An ssl error occurred vmware horizon что такое
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- VMware Technology Network
- :
- Digital Workspace
- :
- Horizon
- :
- Horizon Desktops and Apps
- :
- SSL error Horizon client
Xelany
- Mark as New
- Bookmark
- Subscribe
- Mute
- Email to a Friend
I'm working at a company where we use horizon client to access a VDI
I have a user (only one) who had access without any problem, then his computer ran into some troubles, he performed a gpupdate, and since then he has an SSL error message whenever he connects
I have tried many things, including: (none of them worked)
changing SSL vertifiacte parameters in horizon
importing gpos from horizon gpo bundle and configure the following:
Ignore Certificate Revocation Problems - Enabled
Certificate verification mode - Enabled (No Security)
Same still doesnt work
I tried this too
Try adding the following registry on the client machine:
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ VMware, Inc. \ VMware VDM \ Client \ Security]
"SSLCipherList" = "SSLv3: TLSv1: TLSv1.1: AES: RC4-SHA:! ANULL: @STRENGTH"
Maybe I did it wrong but Im pretty sure I did it properly, for instance I can see the registry keys being created when I set up the GPOs
Does anyone has any idea?
AlexAskin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Email to a Friend
Are you directly connecting to your VDI or do you use a Gateway (either Connection Server or UAG) accessing it?
Xelany
- Mark as New
- Bookmark
- Subscribe
- Mute
- Email to a Friend
It works for everyone except that one user
larstr
- Mark as New
- Bookmark
- Subscribe
- Mute
- Email to a Friend
What version is the Horizon client? Have you tried upgrading to a newer version?
Xelany
- Mark as New
- Bookmark
- Subscribe
- Mute
- Email to a Friend
It is version 5.4.2, I took it from the internet, I think it is the last one
Personally I have version 5.3.0, does it change anything?
AlexAskin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Email to a Friend
The reason why I am asking is to understand where between your Horizon Client and the VDI the SSL handshake happen?
Could be the VDI (direct connection), the Connection Server (acting as Gateway) or a UAG (again Gateway).
Can anybody else access exact the same VDI? Is the certificate trusted by the device where you launch Horizon Client?
I understand that you can logon to Horizon but the connection to the VDI is failing - correct?
Xelany
- Mark as New
- Bookmark
- Subscribe
- Mute
- Email to a Friend
The reason why I am asking is to understand where between your Horizon Client and the VDI the SSL handshake happen?
Could be the VDI (direct connection), the Connection Server (acting as Gateway) or a UAG (again Gateway).
Can anybody else access exact the same VDI? Is the certificate trusted by the device where you launch Horizon Client?
I don't know if it is direct connection, connection server or a UAG, I could maybe ask the team in charge if really needed, I just know we access to the VDI via a link and we connect to a desktop pool
Yes many people can access the same VDI, me included, how could I check if the certificate is trusted? In the MMC console?
I understand that you can logon to Horizon but the connection to the VDI is failing - correct?
We don't access to the pool of desktop where we can choose the VDI to connect to, it fails during the conenction just before that
as shown in figure below.
i'm doing VDI session test but some of the remote desktop session can't be established and the Horizon Client show such message.
here's my lab's settings:
1. vSphere version:6.7U3
2. Horizon version:7.10
3. Horizon client version:5.2
4. windows 10 is utilized for client and target desktop VMs and the horizon client is installed in all the client VMs.
5. the client and target desktop pools' type: instant clone, floating assignment
6. the "Do not verify server identity certificates" is configured in all the Horizon clients.
7. all the infrastructure and VMs are utilizing the same and the only one VLAN, does not need routing.
i also turned off all the firewalls on Horizon Connection server, client VMs and target VMs, however, when i perform the automatic VDI session test, some of the client VMs (randomly) always cannot connect to the target VMs.
since only some of the client VMs cannot connect to the Horizon Connection server, I doubt that there's truly networking issues?
can anyone provide some clues for troubleshooting ?
niceguy001
- Mark as New
- Bookmark
- Subscribe
- Mute
- Email to a Friend
I checked the time sync between servers, hosts and desktops and corrected, unfortunately this did not help.
all the Horizon Clients are configured with "Do not verify server identity certificate" but the SSL error still occurred on dozens of windows client VMs randomly.
Now I believe that I found the ultimate solution:VMware Horizon View Client URI's and SSL Issues
This post just saved my ass, according to my VDI test results.
By configuring the group policy of Horizon Client security setting in the golden image and use it for the desktop pool, the "SSL error" problem can be minimized or even solved completely.
if anyone knows a better solution please share.
@Amin thanks again for your professional answers, these are valuable for troubleshooting !
NathanosBlightc
- Mark as New
- Bookmark
- Subscribe
- Mute
- Email to a Friend
Run the MMC and add the snap-in of certificates (for the local machine) in your client and Remove all related certificates (machine, web, . ) of the VDI servers from your client. Most of them are probably self-signed, So let it trust them again if you require, and next try to connect to the desktop pool. Tell us the result
niceguy001
- Mark as New
- Bookmark
- Subscribe
- Mute
- Email to a Friend
thanks for answering!
i have a question,
my VDI test tool will automatically create some Active Directory users and control the client desktops' local admin account, which is already logged in, to use these AD users access the Horizon Client for further testing.
so this SSL error issue seemed to be the client desktops' problem? not the AD users which are created for Horizon Client login?
i'm wondering about whether i should add the certificate snap-in of either "my user account" or "computer account" in the client desktop.
NathanosBlightc
- Mark as New
- Bookmark
- Subscribe
- Mute
- Email to a Friend
not the AD users which are created for Horizon Client login?
I don't think it's related to the AD Users, However you may need check the Horizon-side (Connection Servers) and Client-side logs and events more carefully.
i'm wondering about whether i should add the certificate snap-in of either "my user account" or "computer account" in the client desktop.
Add it for the Computer Account when you add the certmgr.msc in the MMC.
niceguy001
- Mark as New
- Bookmark
- Subscribe
- Mute
- Email to a Friend
I did some work recently:
1. I followed this post's instructions, and a self-signed certificate is installed on horizon connection server and the details of it in the connection server console is shown in figure below.
however, my VDI session tests' results were not perfect and some client windows VMs still have the SSL error.
note that my client windows VMs are provisioned by the Horizon too.
so is it possible that the SSL error problem persist due to the "untrusted certificate"??
2. do I need to import the connection server's certificate in to all the client VMs' MMC?
3. I checked the Horizon Client's logs on different windows desktops that had this "SSL error" and they all showed similar errors, as listed below:
ERROR (0750) [WinCDK] utils::ParseServerUrl : Unexpectedly unable to parse URL ''.
ERROR (077C) [WinCDK] UpdateMgrCDS::CdsLogCallback : CdsUtil_RemoveFile: Unable to remove file C:\Users\user\AppData\Local\Temp\cdstmp_1692_0
INFO (0750) [WinCDK] BaseServices::ErrorCallback : Error(Taskname:CdkSetLocaleTask, domain:54, code:35) Callback: Entry.
ERROR (0750) [WinCDK] DefaultErrorHandler::ProcessError : DefaultErrorHandler process error 'Error: An SSL error occurred' (code=35).
ERROR (0468) [WinCDK] UpdateMgrCDS::CdsLogCallback : CdsUtil_RemoveFile: Unable to remove file C:\Users\user\AppData\Local\Temp\cdstmp_7824_0
2019-10-28T20:26:35.526-07:00| host-1128| I125: DictionaryLoad: Cannot open file "C:\ProgramData\VMware\VMware Horizon View\config.ini": The system cannot find the file specified.
2019-10-28T20:26:35.526-07:00| host-1128| I125: [msg.dictionary.load.openFailed] Cannot open file "C:\ProgramData\VMware\VMware Horizon View\config.ini": The system cannot find the file specified.
2019-10-28T20:26:35.526-07:00| host-1128| I125: PREF Optional preferences file not found at C:\ProgramData\VMware\VMware Horizon View\config.ini. Using default values.
2019-10-28T20:26:35.541-07:00| host-1128| I125: DictionaryLoad: Cannot open file "C:\ProgramData\VMware\VMware Horizon View\settings.ini": The system cannot find the file specified.
2019-10-28T20:26:35.541-07:00| host-1128| I125: [msg.dictionary.load.openFailed] Cannot open file "C:\ProgramData\VMware\VMware Horizon View\settings.ini": The system cannot find the file specified.
2019-10-28T20:26:35.541-07:00| host-1128| I125: PREF Optional preferences file not found at C:\ProgramData\VMware\VMware Horizon View\settings.ini. Using default values.
2019-10-28T20:26:35.541-07:00| host-1128| I125: DictionaryLoad: Cannot open file "C:\ProgramData\VMware\VMware Horizon View\config.ini": The system cannot find the file specified.
2019-10-28T20:26:35.541-07:00| host-1128| I125: [msg.dictionary.load.openFailed] Cannot open file "C:\ProgramData\VMware\VMware Horizon View\config.ini": The system cannot find the file specified.
2019-10-28T20:26:35.541-07:00| host-1128| I125: PREF Optional preferences file not found at C:\ProgramData\VMware\VMware Horizon View\config.ini. Using default values.
2019-10-28T20:26:35.541-07:00| host-1128| I125: DictionaryLoad: Cannot open file "C:\Users\user\AppData\Roaming\VMware\config.ini": The system cannot find the file specified.
2019-10-28T20:26:35.541-07:00| host-1128| I125: [msg.dictionary.load.openFailed] Cannot open file "C:\Users\user\AppData\Roaming\VMware\config.ini": The system cannot find the file specified.
2019-10-28T20:26:35.541-07:00| host-1128| I125: PREF Optional preferences file not found at C:\Users\user\AppData\Roaming\VMware\config.ini. Using default values.
I have a user with a client of ours that gets a SSL error when opening up VMware Horizon Client. However, the error itself doesn't happen every day and if the user press OK, she can move forward into the program with no issue. No other user is experiencing this. What I want to ask is what would be causing this and what can I do to remedy this? Normally, something like this isn't a big deal but the client considers themselves to be high profile and always ask for our help to be urgent. Error is attached.
Enable Business-Ready Data with a Data Catalog
2022-05-17 18:00:00 UTC Webinar Webinar: Precisely -Enable Business-Ready Data with a Data Catalog Event Details View all events
About the Author
Helge Klein (ex CTP, MVP and vExpert) worked as a consultant and developer before founding vast limits, the uberAgent company. Helge applied his extensive knowledge in IT infrastructure projects and architected the user profile management product whose successor is now available as Citrix Profile Management. Helge is the author of the popular tools Delprof2 and SetACL. He has presented at Citrix Synergy, BriForum, E2EVC, Splunk .conf and many other events. Helge is very active in the IT community and has co-founded Virtualization Community NRW (VCNRW).
Establishing Trust
To make the default self-signed certificate work correctly you need to export it from the computer’s personal certificate store and then re-import it in the trusted root certificate store.
Exporting
It is OK to export without a private key; leave the file format at the default.
Importing – Connection Server
After the import restart the Connection Server machine. View Administrator should now display the Connection Server status in green (certificate valid):
Importing – Clients
Clients that connect to Horizon need the certificate imported as trusted root certificate in the same way as described for the Connection Server above.
Announcements from Google I/O 2022
chrisf7 mentioned this in today's Snap and, while I will mention it in tomorrow's version, it feels like this might warrant its own topic. Today was Google I/O, the company's annual conference for developers. I already see a variety of stories popping up.
Dual Monitors with Same Resolution
Snap! Patch Tuesday, Win10 20H2 EOS, Joint Cybersecurity Advisory, & a Marsquake
Your daily dose of tech news, in brief. You need to hear this. Microsoft Releases Fix for New Zero-Day with May 2022 Patch Tuesday Updates Today's theme will be Microsoft as we have a few stories across the internet that are fairly important .
Name Resolution
Clients connecting to Horizon View need to be able to resolve the name as it is stored in the certificate, in all likelihood fully qualified. If your (lab) clients use a different DNS server than the Horizon installation the simplest solution is to add the Connection Server’s name and IP address to each client’s hosts file.
Basic authentication deadline
Like many of you, I'm investigating the deprecation of basic auth in Exchange Online. We moved to Office365 about 2 years ago, moved our Outlook clients to the latest Outlook365 and had everyone recreate their phone email accounts. I knew I had some out.
This is a description of a quick and dirty way to get SSL to work correctly in a VMware Horizon View installation in a lab environment. Do not do this in production!
Spark! Pro series 11th May 2022
Today in History: 1956 Elvis Presley's 1st entry on UK charts with "Heartbreak Hotel"On 10 January 1956, Elvis Presley made his first recordings for RCA Records at The Methodist Television, Radio and TV Studios, 1525 McGavock Street, Nashville. “Heartbrea.
Announcements from Google I/O 2022
chrisf7 mentioned this in today's Snap and, while I will mention it in tomorrow's version, it feels like this might warrant its own topic. Today was Google I/O, the company's annual conference for developers. I already see a variety of stories popping up.
Snap! Patch Tuesday, Win10 20H2 EOS, Joint Cybersecurity Advisory, & a Marsquake
Your daily dose of tech news, in brief. You need to hear this. Microsoft Releases Fix for New Zero-Day with May 2022 Patch Tuesday Updates Today's theme will be Microsoft as we have a few stories across the internet that are fairly important .
3 Replies
- check 338 Best Answers
- thumb_up 879 Helpful Votes
No error is included.
Is the SSL self-signed?
Has everyone else accepted this and remembered?
Is this internal or external?
CarlPower
The easiest way to remedy it is set the client not to verify SSL certs - although not ideal, it allows the end user to connect without confusing them. From there, evaluate whether you need to connect via a secure connection, or are you happy with the additional security you have in place?
I apologize for not originally adding that error. As far as the other questions, I don't have answers for them. The client is not easy to get ahold of so I'm trying to work with what I got and go from there. Regarding your disabling SSL check option, where do you go to bring that up? I'm not that familiar with the Horizon Client.
It won't let me attach the error code so I'll type it out: SSL connection was shut down while reading.
The options are to press OK or you can click on the red X
This topic has been locked by an administrator and is no longer open for commenting.
To continue this discussion, please ask a new question.
3 Replies
- check 338 Best Answers
- thumb_up 879 Helpful Votes
No error is included.
Is the SSL self-signed?
Has everyone else accepted this and remembered?
Is this internal or external?
CarlPower
The easiest way to remedy it is set the client not to verify SSL certs - although not ideal, it allows the end user to connect without confusing them. From there, evaluate whether you need to connect via a secure connection, or are you happy with the additional security you have in place?
I apologize for not originally adding that error. As far as the other questions, I don't have answers for them. The client is not easy to get ahold of so I'm trying to work with what I got and go from there. Regarding your disabling SSL check option, where do you go to bring that up? I'm not that familiar with the Horizon Client.
It won't let me attach the error code so I'll type it out: SSL connection was shut down while reading.
The options are to press OK or you can click on the red X
This topic has been locked by an administrator and is no longer open for commenting.
To continue this discussion, please ask a new question.
Dual Monitors with Same Resolution
17 Replies
- check 338 Best Answers
- thumb_up 879 Helpful Votes
Has the domain name changed or any firewall rules to block VC talking to your AD?
- check 338 Best Answers
- thumb_up 879 Helpful Votes
Also confirm your ESXi and VC servers are using the correct time and date, if they are different from that of AD, AD logins also wont work
- check 338 Best Answers
- thumb_up 879 Helpful Votes
You should also really avoid using the Windows vCentre and migrate to the VCSA appliance to avoid such issues in the future.
Not to mention as of V7 there is no windows installer
There is no domain name changed. There are no any firewall rules to block VC talking to my AD.
I confirm that all my ESXi and VC servers are using the correct time and date. The difference is only 2 seconds.
For the moment I can't avoid using the Windows vCentre. This is a Production environment.
- check 338 Best Answers
- thumb_up 879 Helpful Votes
I assumed it was production, but i dont understand why you cant avoid the windows version.
Have you tried the most obvious - reboot it and any PSCs if they are external.
- check 338 Best Answers
- thumb_up 879 Helpful Votes
How many hosts, local or network storage, VDS in use, any complicated configurations?
I didn't tried to reboot it. I will try during this weekend.
I have 2 vCenter servers (VC-01/Host-03,Host-04 and Host-05/ and VC-02/Host-01 and Host-02/). Each host have approx. 9TB local storage/RAID-6/. There is 1 network storage 36 GB/Raid-6/ shared for all esxi hosts. In each esxi host(6.5.0 Update 1, build 5969303) I have 3 VDS. It's not a complicated configuration(s). There are also 1 Horizon Connection server (CS-01) and 1 Secure Gateway server(SG-01). All servers (VC-01,VC-02,CS-01 and SG-01) are running on Wndows 2012 R2 Datacenter edition.
If my problem can't be solved, can I install in parallel from scratch 2 VCSA appliances(version 6.5) named VC-03 and VC-04?
- check 338 Best Answers
- thumb_up 879 Helpful Votes
Yes or migrate your VC to VCSA - it will do it for you
I found in vCenter Server logs\vsphere-client\logs\vsphere_client_virgo.log the following:
- check 338 Best Answers
- thumb_up 879 Helpful Votes
Did this by chance start to fail on the 30th or at least Monday this week for you if you do not work weekends?
- check 338 Best Answers
- thumb_up 879 Helpful Votes
If yes, have you patched/updated your vcentre server, including vcentre itself, not just windows and/or your hosts?
There has been a major change with CA chains and rots as of 30th.
I saw this started to fail from 2020-05-30T13:05:30.930+02:00
- check 338 Best Answers
- thumb_up 879 Helpful Votes
See my post above relating to the 30th
All my Windows 2012 R2 VCenter servers (VC-01/ESXI 6.5.0 Update 1, build 5969303: Host-03,Host-04 and Host-05/ and VC-02/ESXI 6.5.0 Update 1, build 5969303:Host-01 and Host-02/), Windows 2012 R2 Horizon Connection server (CS-01) and Windows 2012 R2 Secure Gateway server(SG-01) are running since July 2017
I didn't patched/updated my servers/hosts in production.
- check 338 Best Answers
- thumb_up 879 Helpful Votes
simon_t wrote:
I didn't patched/updated my servers/hosts in production.
You should be, I'd start with getting them up to date, not patching them is a bad move
They will download configurations, updates, vulnerability fixes and roots for CAs which i believe is the cause here since your date or error starts the day of the major CA root updates.
All my ESXI 6.5 hosts are not connected to the internet.
Can I download the ESXi offline bundle from VMware site and upload to the datastore which is accessible for ESXi hosts and execute the ESXi esxcli command line VIB installer from an ESXi console or SSH session?
Which ESXi offline bundle version I need? Is it ESXi 6.7U3b?
Should I update first the vCenter servers(VC-01 and VC-02) and then Horizon Connection server (CS-01), Windows 2012 R2 Secure Gateway server(SG-01)? Can I use the ISO Method, because I can't log into the vSphere Web Client with the SSO administrator (administrator@vsphere.local) account?
- check 338 Best Answers
- thumb_up 879 Helpful Votes
Horizon can stay out of this for now
Get your VCs done first - yes you can do offline bundles, however if you have VCs, give that internet access and use update manager.
After your VCs do the PSCs if separate then the hosts
This topic has been locked by an administrator and is no longer open for commenting.
To continue this discussion, please ask a new question.
Basic authentication deadline
Like many of you, I'm investigating the deprecation of basic auth in Exchange Online. We moved to Office365 about 2 years ago, moved our Outlook clients to the latest Outlook365 and had everyone recreate their phone email accounts. I knew I had some out.
I have no issues with my VMware vCenter 6.5 server since 2016.
Today I'm trying to access my vSphere Web client using as usual my AD account.
I can't also log into the vSphere Web Client with the SSO administrator (administrator@vsphere.local) account.
I got the following error:
"
A server error occurred.
[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: Signature validation failed.
Check the vSphere Web Client server logs for details.
"
By the way, the file C:\ProgramData\VMWare\vCenterServer\logs\sso\vmware-sts-idmd.log contains NO errors, regarding "Signature validation failed".
Could you please give me some hints.
Thank you in advance.
Upskill, reskill, or hire?
- check 338 Best Answers
- thumb_up 879 Helpful Votes
Horizon can stay out of this for now
Get your VCs done first - yes you can do offline bundles, however if you have VCs, give that internet access and use update manager.
After your VCs do the PSCs if separate then the hosts
The Situation
The Horizon View Connection Server installer creates a self-signed certificate which it places in the computer’s personal certificate store. This certificate’s root is not trusted by anyone, least of all by the clients trying to connect to your apps and desktops.
Spark! Pro series 11th May 2022
Today in History: 1956 Elvis Presley's 1st entry on UK charts with "Heartbreak Hotel"On 10 January 1956, Elvis Presley made his first recordings for RCA Records at The Methodist Television, Radio and TV Studios, 1525 McGavock Street, Nashville. “Heartbrea.
Читайте также: