...
Certificates can present a range of symptoms on both the broker and end-user clients. This article focuses on the specific issues that can arise with Horizon Servers. Recognising these symptoms as potential certificate issues will speed up the isolation and resolution of incidents. You may see one or all of these symptoms.

Symptom 1: The Connection Server shows a red alert in the System Health section of the Horizon console Dashboard. You receive warning messages in the Horizon Administrator Console Dashboard related to SSL certificates, including but not limited to "An SSL error occurred."

Symptom 2: You cannot open the Horizon Administrator Console page; it does not load. Note: this symptom can have other causes, but certificate issues are a primary one.

Symptom 3: Connecting with a Horizon Client/View Client returns an error message saying the certificate is untrusted, or a similar certificate warning.

Symptom 4: Services on the Horizon server, such as the Blast Secure Gateway, fail to start or do not stay started.
This article provides troubleshooting steps and identifies common issues with SSL certificates used to certify Horizon Brokers / Connection Servers. The steps below are ordered by severity and frequency to offer a sequential method for triaging potential certificate issues in your environment.

Important: A Horizon Server is installed by default with a self-signed certificate. VMware strongly recommends that you configure TLS certificates signed by a valid Certificate Authority (CA) for use by Horizon Connection Server instances.
Documentation: Obtaining TLS Certificates from a Certificate Authority
Horizon has the following requirements for the certificate it uses. Most certificate issues arise from the misconfiguration of one of these criteria.

Certificate Requirements:
- Exportable private key (required for data decryption).
- The Enhanced Key Usage (EKU) of the SSL server certificate is "Server Authentication" (serverAuth).
- The Key Usage (the specific operations the key may be used for) of the certificate is "Digital Signature" and "Key Encipherment".
- The key storage provider is compatible with Blast. See Blast gateway not running when a Certificate generated from IIS is used (89820).
- The friendly name is vdm. It must be lowercase.
- The certificate chain shows as valid and the root certificate is present: the certificate's chain of trust must be rooted in the server's local Root Authority certificate store.
- The certificate is issued by a trusted CA.
- The certificate must not be revoked. If certificate revocation checking is enabled, the revocation server must be reachable from the server. See Troubleshooting Horizon 7 Server Certificate Revocation Checking.
- The certificate's Common Name (CN) or Subject Alternative Name(s) (SAN) must match the Connection Server FQDN or the configured external URL.
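The following PowerShell script, added here as an example and not VMware's own tooling, checks the certificate named vdm in the Local Machine Personal store against the requirements above (EKU, Key Usage, exportable private key, trusted chain with revocation checking, and CN/SAN match). $ExpectedHost is a placeholder for the Connection Server FQDN or external URL host; the private-key check assumes an RSA key.

```powershell
# Added example, not VMware's code: check the "vdm" certificate in the Local Machine
# Personal store against the Horizon requirements. $ExpectedHost is a placeholder for
# the Connection Server FQDN or external URL host name. Run in an elevated prompt.
$ExpectedHost  = 'horizon.example.com'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$findings = @()

# Friendly name must be exactly "vdm" (lowercase) and there must be only one such entry
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -ceq 'vdm' })
if ($certs.Count -ne 1) {
    $loose = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -ieq 'vdm' })
    Write-Warning "Expected exactly one certificate named 'vdm'; found $($certs.Count) exact and $($loose.Count) case-insensitive matches"
    return
}
$cert = $certs[0]

# EKU must include Server Authentication
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) { $findings += 'EKU lacks Server Authentication' }

# Key Usage must include both Digital Signature and Key Encipherment
$ku   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } | Select-Object -First 1
$need = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
if (-not $ku -or (($ku.KeyUsages -band $need) -ne $need)) { $findings += 'Key Usage lacks Digital Signature and/or Key Encipherment' }

# Private key must be present and exportable (RSA keys only; CNG export policy or CAPI container flag)
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { $findings += 'No RSA private key is associated with the certificate' }
elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    if (($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -eq 0) { $findings += 'Private key (CNG) is not exportable' }
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    if (-not $rsa.CspKeyContainerInfo.Exportable) { $findings += 'Private key (CAPI) is not exportable' }
}

# Chain must build to a trusted root; online revocation checking surfaces CRL reachability problems
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $findings += 'Chain validation failed: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}

# CN or a DNS SAN entry must match the FQDN / external URL host
$names = @($cert.DnsNameList.Unicode) + @($cert.GetNameInfo('SimpleName', $false))
if ($names -notcontains $ExpectedHost) { $findings += "Neither CN nor SAN matches ${ExpectedHost}: $($names -join ', ')" }

if ($findings.Count -eq 0) { "Certificate $($cert.Thumbprint) meets the Horizon requirements" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Each warning maps to one requirement in the list, so the output tells you which item to fix before you touch the friendly name or restart any service.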
Restarting a Connection Server may disrupt client connections and ongoing provisioning tasks. When replacing a certificate, you can split the task into two phases.

Non-disruptive: Import the certificate and verify it against the criteria above, placing emphasis on the exportability of the private key.

Disruptive: A maintenance window, announced to clients in advance, that gives you time to:
- change the old certificate's friendly name to "backup", or another alternative that is not vdm;
- rename the new certificate to vdm. Certain services pick up the new certificate immediately (console, REST, SOAP); the gateway services (Blast, PCoIP) continue using the initial certificate until the services are restarted.
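The disruptive phase as a PowerShell script, added here as an example (not VMware's code): it demotes the current vdm certificate to "backup", promotes the validated replacement, and restarts the gateway services that do not pick up the change on their own. $NewThumbprint is a placeholder, and the gateway service display-name patterns are assumptions.

```powershell
# Added example, not VMware's code: the disruptive phase of a certificate swap, run in the
# maintenance window after the new certificate has been imported and validated.
# $NewThumbprint is a placeholder for the replacement certificate's thumbprint; the gateway
# service display-name patterns are assumptions. Run in an elevated prompt.
$NewThumbprint = 'PLACEHOLDER_NEW_CERT_THUMBPRINT'

$store = Get-ChildItem Cert:\LocalMachine\My
$old = @($store | Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $NewThumbprint })
$new = $store | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $new) { throw "Replacement certificate $NewThumbprint is not in LocalMachine\My" }
if (-not $new.HasPrivateKey) { throw 'Replacement certificate has no private key; re-import it with the key' }

# Step 1: demote the current certificate so that only one store entry is named "vdm"
foreach ($c in $old) { $c.FriendlyName = 'backup'; "Renamed $($c.Thumbprint) to backup" }

# Step 2: promote the new certificate; console, REST and SOAP pick it up without a restart
$new.FriendlyName = 'vdm'
"Renamed $($new.Thumbprint) to vdm"

# Step 3: the Blast and PCoIP gateways keep serving the old certificate until restarted
Get-Service | Where-Object { $_.DisplayName -like '*Blast Secure Gateway*' -or $_.DisplayName -like '*PCoIP Secure Gateway*' } |
    Restart-Service -Force -Verbose
```

Keeping the old certificate in the store under the name "backup" is what makes the rollback in the final note of this article a one-line rename.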
Sequential Troubleshooting Steps for Horizon Server Certificate Issues:

1) Ensure your certificate is generated as per best practices. We strongly recommend using Certreq to generate and install certificates for Horizon View.
- Generating a Certificate Signing Request and Obtaining a Certificate with Microsoft Certreq (Horizon 8 2203) - primary product documentation on the usage of Certreq.
- Using Microsoft Certreq to generate signed SSL certificates in VMware Horizon View (2032400) - this article outlines the process step by step, with a sample request.inf template file to accelerate the process.
Alternate methods are available and documented if there are barriers to the primary method above:
- Configuration of TLS/SSL certificates for Horizon View Connection Servers (89916) - outlines alternative methods, with narrated video guidance detailing common issues encountered.

2) Verify your SSL certificate configuration against the most common causes:
- Common SSL Certificate configuration issues in VMware Horizon (80303) - this article outlines the top common causes in detail, with a narrated video explaining each one.
- Verifying SSL certificate configuration for VMware Horizon (80317) - outlines less frequent elements that can result in certificate warnings.

3) Horizon Server Dashboard fails to load. These articles outline scenarios where the Horizon console does not load:
- VMware Horizon Connection Server Admin Page fails to load with a new SSL certificate applied (2072459) - this article outlines the process of validating the key certificate criteria that can stop the Horizon Dashboard from loading, primarily ensuring that the private key for your certificate is exportable.
- Cross-Origin Resource Sharing (CORS) with Horizon 8 and load-balanced HTML5 access (85801) - this article outlines a scenario where HTML5 or admin access results in a blank page when CORS is enabled.
4) Errors in your Horizon Dashboard related to your Connection Server certificate. These articles outline scenarios where the Horizon console loads, but certificate errors are reported in the dashboard:
- Administration Dashboard in VMware Horizon reports the error: "Server's certificate subject name does not match the server's External URL. Server's certificate is not trusted" (80371) - this article outlines a scenario where the Common Name (CN) or Subject Alternative Name (SAN) does not match the FQDN / Gateway URL.
- Administration Dashboard in VMware Horizon reports the error: Server's certificate cannot be checked (2000063) - this article outlines issues arising from Certificate Revocation List (CRL) access problems.
- Administration Dashboard in VMware Horizon fails to load due to 3rd Party Port conflicts (2078101) - this article outlines a scenario where a competing service on the same network ports impacts Horizon.

5) Errors reported when connecting to Horizon with a Horizon Client. These articles outline scenarios where the Horizon Client reports a certificate error:
- Connecting to VMware Horizon View desktops with a Horizon Client fails with the error: "Tunnel server presented a certificate that didn't match the expected certificate" (2083612) - this article outlines a client error message typically seen where SSL connections are offloaded but the thumbprint or the configured certificate does not match.
- Connecting to VMware Horizon View desktops with a Horizon Client fails with the error: "An SSL error Occurred" (78372) - this article outlines a scenario where this error is seen on the Horizon Client side, with options to resolve it explained in a narrated video.
- Connecting to VMware Horizon View desktops with an HTML5 browser session fails with the error: "SSL Session is invalid" (2088354) - this article outlines a scenario where the client is instructed to receive its certificate directly from the virtual desktop.
Note: If the issue still exists after attempting the steps in this article, file a support request with VMware Technical Support and note this Knowledge Base article ID (2082408) in the problem description. For more information on filing a support request, see Filing a Support Request in Customer Connect (2006985). Before restarting to test, you can turn up the log level on the Connection Server to full (level 3), which captures detailed information about the certificate and helps support resolve the case efficiently. You can turn the log level back down using the same commands. See Collect Diagnostic Information for Horizon Connection Server for detailed steps.
Note: The VMware default certificate present on a Connection Server can be used as a troubleshooting step. If the admin page loads when you roll back to this certificate, the problem lies with the new certificate.