When connecting to a Horizon View virtual machine using Blast, and the Blast Secure Gateway is turned off, you experience these symptoms:

- The Blast Secure Gateway is disabled on a connection server.
- The SSL session is invalid when directly connected to the virtual machine with Blast.
- VMware Horizon Blast certificate: browser warning that the certificate is untrusted.
- Virtual desktop SSL error: browser warning that the certificate is untrusted.
This is a child article of the following: Troubleshooting SSL certificate issues in VMware Horizon
This issue occurs if:

- The certificate on the virtual machine does not match the Blast IP or the DNS name of the virtual machine.
- You are connecting to the virtual machine by IP and not by name.

For example:

1. You connect to your Horizon server (horizon.corporation.com) over the browser.
2. You select the desktop pool where you wish to start a desktop instance.
3. After selecting the desktop, the browser URL changes from horizon.corporation.com to desktop123.corporation.com or to the IP address of the desktop.
Recommended Approach:

We advise using the Blast Secure Gateway for HTML Access to the machine rather than individual Blast certificates on machines. To configure it, see Enable the Blast Secure Gateway for HTML Access. This option is compatible with UAG, which requires the other tunnels to be set on the UAG rather than on the broker.

Note: This tunnels only your HTML5 connections into the desktops and uses the certificate configured with the tunnel URL. This is the least disruptive approach. See Network Ports in VMware Horizon to review any potential port changes.

For legacy environments, the manual steps and options are below. Note that these steps can be arduous and time-intensive, hence the recommended approach above.

Legacy Steps:

If you have to certify each desktop, be precise, follow each step in depth, and cross-check and validate as you go. An incorrect application of a certificate can result in disruption on the virtual desktop.

Note: Ensure that you have a PFX certificate bundle with the private key when the certificate is received.

To perform the SSL validation, execute these 6 steps:

1. Change the certificate on the virtual machine to satisfy SSL validation
2. Add the Certificate Snap-in to MMC on a Horizon View desktop
3. Import a certificate for the VMware Horizon HTML Access Agent into the Windows certificate store
4. Import root and intermediate certificates for the VMware Horizon HTML Access Agent
5. Set the certificate thumbprint in the Windows registry
6. Update the View Agent ADM template settings for the agent VMs

1. Change the Certificate on the virtual machine to satisfy SSL validation

Using a wildcard certificate is likely to be the most practical. If you are connecting to a virtual machine by hostname, a wildcard certificate should match that hostname. For example: hostname vm1.vm.company.com using a wildcard certificate *.vm.company.com or *.company.com should match.
2. Add the Certificate Snap-in to MMC on a Horizon View Desktop

Before adding certificates to the Windows local computer certificate store, add the Certificate Snap-in to the Microsoft Management Console (MMC) on the Horizon View desktops where the VMware Horizon HTML Access Agent is installed.

Prerequisites: Verify that the Microsoft Management Console (MMC) and the Certificate Snap-in are available on the Windows guest operating system where the VMware Horizon HTML Access Agent is installed.

Procedure:

1. On the Horizon View desktop, click Start and type mmc.exe.
2. In the MMC window, navigate to File > Add/Remove Snap-in.
3. In the Add or Remove Snap-in window, select Certificates and then click Add.
4. In the Certificates Snap-in window, select Computer account and then click Next.
5. Select Local computer, and click Finish.
6. In the Add or Remove Snap-in window, click OK.

3. Import a Certificate for the VMware Horizon HTML Access Agent into the Windows Certificate Store

To replace a default VMware Horizon HTML Access Agent certificate with a CA-signed certificate, import the CA-signed certificate into the Windows local computer certificate store. Perform this procedure on each desktop where the VMware Horizon HTML Access Agent is installed.

Prerequisites: Verify that the VMware Horizon HTML Access Agent is installed on the Horizon View desktop. Verify that the CA-signed certificate was copied to the desktop.

Procedure:

1. In the MMC window on the Horizon View desktop, expand the Certificates (Local Computer) node and click the Personal folder.
2. In the Actions pane, navigate to More Actions > All Tasks > Import.
3. In the Certificate Import Wizard, click Next and browse to the location where the certificate is stored.
4. Select the certificate file and click Open. To display the certificate file type, select its file format from the File name drop-down menu.
5. Type the password for the private key that is included in the certificate file.
6. Click Mark this key as exportable.
7. Click Include all extended properties.
8. Select Next and click Finish. The new certificate appears in the Certificates (Local Computer) > Personal > Certificates folder.
9. Verify that the new certificate contains a private key: in the Certificates (Local Computer) > Personal > Certificates folder, double-click the new certificate. In the General tab of the Certificate Information dialog box, verify that this statement appears: You have a private key that corresponds to this certificate.

4. Import Root and Intermediate Certificates for the VMware Horizon HTML Access Agent

If the root certificate and intermediate certificates in the certificate chain were not imported together with the SSL certificate imported for the VMware Horizon HTML Access Agent, import these certificates into the Windows local computer certificate store.

Procedure:

1. In the MMC console on the Horizon View desktop, expand Certificates (Local Computer) and navigate to the Trusted Root Certification Authorities > Certificates folder.
2. If the root certificate is in this folder, and there are no intermediate certificates in your certificate chain, skip this procedure. If the root certificate is not in this folder, proceed to step 3.
3. Right-click the Trusted Root Certification Authorities > Certificates folder and click All Tasks > Import.
4. In the Certificate Import Wizard, click Next and browse to the location where the root CA certificate is stored.
5. Select the root CA certificate file and click Open.
6. Select Next and click Finish.
7. If your server certificate was signed by an intermediate CA, import all intermediate certificates in the certificate chain into the Windows local computer certificate store: navigate to the Certificates (Local Computer) > Intermediate Certification Authorities > Certificates folder and repeat steps 3 to 6 for each intermediate certificate that must be imported, right-clicking that folder instead.
5. Set the Certificate Thumbprint in the Windows Registry

To allow the VMware Horizon HTML Access Agent to use a CA-signed certificate that was imported into the Windows certificate store, configure the certificate thumbprint in a Windows registry key. Perform this step on each desktop on which you replace the default certificate with a CA-signed certificate.

Prerequisites: Verify that the CA-signed certificate is imported into the Windows certificate store. See Import a Certificate for the VMware Horizon HTML Access Agent into the Windows Certificate Store.

Procedure:

1. In the MMC window on the Horizon View desktop where the VMware Horizon HTML Access Agent is installed, navigate to the Certificates (Local Computer) > Personal > Certificates folder.
2. Double-click the CA-signed certificate that was imported into the Windows certificate store.
3. In the certificate dialog box, click the Details tab, scroll down, and select the Thumbprint field.
4. Copy the selected thumbprint to a text file. For example: 31 2a 32 50 1a 0b 34 b1 65 46 13 a8 0a 5e f7 43 6e a9 2c 3e

   Note: When you copy the thumbprint, do not include the leading space. If you inadvertently paste the leading space with the thumbprint into the registry key in step 7, the certificate might not be configured successfully. This problem can occur even though the leading space is not displayed in the registry value text box.
5. Start the Windows Registry Editor on the desktop where the VMware Horizon HTML Access Agent is installed.
6. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config registry key.
7. Modify the SslHash value and paste the certificate thumbprint into the text box.
8. Restart the VMware Blast service to make your changes take effect.

   Note: In the Windows guest operating system, the service for the VMware Horizon HTML Access Agent is called VMware Blast.
When a user connects to a desktop through VMware Horizon HTML Access, the VMware Horizon HTML Access Agent presents the CA-signed certificate to the user's browser.

6. Update the View Agent ADM Template Settings for the Agent VMs

Enable the Connect using DNS Name GPO configuration setting in Horizon 6.0 and earlier releases. With Horizon 7, the View LDAP attribute described in Give Preference to DNS Names When View Connection Server Returns Address Information replaces the per-desktop functionality that was provided by the group policy setting Connect using DNS Name in Horizon 6.0.x and earlier releases.
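The following PowerShell script is an added example, not code from the article or from VMware, that carries out steps 3 to 5 of the legacy procedure on one desktop and also checks the cause described under "This issue occurs if" (a certificate that does not cover the name the browser is redirected to). The PFX path C:\certs\desktop.pfx and the desktop name vm1.vm.company.com are constructed placeholders; the registry key, the SslHash value and the VMware Blast service name are the ones the article gives. It assumes that SslHash accepts the thumbprint in the form MMC displays it (lowercase hex pairs separated by single spaces), which is the form of the article's example, and it uses the standard PKI module cmdlets Import-PfxCertificate and Test-Certificate.

```powershell
# Added example, not VMware's own code. Run in an elevated PowerShell session on the
# desktop where the VMware Horizon HTML Access Agent is installed.
$ErrorActionPreference = 'Stop'

$PfxPath     = 'C:\certs\desktop.pfx'     # assumed: PFX bundle that contains the private key
$DesktopFqdn = 'vm1.vm.company.com'       # assumed: the name the browser URL changes to
$RegKey      = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Blast\Config'   # key named in the article
$ServiceName = 'VMware Blast'             # agent service name from the article

# Step 3: import the PFX into Certificates (Local Computer) > Personal with an exportable key.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPassword -Exportable `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# The cross-check from step 3: the imported certificate must carry a private key.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; import the PFX bundle, not a .cer file."
}

# Step 4 and the root cause: the chain must build to a root in Trusted Root Certification
# Authorities on this machine, and the certificate must be valid for the name the browser
# is redirected to. Windows applies the wildcard rules; this script does not re-implement them.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $DesktopFqdn)) {
    throw "Certificate $($cert.Thumbprint) does not validate for $DesktopFqdn; check its subject names and import the root and intermediate CA certificates first."
}

# Step 5: write the thumbprint into SslHash. Assumption: the agent expects the value in the
# form MMC shows it (lowercase hex pairs, single spaces, no leading or trailing space).
$sslHash = (($cert.Thumbprint -replace '(..)', '$1 ').Trim()).ToLower()
if (-not (Test-Path -Path $RegKey)) {
    throw "Registry key $RegKey not found; is the VMware Horizon HTML Access Agent installed?"
}
Set-ItemProperty -Path $RegKey -Name 'SslHash' -Value $sslHash -Type String

# Restart the agent service so the new certificate is presented to browsers.
Restart-Service -Name $ServiceName

# Read everything back so the result can be validated before moving on to the next desktop.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    SslHash    = (Get-ItemProperty -Path $RegKey -Name 'SslHash').SslHash
    Service    = (Get-Service -Name $ServiceName).Status
}
```

The script stops before touching the registry if the private key is missing or if Test-Certificate cannot validate the certificate for the desktop name, so a mismatched or untrusted certificate is caught on the desktop rather than as a browser warning; the object it returns at the end gives the thumbprint, the value actually stored in SslHash and the service state for the per-desktop validation the article asks for.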