One of the coolest features that I have been personally looking forward to is the ability to access a virtual machine's remote console on a Mac OS X system, which is now available as part of the vSphere 5.5 release. When you launch the VM's remote console using the vSphere Web Client on a Mac OS X system, instead of using the regular VMRC, it launches an HTML5 based console for your VM.
One thing that you might have noticed when performing this same action on a Windows desktop using the vSphere Web Client is that VMRC is used instead of the HTML5 console (notice the generated URLs are different). My understanding is that the VMRC is currently more performant than the HTML5 console and hence it is preferred when possible. I have been using the HTML5 based console for quite some time now and I have not had any issues with it. I really hope to see us use the HTML5 console as the default console in the future!
Having said all this, there is a way for all users to benefit from this new HTML5 based VM console, which is to automatically generate the URL, which can then be loaded into any HTML5 supported web browser on a Mac OS X, Windows or even Linux system. I used a similar method in generating the VM Remote Console for the vSphere Web Client which is VMRC specific.
UPDATE (07/26/17): I have just published a PowerCLI script called GenerateVMConsoleURL.ps1 which runs against a vSphere 6.5 environment and supports generating the HTML5 VM Console, Standalone VMRC and WebMKS URLs. As noted by several folks in the comments below, the pre-auth mechanism no longer works post-6.0, so you will need to have logged in already for the console to automatically load OR you will be prompted to login before being re-directed. For those that wish to generate VM Console URLs for older vSphere versions, you can modify the script to handle those other scenarios.
The really cool part about this solution is that you can provide a one time pre-authenticated HTML5 based VM console URL that can then be given to your end users to access their VM. This of course can be automatically generated through a custom portal without needing to provide direct access to the vSphere Web Client.
Here is an example of what the HTML5 VM console URL looks like in vSphere 5.5:
http://reflex.primp-industries.com:7331/console/?vmId=vm-23&vmName=VCSA&host=reflex.primp-industries.com&sessionTicket=cst-VCT-5254c455-4340-2185-e149-01ce44b146e1--tp-4A-88-17-7C-F5-D0-79-E6-9D-A1-E3-83-97-52-97-EA-E5-D3-D8-07&thumbprint=4A:88:17:7C:F5:D0:79:E6:9D:A1:E3:83:97:52:97:EA:E5:D3:D8:07
In vSphere 5.5 Update 2, the HTML5 VM Console now defaults to a secure connection, and the two components of the URL that need to be modified are the scheme, from HTTP to HTTPS, and the port, from 7331 to 7343. The script has been updated to support a new command-line option called isvSphere55u2, which is set to false by default but can be set to true to generate an updated URL if you are running vSphere 5.5 Update 2.
There are basically seven important components to the URL:
- Hostname of the vCenter Server - reflex.primp-industries.com
- The HTML5 console port, default is 7331 but can automatically change depending on available ports on the system (for vSphere 5.5 Update 2 the port has changed to 7343 for a secure connection)
- The MoRef ID of the virtual machine - vm-23
- The virtual machine name - VCSA
- The vCenter Server advanced setting "VirtualCenter.FQDN" - reflex.primp-industries.com
- The session ticket generated from vCenter Server - cst-VCT-5254c455-4340-2185-e149-01ce44b146e1--tp-4A-88-17-7C-F5-D0-79-E6-9D-A1-E3-83-97-52-97-EA-E5-D3-D8-07
- The vCenter Server SHA1 SSL Thumbprint - 4A:88:17:7C:F5:D0:79:E6:9D:A1:E3:83:97:52:97:EA:E5:D3:D8:07
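As an added example (not part of the original article or its Perl script), here is how a portal could assemble the vSphere 5.5 URL from the components listed above, URL-encode the VM name, pick the scheme and port for 5.5 Update 2, and keep the ticket out of its logs. The function names are hypothetical, and the check that the ticket's `--tp-` suffix equals the thumbprint parameter is an assumption drawn from the sample URLs on this page.

```python
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Scheme/port per the article: HTTP on 7331 for vSphere 5.5, HTTPS on 7343 from 5.5 Update 2.
ENDPOINTS = {False: ("http", 7331), True: ("https", 7343)}
REQUIRED = ("vmId", "vmName", "host", "sessionTicket", "thumbprint")

HOST_RE = re.compile(r"[A-Za-z0-9.-]+")
MOREF_RE = re.compile(r"vm-\d+")
THUMB_RE = re.compile(r"[0-9A-F]{2}(?::[0-9A-F]{2}){19}")  # SHA1, colon separated
# Shape taken from the tickets shown on this page: cst-VCT-<id>--tp-<thumbprint with dashes>
TICKET_RE = re.compile(
    r"cst-VCT-[0-9a-f]+(?:-[0-9a-f]+)*--tp-((?:[0-9A-F]{2}-){19}[0-9A-F]{2})")


def ticket_thumbprint(ticket):
    """Return the thumbprint embedded after '--tp-' in the ticket, colon separated."""
    m = TICKET_RE.fullmatch(ticket)
    if m is None:
        raise ValueError("session ticket has an unexpected format")
    return m.group(1).replace("-", ":")


def build_console_url(vc_host, vm_moref, vm_name, vc_fqdn, ticket, thumbprint,
                      is_55u2=False):
    """Assemble the console URL, rejecting values that do not look like the page's."""
    thumbprint = thumbprint.strip().upper()  # openssl output ends with a newline
    if not (HOST_RE.fullmatch(vc_host) and HOST_RE.fullmatch(vc_fqdn)):
        raise ValueError("host names may only contain letters, digits, '.' and '-'")
    if not MOREF_RE.fullmatch(vm_moref):
        raise ValueError("MoRef ID must look like vm-<number>")
    if not THUMB_RE.fullmatch(thumbprint):
        raise ValueError("thumbprint must be a colon separated SHA1 fingerprint")
    if ticket_thumbprint(ticket) != thumbprint:
        raise ValueError("thumbprint does not match the one embedded in the ticket")
    scheme, port = ENDPOINTS[bool(is_55u2)]
    # Percent-encode every value so a VM name containing '&' or spaces cannot
    # add or break query parameters; ':' stays literal as in the article's URL.
    query = urlencode(
        [("vmId", vm_moref), ("vmName", vm_name), ("host", vc_fqdn),
         ("sessionTicket", ticket), ("thumbprint", thumbprint)],
        safe=":", quote_via=quote)
    return f"{scheme}://{vc_host}:{port}/console/?{query}"


def audit_console_url(url):
    """Return a list of findings for an already generated console URL."""
    findings = []
    parts = urlsplit(url)
    params = {k: v[0] for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}
    if parts.scheme != "https":
        findings.append("session ticket is sent in clear text (not https)")
    missing = [k for k in REQUIRED if not params.get(k)]
    if missing:
        findings.append("missing or empty parameter(s): " + ", ".join(missing))
    ticket, thumb = params.get("sessionTicket"), params.get("thumbprint")
    if ticket and thumb:
        try:
            if ticket_thumbprint(ticket) != thumb.upper():
                findings.append("thumbprint differs from the one embedded in the ticket")
        except ValueError as exc:
            findings.append(str(exc))
    return findings


def redact_console_url(url):
    """Mask the session ticket so the URL can be written to a log."""
    return re.sub(r"(sessionTicket=)[^&#]*", r"\g<1>REDACTED", url)


# Values shown in the article's vSphere 5.5 example URL.
TICKET = ("cst-VCT-5254c455-4340-2185-e149-01ce44b146e1--tp-"
          "4A-88-17-7C-F5-D0-79-E6-9D-A1-E3-83-97-52-97-EA-E5-D3-D8-07")
THUMB = "4A:88:17:7C:F5:D0:79:E6:9D:A1:E3:83:97:52:97:EA:E5:D3:D8:07"

if __name__ == "__main__":
    url = build_console_url("reflex.primp-industries.com", "vm-23", "VCSA",
                            "reflex.primp-industries.com", TICKET, THUMB + "\n",
                            is_55u2=True)
    print(redact_console_url(url))
    print(audit_console_url(url))
    # Constructed sample: plain HTTP and an empty thumbprint parameter.
    print(audit_console_url(
        "http://vc.example.test:7331/console/?vmId=vm-1&vmName=x"
        "&host=vc.example.test&sessionTicket=" + TICKET + "&thumbprint="))
```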
Disclaimer: The HTML5 VM console URL format/behavior is not guaranteed and may change in the future. The only officially supported method of accessing the console is by launching it through the vSphere Web Client.
Here is a vSphere SDK for Perl script called generateHTML5VMConsole.pl that, given a VM name as input, will automatically generate a one-time pre-authenticated HTML5 VM console URL that can be loaded into any supported web browser.
Note: To ensure the URL is valid, you will need to make sure your application is set up to run like a daemon or agent. To simulate this in my sample script, I just sleep for 60 seconds before disconnecting the session. I also used the openssl utility to extract the SHA1 thumbprint, so you will need a system that has that installed along with the vSphere SDK for Perl if you wish to use the script. The quickest way is to leverage vMA.
To load the HTML5 VM console, take the URL that is generated and point it to a browser:
Since this is an HTML5 based VM console, I can even load this into my iPad!
Hopefully this article will give you new ideas on how you can leverage and integrate the new HTML5 VM Console within your environment and hopefully this will be the de facto console in the future!
Here is an example of what the URL looks like for vSphere 5.1 & 5.5:
https://reflex.primp-industries.com:9443/vsphere-clien/vmrc/vmrc.jsp?vm=urn:vmomi:VirtualMachine:vm-1506:EE26E7F6-591B-4256-BD7A-402E5AC9E0A8
There are basically three important components to the URL:
- Hostname of the vCenter Server - reflex.primp-industries.com
- The vCenter instanceUUID which is used to uniquely identify a vCenter Server - EE26E7F6-591B-4256-BD7A-402E5AC9E0A8
- The MoRef ID of the virtual machine - vm-1506
Hi William
Thanks for the great blog article and the nice script - it is working perfectly!!
The only disadvantage is, that a user can modify "MoRef ID" and have access to all other VMs if they find out the right ID.
Sure, you can restrict this by creating a vCenter user for every single user with the specific permissions, but this is a little extravagant 🙂
Do you know a different way to restrict the access to a specific VM?
Thanks and best regards
Reto
The MoRef ID is not something a user can easily guess and even if you were to figure it out, simply replacing it with another will not make it work. There is a unique session ticket that must be requested from a given VM so this would prevent someone from just changing one of the parameters. Also you wouldn't create a user for every single user, but a generic service account that can provide this URL through some type of custom portal
Hi William,
Thanks for the great post and the many replies as well. I have a question to this one in particular though:
You say that "There is a unique session ticket that must be requested from a given VM", but the perl script above retrieves the script from the general session manager, independent of any specific VM.
I'm trying to set up a HTML5-based console to a VCenter 5.5 using the VMware HTML Console SDK (https://www.vmware.com/support/developer/html-console/index.html) and so far your article was very helpful but I haven't been able to provide a connection valid only for one specific VM so far. I've seen that there are several Ticket Types I can get from the vSphere5.5-API (I've tried VirtualMachineMKSTicket and VirtualMachineTicket) but the string-output looks quite different from the Clone-Ticket and I haven't been able to convince VCenter to accept one of them. I wanted to give the GenericServiceTicket a try but this doesn't seem to accept any restriction on a single VM either. Do you have any idea of how to use another ticket type in the request or how to restrict the clone ticket to a single resource?
Thanks and best regards
Tobias
If you're using the HTML5 Console SDK, you'll need to request the "webmks" VirtualMachineTicketType type (http://pubs.vmware.com/vsphere-60/index.jsp?topic=/com.vmware.wssdk.apiref.doc/index.html&single=true) given this is using the HTML5 VM Console. I've not personally used the SDK, so I can't comment on what you're seeing but webmks ticket should do it. If you have any other questions/feedback, feel free to post on the VMware Developer Center community https://developercenter.vmware.com/resources
Many thanks for the swift reply. From what I see in the documentation, the "webmks" VirtualMachineTicketType is only available in VCenter 6.0 and the VCenter 5.5 API rejects the new ticket type (not really a surprise). Does that mean that with VCenter 5.5 only clone-ticket works, unless I connect to the single hosts returned by the MKS-Ticket (which should as well work with sockets but would make the proxy configuration a bit more difficult I guess)?
Hello everybody. I'm so happy to be here with you.
I have some problem on VMware Sphere Client 5.5. I want to generate some URL with Javascript/HTML
I have used this VMware HTML Console SDK Programming Guide. pdf but didn't have the good result.
This is my code
Console
var wmks = WMKS.createWMKS("wmksContainer", {}).register(WMKS.CONST.Events.CONNECTION_STATE_CHANGE,
    function(event, data) {
        if (data.state == WMKS.CONST.ConnectionState.CONNECTED) {
            console.log("connection state change : connected");
        } else {
            console.log("connection state change : not connected");
        }
    });
wmks.connect("wss://vc05.t4.local:9443/console/authd?vmId=vm-95&vmName=B2172XB1_0000&host=10.68.22.167&sessionTicket=cst-VCT-52a37e09-cd2e-0989-abf7-ec6859546f61--tp-C9-75-18-8E-0A-97-1C-D5-EA-77-F0-7E-E1-12-76-23-3F-1F-5A-6B&thumbprint=C9:75:18:8E:0A:97:1C:D5:EA:77:F0:7E:E1:12:76:23:3F:1F:5A:6B");
//wmks.connect("ws://10.68.22.144:7331/console/?vmId=vm-100&vmName=B2172XA1_0000&host=10.68.22.144&sessionTicket=cst-VCT-52800c93-b4ee-c236-e3c9-cbdc2000694a--tp-C9-75-18-8E-0A-97-1C-D5-EA-77-F0-7E-E1-12-76-23-3F-1F-5A-6B&thumbprint=C9:75:18:8E:0A:97:1C:D5:EA:77:F0:7E:E1:12:76:23:3F:1F:5A:6B");
Please, I need your help and advice
Hey William
Thanks for a great post.
One thing though:
When I try to run 'generateHTML5VMConsole.pl' I get a bunch of errors. I guess something is missing.
Here's the message:
./generateHTML5VMConsole.pl
Can't locate VMware/VILib.pm in @INC (@INC contains: /Library/Perl/5.16/darwin-thread-multi-2level /Library/Perl/5.16 /Network/Library/Perl/5.16/darwin-thread-multi-2level /Network/Library/Perl/5.16 /Library/Perl/Updates/5.16.2 /System/Library/Perl/5.16/darwin-thread-multi-2level /System/Library/Perl/5.16 /System/Library/Perl/Extras/5.16/darwin-thread-multi-2level /System/Library/Perl/Extras/5.16 .) at /Users/kurt/Downloads/generateHTML5VMConsole.pl line 34.
BEGIN failed--compilation aborted at /Users/kurt/Downloads/generateHTML5VMConsole.pl line 34.
What do I need to install?
Thanks
Q
You will need a system that has the vSphere SDK for Perl installed OR you can download vMA which is a virtual appliance that already has it installed
I am trying to replicate this in powershell. I am generating URLs that look like this (faked data):
http://myserver.com:7331/console/?vmId=vm-475&vmName=Testing&host=myserver.com&sessionTicket=cst-VCT-525a1f35-ea5d-29a5-58e0-d6cfae60b5b5--tp-92-3C-D1-AA-D1-39-D4-A0-B8-68-7E-46-E3-4C-85-FE-48-32-D0-BC&thumbprint=4A:88:17:7C:F5:D0:79:E6:9D:A1:E3:83:97:52:97:EA:E5:D3:D8:07
Currently whenever I try to use the url--the spinner starts but then it dies with "The console has been disconnected. Close this window and re-launch the console to reconnect." That is using a freshly generated url (no chance of reusing a one time connection).
Any idea what might be causing this?
Hi Clark, I get same result even when using perl and the provided script as-is. Did you get any further with this? Could you please make your powershell code that generates the URL available?
Here is what I see in /var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log:
[2013-11-07 15:34:20.753] [ERROR] Thread-42 System.err Nov 07, 2013 3:34:20 PM com.vmware.mks.AuthdAdapterServlet retrieveMksTicket
[2013-11-07 15:34:20.754] [ERROR] Thread-42 System.err SEVERE: com.vmware.vim.vmomi.client.exception.ConnectionException: org.apache.http.conn.HttpHostConnectException: Connection to https://myserver.com refused
[2013-11-07 15:34:20.755] [ERROR] Thread-42 System.err 2013-11-07 15:34:20.754:WARN:oejs.ServletHandler:/console/authd
[2013-11-07 15:34:20.755] [ERROR] Thread-42 System.err java.lang.NullPointerException
[2013-11-07 15:34:20.755] [ERROR] Thread-42 System.err at com.vmware.mks.AuthdAdapterServlet.doWebSocketConnect(AuthdAdapterServlet.java:135)
Assuming you're doing the right thing, the only thing I can say is make sure your PowerCLI session does not close, meaning you don't exit else the login is invalidated before you launch VM Console. I hit this problem initially and hence I have a "sleep" in my code
Hi,
thank you a lot for this script, it works like a charm.
As I do not speak Perl, is there a way to pass the password as a parameter or is it possible to "hardcode" it right in the script?
Would be a great help, as the user does not have shell access and I want to generate the URL by a website.
thanks a lot,
Jörg (from Germany)
Why do you keep it idle for 60 seconds? The token seems to work fine if you immediately close the script and browse to the URL afterwards
Perhaps if you use it immediately, but I've found that it's no longer valid. The 60secs was just an example, ideally if you were to turn this into a service this would be running as a process handing out these URLs
Hi William,
Thanks for your work, this script is really nice as I work on Linux and can't use Web Client anymore with ESXi 5.5.
Anyhow, when I put the URL in my Firefox, the keyboard in the console is Qwerty.
Is it possible to change it to Azerty for example and how ?
I don't know if this is a problem with the environment (LANG ?) in vma, vcenter or if I must change something in your script to generate a different URL.
Philippe
Hi All,
I have no issue while accessing HTML5 console from the vCenter host (I SSH-ed to VMa and ran script there, then I pasted url into browser window on vCenter host). But when I try to do the same from another VLAN which has unrestricted network access to vCenter and all ESXi hosts (regulated on pfSense router which has NICs on both VLANs) I experience infinite timeout... I double-checked settings on the pfSense firewall -- no restrictions are there.
Am I missing something? Could it be a restriction on vCenter firewall (I'm running it on Windows Server 2008R2)? Please advise.
--
Simon
Thanks, this works in as far as it generates the URL, however if I paste the URL into a browser right after generating it and well before the 60 seconds pass, I only get a
"The console has been disconnected. Close this window and re-launch the console to reconnect."
message , very similar to what Clark Updike experienced with his powershell solution? (post from 11/06/2013)
Is this a result of an update which broke this? I am running on the latest fully patched 5.5 update 1 ?
This is what my perl 5.8 generated URL looks like:
http://uk-vc1.global.local:7331/console/?vmId=vm-112&vmName=UK-SRV3&host=uk-vc1.global.local&sessionTicket=cst-VCT-52296221-7dab-fb67-6c9a-f87951cad768--tp-80-9B-86-8F-EC-44-E8-2D-6C-2E-7E-0C-F8-70-8E-48-DF-30-A1-31&thumbprint=
I just verified the script still works with 5.5u1 (I actually just finished upgrading my lab env). I'm on Mac 10.7.5 and I used incognito Chrome window to ensure there's no caching
Hi, just retried here also in incognito window on both win7 & mac 10.9.2 and it still fails on both.
Hi guys,
the situation might be lack of openssl components.
So that the perl script can't query the vCenter SSL fingerprint.
Getting this The console has been disconnected. Close this window and re-launch the console to reconnect.
Any ideas
Are you using the script or creating your own? I believe you would only see this if the script has exited, meaning the session has closed before the URL link was used
Hi everybody
I would use this script but on my vCenter it is not working.
I have installed the vSphere SDK for Perl and the PowerCLI but when I double click the script it starts and after one second it is closed.
Does anyone have a solution for my problem or can tell me what I have to do to run the script perfectly?
Thanks
Hi
Getting this too "The console has been disconnected. Close this window and re-launch the console to reconnect." on my MAC. On my Windows computers the link is perfect.
Hi William,
Excellent post, thank you.
I've managed to get the sessionTicket as well as the fingerprint value. My main issue now is to bypass the JSESSIONID cookie validation that is only created when launching the console from the Vsphere client. How did you overcome this?
Thanks,
Nuno
Forgot to add that, because of this, I'm also getting the “The console has been disconnected" error.
Never mind 🙂
I was trying to re-use the generated console URL string. Generating 1 url per user works well.
Thank you
Hello,
We are also trying to get around the JSESSIONID cookie validation but without any luck for vCenter 6.0 HTML5 web console. Even after generating the pre-authenticated URL programmatically (with all the required parameters including the clone ticket), the moment we launch the URL from the browser, it first takes to the vCenter SSO login page and then further to the VM console. This happens only for the first time (when the browser session is established). Any further 'get vm-console' requests using the pre-authenticated URL work just fine. The moment we switch to a new browser window (or the incognito mode), it again does for an explicit login.
Is there a way to get around the JSESSIONID cookie?
I'm having the exact same problem. Also, with vCenter 6.0 port 7343 isn't exposed anymore for console use. I got the link to "work" with this format: "https://vcenter.domain.com:9443/vsphere-client/webconsole.html? ..." and then appending vmId, vmName, host (fqdn):443, serverGuid, sessionTicket, and the thumbprint. Also noticed that when omitting the thumbprint from the link the behaviour is the same i.e. I get sent to the vCenter SSO login page and then any further request with a new link works just fine (without a thumbprint). Any help with this would be much appreciated.
How are you getting the serverGuid to put into the URL ?
For me this does not solve the problem, it keeps redirecting me to the login page. After a login the console (and all request to other consoles as long as I'm logged in) will work. Did you find a solution for this problem?
The VMware support folks confirmed that in version 6.0 they have added a security measure in the web client that forces to take to the SSO login page
Hello!
When you are taken to the vCenter SSO login page, do you log in?
I have the same issue, but not happens only for the first time.
My console url for vSphere 6 looks like:
https://vcenter.mydomain.com:9443/vsphere-client/webconsole.html?vmId=vm-234&vmName=testconsole&host=vcenter.mydomain.com&sessionTicket=cst-VCT-52d143c3-8bde-8b67-d886-54fef3031e6a--tp-DB-69-D2-B9-56-15-63-4E-D9-89-C5-31-E0-E1-7D-15-49-45-7A-BC&thumbprint=DB:69:D2:B9:56:15:63:4E:D9:89:C5:31:E0:E1:7D:15:49:45:7A:BC
In vSphere vCenter Server 5.5.0 update 2 they changed the ports. Please change your script: "http"->"https" and port 7331 -> 7343. The rest is still working!
Thanks for making me aware of this, I must have missed this in the release notes. I've updated the article as well as the script to support both options in case you're not running the latest. There is now a new command-line argument you can pass to generate the secure HTML5 VM Console URL. Appreciate the confirmation on the script continues to work w/vSphere 5.5 Update 2 with those two changes
Hi Williamlam,
please test with this case
1st open link to 1st vcenter with virtual
2nd with other vcenter, and the second will be display the error [The console has been disconnected]
I will tell how to fix it; may be work around but I had find root cause
I may be a little late to this post, but since the URL is sent in clear text (even when the content is encrypted), isn't it fairly straightforward for someone sniffing traffic to gain access to the console of someone else's VM?
In vSphere 5.5 Update 2, the URL is not over a secure connection as well as the websocket, more details here http://www.virtuallyghetto.com/2014/09/html5-console-now-defaults-to-httpswss-in-vsphere-5-5-update-2.html
Hi everybody,
Nice script.
Anyhow, when I put the URL in my Firefox, the keyboard in the console is Qwerty.
Is it possible to change it to Azerty for example and how ?
I don’t know if this is a problem with the environment (LANG ?) in vma, vcenter or if I must change something in your script to generate a different URL.
Hey William
I have the same problem with my keyboard layout. I'm from Germany and I would use the qwertz keyboard layout but when I use your html5 vmrc I have a keyboard layout which is not normal.
Have you an idea where I can change the layout ?
Kind regards
Maik
Question,
Does this mean I no longer require the client running the console to have TCP connectivity to the host? Is this now proxied via the service running in the vCenter or is 902/903 whatever one it is for the VMRC still required?
Thanks
anyway you need windows for this to work ??
Hi, Great Article!!
We are planning to use this at a larger scale for our end users to access VM console via html5. Now when I look at the vsphere 5.5 maximum guide, I see this "Concurrent vSphere Web Clients connections to vCenter Server 180". Does this HTML5 connection count as a web client connection? If yes, I guess we cannot have more than 180. Our end users will not have any dedicated web client account, we will just provide them the pre-authenticated URL.Any thoughts? I know I can deliver access by adding vnc ports on a vm confg, but I find it hard to scale due to scenarios like DRS where VM needs to move to a different host etc. Looking forward
No, I don't believe VMRC sessions count against the vSphere Web Client connections, those are different and in fact much heavier. If you look at the vSphere 6 Config Max (that's the one I had open) you can have up to 40 concurrent connection per VM. Of course, if you need more details you can always file a request with GSS Support to get the supported number across VC
Thanks lot William.
Very cool, just what I was looking for. I'm planning a lab environment for trainings and I'm wondering if there is any way of setting a compression level for these console sessions. We currently encapsulate our VMRCs in a RemoteApp/RDP session, which at some times reduces the VMRC traffic by factor 10, but we'd like to get rid of the RemoteApp in between. Pure VMRC would really be an ADSL line killer for us.
Thanks
Hi william,
If we generate an url in the format https://reflex.primp-industries.com:9443/vsphere-clien/vmrc/vmrc.jsp?vm=urn:vmomi:VirtualMachine:vm-1506:EE26E7F6-591B-4256-BD7A-402E5AC9E0A8. how does the vsphere authenticate it ?.
I have observed , the url works only when the vsphere web client is already logged in a browser.
Did you take a look at the blog post? It mentions that you'll need to request a session ticket which is then appended to the URL
Hello I very happy
I have some problem. I’m just started on Vsphére client and I want to also obtain the URL with javascript PHP or JSON o Can you help me please.?
I’m very zero
Please Help me.
Give me some advises
It is on V5.5
Thanks for this post and the information. In case someone may need it, here's how I did it in ruby:
https://gist.github.com/bthornto/bfce98039e845fa44e9b
thanks again.
Hey, know of any issues with vSphere 6 and your link generator ? Im not using your code but i have code that does the same thing, it works great in any version of 5.x but once in 6.x it stops working. You see any issues with how vSphere 6 handles the html5 console now?
Hi, Is there a way to log in to the vSphere web client logged in ? Could you please point me to the steps to open the web page pre logged in ... Is that supported by the web client version 6.0 ?
Thank you
Does not work for vCenter 6 🙁
Hi,
Thanks for the great article. It has been very useful for me. I've managed to generate the url using php script and got it working for vCenter 5.5.
Recently, I tried it on vCenter 6, but it will always redirect to the login page.
There's an additional serverGuid attribute, which is the vCenter instanceUuid. The url looks something like this.
-----
https://vc6.xx.xx:9443/vsphere-client/webconsole.html?vmId=vm-128&vmName=vc6&serverGuid=aa6c4745-985f-464f-afec-12ab9e9330f2&host=vc6.xxx.xx:443&sessionTicket=cst-VCT-52f7c410-0148-d12f-21c9-9ef62bb7775f--tp-5F-41-B9-4D-FB-E2-46-07-1F-D3-FF-94-4D-FC-A5-03-72-6C-61-B5&thumbprint=5F:41:B9:4D:FB:E2:46:07:1F:D3:FF:94:4D:FC:A5:03:72:6C:61:B5
-----
I have a public facing web page which already authenticates the users when they log in. When they click on the html5 icon, it will bring up the html5 console. I do not want the user to log in again.
Any suggestion on how to "bypass" the web client login ?
As per VMWare engineering team, because of security concerns they have discontinued this feature in vCenter 6.0.
You would always be presented with the vCenter login screen and only after passing the authentication phase, the JSESSIONID cookie would be created.
In short, the pre-authenticated URL to get VM console doesn't work in vCenter 6.0
Hello I very happy
I have some problem. I'm just started on Vsphére client and I want to also obtain the URL with a script PHP or JSON or Javascript. Can you help me please.
I'm very zero
Please Help me.
Give me some advises
It is on V5.5
https://vc6.xx.xx:9443/vsphere-client/webconsole.html is protected by vCenter SSO. You can write your own webconsole.html with the same content as well as the related javascripts, then deployed on your web server or local desktop. Here you go.
Hi,
tried in browser
https://ipaddress:9443/console/?vmId=vm-23&vmName=VCSA&host=xxx.xx.xxx.xx&sessionTicket=cst-VCT-5254c455-4340-2185-e149-01ce44b146e1--tp-4A-88-17-7C-F5-D0-79-E6-9D-A1-E3-83-97-52-97-EA-E5-D3-D8-07&thumbprint=4A:88:17:7C:F5:D0:79:E6:9D:A1:E3:83:97:52:97:EA:E5:D3:D8:07
it say as below
---------------------------------
404 - Page not found
The following page could not be found:
/console/
Please contact your network administrator for help.
vSphere Web Client home | VMware vSphere Documentation and Support
Not working for vmware 6
Is there any way we can generate HTML5 URL without session ticket. We want the user to log in when he opens link for the first time.
Hi William
Thanks for your script sharing about how to generate pre-authenticated url. Maybe it works fine in vSphere 5.1 & 5.5, but it doesn't work in vSphere 6.0 due to a missing field named as 'serverGuid', which is the instanceUuid of the vCenter server and can also be acquired from API. I found this field missing when comparing the url of the vm console generated by the vSphere web client.
I've updated your perl script to support vSphere 6.0 as below. We can invoke it with the following pattern:
But I still have the problem of the SSO landing page when I first type in the url. We don't want the user to type in the vCenter server's account before visiting his/her vm. If someone has already overcome this problem, please share with us. Thank you all in advance!
1. for vSphere 6.0:
./generateHTML5VMConsole.pl --vm yourVMName --vSphereVersion 6.0 --server yourServerUrl --username yourServerName --password yourServerPwd
2. for vSphere 5.5:
./generateHTML5VMConsole.pl --vm yourVMName --vSphereVersion 5.5 --server yourServerUrl --username yourServerName --password yourServerPwd
3. for vSphere others:
./generateHTML5VMConsole.pl --vm yourVMName --vSphereVersion 5.1 --server yourServerUrl --username yourServerName --password yourServerPwd
=>generateHTML5VMConsole.pl
--------------------------- The source code of pre-authenticated url generated script ---------------------------
#!/usr/bin/perl -w
# Author: William Lam
# Website: http://www.virtuallyghetto.com
# Reference: http://www.virtuallyghetto.com/2013/09/how-to-generate-pre-authenticated-html5.html
use strict;
use warnings;
use VMware::VILib;
use VMware::VIRuntime;

my %opts = (
    vm => {
        type => "=s",
        help => "The name of virtual machine",
        required => 1
    },
    vSphereVersion => {
        type => "=s",
        help => "vCenter Server, such as 5.5 or 6.0",
        required => 1
    },
    server => {
        type => "=s",
        help => "The url of the vCenter Server",
        required => 1
    },
    username => {
        type => "=s",
        help => "The name of the account to login the vCenter Server",
        required => 1
    },
    password => {
        type => "=s",
        help => "The password of the account to login the vCenter Server",
        required => 1
    }
);

# validate options, and connect to the server
Opts::add_options(%opts);
Opts::parse();
Opts::validate();
Util::connect();

my $vmname = Opts::get_option('vm');
my $vSphereVersion = Opts::get_option('vSphereVersion');
my $server = Opts::get_option('server');
my $username = Opts::get_option('username');
my $password = Opts::get_option('password');
my $htmlPort = 7331;
my $secureHtmlPortV5 = 7343;
my $secureHtmlPortV6 = 9443;
my $port = 443;
my $vcenter_fqdn;

# retrieve vCenter Server FQDN
my $settingsMgr = Vim::get_view(mo_ref => Vim::get_service_content()->setting);
my $settings = $settingsMgr->setting;

# retrieve vCenter Server serverGuid
my $serverGuid = Vim::get_service_content()->about->instanceUuid;

foreach my $setting (@$settings) {
    if($setting->key eq 'VirtualCenter.FQDN') {
        $vcenter_fqdn = $setting->value;
        print("\$vcenter_fqdn is: $vcenter_fqdn \n");
        last;
    }
}

# Retrieve session ticket
my $sessionMgr = Vim::get_view(mo_ref => Vim::get_service_content()->sessionManager);
my $session = $sessionMgr->AcquireCloneTicket();

# VM name + MoRef ID
my $vm = Vim::find_entity_view(view_type => 'VirtualMachine', filter => { name => $vmname });
my $vm_mo_ref_id = $vm->{'mo_ref'}->value;

# vCenter Server SHA1 SSL Thumbprint
# $server is interpolated into a shell command below, so only allow hostname characters
die "Invalid server name\n" unless $server =~ /^[A-Za-z0-9.-]+\z/;
my $vcenterSSLThumbprint = `openssl s_client -connect $server:$port < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | awk -F = '{print \$2}'`;
# strip the trailing newline from the command output
chomp($vcenterSSLThumbprint);

# VM console URL
if($vSphereVersion eq "6.0") {
    print "https://" . $server . ":" . $secureHtmlPortV6 . "/vsphere-client/webconsole.html?vmId=" . $vm_mo_ref_id . "&vmName=" . $vmname . "&serverGuid=" . $serverGuid . "&host=" . $vcenter_fqdn . "&sessionTicket=" . $session . "&thumbprint=" . $vcenterSSLThumbprint . "\n";
}elsif($vSphereVersion eq "5.5"){
    print "https://" . $server . ":" . $secureHtmlPortV5 . "/console/?vmId=" . $vm_mo_ref_id . "&vmName=" . $vmname . "&host=" . $vcenter_fqdn . "&sessionTicket=" . $session . "&thumbprint=" . $vcenterSSLThumbprint . "\n";
}else {
    print "http://" . $server . ":" . $htmlPort . "/console/?vmId=" . $vm_mo_ref_id . "&vmName=" . $vmname . "&host=" . $vcenter_fqdn . "&sessionTicket=" . $session . "&thumbprint=" . $vcenterSSLThumbprint . "\n";
}

print "Sleeping for 300 seconds and then exiting ...\n";
sleep(300);
Util::disconnect();
Hi Jin Rong,
I had followed it up a lot with the same requirement last year, but then finally got a reply from VMware that they have blocked direct access because of a P1 level security threat. Because of that security patch in v6.0, it always redirects to the SSO page.
Unfortunately this approach is a dead route.
Regards,
Adwait
Dear Adwait,
Thanks for your reminder.
Since the SSO Validation blocks the direct visit to VM Console, I'm trying to get rid of the SSO Validation by disabling it.
I've searched the vmware community and find someone want to disable it too, based on another case(SSO Validation fails~). Here's the link:
https://communities.vmware.com/message/2476276#2476276
But, I'm not familiar with the details of vSphere configuration as well as the influence caused by disabling SSO Validation. So I want some experienced guys, such as you, to help check whether it's workable.
Also, I'm trying another solution, which is, to visit the VM Console from esxi server rather than vCenter server via using VMware HTML Console SDK. Here's the link of the discussion:
https://communities.vmware.com/thread/527090?start=0&tstart=0
In the discussion, vittoriop77 shared some information with us as below. But I can't go through his blog cause the link he provided is not accessible to me for some reason. Maybe it's workable~
/**
14. Re: VMware HTML Console SDK
vittoriop77 2016-3-29 (reply VMwareUser216)
The wss URL was wrong, you just need to use ESX host/port and a WebMKS Ticket
Example
wss://192.168.8.121:443/ticket/63de9452ffafa5f7
More details on my blog Vittorio Pavesi: vSphere 6 HTML Console
**/
Waiting for your reply.
Regards,
Jin Rong
I am trying to provide a user with access rights via a url as well.
As user root, I can connect directly to the console for my VM:
https://10.0.0.1/ui/#/console/5
However, as a normal user, I do not seem to have the proper right configured. Is it possible to create a role that will allow me to do this?
This method opens a console sessions without additional authentication against vCenter 6 appliance...
$MyVM = Get-VM XYXYXYX
$MyGUID = $global:DefaultVIServer.InstanceUuid
$VMmoRef = $MyVM.ExtensionData.moref.value
$VMname = $MyVM.name
$VCname = $global:DefaultVIServer.Name
$sessionMgr = Get-View $DefaultViserver.ExtensionData.Client.ServiceContent.SessionManager
$Ticket = $sessionMgr.AcquireCloneTicket()
$Thumb = ""; foreach ($i in (($Ticket.split('-')[9..28]))){if ($Thumb){$Thumb = "$Thumb`:$i"}else{$Thumb = $i}}
$URL = "https://$VCname`:9443/vsphere-client/webconsole.html?vmId=$VMmoRef&vmName=$VMname&serverGuid=$MyGUID&locale=en_US&host=$VCname`:443&sessionTicket=$Ticket&thumbprint=$Thumb"
Cheers
Scratch that, I must have had a cached session or something - unable to use generated url on fresh browser session.
Anyone figure out how to get the script working in a powercli sessions that is connected to two vcenters at once?
Hello William, Do you have the updated script for 6.x as the sso is going to be authenticated from SSO prior
Do you have an updated process that supports newer vcenter versions? Looking for a powercli solution to get vm console url for my users which I need pre-authenticated for x amount of time. Thanks