Symptoms
  • Trusted signed certificate from vCenter server is incorrect and untrusted in VMware View 7.x administrator dashboard
  • Clicking on VERIFY button does not perform the verification of certificates
  • In the DriveLetter:\ProgramData\VMware\VDM\logs folder, you see entries similar to:

ERROR (0C94-07AC) <VirtualCenterDriver-c2ff399a-e8dc-49d3-8eec-6482fa1fe046> [ServiceConnection25] Problem connecting to VirtualCenter at https://vcenter.com:443/sdk (javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.)
WARN (0C94-07AC) <VirtualCenterDriver-c2ff399a-e8dc-49d3-8eec-6482fa1fe046> [VirtualCenterDriver] Unable to establish a connection with VC <https://vcenter.com:443/sdk> using VIM 2.5 binding

ERROR (0C94-17C8) <ajp-nio-8009-exec-3> [Connection4] Connection to the vCenter Server https://vcenter.com:443/sdk failed.
DEBUG (0C94-17C8) <ajp-nio-8009-exec-3> [Connection4] [EXCEPTION] Connection to the vCenter Server https://vcenter.com:443/sdk failed.
DEBUG (0C94-17C8) <ajp-nio-8009-exec-3> [Connection4] [EXCEPTION] javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.

DEBUG (0C94-17C8) <ajp-nio-8009-exec-3> [Connection4] [EXCEPTION] com.vmware.vdi.admin.be.common.Util.reportException(SourceFile:88)
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.

DEBUG (0C94-17C8) <ajp-nio-8009-exec-3> [VCServerBean] Non SSL error while validating cert. Ignoring com.vmware.vdi.admin.ui.bean.VCServerBean.validateCertificate(SourceFile:1613)
com.vmware.vdi.adamwrapper.exceptions.VCConnectionFailedException: javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.

Cause
This issue occurs because the TLSv1.0 security protocol is disabled by default in Horizon 7 and later, and the deployment includes an older version of vCenter Server that supports only TLSv1.0.
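To confirm this cause in a large log file, the handshake failures can be grouped by the vCenter endpoint they refer to. The following Python script is an added example, not VMware code; the name find_tls_mismatches and the regular expressions are assumptions derived from the log excerpts in the Symptoms section.

```python
import re
from collections import defaultdict

# Handshake failure text from the Symptoms section; captures the protocol
# version the server selected (for example "TLSv1").
HANDSHAKE_RE = re.compile(
    r"SSLHandshakeException: Server chose (?P<proto>\S+), but that protocol "
    r"version is not enabled or not supported by the client"
)
# vCenter SDK endpoint as it appears in the connection error lines.
ENDPOINT_RE = re.compile(r"https://[^\s<>/]+/sdk")
# Line prefix "LEVEL (id) <thread>"; fault and stack-trace lines lack it.
PREFIX_RE = re.compile(r"^[A-Z]+\s+\([0-9A-F-]+\)\s+<(?P<thread>[^>]+)>")

def find_tls_mismatches(log_text):
    """Group handshake failures by vCenter endpoint: {url: details}."""
    # A failure line without a URL (fault detail, stack trace) is attributed
    # to the last endpoint logged on the same thread, or to "unknown".
    last_endpoint = {}  # thread -> most recent endpoint seen on it
    findings = defaultdict(lambda: {"protocols": set(), "threads": set(), "hits": 0})
    thread = None
    for line in log_text.splitlines():
        prefix = PREFIX_RE.match(line)
        if prefix:
            thread = prefix.group("thread")
        endpoint = ENDPOINT_RE.search(line)
        if endpoint:
            last_endpoint[thread] = endpoint.group(0)
        failure = HANDSHAKE_RE.search(line)
        if failure:
            entry = findings[last_endpoint.get(thread, "unknown")]
            entry["protocols"].add(failure.group("proto"))
            entry["threads"].add(thread)
            entry["hits"] += 1
    return dict(findings)

ERR_TEXT = ("javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol "
            "version is not enabled or not supported by the client.")
# Sample input assembled from the log excerpt in the Symptoms section.
SAMPLE_LOG = "\n".join([
    "ERROR (0C94-07AC) <VirtualCenterDriver-c2ff399a-e8dc-49d3-8eec-6482fa1fe046> [ServiceConnection25] Problem connecting to VirtualCenter at https://vcenter.com:443/sdk (" + ERR_TEXT + ")",
    "ERROR (0C94-17C8) <ajp-nio-8009-exec-3> [Connection4] Connection to the vCenter Server https://vcenter.com:443/sdk failed.",
    "DEBUG (0C94-17C8) <ajp-nio-8009-exec-3> [Connection4] [EXCEPTION] " + ERR_TEXT,
    "faultString: " + ERR_TEXT,
])

if __name__ == "__main__":
    for url, info in find_tls_mismatches(SAMPLE_LOG).items():
        print(url, sorted(info["protocols"]), info["hits"], "failure lines")
```

Each endpoint the script reports with TLSv1 is a vCenter Server that negotiated a protocol the Horizon client has disabled.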
Resolution
To resolve this issue, upgrade to vCenter Server 6.0 Update 1b, available at VMware Downloads. For more information, see VMware vCenter Server 6.0 Update 1b Release Notes.

To work around this issue when you do not want to upgrade, use one of these options:
  • Enable TLSv1.0 on VMware View Composer

To enable TLSv1.0 on VMware View Composer:

  1. Click Start > Run, type regedit, and click OK. The Registry Editor window opens.
  2. Navigate to HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

    Note
    If this key does not already exist, create the key.
     
  3. Delete the value Enabled if it exists.
  4. Edit the DWORD value DisabledByDefault and set it to 0.
  5. Restart the VMware View Composer service. TLSv1.0 connections from View Composer to vCenter are now enabled.
  6. Navigate to HKLM\SOFTWARE\VMware,Inc.\VMware View Composer.
  7. Create or edit the String value EnableTLS1.0 and set it to 1.
  8. If the View Composer host is a 64-bit machine, navigate to HKLM\SOFTWARE\WOW6432Node\VMware,Inc\VMware View Composer.
  9. Create or edit the String value EnableTLS1.0 and set it to 1.
  10. Restart the VMware Horizon View Composer service. TLSv1.0 connections from View Composer to ESXi hosts are now enabled.
  • Enable TLSv1.0 on VMware Connection Server

To enable TLSv1.0 on VMware Connection Server:

  1. Start the ADSI Edit utility on your View Connection Server host.
  2. In the console tree, select Connect to.
  3. In the Select or type a Distinguished Name field, type the distinguished name DC=vdi,DC=vmware,DC=int.
  4. In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the View Connection Server host followed by port 389.
  5. Expand the ADSI Edit tree, expand OU=Properties, select OU=Global, and double-click CN=Common.
  6. In the Properties dialog box, edit the pae-ClientSSLSecureProtocols attribute to add this entry:

    \LIST:TLSv1.2,TLSv1.1,TLSv1
     
  7. Click OK.
  8. Restart the VMware Horizon View Connection Server service on each connection server instance.