Thursday, September 11, 2014

Install Gotcha: vCAC, Windows Server 2012 and the Guest Agent

If you are using Windows Server 2012 or later for your IaaS install it is recommended that you disable TLS1.2 on the IIS server.  From the vCAC 6.1 install guide (IaaS Windows Server Requirements):

For certificates using SHA512, TLS1.2 disabled on Windows 2012 machines

I have found that if you use self-signed certificates, you will absolutely need to follow this requirement - otherwise you will have deployments that utilize the Guest Agent stuck at "CustomizeOS" state and never finish deployment.  The Guest Agent start up script uses OpenSSL to grab the IaaS server certificate and this fails for self-signed certs over TLS1.2.

The security protocol settings are available in the registry only.  Fortunately, you can use this handy utility to manage your protocol settings on IIS instead of hunting through the registry.  Or, if you like, refer to Microsoft KB 245030 for the officially supported method.  Essentially, both will change the reg key as shown below....


  1. Do you know if the Pre-Req script Brian has written takes care of this?

  2. @Mark J, I do not see such check in the pre-req checker

  3. Thanks!!!. Agent stuck at "CustomizeOS" state in my case.

    There were two reasons for this-
    1.TLS was not disabled.
    2. Two .dll files (ssleay32.dll and libeay32.dll) were missing in the agent setup files.(I am using vRA Build 6.2.2-2754020)

    1. Hi
      Where did you get those missing files from?
      I think I am having the same issue
      Thank you