Sometimes Horizon TrueSSO may behave unexpectedly. In this blog I will share some troubleshooting skills for TrueSSO issues. This is a continuously updated blog; I will share different troubleshooting tips from time to time.
1. Make sure the Enrollment Server is working with a valid domain certificate
Use the following procedure to check the status.
Log in to the Horizon Connection Server.
Open the command prompt.
Run the following commands and make sure the result shows VALID for Enrollment CertState.
cd %PROGRAMFILES%\VMware\VMware View\Server\tools\bin
vdmUtil --authAs <username> --authDomain <netbios domain name> --authPassword <password> --truesso --environment --list --enrollmentServer <FQDN of Enrollment Server Machine> --domain <FQDN of Domain>
Result:
Enrollment server: enrollServer.testinglab.local
Domain: testinglab.local
Forest:
Name: testinglab.local
Enrollment CertState: VALID
Template(s):
Name: TrueSsoTemplate
Minimum key length: 2048
Hash algorithm: SHA256
Certificate Authority(s):
Name: testdom-rootca
Actions to take:
If the result returns "invalid" for the Enrollment CertState, you should request the certificate again with the following steps:
2. Make sure the TrueSSO mode is enabled
Use the following procedure to check the status.
Log in to the Horizon Connection Server.
Open the command prompt.
Run the following commands and make sure TrueSSO is enabled.
cd %PROGRAMFILES%\VMware\VMware View\Server\tools\bin
vdmUtil --authAs <user> --authDomain <Domain NetBios name> --authPassword <password> --truesso --list --authenticator
Result:
Authenticator(s) found: 1
Name: vidm.testinglab.local
TrueSSO Mode: ENABLE_IF_NO_PASSWORD
Actions to take:
If the result does not show "ENABLE_IF_NO_PASSWORD", you should review your TrueSSO setting on the Connection Server as follows.
3. Using TrueSSO Diagnostic Utility
Omnissa has a diagnostic utility available on Tech Zone. You can search for and download the tool from the following.
The download contains an executable file named "es_diag.exe". You can copy the exe file to a local drive of the Enrollment Server.
Then open the command prompt and change to the directory storing the es_diag.exe file.
Run the following command and make sure the output matches the following result.
es_diag /ListEnvironment
The result should contain 3 templates and show the CA server with a valid certificate and templates.
Run the following command to simulate the TrueSSO flow.
es_diag /enrollmenttest /domain:<FQDN of domain> /requester:<domain\user> /template:<Template name from result above> /caserver:<CA name from result above>
The result should be similar to the following if there is no issue. If there is an issue, the result may give you hints.
Execute EnrollmentDiags::EnrollmentTest:
Connect to the Enrollment Service: localhost
Successfully connected to the Enrollment Server
Configure the enrollment service for the selected domain
Wait up to 30 seconds for the Active Directory to be read
Send Cert-Request(s) to the enrollment service:
Successfully requested a Certificate
Requested : 1, Issued: 1, Failed: 0, Retry: 0
Total Time: 0.015 sec to generate 1 certificates.
Throughput: 66 certificates/second.
Average : 0.015 sec to generate a certificate.
Subject : Test User
UPN : testuser@testinglab.local
SerialNo : 60:10:00:01:09:78:26:B5:24:D1:47:11:F6:06:01:10:00:00:09
UTC Time : 2024-09-13,10:35:02
Valid From: 2024-09-13,10:25:02
Valid To : 2024-09-13,11:25:02
Validity : Certificate is valid
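As an added example (not from the original post and not Omnissa code), the PowerShell below checks a captured es_diag /enrollmenttest result instead of reading it by eye: every requested certificate was issued, the test time falls inside the validity window, and the Validity line reports success. Test-EnrollmentTestOutput is a hypothetical helper name, the sample text is constructed from the result above, and the three timestamps are assumed to share one time zone.

```powershell
# Constructed sample: lines from the es_diag /enrollmenttest result shown above.
$sample = @'
Requested : 1, Issued: 1, Failed: 0, Retry: 0
UTC Time : 2024-09-13,10:35:02
Valid From: 2024-09-13,10:25:02
Valid To : 2024-09-13,11:25:02
Validity : Certificate is valid
'@

function Test-EnrollmentTestOutput {    # hypothetical helper, not part of es_diag
    param([Parameter(Mandatory)][string]$Text)
    $problems = [System.Collections.Generic.List[string]]::new()

    # Counter line, e.g. "Requested : 1, Issued: 1, Failed: 0, Retry: 0"
    $count = @{}
    foreach ($m in [regex]::Matches($Text, '(Requested|Issued|Failed|Retry)\s*:\s*(\d+)')) {
        $count[$m.Groups[1].Value] = [int]$m.Groups[2].Value
    }
    if (-not $count.ContainsKey('Requested')) {
        $problems.Add('no certificate request counters in output')
    } elseif ($count['Issued'] -ne $count['Requested'] -or $count['Failed'] -ne 0) {
        $problems.Add("issued $($count['Issued']) of $($count['Requested']), failed $($count['Failed'])")
    }

    # Timestamps are printed as yyyy-MM-dd,HH:mm:ss (assumed to share one time zone).
    $fmt  = 'yyyy-MM-dd,HH:mm:ss'
    $time = @{}
    foreach ($m in [regex]::Matches($Text, '(?m)^\s*(UTC Time|Valid From|Valid To)\s*:\s*(\S+)')) {
        $time[$m.Groups[1].Value] = [datetime]::ParseExact($m.Groups[2].Value, $fmt, [cultureinfo]::InvariantCulture)
    }
    $lifetime = $null
    if ($time.Count -eq 3) {
        $lifetime = ($time['Valid To'] - $time['Valid From']).TotalMinutes
        if ($time['UTC Time'] -lt $time['Valid From'] -or $time['UTC Time'] -gt $time['Valid To']) {
            $problems.Add('test time is outside the certificate validity window')
        }
    } else {
        $problems.Add('certificate timestamps missing from output')
    }
    if ($Text -notmatch '(?m)^\s*Validity\s*:\s*Certificate is valid') {
        $problems.Add('Validity line does not report a valid certificate')
    }
    [pscustomobject]@{
        Healthy         = ($problems.Count -eq 0)
        LifetimeMinutes = $lifetime
        Problems        = $problems
    }
}

Test-EnrollmentTestOutput -Text $sample
```

To check a live run, pass the tool's output as a single string, for example `(.\es_diag.exe /enrollmenttest <arguments as above> | Out-String)`.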
4. Review log on View Agent
If the Enrollment Server is using a dedicated Microsoft CA server, please make sure this CA server shares the same domain root certificate as the domain CA server, or that the CA server the Enrollment Server uses was configured as a "Subordinate CA" during initial configuration.
----- END -----