Chris_Nodak
Enthusiast
Enthusiast

Client integration plugin issue with Chrome 57

Sometime in the last week and a half my Chrome browser updated to 57.0.2987.110. Since then the option to login to the web GUI for vCenter server with Windows Session Credentials is grayed out.

I attempted to uninstall and reinstall the Client Integration Plugin with no luck.

When I go to help > about in the web GUI it shows the version of the plugin as 6.0.0 Build 4275819, which is correct with our current version of vSphere.

Is anyone else seeing this issue or have an idea of how to resolve it? I realize it's a minor annoyance, but it's a nice convenience to have.

Thanks,

Chris

38 Replies
jselover16
Contributor
Contributor

I am having the exact same problem. I have 2 environments and one was on version 56 and one on 57. The version 56 environment allowed the client integration plugin to work as expected but the version 57 environment the plugin doesn't seem to work at all.

It's also more than just an annoyance because it doesn't allow downloading of files from the datastores through the webclient. I would also guess that it won't allow OVA deployments as that relies on the client integration plugin.

0 Kudos
tcommander
Contributor
Contributor

We are having the same issue with vCenter 6.5.0 and the Enhanced Authentication Plugin

0 Kudos
JeremyLCrabtree
Contributor
Contributor

Chrome 57 removes end-user control over plugins, and drops support for third party plugins completely.

615738 - Deprecate chrome://plugins - chromium - Monorail

0 Kudos
NorthVandea
Contributor
Contributor

Unfortunately as far as Google is concerned this would seem to be permanently broken as mentioned by JeremyLCrabtreeDigging around deeper I found a workaround on another forum; it's not great; it's not permanent; and it may raise more issues then it solves; but it can be found here: https://www.reddit.com/r/vmware/comments/5zmnia/client_integration_plugin_60_flash_25_chrome_57/

To get a permanent fix (which may not even be possible anymore) VMware will need to redesign how the Client Integration Plugin works... again... I remember when VMware decided to force the vCenter Web Client down our collective throats it was explained as being because "it takes too many resources to develop a thick client and web client, so we'd rather focus on the 'universal client' (ie web) because it's OS agnostic"  I wonder if they realized they would have to develop said Web Client to support all the different browser's quirks (or maybe not as it were).  Still standing by that questionable decision?

The true HTML client can't come soon enough, this current version is just horrible, slow, unreliable, buggy.

AS102195
Contributor
Contributor

I raised a case about this. Apparently VMware are working on a fix and will be released shortly.

0 Kudos
JeremyLCrabtree
Contributor
Contributor

Excellent! Please keep us updated. I've found this to be increasingly frustrating as, apparently, I can't upload files into our datastores without the plugin.

0 Kudos
Varoon_p
Contributor
Contributor

I used Firefox for now. it works.

0 Kudos
LokeshHK
VMware Employee
VMware Employee

Vmware Internally identified the issue and working on a it.Fix for this issue will be included in upcoming update releases.

0 Kudos
Stephen_Amos
Contributor
Contributor

2 months on, any progress on this?

We're onto Chrome 58 now, with the exact same issue.

0 Kudos
tim_841
Enthusiast
Enthusiast

I have a similar issue and have found a work around that works for me and my environment. I have found that the certificate that is self-generated with the EAP plug-in is getting rejected by Chrome, you can see this if you hit F12 and look at the "Console" and "Security" tabs.

The simple work around is to manually navigate to https://vmware-plugin:8094 (your hosts file is edited as part of the installation) and select "Advanced" and "Proceed to https://vmware-plugin:8094".

This will work as long as the exception is remembered by Chrome. A better solution would be to regenerate the certificate with the appropriate missing information, but VMware is just telling everyone to wait for the next vCenter release.

mateuszd
Contributor
Contributor

Hi everyone

Thanks for this, I've reproduced the steps that tim_841mentioned and managed to get the certificate to issue correctly.

I've created my own version of the MSI with the csd-openssl.cfg file modified to include the SAN section.

I've uploaded the modified MSI to save time to those who want a quick fix and the csd-openssl.cfg file for those who don't trust my MSI Smiley Wink

Hashes:

SHA256: 723235A3AAB67874682420E3C76C9D9DCFD859DEE7F4210DFE13875D41351B7

SHA1: 5412CAC08E27B43266652F9EBCE0D1CDB0C08E87

I can also create a transform file if needed.

Please test it out and let me know if you have any issues

Regards

Matt

0 Kudos
JeremyLCrabtree
Contributor
Contributor

"vmware-plugin" is, apparently, not in my hosts file. (or the hosts file on any of the other machines on which I have it installed)

tim_841
Enthusiast
Enthusiast

It's not so much that we don't trust you, it's more that VMware (support) gives the run around when trying to get these things resolved. They could easily make an official patch file (or script) that modifies the CFG, runs OpenSSL, and reapplies ICACLS. Boom! DONE! The response I get is that it will be resolved with vCenter update in June/July (which has already been affecting us for about one-two months now).

It's great that VMware has such a knowledgeable and talented community, but it's sad when I get better solutions than the support that I am paying a pretty penny for.

0 Kudos
tim_841
Enthusiast
Enthusiast

Hey Jeremy,

From what I've witnessed, there is a script on the vCenter login page that will try to make a call to 'wss://vmware-plugin:8094/?src=client&sessionId=<insertSessionIDhere>&appName=ui&version=2016'

Hit F12 and look at the "Network" tab, do you see a bunch of pending connections to that address?

The additions made by the program (EAP 6.5) were:

::1     vmware-plugin

127.0.0.1     vmware-plugin

Have you tried adding them manually?

I can't guarantee that the same changes will work in the 6.0 branch, but I think that they use 'wss://vmware-localhost:8093/' instead.

0 Kudos
JeremyLCrabtree
Contributor
Contributor

It looks like there's nobody listening on that port on my machine. The vmware-localhost entries are already in the hosts file, though. For now I can, through a convoluted work around, use IE11 to access the few features that absolutely require the plugin.

0 Kudos
adamjg
Hot Shot
Hot Shot

Running into the same thing, Chrome 58, IE 11, Edge on Win10, multiple machines, desktops, laptops, VMs, etc. I don't have a way to properly deploy an OVA.

I opened up SR 17459548405 but per typical VMware support these past few years I'm struggling to even get a reply, much less something useful.

0 Kudos
wayne10879
Contributor
Contributor

We are having the same issue. We have tried every browser, Chrome, Firefox, IE, Edge, Opera on multiple machines, win10, win7, mac. They all have the same issue. Have we heard anything from Vmware on this yet?

0 Kudos
adamjg
Hot Shot
Hot Shot

VMware technical support has been, shall we say, less than stellar. I wrote in the case that this is happening on multiple machines, 6.0, 6.5, flash web client, HTML5 client, Chrome, IE, Edge...  the first thing the rep asked me is if I tried Firefox. Then he asked for vCenter logs, which is a standard stall tactic for support.  In the latest reply I received he told me that it's a known issue in Chrome but it "should work" in IE and asked me to downgrade the version of IE on my Windows 10 machine.

I wrote up a detailed post in the HTML5 fling community/feedback page 3 days ago and have yet to receive a response.  I just replied to the engineer who owns my support case asking him to escalate it to another engineer. I'm expecting a response on or around the 4th of never.

0 Kudos
TheVElement
VMware Employee
VMware Employee

There's actually a couple issues in the present version of Chrome that could keep the CIP/EAP from working. Building off what tim_841 and mateuszd have contributed, I was able to put together a set of instructions to work around these issues:

  1. Backup the following files:
    C:\ProgramData\VMware\CIP\csd\ssl\cert.der
    C:\ProgramData\VMware\CIP\csd\ssl\cert.pem
    C:\ProgramData\VMware\CIP\csd\ssl\server.pem
  2. Add the following to C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg file:
    CIP
    Add the following to the end of the [ req ] section:
    req_extentions = v3_req
    Add the following section and entry at the end of the file:
    [ v3_req ]

    subjectAltName = DNS:vmware-localhost

    EAP
    Add the following to the end of the [ req_req_extensions ] and [ req_x509_extensions ] sections:
    subjectAltName = @alt_names
    Add the following section and entry at the end of the file:
    [ alt_names ]
    DNS.1 = vmware-plugin
  3. Create a new Certificate Signing Request:
    CIP
    "C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\openssl.exe" req -new -config C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -key C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\server.csr
    EAP
    "C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" req -new -config C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -key C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\server.csr
  4. Sign the Certificate Signing Request:
    CIP
    "C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\openssl.exe" x509 -req -days 3650 -in C:\ProgramData\VMware\CIP\csd\ssl\server.csr -signkey C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -extfile C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -extensions v3_req
    EAP
    "C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" x509 -req -days 3650 -in C:\ProgramData\VMware\CIP\csd\ssl\server.csr -signkey C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -extfile C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -extensions req_x509_extensions
  5. Combine the new certificate and private key into the server.pem file:
    CIP/EAP
    copy /b C:\ProgramData\VMware\CIP\csd\ssl\cert.pem+C:\ProgramData\VMware\CIP\csd\ssl\key.pem C:\ProgramData\VMware\CIP\csd\ssl\server.pem
  6. Create the binary DER certificate:
    CIP
    "C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\openssl.exe" x509 -outform der -in C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.der
    EAP
    "C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" x509 -outform der -in C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.der
  7. Remove the vmware-localhost (CIP) or vmware-plugin (EAP) certificate from the Trusted Root Certification Authorities store for the Local Computer, and Import the new one we just made (C:\ProgramData\VMware\CIP\csd\ssl\cert.pem)
  8. Add the Friendly Name "VMware-CSD Cert" to the new vmware-localhost/vmware-plugin certificate
  9. Modify permissions for the new "cert.der", "cert.pem", and "server.pem":
    CIP
    C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.der /inheritance:r /grant:r *S-1-5-11:R /grant:r *S-1-5-32-544:F /grant:r "SYSTEM":F C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.pem /inheritance:r /grant:r *S-1-5-11:R /grant:r *S-1-5-32-544:F /grant:r "SYSTEM":F C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\server.pem /inheritance:r /grant:r *S-1-5-11:R /grant:r *S-1-5-32-544:F /grant:r "SYSTEM":F
    EAP
    C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.der /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.pem /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r *S-1-5-11:R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\server.pem /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F

Some notes:

  1. Despite replacing the certificate, I could not get the EAP to work in IE or Edge, nor the CIP to work in Edge.
  2. If your vCenter connects to an external PSC, Chrome will still show the "Use Windows session authentication" option as disabled on vCenter, but will be available on the PSC. The reason is because of the same-origin security policy. I believe the official fix will utilize CORS so that this will not be an issue. There is a way to work around it, but I will not post it here as it can introduce a security vulnerability.
  3. For me, Firefox automatically had the CIP certificate added to its certificate store, I just had to restart the browser. For the EAP, I had to add a manual exception for https://vmware-plugin:8094 and restart the browser.
  4. This was tested on Windows 7 and 10 in Chrome 58, Firefox 53, IE 11, and Edge.