Last week I had the task to update our VMware View environment from 7.0 to 7.11, a sizeable dot release upgrade. 7.11 was released in December 2019. This included the upgrade of Connection Server, Security Servers, Composer and the View Agent installed on desktop pools.
The issue I ran into was post-upgrade. The View Connection Server could not validate the certificate from View Composer. Composer is installed side by side with the Windows version of vCenter (in the VCSA deployment of vCenter, Composer is standalone). Upon logging into VCS and clicking on the View Composer status, you get a message box with “There was an error indentifying the validity of the server”. When you try to accept the thumbprint as in past versions, you get another error message saying that the certificate is unable to be read at this time.
This issue is related to how the View Composer installer works. The newer installer will replace the existing View Composer certificate with a newly generated certificate with the FQDN of the host you have it installed on. So if my View Composer cert CN was SERVER01 before upgrading, the installer will replace it with SERVER01.company.com (the FQDN of the server). This means that VCS can't connect to Composer because the server name in the VCS LDAP database does not match the CN of the newly generated cert.
I spent about an hour or so trying to find this fix, which has been blogged about across the web a fair bit. I also tried to re-enable TLS 1.0 within View Composer, which you cannot do with the newer version because the registry key is locked down (you get a permissions access denied error message).
So here's how to fix the issue:
Before making any changes make sure you have a valid backup of your View environment.
First off, find the name of the existing Composer cert in the View LDAP database:
1. Stop the Composer service.
2. Open CMD and change directory to the Composer installation directory.
3. sviconfig -operation=ReplaceCertificate -delete=false
4. Press 0 to abort.
The Composer cert will have the NETBIOS name of the vCenter Server instead of the FQDN, such as https://SERVER01:18443
Update the LDAP attribute for the View Composer host URL:
1. On the View Connection Server, Start -> run -> adsiedit.msc
2. In the connection settings:
Name: anything you want.
Connection Point: dc=vdi,dc=vmware,dc=int
Computer: localhost:389
Press Ok.
3. Expand the directory
4. Expand OU=Properties then the OU=VirtualCenter
5. Right-click the object within VirtualCenter and choose Properties.
6. Locate the attribute pae-SVIURL, edit it, and put in the name found when viewing the Composer certificate. (In this example it would be https://server01.company.com:18443)
7. Click ok and exit ADSIEdit.
8. Go to the Connection Server and refresh; you’ll notice the Composer value has changed to the one we modified, and you’ll be able to validate the certificate normally.
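To confirm the mismatch before editing and the fix afterwards, here is a read-only PowerShell check to run on the Connection Server. It is an added example, not part of the original post or VMware's tooling. The function names are hypothetical; the LDAP path, attribute name and port are taken from the steps above.

```powershell
# Added example: compares the host stored in pae-SVIURL with the names in the
# certificate Composer actually presents. Makes no changes to LDAP or Composer.

function Get-ComposerUrlFromLdap {
    # Same connection point as the ADSIEdit steps: localhost:389, dc=vdi,dc=vmware,dc=int
    $root = [ADSI]'LDAP://localhost:389/OU=VirtualCenter,OU=Properties,DC=vdi,DC=vmware,DC=int'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(pae-SVIURL=*)'
    [void]$searcher.PropertiesToLoad.Add('pae-sviurl')
    foreach ($result in $searcher.FindAll()) {
        $result.Properties['pae-sviurl'] | ForEach-Object { [string]$_ }
    }
}

function Get-ServerCertNames {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: the goal is to read it, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # Request TLS 1.2 explicitly, since newer Composer versions lock out TLS 1.0.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @($cert.GetNameInfo('SimpleName', $false))   # subject CN
        # Subject Alternative Name extension; the "DNS Name=" label is the English Windows format.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        $names | Sort-Object -Unique
    } finally {
        $client.Dispose()
    }
}

foreach ($url in Get-ComposerUrlFromLdap) {
    $uri = [Uri]$url
    $names = Get-ServerCertNames -HostName $uri.Host -Port $uri.Port
    [pscustomobject]@{
        LdapUrl   = $url
        CertNames = $names -join ', '
        Match     = $names -contains $uri.Host   # -contains is case-insensitive
    }
}
```

A Match value of False means the name in pae-SVIURL is not one of the names in the certificate, which is the condition the ADSIEdit steps correct.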
I hope this helps anyone else who has run into this issue. Some other links about this issue are here and here.