient. I would also guess that it won't allow OVA deployments as that relies on the client integration plugin.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are having the same issue with vCenter 6.5.0 and the Enhanced Authentication Plugin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chrome 57 removes end-user control over plugins, and drops support for third party plugins completely.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately as far as Google is concerned this would seem to be permanently broken as mentioned by JeremyLCrabtree. Digging around deeper I found a workaround on another forum; it's not great; it's not permanent; and it may raise more issues then it solves; but it can be found here: https://www.reddit.com/r/vmware/comments/5zmnia/client_integration_plugin_60_flash_25_chrome_57/
To get a permanent fix (which may not even be possible anymore) VMware will need to redesign how the Client Integration Plugin works... again... I remember when VMware decided to force the vCenter Web Client down our collective throats it was explained as being because "it takes too many resources to develop a thick client and web client, so we'd rather focus on the 'universal client' (ie web) because it's OS agnostic" I wonder if they realized they would have to develop said Web Client to support all the different browser's quirks (or maybe not as it were). Still standing by that questionable decision?
The true HTML client can't come soon enough, this current version is just horrible, slow, unreliable, buggy.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I raised a case about this. Apparently VMware are working on a fix and will be released shortly.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Excellent! Please keep us updated. I've found this to be increasingly frustrating as, apparently, I can't upload files into our datastores without the plugin.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used Firefox for now. it works.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vmware Internally identified the issue and working on a it.Fix for this issue will be included in upcoming update releases.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 months on, any progress on this?
We're onto Chrome 58 now, with the exact same issue.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a similar issue and have found a work around that works for me and my environment. I have found that the certificate that is self-generated with the EAP plug-in is getting rejected by Chrome, you can see this if you hit F12 and look at the "Console" and "Security" tabs.
The simple work around is to manually navigate to https://vmware-plugin:8094 (your hosts file is edited as part of the installation) and select "Advanced" and "Proceed to https://vmware-plugin:8094".
This will work as long as the exception is remembered by Chrome. A better solution would be to regenerate the certificate with the appropriate missing information, but VMware is just telling everyone to wait for the next vCenter release.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone
Thanks for this, I've reproduced the steps that tim_841mentioned and managed to get the certificate to issue correctly.
I've created my own version of the MSI with the csd-openssl.cfg file modified to include the SAN section.
I've uploaded the modified MSI to save time to those who want a quick fix and the csd-openssl.cfg file for those who don't trust my MSI ![]()
Hashes:
SHA256: 723235A3AAB67874682420E3C76C9D9DCFD859DEE7F4210DFE13875D41351B7
SHA1: 5412CAC08E27B43266652F9EBCE0D1CDB0C08E87
I can also create a transform file if needed.
Please test it out and let me know if you have any issues
Regards
Matt
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"vmware-plugin" is, apparently, not in my hosts file. (or the hosts file on any of the other machines on which I have it installed)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not so much that we don't trust you, it's more that VMware (support) gives the run around when trying to get these things resolved. They could easily make an official patch file (or script) that modifies the CFG, runs OpenSSL, and reapplies ICACLS. Boom! DONE! The response I get is that it will be resolved with vCenter update in June/July (which has already been affecting us for about one-two months now).
It's great that VMware has such a knowledgeable and talented community, but it's sad when I get better solutions than the support that I am paying a pretty penny for.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Jeremy,
From what I've witnessed, there is a script on the vCenter login page that will try to make a call to 'wss://vmware-plugin:8094/?src=client&sessionId=<insertSessionIDhere>&appName=ui&version=2016'
Hit F12 and look at the "Network" tab, do you see a bunch of pending connections to that address?
The additions made by the program (EAP 6.5) were:
::1 vmware-plugin
127.0.0.1 vmware-plugin
Have you tried adding them manually?
I can't guarantee that the same changes will work in the 6.0 branch, but I think that they use 'wss://vmware-localhost:8093/' instead.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like there's nobody listening on that port on my machine. The vmware-localhost entries are already in the hosts file, though. For now I can, through a convoluted work around, use IE11 to access the few features that absolutely require the plugin.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Running into the same thing, Chrome 58, IE 11, Edge on Win10, multiple machines, desktops, laptops, VMs, etc. I don't have a way to properly deploy an OVA.
I opened up SR 17459548405 but per typical VMware support these past few years I'm struggling to even get a reply, much less something useful.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are having the same issue. We have tried every browser, Chrome, Firefox, IE, Edge, Opera on multiple machines, win10, win7, mac. They all have the same issue. Have we heard anything from Vmware on this yet?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VMware technical support has been, shall we say, less than stellar. I wrote in the case that this is happening on multiple machines, 6.0, 6.5, flash web client, HTML5 client, Chrome, IE, Edge... the first thing the rep asked me is if I tried Firefox. Then he asked for vCenter logs, which is a standard stall tactic for support. In the latest reply I received he told me that it's a known issue in Chrome but it "should work" in IE and asked me to downgrade the version of IE on my Windows 10 machine.
I wrote up a detailed post in the HTML5 fling community/feedback page 3 days ago and have yet to receive a response. I just replied to the engineer who owns my support case asking him to escalate it to another engineer. I'm expecting a response on or around the 4th of never.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There's actually a couple issues in the present version of Chrome that could keep the CIP/EAP from working. Building off what tim_841 and mateuszd have contributed, I was able to put together a set of instructions to work around these issues:
- Backup the following files:
C:\ProgramData\VMware\CIP\csd\ssl\cert.der
C:\ProgramData\VMware\CIP\csd\ssl\cert.pem
C:\ProgramData\VMware\CIP\csd\ssl\server.pem - Add the following to C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg file:
CIP
Add the following to the end of the [ req ] section:req_extentions = v3_req
Add the following section and entry at the end of the file:[ v3_req ]
EAPsubjectAltName = DNS:vmware-localhost
Add the following to the end of the [ req_req_extensions ] and [ req_x509_extensions ] sections:subjectAltName = @alt_names
Add the following section and entry at the end of the file:[ alt_names ]
DNS.1 = vmware-plugin - Create a new Certificate Signing Request:
CIP"C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\openssl.exe" req -new -config C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -key C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\server.csr
EAP"C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" req -new -config C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -key C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\server.csr
- Sign the Certificate Signing Request:
CIP"C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\openssl.exe" x509 -req -days 3650 -in C:\ProgramData\VMware\CIP\csd\ssl\server.csr -signkey C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -extfile C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -extensions v3_req
EAP"C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" x509 -req -days 3650 -in C:\ProgramData\VMware\CIP\csd\ssl\server.csr -signkey C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -extfile C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -extensions req_x509_extensions
- Combine the new certificate and private key into the server.pem file:
CIP/EAPcopy /b C:\ProgramData\VMware\CIP\csd\ssl\cert.pem+C:\ProgramData\VMware\CIP\csd\ssl\key.pem C:\ProgramData\VMware\CIP\csd\ssl\server.pem
- Create the binary DER certificate:
CIP"C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\openssl.exe" x509 -outform der -in C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.der
EAP"C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" x509 -outform der -in C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.der
- Remove the vmware-localhost (CIP) or vmware-plugin (EAP) certificate from the Trusted Root Certification Authorities store for the Local Computer, and Import the new one we just made (C:\ProgramData\VMware\CIP\csd\ssl\cert.pem)
- Add the Friendly Name "VMware-CSD Cert" to the new vmware-localhost/vmware-plugin certificate
- Modify permissions for the new "cert.der", "cert.pem", and "server.pem":
CIPC:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.der /inheritance:r /grant:r *S-1-5-11:R /grant:r *S-1-5-32-544:F /grant:r "SYSTEM":F C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.pem /inheritance:r /grant:r *S-1-5-11:R /grant:r *S-1-5-32-544:F /grant:r "SYSTEM":F C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\server.pem /inheritance:r /grant:r *S-1-5-11:R /grant:r *S-1-5-32-544:F /grant:r "SYSTEM":F
EAPC:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.der /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.pem /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r *S-1-5-11:R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\server.pem /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F
Some notes:
- Despite replacing the certificate, I could not get the EAP to work in IE or Edge, nor the CIP to work in Edge.
- If your vCenter connects to an external PSC, Chrome will still show the "Use Windows session authentication" option as disabled on vCenter, but will be available on the PSC. The reason is because of the same-origin security policy. I believe the official fix will utilize CORS so that this will not be an issue. There is a way to work around it, but I will not post it here as it can introduce a security vulnerability.
- For me, Firefox automatically had the CIP certificate added to its certificate store, I just had to restart the browser. For the EAP, I had to add a manual exception for https://vmware-plugin:8094 and restart the browser.
- This was tested on Windows 7 and 10 in Chrome 58, Firefox 53, IE 11, and Edge.