vCenter

 View Only
Expand all | Collapse all

Client integration plugin issue with Chrome 57

  • 1.  Client integration plugin issue with Chrome 57

    Posted Mar 24, 2017 05:44 PM

    Sometime in the last week and a half my Chrome browser updated to 57.0.2987.110. Since then the option to login to the web GUI for vCenter server with Windows Session Credentials is grayed out.

    I attempted to uninstall and reinstall the Client Integration Plugin with no luck.

    When I go to help > about in the web GUI it shows the version of the plugin as 6.0.0 Build 4275819, which is correct with our current version of vSphere.

    Is anyone else seeing this issue or have an idea of how to resolve it? I realize it's a minor annoyance, but it's a nice convenience to have.

    Thanks,

    Chris



  • 2.  RE: Client integration plugin issue with Chrome 57

    Posted Mar 29, 2017 03:47 PM

    I am having the exact same problem. I have 2 environments and one was on version 56 and one on 57. The version 56 environment allowed the client integration plugin to work as expected but the version 57 environment the plugin doesn't seem to work at all.

    It's also more than just an annoyance because it doesn't allow downloading of files from the datastores through the webclient. I would also guess that it won't allow OVA deployments as that relies on the client integration plugin.



  • 3.  RE: Client integration plugin issue with Chrome 57

    Posted Mar 31, 2017 11:21 AM

    We are having the same issue with vCenter 6.5.0 and the Enhanced Authentication Plugin



  • 4.  RE: Client integration plugin issue with Chrome 57

    Posted Apr 04, 2017 01:47 PM

    Chrome 57 removes end-user control over plugins, and drops support for third party plugins completely.

    615738 - Deprecate chrome://plugins - chromium - Monorail



  • 5.  RE: Client integration plugin issue with Chrome 57

    Posted Apr 10, 2017 07:01 PM

    Unfortunately as far as Google is concerned this would seem to be permanently broken as mentioned by JeremyLCrabtreeDigging around deeper I found a workaround on another forum; it's not great; it's not permanent; and it may raise more issues then it solves; but it can be found here: https://www.reddit.com/r/vmware/comments/5zmnia/client_integration_plugin_60_flash_25_chrome_57/

    To get a permanent fix (which may not even be possible anymore) VMware will need to redesign how the Client Integration Plugin works... again... I remember when VMware decided to force the vCenter Web Client down our collective throats it was explained as being because "it takes too many resources to develop a thick client and web client, so we'd rather focus on the 'universal client' (ie web) because it's OS agnostic"  I wonder if they realized they would have to develop said Web Client to support all the different browser's quirks (or maybe not as it were).  Still standing by that questionable decision?

    The true HTML client can't come soon enough, this current version is just horrible, slow, unreliable, buggy.



  • 6.  RE: Client integration plugin issue with Chrome 57

    Posted Aug 23, 2017 04:08 PM

    Agreed, a big pile of poo. Force something that does not work on 90% of any version of windows. I even built brand new Windows 7, 8.1, 10 desktops/vm's, and also Server 2012, JUST to get the VMware CIP to work, and guess what, it STILL does not work!.    Gonna go back to XEN and save $$ lol



  • 7.  RE: Client integration plugin issue with Chrome 57

    Posted May 02, 2017 12:51 AM

    I raised a case about this. Apparently VMware are working on a fix and will be released shortly.



  • 8.  RE: Client integration plugin issue with Chrome 57

    Posted May 02, 2017 07:39 PM

    Excellent! Please keep us updated. I've found this to be increasingly frustrating as, apparently, I can't upload files into our datastores without the plugin.



  • 9.  RE: Client integration plugin issue with Chrome 57

    Posted May 05, 2017 02:53 PM

    I used Firefox for now. it works.



  • 10.  RE: Client integration plugin issue with Chrome 57

    Broadcom Employee
    Posted May 06, 2017 12:45 PM

    Vmware Internally identified the issue and working on a it.Fix for this issue will be included in upcoming update releases.



  • 11.  RE: Client integration plugin issue with Chrome 57

    Posted May 12, 2017 11:35 AM

    2 months on, any progress on this?

    We're onto Chrome 58 now, with the exact same issue.



  • 12.  RE: Client integration plugin issue with Chrome 57

    Posted May 12, 2017 01:37 PM

    I have a similar issue and have found a work around that works for me and my environment. I have found that the certificate that is self-generated with the EAP plug-in is getting rejected by Chrome, you can see this if you hit F12 and look at the "Console" and "Security" tabs.

    The simple work around is to manually navigate to https://vmware-plugin:8094 (your hosts file is edited as part of the installation) and select "Advanced" and "Proceed to https://vmware-plugin:8094".

    This will work as long as the exception is remembered by Chrome. A better solution would be to regenerate the certificate with the appropriate missing information, but VMware is just telling everyone to wait for the next vCenter release.



  • 13.  RE: Client integration plugin issue with Chrome 57

    Posted May 13, 2017 02:10 PM

    Hi everyone

    Thanks for this, I've reproduced the steps that tim_841​mentioned and managed to get the certificate to issue correctly.

    I've created my own version of the MSI with the csd-openssl.cfg file modified to include the SAN section.

    I've uploaded the modified MSI to save time to those who want a quick fix and the csd-openssl.cfg file for those who don't trust my MSI :smileywink:

    Hashes:

    SHA256: 723235A3AAB67874682420E3C76C9D9DCFD859DEE7F4210DFE13875D41351B7

    SHA1: 5412CAC08E27B43266652F9EBCE0D1CDB0C08E87

    I can also create a transform file if needed.

    Please test it out and let me know if you have any issues

    Regards

    Matt



  • 14.  RE: Client integration plugin issue with Chrome 57

    Posted May 15, 2017 04:32 PM

    It's not so much that we don't trust you, it's more that VMware (support) gives the run around when trying to get these things resolved. They could easily make an official patch file (or script) that modifies the CFG, runs OpenSSL, and reapplies ICACLS. Boom! DONE! The response I get is that it will be resolved with vCenter update in June/July (which has already been affecting us for about one-two months now).

    It's great that VMware has such a knowledgeable and talented community, but it's sad when I get better solutions than the support that I am paying a pretty penny for.



  • 15.  RE: Client integration plugin issue with Chrome 57

    Broadcom Employee
    Posted Jun 01, 2017 02:58 PM

    There's actually a couple issues in the present version of Chrome that could keep the CIP/EAP from working. Building off what tim_841 and mateuszd have contributed, I was able to put together a set of instructions to work around these issues:

    1. Backup the following files:
      C:\ProgramData\VMware\CIP\csd\ssl\cert.der
      C:\ProgramData\VMware\CIP\csd\ssl\cert.pem
      C:\ProgramData\VMware\CIP\csd\ssl\server.pem
    2. Add the following to C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg file:
      CIP
      Add the following to the end of the [ req ] section:
      req_extentions = v3_req
      Add the following section and entry at the end of the file:
      [ v3_req ]

      subjectAltName = DNS:vmware-localhost

      EAP
      Add the following to the end of the [ req_req_extensions ] and [ req_x509_extensions ] sections:
      subjectAltName = @alt_names
      Add the following section and entry at the end of the file:
      [ alt_names ]
      DNS.1 = vmware-plugin
    3. Create a new Certificate Signing Request:
      CIP
      "C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\openssl.exe" req -new -config C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -key C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\server.csr
      EAP
      "C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" req -new -config C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -key C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\server.csr
    4. Sign the Certificate Signing Request:
      CIP
      "C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\openssl.exe" x509 -req -days 3650 -in C:\ProgramData\VMware\CIP\csd\ssl\server.csr -signkey C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -extfile C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -extensions v3_req
      EAP
      "C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" x509 -req -days 3650 -in C:\ProgramData\VMware\CIP\csd\ssl\server.csr -signkey C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -extfile C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -extensions req_x509_extensions
    5. Combine the new certificate and private key into the server.pem file:
      CIP/EAP
      copy /b C:\ProgramData\VMware\CIP\csd\ssl\cert.pem+C:\ProgramData\VMware\CIP\csd\ssl\key.pem C:\ProgramData\VMware\CIP\csd\ssl\server.pem
    6. Create the binary DER certificate:
      CIP
      "C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\openssl.exe" x509 -outform der -in C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.der
      EAP
      "C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" x509 -outform der -in C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.der
    7. Remove the vmware-localhost (CIP) or vmware-plugin (EAP) certificate from the Trusted Root Certification Authorities store for the Local Computer, and Import the new one we just made (C:\ProgramData\VMware\CIP\csd\ssl\cert.pem)
    8. Add the Friendly Name "VMware-CSD Cert" to the new vmware-localhost/vmware-plugin certificate
    9. Modify permissions for the new "cert.der", "cert.pem", and "server.pem":
      CIP
      C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.der /inheritance:r /grant:r *S-1-5-11:R /grant:r *S-1-5-32-544:F /grant:r "SYSTEM":F C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.pem /inheritance:r /grant:r *S-1-5-11:R /grant:r *S-1-5-32-544:F /grant:r "SYSTEM":F C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\server.pem /inheritance:r /grant:r *S-1-5-11:R /grant:r *S-1-5-32-544:F /grant:r "SYSTEM":F
      EAP
      C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.der /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\cert.pem /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r *S-1-5-11:R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F C:\Windows\System32\icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\server.pem /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F

    Some notes:

    1. Despite replacing the certificate, I could not get the EAP to work in IE or Edge, nor the CIP to work in Edge.
    2. If your vCenter connects to an external PSC, Chrome will still show the "Use Windows session authentication" option as disabled on vCenter, but will be available on the PSC. The reason is because of the same-origin security policy. I believe the official fix will utilize CORS so that this will not be an issue. There is a way to work around it, but I will not post it here as it can introduce a security vulnerability.
    3. For me, Firefox automatically had the CIP certificate added to its certificate store, I just had to restart the browser. For the EAP, I had to add a manual exception for https://vmware-plugin:8094 and restart the browser.
    4. This was tested on Windows 7 and 10 in Chrome 58, Firefox 53, IE 11, and Edge.


  • 16.  RE: Client integration plugin issue with Chrome 57

    Posted Jun 01, 2017 08:54 PM

    I have a bit of script for the lazy people out there with 6.5. Make the changes to one config file and put it up on your network. Then make a login script to run:

    mkdir C:\ProgramData\VMware\CIP\csd\ssl\backup\

    move C:\ProgramData\VMware\CIP\csd\ssl\cert.der C:\ProgramData\VMware\CIP\csd\ssl\backup\

    move C:\ProgramData\VMware\CIP\csd\ssl\cert.pem C:\ProgramData\VMware\CIP\csd\ssl\backup\

    move C:\ProgramData\VMware\CIP\csd\ssl\server.pem C:\ProgramData\VMware\CIP\csd\ssl\backup\

    move C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg C:\ProgramData\VMware\CIP\csd\ssl\backup\

    copy \\<networklocation>\csd-openssl.cfg C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg

    icacls.exe C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F

    "C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" req -new -config C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -key C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\server.csr

    "C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" x509 -req -days 3650 -in C:\ProgramData\VMware\CIP\csd\ssl\server.csr -signkey C:\ProgramData\VMware\CIP\csd\ssl\key.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -extfile C:\ProgramData\VMware\CIP\csd\ssl\csd-openssl.cfg -extensions req_x509_extensions

    copy /b C:\ProgramData\VMware\CIP\csd\ssl\cert.pem+C:\ProgramData\VMware\CIP\csd\ssl\key.pem C:\ProgramData\VMware\CIP\csd\ssl\server.pem

    "C:\Program Files (x86)\VMware\Plug-in Service\openssl.exe" x509 -outform der -in C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -out C:\ProgramData\VMware\CIP\csd\ssl\cert.der

    certutil -delstore "root" vmware-plugin

    certutil -addstore "root" C:\ProgramData\VMware\CIP\csd\ssl\cert.der

    icacls C:\ProgramData\VMware\CIP\csd\ssl\cert.der /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F

    icacls C:\ProgramData\VMware\CIP\csd\ssl\cert.pem /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r *S-1-5-11:R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F

    icacls C:\ProgramData\VMware\CIP\csd\ssl\server.pem /inheritance:r /grant:r "LOCAL SERVICE":R /grant:r "SERVICE":R /grant:r "SYSTEM":F /grant:r *S-1-5-32-544:F

    net stop CipMsgProxyService

    net start CipMsgProxyService



  • 17.  RE: Client integration plugin issue with Chrome 57

    Posted Jun 19, 2017 05:14 PM

    Huge THANKS to TheVElement for the clear instructions and to Tim_841 for the legwork.

    This worked for me on Win2012R2 with Chrome 58.0.3029.110 (64-bit).

    In addition to OVF being inoperable,  a person cannot deploy a new VCSA from the ISO html start unless CIP is working.

    If support is listening,  please use this as a fast publish for a quick fix.   VMWARE implementations are not possible without this fix in place.



  • 18.  RE: Client integration plugin issue with Chrome 57

    Posted Jun 19, 2017 05:40 PM

    That's ok, because if you follow VMware's recommendation/best practices for security and update your vCenters regularly, you can't upgrade to 6.5 because their own software doesn't support upgrading to their own software.



  • 19.  RE: Client integration plugin issue with Chrome 57

    Posted May 15, 2017 03:22 PM

    "vmware-plugin" is, apparently, not in my hosts file. (or the hosts file on any of the other machines on which I have it installed)



  • 20.  RE: Client integration plugin issue with Chrome 57

    Posted May 15, 2017 05:01 PM

    Hey Jeremy,

    From what I've witnessed, there is a script on the vCenter login page that will try to make a call to 'wss://vmware-plugin:8094/?src=client&sessionId=<insertSessionIDhere>&appName=ui&version=2016'

    Hit F12 and look at the "Network" tab, do you see a bunch of pending connections to that address?

    The additions made by the program (EAP 6.5) were:

    ::1     vmware-plugin

    127.0.0.1     vmware-plugin

    Have you tried adding them manually?

    I can't guarantee that the same changes will work in the 6.0 branch, but I think that they use 'wss://vmware-localhost:8093/' instead.



  • 21.  RE: Client integration plugin issue with Chrome 57

    Posted May 15, 2017 08:21 PM

    It looks like there's nobody listening on that port on my machine. The vmware-localhost entries are already in the hosts file, though. For now I can, through a convoluted work around, use IE11 to access the few features that absolutely require the plugin.



  • 22.  RE: Client integration plugin issue with Chrome 57

    Posted May 23, 2017 03:39 PM

    Running into the same thing, Chrome 58, IE 11, Edge on Win10, multiple machines, desktops, laptops, VMs, etc. I don't have a way to properly deploy an OVA.

    I opened up SR 17459548405 but per typical VMware support these past few years I'm struggling to even get a reply, much less something useful.



  • 23.  RE: Client integration plugin issue with Chrome 57

    Posted May 25, 2017 11:23 PM

    We are having the same issue. We have tried every browser, Chrome, Firefox, IE, Edge, Opera on multiple machines, win10, win7, mac. They all have the same issue. Have we heard anything from Vmware on this yet?



  • 24.  RE: Client integration plugin issue with Chrome 57

    Posted May 26, 2017 03:34 PM

    VMware technical support has been, shall we say, less than stellar. I wrote in the case that this is happening on multiple machines, 6.0, 6.5, flash web client, HTML5 client, Chrome, IE, Edge...  the first thing the rep asked me is if I tried Firefox. Then he asked for vCenter logs, which is a standard stall tactic for support.  In the latest reply I received he told me that it's a known issue in Chrome but it "should work" in IE and asked me to downgrade the version of IE on my Windows 10 machine.

    I wrote up a detailed post in the HTML5 fling community/feedback page 3 days ago and have yet to receive a response.  I just replied to the engineer who owns my support case asking him to escalate it to another engineer. I'm expecting a response on or around the 4th of never.



  • 25.  RE: Client integration plugin issue with Chrome 57

    Posted Jun 01, 2017 09:09 PM

    I'm basically giving up here.  The support rep was unable to read a simple email and reply, much less begin to try and troubleshoot anything.  I built a fresh Windows 10 image directly from the MS ISO and IE, Edge and Chrome all fail with the CIP and EAP, flash and html5.  Dennis was very responsive via emails but in the end his answer was "upgrade to 6.5."  I appreciate the work you guys are doing with the workaround, but as far as I'm concerned that's not an acceptable fix in an enterprise environment, so I'm not going to try pursuing it.

    I have one machine that somehow still has Chrome 55 on it, so I can deploy OVAs from there when needed. Until then I'm waiting on vendors to upgrade their stuff to support 6.5 and I'm testing 6.0 to 6.5 upgrades in my test environment.



  • 26.  RE: Client integration plugin issue with Chrome 57

    Posted Jun 01, 2017 10:22 PM