
Wednesday, November 9, 2016

Upgrading VMware Horizon View to 7.0.x causes vCenter Server Status to be red with “Untrusted Certificate” but clicking on the “Verify” button does nothing

Problem

I’ve had several clients call me in regards to a common issue when upgrading VMware Horizon View to version 7.0.x where their vCenter Server's status is labeled with the red colour and the Status is listed as Untrusted Certificate but clicking on the Verify button does nothing:

Status: Untrusted Certificate Verify

For self-signed certificate, click ‘Verify’. If the vCenter Server certificate can be validated, make sure that the trusted store on the Connection Server system has the correct Certification Authorities.

SSL Certificate: Invalid



I find that this issue throws a lot of administrators off because previous versions simply allow you to click on the Verify button, accept the self-signed certificate, and you’re on your way, but version 7 appears to render the button clickable yet does nothing when you click on it other than give you a click symbol as if it was doing something:


Solution

This happens when the vCenter in the environment is running an earlier release of vCenter Server (5.0, 5.1, and 5.5) where only TLSv1.0 is supported. VMware Horizon 7 and later components have TLSv1.0 disabled, which causes this strange behavior. More information can be found in the deployment guide here:

View Installation
VMware Horizon 7 Version 7.0
VMware Horizon 7 Version 7.0.1
VMware Horizon 7 Version 7.0.2

http://pubs.vmware.com/horizon-7-view/topic/com.vmware.ICbase/PDF/view-70-installation.pdf


To resolve this issue, either upgrade vCenter Server to 6.0 Update 1B or work around the issue by re-enabling TLSv1.0 on the VMware View Composer as outlined in the following KB:

Unable to verify vCenter certificate in VMware View Administrator (2144967)
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2144967

Re-enable TLSv1.0 on VMware View Composer

To re-enable TLSv1.0 on VMware View Composer:

1. Click Start > Run, type regedit, and click OK. The Registry Editor window opens.

2. Navigate to HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.0\Client
Note: If this key does not already exist, create the key.

3. Delete the value Enabled if it exists.

4. Edit the DWORD value DisabledByDefault and set it to 0.


5. Restart the VMware View Composer service. TLSv1.0 connections from View Composer to vCenter are now enabled.

6. Navigate to HKLM\SOFTWARE\VMware,Inc.\VMware View Composer.

7. Create or edit the String value EnableTLS1.0 and set it to 1.

8. If the View Composer host is a 64-bit machine, navigate to HKLM\SOFTWARE\WOW6432Node\VMware,Inc\VMware View Composer.

9. Create or edit the String value EnableTLS1.0 and set it to 1.


10. Restart the VMware Horizon View Composer service. TLSv1.0 connections from View Composer to ESXi hosts are now enabled.
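
The registry values from steps 2 to 9 can be checked without opening regedit. The following PowerShell is an added example, not part of the original post or the VMware KB: a read-only audit that reports the state of each value so the hosts where TLSv1.0 was re-enabled can be tracked and the change reverted later. Key paths are copied from the steps above; it also checks "TLS 1.0" with a space, which is the key name Schannel documents, and the function name Get-RegistryValueState is hypothetical.

```powershell
# Added example: read-only audit of the TLS 1.0 re-enable settings listed above.
# Key paths are copied from the page. 'TLS 1.0' (with a space) is the key name
# Schannel documents, so both spellings are checked.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$targets = @(
    @{ Path = "$schannel\TLS1.0\Client";  Names = 'Enabled', 'DisabledByDefault' }
    @{ Path = "$schannel\TLS 1.0\Client"; Names = 'Enabled', 'DisabledByDefault' }
    @{ Path = 'HKLM:\SOFTWARE\VMware,Inc.\VMware View Composer';            Names = @('EnableTLS1.0') }
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\VMware,Inc\VMware View Composer'; Names = @('EnableTLS1.0') }
)

# Hypothetical helper: returns one object per value with its state and data.
function Get-RegistryValueState {
    param([string]$Path, [string[]]$Names)
    foreach ($name in $Names) {
        $value = $null
        $state = 'KeyMissing'
        if (Test-Path -LiteralPath $Path) {
            $item = Get-ItemProperty -LiteralPath $Path -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$name; $state = 'Set' }
            else { $state = 'ValueMissing' }
        }
        [pscustomobject]@{ Path = $Path; Name = $name; State = $state; Value = $value }
    }
}

$report = foreach ($t in $targets) { Get-RegistryValueState -Path $t.Path -Names $t.Names }
$report | Format-Table -AutoSize -Wrap

# Values that leave the TLS 1.0 client protocol switched on:
#   DisabledByDefault = 0, Enabled <> 0, or EnableTLS1.0 = "1".
$downgraded = $report | Where-Object {
    ($_.Name -eq 'DisabledByDefault' -and $_.State -eq 'Set' -and $_.Value -eq 0) -or
    ($_.Name -eq 'Enabled'           -and $_.State -eq 'Set' -and $_.Value -ne 0) -or
    ($_.Name -eq 'EnableTLS1.0'      -and $_.State -eq 'Set' -and "$($_.Value)" -eq '1')
}
if ($downgraded) {
    Write-Warning "TLS 1.0 client settings present on ${env:COMPUTERNAME}:"
    $downgraded | ForEach-Object { Write-Warning ("  {0}\{1} = {2}" -f $_.Path, $_.Name, $_.Value) }
} else {
    Write-Output 'No TLS 1.0 re-enable settings found.'
}
```

Run it in an elevated PowerShell session on the View Composer host; it only reads the registry and changes nothing.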

Re-enable TLSv1.0 on VMware Connection Server

To re-enable TLSv1.0 on VMware Connection Server:

1. Start the ADSI Edit utility on your View Connection Server host.

2. In the console tree, select Connect to.

3. In the Select or type a Distinguished Name, type the distinguished name DC=vdi,DC=vmware,DC=int.

4. In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the View Connection Server host followed by port 389.


5. Expand the ADSI Edit tree, expand OU=Properties, select OU=Global, and double-click CN=Common.

6. In the Properties dialog box, edit the pae-ClientSSLSecureProtocols attribute to add this entry:
\LIST:TLSv1.2,TLSv1.1,TLSv1


7. Click OK.

8. Restart the VMware Horizon View Connection Server service on each connection server instance.


1 comment:

dlgardiner said...

Hi Terence,

I am having a similar problem in my environment. I am trying to use your suggestion in this article to fix it but when I use ADSI edit and drill down to the CN=Common folder, the pae-ClientSSLSecureProtocols attribute is not listed. Is there a way to add this attribute? Thanks for your help.