This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
nagaeendra
Level 6
ā€ŽSep 16, 2019 06:46 AM

Fail to run discovery on VMware vCenter

We are getting this error when querying vCenter server 

Failed to retrieve contents from web service https://vcenterserver:443/sdk

An error occured in HTTP processing
In fsend call to WinHttpSendRequest: A security error occurred (12175)
One or more errors were encountered while retrieving a Secure Sockets Layer (SSL) certificate from the server: The application experienced an internal error loading the SSL libraries.

 

Checked https://IPAddress:PortNumber/sdk/vimService.wsdl  and   https://IPAddress:PortNumber/MOB

Ports are open verified with MgsIPScan.

Appreciate if any other inputs / suggestion 

0 Kudos
9 Replies
statler
Level 6
ā€ŽSep 16, 2019 07:58 AM

Hi Nagaeendra,

Looks as if your vCenter is running on a newer OS that is not supporting TLS 1.0 anymore and your Beacon is running on Windows 7 still?

Windows 7 requires TLS 1.0 or SSL3 to be supported. See the following URLs for documentation and a fix from Microsoft:

https://social.technet.microsoft.com/Forums/en-US/e07aa2b7-abd4-4212-94b9-56cf73a91323/certificate-e...
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-sec...

stefange
Level 6
ā€ŽSep 16, 2019 08:07 AM

Hi,

This is probably to due the security settings on your server.

Can you verify the following setting in the registry?

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]"DefaultSecureProtocols"

If value is dword:00000800, than TLS 1.2 is only enabled. When you change the value to dword:00000200 (TLS 1.1 enabled) than the scan will work probably again after a beacon engine restart.

Can you give this a try?

0 Kudos
nagaeendra
Level 6
In response to stefange
ā€ŽSep 16, 2019 10:48 PM

Thanks @ stefangeerars

It's a win 2012 server and don't have this keyword DefaultSecureProtocols  under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp 

It only has Passport Test and Tracing Keys

0 Kudos
stefange
Level 6
ā€ŽSep 17, 2019 02:49 AM

Hi,

Can you verify if you are using the SchUseStrongCrypto?

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\vx.x.xxxx]
"SchUseStrongCrypto"=dword:00000001

and did you set the Windows Schannel to disable for example TLS 1.0 and TLS 1.1?

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\

Stefan

0 Kudos
nagaeendra
Level 6
In response to stefange
ā€ŽSep 17, 2019 04:16 AM

Hi @stefange 

Yes, verified SchUseStrongCrypto it is set to dword:00000001

No TLS 1.0 and TLS 1.1 are set to enable.

should SSL 2.0 and 3.0 be enabled or disabled.

Thanx

0 Kudos
stefange
Level 6
In response to nagaeendra
ā€ŽSep 17, 2019 06:09 AM

Try adding the registry key

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]"DefaultSecureProtocols"

with value: dword:00000200

Stefan

0 Kudos
nagaeendra
Level 6
In response to stefange
ā€ŽSep 18, 2019 03:51 AM

Hi @stefange 


Checked by adding dword:00000200
Doesn't throw me SSL error now by doesn't do discovery also
But  on ESXquery I see  
" Decryption operation failed 
In fsend call to WinHttpSendRequest : A connection with the server could not be established (12029) 
An error occured in HTTP processing 
Failed to retrieve contents from web service https://vCenter server:443/sdk
BindingServer(ServerIP, proto=https, port=0) failed. "

0 Kudos
mgunnels
Moderator Moderator
Moderator
ā€ŽSep 17, 2019 09:10 AM

Question, Is the certificate on the vCenter server still valid?

0 Kudos
nagaeendra
Level 6
In response to mgunnels
ā€ŽSep 17, 2019 09:41 PM

Hi @ mgunnels 

Yes, certificate on vCenter is valid. though root certificate authority are different between these 2 server (vCenter & FNMS server) 

0 Kudos