• After upgrade or install of VMware Aria Automation 8.10.2 users cannot access managed machines via remote console.
• The browser displays the error message

  "Cannot establish a remote console connection. Verify that the machine is powered on. If the server has a self-signed certificate, you might need to accept the certificate, then close and retry the connection."

The remote console functionality changed in the Aria Automation 8.10.2 release.

This change was prompted due to the introduction of webmks and the deprecated of mks ticket type in vCenter 8.x

Prior to the Aria Automation 8.10.2 version the remote console traffic from end user client machines to the ESXI hosts was proxied through the Aria Automation appliance.

In the 8.10.2 release which leverages the webmks ticket type the connection is now directly made between the browser on the client machine and the ESXI host. This introduces new requirements for remote console traffic in the Aria Automation 8.10.2 release.

To resolve the issue in Aria Automation version 8.10.2 you will need to ensure the following requirements are met.

1. Network access is required between client machines and ESXI hosts on port 443.
2. The web browser is required to trust the ESXI host certificate.

Some browsers leverage the certificate trust store on the client machines, others maintain their own internal trust store. The relevant browser vendor would need to be contacted for clarity in this regard.

In active directory managed environments a Group policy Update can be used to add the ESXI certificate to the trust store on all client machines. This procedure is outlined in How to download and install vCenter Server root certificates to avoid Web Browser certificate warnings.
 

Optional

If these  new prerequisites are not desirable the remote console connection to the esxi's can instead be proxied through vCenter server by following the steps contained in the workaround section of KB 93070 to enable the vSphere remote console proxy service.

Alternatively If you wish to revert to the previous behaviour its possible to re-enable the MKS ticket type in the vRealize Automation 8.11.1 release.

Note: This workaround can only be leveraged in vRA version 8.11.1 and against machines hosted on vCenter 7.x due to the deprecation of MKS in vCenter 8.x

To switch to mks, remote console proxy should be enabled.

1. SSH / PuTTy into one vRA virtual appliance in the cluster
2. Edit the provisioning service deployment by running the following command

   kubectl -n prelude edit deployment provisioning-service-app

3. Set the following property in the JAVA_OPTS list to true

   -Denable.remote-console-proxy=true

4. Save the changes, press the escape key on the keyboard, and then save the change by pressing :wq. If you make a mistake you can exit without saving by entering :q! instead.
5. Monitor the provisioning-service-app pod restart by running watch kubectl get pods -n prelude within the vRA SSH session. Once the pods are restarted and in a Ready state, retry the VMRC connection.