...
Launching the Horizon Client and connecting to a Horizon Connection Server that has SmartCard authentication enabled fails.

You cannot connect to the Horizon Connection Server that has SmartCard authentication enabled.

If the SmartCard authentication is set to Optional, you do not see the PIN dialog.

If the SmartCard authentication is set to Required, you see the error:

    The View Connection Server connection failed. Smart Card or Certificate authentication is required.

When debug logging is enabled on the Horizon Client, you see an issuer mismatch. This is a list sent by the Server.

    IsValidCertificate: Cert didn't match a valid issuer. Skipping cert.

To see the list of issuers sent by the server, in the client debug log, look for a line similar to:

    IsValidCertificate: Cert contains a valid issuer in its chain. Adding cert to list.

Note: For more information on log file locations, see Location of VMware View log files (1027744).
This issue occurs if not all of the required root or intermediate certificates have been loaded into the keystore on the View Connection servers.

In the DoD space, this issue may also occur if newer CACs are signed by new root and intermediate certs that were released since the keystore was created.
To resolve this issue, add the required root or intermediate certificates to the keystore.

To add the required root or intermediate certificates to the keystore:

Note: If you are a DoD customer using DoD issued CAC cards, perform the steps in the Additional Steps for DoD Customers section in this article, then proceed to Step 6.

Log in to the Connection Broker as an administrator.

Using Windows Explorer, navigate to the root of your C drive and create a new folder named Certs.

Copy all root and intermediate certificates required by your organization to validate SmartCards to the C:\Certs folder.

Download the 2021_make_keystore.txt file attached to this article. Rename the 2021_make_keystore.txt to make_keystore.ps1 and copy the file to the C:\Program Files\VMware\VMware View\Server\sslgateway\conf folder.

Click Start > All Programs > Accessories.

Right-click Windows PowerShell and click Run as administrator.

Run this command:

    cd "\Program Files\VMware\VMware View\Server\sslgateway\conf"

Run this command:

    Set-ExecutionPolicy unrestricted

Answer Y when prompted.

Run this command in a single line:

    .\make_keystore.ps1 -CertDir C:\Certs -Password storepass -KeyStore keystore -LockedProperties locked.properties

Where storepass is a password of your choice.

Note: The password must be at least 6 characters and must be enclosed within quotes if it contains spaces or special characters.

Click Start > Administrative Tools > Services.

Right-click the VMware Horizon Connection Server service and click Restart.

Additional Steps for DoD Customers

Note: A downloadable package of all the DoD root and intermediate certificates is already available. Repeat this procedure with the latest version every few months so that new CAC cards authenticate in your environment as new CA certs are released.

Go to https://public.cyber.mil/installroot_5-6/ and download the latest version of the InstallRoot###.msi package (available under the Trust Store section).

Double-click the downloaded package. You may be prompted with a security warning.

Click Run to continue with the installation.

In the Setup Wizard welcome screen, click Next to accept the default settings.

In the Ready to Install screen, click Install.

Click Finish.

Note: The InstallRoot program should automatically open. If it does not open, use the Start menu.

Click Advanced Mode.

Click DoD NIPRNet Certificates and then click Select/Deselect All.

Click Export Selected.

Navigate to the root of your C drive and create a new folder called Certs.

Open the Certs folder.

Click OK.
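A pre-check for the cause described above, as an added example that is not part of the VMware script or this article's attachment: it walks the issuer chain of one exported card certificate through the files in C:\Certs and reports the first CA that is missing from the folder before the keystore is built. The function name, its parameters and the card certificate path are assumptions; issuers are matched by encoded name only and signatures are not verified.

```powershell
# Added example (not VMware's script). Function name, parameter names and the
# card certificate path are assumptions. Issuers are matched by encoded name
# only; signatures are not verified.
function Test-SmartCardIssuerChain {
    param(
        [Parameter(Mandatory = $true)][string]$CardCert,  # public cert exported from a card
        [string]$CertDir = "C:\Certs"
    )
    $type = "System.Security.Cryptography.X509Certificates.X509Certificate2"

    # Index every CA certificate in the folder by its DER-encoded subject name.
    $bySubject = @{}
    foreach ($file in Get-ChildItem -Path (Join-Path $CertDir "*.cer")) {
        $ca  = New-Object -TypeName $type -ArgumentList $file.FullName
        $key = [Convert]::ToBase64String($ca.SubjectName.RawData)
        if (-not $bySubject.ContainsKey($key)) { $bySubject[$key] = @() }
        $bySubject[$key] += $ca
    }

    $current = New-Object -TypeName $type -ArgumentList $CardCert
    $now = Get-Date
    for ($depth = 0; $depth -lt 10; $depth++) {
        $issuerKey  = [Convert]::ToBase64String($current.IssuerName.RawData)
        $subjectKey = [Convert]::ToBase64String($current.SubjectName.RawData)
        # A self-issued CA certificate taken from the folder ends the chain.
        if ($depth -gt 0 -and $issuerKey -eq $subjectKey) {
            Write-Host "Chain complete at root: $($current.Subject)" -ForegroundColor Green
            return $true
        }
        if (-not $bySubject.ContainsKey($issuerKey)) {
            Write-Host "Missing from ${CertDir}: $($current.Issuer)" -ForegroundColor Red
            return $false
        }
        # Prefer a copy of the issuer that is inside its validity period.
        $candidates = $bySubject[$issuerKey]
        $issuer = $candidates |
            Where-Object { $_.NotBefore -le $now -and $_.NotAfter -ge $now } |
            Select-Object -First 1
        if (-not $issuer) {
            Write-Host "No currently valid copy of: $($current.Issuer)" -ForegroundColor Yellow
            return $false
        }
        $current = $issuer
    }
    Write-Host "Chain exceeds 10 certificates; stopping" -ForegroundColor Red
    return $false
}

# Usage (hypothetical path): Test-SmartCardIssuerChain -CardCert C:\Temp\card.cer
```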
In the PowerShell script of the attached 2021_make_keystore.zip file, you see entries similar to:

    Param($CertDir, $Password, $KeyStore = "", $LockedProperties = "")

    # This script will create a keystore file containing all the
    # certificates in $CertDir, and create the keystore with the
    # given $Password. It will also generate a locked.properties file
    # for use with the VMware View Connection Server.
    # -CertDir -- The path to the directory containing all the certificates to import
    # -Password -- The password to write the keystore with.
    # -KeyStore -- The full path and file name of the keystore file to write
    # -LockedProperties -- The full path and file name of the locked.properties file

    function usage($commandname) {
        Write-Host "Usage:"
        Write-Host "$commandname -CertDir <Directory Path>"
        Write-Host " -Password <Password>"
        Write-Host " [-KeyStore <Keystore file path>]"
        Write-Host " [-LockedProperties <locked.properties file path>]"
    }

    # Initialize Variables
    $messages=@()
    $errorstatus=$false
    $certcount=0

    # Add the View JRE to the path
    $env:Path+=";C:\Program Files\VMware\VMware View\Server\jre\bin"

    # Make sure the password has at least 6 characters
    # (-lt, not -le, so that a 6-character password is accepted)
    if ($Password.length -lt 6) {
        $messages+="Password must be a minimum of 6 characters long"
        $errorstatus=$true
    }

    # Check the certificate directory to make sure it exists
    if ($CertDir -eq $null) {
        $messages+="Please provide a -CertDir and the path to your certificates folder"
        $errorstatus=$true
    } else {
        if (-not (Test-Path -PathType Container -Path $CertDir)) {
            $messages+="$CertDir does not exist"
            $errorstatus=$true
        }
    }

    # Check for errors and exit if found
    if ($errorstatus) {
        foreach ($message in $messages) {
            Write-Host $message -ForegroundColor "red"
        }
        usage $myinvocation.mycommand.name
        return
    }

    # Create a certificate store in the CertDir unless it's specified
    # to go into another location
    if ($KeyStore -eq "") {
        $KeyStore = "$CertDir\keystore"
    }
    $returnstatus = $KeyStore -match "([^\\]*$)"
    $KeyStoreNoPath = $Matches[1]

    # Create a locked.properties file in the CertDir unless it's specified
    # to go into another location
    if ($LockedProperties -eq "") {
        $LockedProperties = "$CertDir\locked.properties"
    }

    # Loop through all *.cer files in the certificate directory. Add each
    # one to the keystore file.
    foreach ($certificate in Get-ChildItem "$CertDir\*.cer") {
        # Create an alias for this key
        $returnstatus = $certificate -match "([^\\]*)\..*$"
        $alias = $Matches[1]
        trap [SystemException] {
            Write-Host "$_" -ForegroundColor "red"
            return;
        }
        $OldErrorActionPreference = $ErrorActionPreference
        $ErrorActionPreference = 'SilentlyContinue'
        keytool -import -alias $alias -file $certificate -keystore $KeyStore -storepass $Password -noprompt -storetype JKS
        $ErrorActionPreference = $OldErrorActionPreference
        # Count only certificates that keytool actually imported
        if ($LASTEXITCODE -eq 0) {
            $certcount += 1
        } else {
            Write-Host "keytool could not import $certificate" -ForegroundColor "red"
        }
    }
    Write-Host "Wrote $certcount certificates into the keystore file $KeyStore" -ForegroundColor "green"

    # Create a locked.properties file properly formatted for View.
    "trustKeyfile=$KeyStoreNoPath" | Out-File -Encoding "ASCII" $LockedProperties
    "trustStoretype=JKS" | Out-File -Encoding "ASCII" -Append $LockedProperties
    "useCertAuth=true" | Out-File -Encoding "ASCII" -Append $LockedProperties
    Write-Host "Wrote $LockedProperties file" -ForegroundColor "green"
    Write-Host -ForegroundColor Blue "Please copy the files $KeyStore and $LockedProperties files into the"
    Write-Host -ForegroundColor Blue "VMware View sslgateway\conf folder, by default located in your View"
    Write-Host -ForegroundColor Blue "installation directory."

Location of VMware View log files