Win2012 - PowerCLI is unable to login to the vCenter
Article ID: 345408

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

PowerCLI on Windows Server 2012 is unable to log in to vCenter, while the same PowerCLI on later Windows versions logs in successfully.

You may receive an error like the one below.

connect-viserver : 4/2/2023 4:22:01 PM Connect-VIServer Error: Invalid server certificate. Use Set-PowerCLIConfiguration to set the value for the InvalidCertificateAction option to Prompt if you'd like to connect once or to add a permanent exception for this server.
Additional Information: Could not establish secure channel for SSL/TLS with authority 'vcentername'.
At line:1 char:1
+ connect-viserver "vcentername"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [Connect-VIServer], ViSecurityNegotiationException
+ FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_CertificateError,VMware.VimAutomation.ViCore.Cmdlets.Commands.ConnectVIServer


The InvalidCertificateAction option is already set to Ignore, so the certificate setting itself is not the cause:
 

PS C:\> Get-PowerCLIConfiguration

Scope    ProxyPolicy     DefaultVIServerMode InvalidCertificateAction  DisplayDeprecationWarnings WebOperationTimeout
                                                                                                  Seconds
-----    -----------     ------------------- ------------------------  -------------------------- -------------------
Session  UseSystemProxy  Multiple            Ignore                    True                       -1
User                     Multiple            Ignore                                               -1
AllUsers



Environment

VMware vCenter Server 7.0.x

Cause

When cipher restrictions are configured in the vCenter rhttpproxy and the strongest cipher suite offered by Windows Server 2012 is also not allowed by vCenter, the Windows Server 2012 host is refused an SSL/TLS handshake and PowerCLI reports the error below.

Could not establish secure channel for SSL/TLS with authority 'vcentername'.

A packet capture shows which cipher suite is being used, or attempted, to establish the handshake.

Temporarily remove the cipher restriction from the rhttpproxy config file by removing the line described in Disabling static ciphers for TLS in the vCenter Server appliance, so that the handshake can complete and the negotiated cipher suite is visible in the capture.

Enable the packet capture with the command below on the vCenter (options are placed before the filter expression):

tcpdump -vv -w tcpdump.pcap host <Windows_host_IP> and port 443


Use a tool such as Wireshark, or an equivalent, to decode the capture file and identify the cipher suites involved in the handshake. Look at the Client Hello for the list of cipher suites the Windows host sends to vCenter, and at the Server Hello for the cipher suite vCenter selects. The selected suite is the most secure cipher suite that the client and vCenter have in common.

Decode captures from both a working and a non-working host and compare the cipher suites offered and selected.

Client Hello packet decode: 

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 320
        Handshake Protocol: Client Hello
<Text_Truncated>
            Cipher Suites (30 suites)  <<<<<< 
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
<Text_Truncated>



Server Hello Decode: 

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 61
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 57
            Version: TLS 1.2 (0x0303)
            Random: f574803172e7a07ae1b733c43ebefdab4d5e2edd0cd4471a5fe52a3b4634c768
            Session ID Length: 0
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   <<<< This is the selected Cipher for the communication
<Text_Truncated>
   

 

If the server and client have no cipher suite in common, the server returns a fatal alert as below instead of a Server Hello.

Transport Layer Security
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)
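The negotiation described above (Client Hello offers a list, Server Hello names one suite, or a fatal handshake_failure alert is returned when nothing overlaps) can be checked outside Wireshark as well. The script below is an added example and is not VMware code: it builds a minimal TLS 1.2 Client Hello, decodes Client Hello, Server Hello and Alert records the way the trees above show them, and models the server side's choice. The cipher suite codes are the four from the decodes above plus one older suite (0x002F) added as a constructed example; the assumption that the server walks its own preference list is the example's, since the article does not state rhttpproxy's selection policy.

```python
import struct

# Cipher suite codes from the Client Hello/Server Hello decodes in this article,
# plus one older suite (0x002F) added here as a constructed example.
SUITE_NAMES = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

HANDSHAKE, ALERT = 22, 21           # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 1, 2   # handshake message types
TLS12 = b"\x03\x03"                 # Version: TLS 1.2 (0x0303)


def _record(ctype, payload):
    return bytes([ctype]) + TLS12 + struct.pack("!H", len(payload)) + payload


def _handshake(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def build_client_hello(suites):
    """Build a minimal TLS 1.2 Client Hello record offering `suites` (constructed input)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (TLS12 + bytes(32)                  # client_version + random (zeroed for the example)
            + b"\x00"                          # session_id length 0
            + struct.pack("!H", len(cs)) + cs  # cipher_suites vector
            + b"\x01\x00"                      # compression_methods: null only
            + b"\x00\x00")                     # extensions length 0
    return _record(HANDSHAKE, _handshake(CLIENT_HELLO, body))


def parse_record(rec):
    """Decode one TLS record into the fields the Wireshark trees above display.

    Returns ("client_hello", [suite codes]), ("server_hello", suite code)
    or ("alert", level, description).
    """
    ctype = rec[0]
    length = struct.unpack("!H", rec[3:5])[0]
    payload = rec[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated TLS record")
    if ctype == ALERT:
        return ("alert", payload[0], payload[1])
    if ctype != HANDSHAKE:
        raise ValueError("unexpected content type %d" % ctype)
    htype = payload[0]
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    # Both Hello messages start with version(2) random(32) session_id_len(1) session_id
    off = 35 + body[34]
    if htype == CLIENT_HELLO:
        cs_len = struct.unpack("!H", body[off:off + 2])[0]
        cs = body[off + 2:off + 2 + cs_len]
        return ("client_hello", list(struct.unpack("!%dH" % (cs_len // 2), cs)))
    if htype == SERVER_HELLO:
        return ("server_hello", struct.unpack("!H", body[off:off + 2])[0])
    raise ValueError("unexpected handshake type %d" % htype)


def negotiate(client_suites, server_allowed):
    """Pick the first suite in the server's preference list that the client offered.

    Returns None when there is no overlap, which is the Handshake Failure case.
    (Server-preference ordering is an assumption of this example.)
    """
    for suite in server_allowed:
        if suite in client_suites:
            return suite
    return None


def server_response(client_hello_rec, server_allowed):
    """Answer a Client Hello with a Server Hello, or with a fatal handshake_failure alert."""
    kind, suites = parse_record(client_hello_rec)
    if kind != "client_hello":
        raise ValueError("expected a Client Hello record")
    chosen = negotiate(suites, server_allowed)
    if chosen is None:
        return _record(ALERT, bytes([2, 40]))  # Level: Fatal (2), Description: Handshake Failure (40)
    body = (TLS12 + bytes(32) + b"\x00"        # server_version + random + empty session_id
            + struct.pack("!H", chosen)        # the single selected cipher suite
            + b"\x00")                         # compression_method: null
    return _record(HANDSHAKE, _handshake(SERVER_HELLO, body))


if __name__ == "__main__":
    # Constructed scenario: a server restricted to the four ECDHE GCM suites (assumption),
    # a newer client offering all of them, and an older client whose only offer is 0x002F.
    server_allowed = [0xC030, 0xC02F, 0xC02C, 0xC02B]
    for label, offered in (("new client", [0xC02C, 0xC02B, 0xC030, 0xC02F]),
                           ("old client", [0x002F])):
        reply = parse_record(server_response(build_client_hello(offered), server_allowed))
        if reply[0] == "server_hello":
            print(label, "->", SUITE_NAMES[reply[1]])
        else:
            print(label, "-> Alert level=%d description=%d (Handshake Failure)" % reply[1:])
```

Feed `parse_record` the raw bytes of a record exported from Wireshark to get the same offered and selected lists the GUI shows; when the selected suite on a working host is absent from the non-working host's Client Hello, the mismatch described in the Cause section is confirmed.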

Resolution

Configure the required cipher suites on the Windows Server 2012 client so that it offers at least one suite that vCenter allows.

Workaround:
Allow, in the vCenter rhttpproxy cipher configuration, the cipher suites that are supported by the Windows Server 2012 client OS.