If you are using Windows Server 2012 or later for your IaaS install it is recommended that you disable TLS1.2 on the IIS server. From the vCAC 6.1 install guide (IaaS Windows Server Requirements):
For certificates
using SHA512, TLS1.2 disabled on Windows 2012 machines
I have found that if you use self-signed certificates, you will absolutely need to follow this requirement – otherwise you will have deployments that utilize the Guest Agent stuck at “CustomizeOS” state and never finish deployment. The Guest Agent start up script uses OpenSSL to grab the IaaS server certificate and this fails for self-signed certs over TLS1.2.
The security protocol settings are available in the registry only. Fortunately, you can use this handy utility to manage your protocol settings on IIS instead of hunting through the registry. Or, if you like, refer to Microsoft KB 245030 for the officially supported method. Essentially, both will change the reg key as shown below….
4 responses to “Install Gotcha: vCAC, Windows Server 2012 and the Guest Agent”
Do you know if the Pre-Req script Brian has written takes care of this?
@Mark J, I do not see such check in the pre-req checker
https://raw.githubusercontent.com/vtagion/Scripts/master/vCAC61-PreReq-Automation.ps1
Thanks!!!. Agent stuck at "CustomizeOS" state in my case.
There were two reasons for this-
1.TLS was not disabled.
2. Two .dll files (ssleay32.dll and libeay32.dll) were missing in the agent setup files.(I am using vRA Build 6.2.2-2754020)
Hi
Where did you get those missing files from?
I think I am having the same issue
Thank you