VMware ESX/ESXi Account Discovery and RPC Configuration

Please see the Discovery Platform Specifics for a comprehensive guide to configuring and using discovery.

Overview

The ESX/ESXi (API) password changer verifies (using heartbeat) and changes VMware ESX/ESXi passwords via the vSphere API. Password changing and discovery for Secret Server 10.6 and later requires PowerCLI 6.5.1 or higher.

Either PowerCLI 6.5.1 or higher must be installed on the servers running discovery or your local Secret Server machine or machines running distributed engine. Earlier versions of the password changer are now deprecated.

Important: If you get an error about not being able to load file or assembly VMware.Binding.WsTrust.dll, you can copy that file from location:

C:\Program Files\WindowsPowerShell\Modules\VMware.VimAutomation.Common\X.X.X.X\net45 - where X.X.X.X is the number of version installed on your system,

and paste it to the location:

C:\Program Files\WindowsPowerShell\Modules\VMware.Vim\X.X.X.X\net45 - where X.X.X.X is the number of version installed on your system.

Details

Secret Server searches the Windows PATH environment variable for the VMware SDK, so installing the correct version of it is all that is needed. On the machine where you install VMware PowerCLI, update the Windows "Path" environment variable to include the folder containing VMware.Vim.dll.

After installing the VMware PowerCLI, the default installation path is: C:\Program Files\WindowsPowerShell\Modules\VMware.Vim\[version]\net45. The PowerCLI installation path must be in the system PATH variable.

To edit your PATH:

  1. Open the System Properties panel (run sysdm.cpl) to add C:\Program Files\WindowsPowerShell\Modules\VMware.Vim\[version]\net45 to the PATH.

  2. From the System Properties dialog, select Advanced tab

  3. Click Environment Variables…

  4. Under the System Variables section, highlight Path, then click Edit. The Edit Environment Variable dialog box appears.

  5. Click the New button

  6. Type C:\Program Files\WindowsPowerShell\Modules\VMware.Vim\[version]\net45 as the new entry.

  7. Click the OK button when done.
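The same PATH change, scripted for servers where you would rather not click through the dialog. This is an added example, not Delinea's or VMware's code; it assumes the default PowerCLI module root shown above and must run from an elevated PowerShell prompt on the Secret Server or distributed engine machine.

```powershell
# Added example (not Delinea's code): locate the PowerCLI VMware.Vim net45 folder,
# verify VMware.Vim.dll is present, and add the folder to the machine-level PATH.
# Assumption: default module root from the documentation above.
$moduleRoot = 'C:\Program Files\WindowsPowerShell\Modules\VMware.Vim'

# Pick the highest installed version folder (the [version] placeholder in the steps above)
$versionDir = Get-ChildItem -Path $moduleRoot -Directory -ErrorAction Stop |
    Sort-Object { [version]$_.Name } -Descending |
    Select-Object -First 1
$net45 = Join-Path $versionDir.FullName 'net45'

if (-not (Test-Path (Join-Path $net45 'VMware.Vim.dll'))) {
    throw "VMware.Vim.dll not found in $net45 (PowerCLI 6.5.1 or higher may not be installed)"
}

# Machine-scope PATH is the one the IIS application pool and the distributed engine service see
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$entries = $machinePath -split ';' | Where-Object { $_ }

if ($entries -contains $net45) {
    "PATH already contains $net45"
} else {
    [Environment]::SetEnvironmentVariable('Path', (($entries + $net45) -join ';'), 'Machine')
    "Added $net45 to the machine PATH; recycle the app pool or restart the engine service to pick it up"
}

# Also confirm the assembly named in the Important note above is next to VMware.Vim.dll
$wsTrust = Join-Path $net45 'VMware.Binding.WsTrust.dll'
if (Test-Path $wsTrust) {
    "VMware.Binding.WsTrust.dll present"
} else {
    "VMware.Binding.WsTrust.dll missing from $net45; copy it from VMware.VimAutomation.Common as described above"
}
```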

Download Locations

Download supported versions of PowerCLI from VMware:

VMware PowerCLI

After installing PowerCLI, run the following PowerShell command:

Install-Module -Name VMware.PowerCLI -Force


Troubleshooting and Issues

  • The error "The VMware VIM API is not installed or is the wrong version" indicates that PowerCLI needs to be installed.

  • We recommend not using an outdated SDK with an updated version of VMWare.

  • Secret Server's VMWare password changer rejects self-signed SSL certificates. Make sure your VMWare servers have valid SSL certificates (see below for settings).

  • The error "Exception: The remote certificate is invalid according to the validation procedure" indicates that vCenter server root certificates needs to be installed. More info here.

  • For Secret Server installed editions, you may need to restart the Secret Server website after installing PowerCLI. Do this by recycling the Secret Server application pool or performing an IIS reset.

  • For distributed engines, the distributed engine service may need to be restarted after PowerCLI is installed.

ESXi Certificate Settings

VMware recommends not including a CRL/CDP in certificate templates. To that end, we recommend adding the X509RevocationMode.NoCheck option to the ESXi.CertificateChainPolicyOptions setting.

Delinea added a configuration option for Secret Server to allow ESXi TLS connections to ignore self-signed certificates, allow certificates from specific issuers (even if issuer is not in trusted certificate lists), or completely skip certificate validation when using ESXi password changer, heartbeat, or discovery.

For security reasons, we do not encourage customers to use self-signed certificates. Therefore, the new configuration settings listed below are not accessible through the UI. If you need to alter the default ESXi certificate validation settings, submit a case through Delinea's Support Portal for assistance.

New advanced configuration settings include:

  • ESXi: Enable TLS Debugging and Connection Tracking: Identical to TLS Audit option, but specifically for ESXi. If set to true and Secret Server (or DE) auditing is set to DEBUG, detailed debug messages about the certificate chain will be written to the log file.

  • ESXi: Certificate Chain Policy Options: Identical to TLS Audit option, but specifically for ESXi. Allows setting X509 options to be applied to certificate validation. This is a comma-delimited list of options. See TLS Auditing or the Details section for more information.

  • ESXi: Allow Certificates Issued By: Semicolon-delimited list of issuer names (in the format shown on the certificate, such as "O=Issuer Name"). Ignores partial-chain errors caused by the certificate being issued by any issuer in this list when that issuer is not in the trusted root or intermediate CA lists on the server.

  • ESXi: Client Certificate Thumbprints: Identical to TLS Audit option, but specifically for ESXi. If ESXi host requires the client to present a valid certificate, this is a semi-colon delimited list of client certificates on the server to try to present.

  • ESXi: Ignore All Certificate Errors: If true, certificate validation will not be performed. All certificate errors will be ignored.

  • ESXi: Allow Default Host Certificates: Sets all the TLS configuration options necessary to not fail due to a default ESXi host certificate and its issuer not being in the trusted certificates lists. This is a combination of setting the issuer to ignore and not performing a revocation check. Setting this to false should be the first change to make when attempting to resolve heartbeat, RPC, or discovery issues to ESXi hosts when using PowerCLI versions later than 5.5.

  • ESXi: Ignore Self-Signed Certs: If true, ignores any self-signed certs (subject = issuer) from ESXi hosts during heartbeat, RPC, and discovery.

Issues with self-signed certificates previously implemented by customers were caused by a security update to the VMware vSphere PowerCLI in versions after 5.5 that no longer permits the use of self-signed certificates.
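Before opening a support case for the settings above, it helps to know exactly what certificate the ESXi host presents: whether subject equals issuer (what "Ignore Self-Signed Certs" acts on), the issuer string you would quote in "Allow Certificates Issued By", and whether the chain builds with X509RevocationMode.NoCheck. The script below is an added example, not Delinea's code; the host name is an assumption to replace with your own ESXi host.

```powershell
# Added example (not Delinea's code): fetch an ESXi host's TLS certificate and report
# the properties the ESXi certificate settings act on. $HostName is an assumption.
param(
    [string]$HostName = 'esxi01.example.local',   # assumption: your ESXi host
    [int]$Port = 443
)

$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
# Accept the certificate here only so it can be captured; validation is done explicitly below.
$captureOnly = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $captureOnly)
try {
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $client.Dispose()
}

# "ESXi: Ignore Self-Signed Certs" matches on subject = issuer
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# Build the chain as "Certificate Chain Policy Options" with X509RevocationMode.NoCheck would,
# i.e. without a CRL/CDP lookup, which VMware recommends leaving out of templates
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$statuses = $chain.ChainStatus | ForEach-Object { $_.Status }

[pscustomobject]@{
    Host        = $HostName
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer        # value to quote in "Allow Certificates Issued By"
    Thumbprint  = $cert.Thumbprint
    NotAfter    = $cert.NotAfter
    SelfSigned  = $selfSigned
    ChainBuilds = $chainOk
    ChainStatus = ($statuses -join ', ')   # e.g. PartialChain when the issuer is not trusted locally
}
```

Run it on the Secret Server or distributed engine machine, since the chain result depends on that machine's trusted root and intermediate CA stores.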