VMware Enhanced Authentication Plug-in 6.5 conflicts

The issue

After deploying vCenter 6.5 in a test environment I had to install the VMware Enhanced Authentication Plug-in (EAP). The EAP is the successor of the Client Integration plug-in (CIP) used for the Web Client in vSphere 6.
I had trouble getting the EAP to work, and it finally worked after I removed all other plug-ins installed on my local workstation.
As I still need to use the CIP in parallel, I tried to reinstall it, only to discover that it did not work any more.

After playing around a bit with uninstalling and reinstalling the plug-ins and the C# client of vSphere 6.0, it became clear to me that the 6.5 EAP cannot coexist on the same workstation as the vSphere 6.0 C# client or the 6.0 CIP. (I used the latest build of each version when testing: EAP and CIP
I also tried to see if the EAP would be backwards compatible, but I was not able to connect to the vSphere 6.0 Web Client with only the EAP installed.

Official statement from VMware

VMware support analysed the situation and they managed to reproduce the issue. After testing internally, they finally confirmed my findings and a KB was created for the issue (2149885).
The official cause VMware support states in the KB is:

Both CIP and EAP plugin generate self-signed certs during installation and add them in the browser. They use the same folder to store the certs (C:\ProgramData\VMware\CIP\csd\ssl). The second plugin installation checks the folder (C:\ProgramData\VMware\CIP\csd\ssl) and finds the certs are already there and does not install its certs, causing the browser to not trust the second plugin.
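
The cause given in the KB can be checked on an affected workstation. The PowerShell sketch below is an added example, not code from VMware or from the original post: it loads every certificate file in the shared folder and reports whether its thumbprint is present in the Windows root stores. The function name and the choice of stores are assumptions, since the KB only says the certs are added "in the browser".

```powershell
# Added diagnostic sketch; the folder path is the one quoted in the KB.
$sslDir = 'C:\ProgramData\VMware\CIP\csd\ssl'

# Assumption: trust is established through the Windows root stores.
# A browser with its own certificate store is not covered by this check.
$rootStores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Hypothetical helper name, introduced for this example only.
function Get-PluginCertReport {
    param([string]$Path, [string[]]$Stores)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Folder not found: $Path"
        return
    }

    # Index the thumbprints of all certificates in the trust stores once.
    $trusted = @{}
    foreach ($store in $Stores) {
        foreach ($c in Get-ChildItem -Path $store) {
            $trusted[$c.Thumbprint] = $store
        }
    }

    foreach ($file in Get-ChildItem -LiteralPath $Path -File) {
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
        } catch {
            # Private keys and other non-certificate files are skipped.
            continue
        }
        [pscustomobject]@{
            File       = $file.Name
            Subject    = $cert.Subject
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            TrustedIn  = $trusted[$cert.Thumbprint]   # empty when in no store
        }
    }
}

Get-PluginCertReport -Path $sslDir -Stores $rootStores | Format-List
```

Comparing `NotBefore` with the time each plug-in was installed indicates which installer generated the files that are still in the folder.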

When checking the vSphere 6.5 documentation center (here), one can see that initially both plug-ins were supposed to work on the same machine:

The Enhanced Authentication Plug-in can function seamlessly if you already have the Client Integration Plug-in installed on your system from a vSphere release prior to 6.5. There are no conflicts if both plug-ins are installed.

Currently no resolution

At the time of writing, there is no workaround to this issue. This means that if you need to manage vSphere 6 and 6.5 environments in parallel, and you need both the EAP and CIP for the Web Clients, you’ll need an extra machine for management.

Let’s hope that there will be a fix soon.

Thanks for sharing!
