...
An index of common configuration issues with Horizon TrueSSO.

Horizon View True SSO uses Microsoft Enterprise Certificate Servers to issue certificates used to log into a Horizon Desktop.
Horizon Single Sign On is a different technology from Horizon TrueSSO. If you do not have TrueSSO configured but are experiencing issues with Single Sign On, please see Troubleshooting issues with Single Sign On in a VMware Horizon environment (1029391).

Preparation and Validation:

TrueSSO is heavily reliant on the correct and systematic setup of your PKI infrastructure. If you encounter issues with setup, a very common source is misconfiguration during setup. We encourage active verification at each step to ensure no step is missed. The True SSO Configuration Utility can be used to validate or complete setup. Additionally, there is a walkthrough of setup on Techzone: "Setting Up TrueSSO".

You must perform the following tasks to set up your environment for True SSO:

- Set Up an Enterprise Certificate Authority
- Create Certificate Templates Used with True SSO
- Install and Set Up an Enrollment Server
- Export the Enrollment Service Client Certificate
- Configure SAML Authentication to Work with True SSO
- Configure Horizon Connection Server for True SSO

Troubleshooting TrueSSO:

- With a first-time setup, if you encounter issues, please start your troubleshooting process with a comprehensive validation of your setup steps.
- There is a dashboard on your Horizon Console where you can verify the status of TrueSSO. Check there to ensure everything is green; please see Using the Dashboard to Troubleshoot Issues Related to True SSO for more detail.
- The lynchpin with TrueSSO is your Enterprise CA. Please ensure your CA server is healthy and error-free.
- The TrueSSO Diagnostic Utility can be used to troubleshoot, allowing basic validation of the Enrollment Server, Active Directory PKI settings, and Enterprise Certificate Authorities.
- Re-Generate Horizon Cluster Certificate (vdm.ec) (76941) outlines steps to regenerate your vdm.ec certificate if missing.
KBs Related to Public Key Infrastructure:

- TrueSSO - Public Key Infrastructure: "The request is not supported" while launching a published Application or Desktop (59953) - This article outlines an error message received if the authenticating domain controller is not configured for smartcard logons.
- TrueSSO - Public Key Infrastructure: Cannot create a TrueSSO Connector on the enrollment server on a domain with NOT_VALID enrollment certificate status (86228) - This article outlines some steps to verify in relation to the enrollment of certificates and your PKI infrastructure when the cert state is reported as not_valid.
- TrueSSO - Public Key Infrastructure - CRL: Error: "The attempted logon is invalid. The revocation status of the certificate used for authentication could not be determined." (89994) - This article outlines a scenario where the Certificate Revocation List (CRL) of the certificate includes a URL that cannot be accessed from the Virtual Desktop or Domain Controllers.
- TrueSSO - Public Key Infrastructure - CRL: Error: "Encountered unexpected error during execution" seen when using vdmutil to reconfigure Horizon TrueSSO (85571) - This article outlines a scenario when editing your TrueSSO connector results in an error.
- TrueSSO - Public Key Infrastructure: Windows 11 Client Error "cannot utilize the smartcard subsystem" with Windows Hello for Business (90720) - This article outlines an intermittent issue with certificate availability on Windows 11 clients and WHFB.
- TrueSSO - Public Key Infrastructure: Certificate Distribution Point Location expiration results in a VDI Launch Failure (90491) - This article outlines a scenario when a CDL expiration can impact successful login.
- TrueSSO - Public Key Infrastructure - Error: "The attempted logon is invalid. This is either due to a bad username or authentication information. An untrusted certificate authority was detected while processing the domain controller certificate" (94971) - This article outlines symptoms when a CA certificate is not present or autoenrollment has been disabled.
- TrueSSO - Enrollment Server unable to connect to CA: The authentication service is unknown (90682) - This article outlines a workaround when the Certificate Authority and Enrollment Server are co-installed.
- Best Practice: Configuring the Certificate Authority for processing non-persistent certificates and ignoring revocation checking (2149312) - This article outlines steps to enable non-persistent certificate processing, which can help reduce the CA database growth rate and the frequency of database management tasks.
- TrueSSO - Public Key Infrastructure: How to Renew an Enrollment Server Certificate (95008) - Step-by-step instructions for certificate renewal.

Historical Issues:

- Failed to pair the Enrollment Server while configuring TrueSSO on VMware Horizon Cloud on Microsoft Azure (67917) - This article outlines a specific error seen with Horizon Cloud when the enrollment server was already registered. Fixed in 7.13.2 / 8.4 and higher.
- TrueSSO: DisableCertSSOUnlock Horizon Agent Registry Key not functioning (91582) - This article outlines a workaround for a known issue in Horizon 2206, 2209, 2209.1 and 2212. This is fixed in Horizon Agent 8.9 (2303) and higher.
- TrueSSO trigger mode is disabled by default while creating or editing a SAML Authenticator from Horizon Console (90589) and Enabling SAML on newly added broker disables TrueSSO mode for the entire Horizon cluster (83621) both discuss historical GUI limitations with TrueSSO mode and the SAML Authenticator. This is corrected in full from Horizon 8 2212.