...
When the Certificate Distribution Point location is in an “Expired” state, VDI Desktop or RDSH Application launches fail in conjunction with TrueSSO.

Horizon Client users see the error: “Loading failed: The connection to the remote computer ended”

VMware Horizon Agent Debug Logs show loglines similar to the following:

YYYY-MM-DDTHH:MM:SS.ms-TIMEZONE ERROR (XXXX-XXXX) <MessageFrameWorkDispatch> [wsnm_desktop] commandhandler::storeSessionCertificate(): CertSSO: CERTIFICATESSOID=xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx, Broker failed to provide a Certificate, Reason: Certificate generation request failed and not resubmitted, userName: <username>, domainName: DOMAIN, domainFqdn: domain.com, template: [name:HorizonTrueSSO,hashAlgorithm:SHA1,minKenLength:2048]

VMware Horizon Connection Server Debug Logs show loglines similar to the following:

YYYY-MM-DDTHH:MM:SS.ms-TIMEZONE ERROR (XXXX-XXXX) <certSso-10475> [ESConnectionManager] CertSso: Certificate generation request failed, userName:username, domainName: DOMAIN, domainFqdn: domain.com, template: [name:HorizonTrueSSO,hashAlgorithm:SHA1,minKenLength:2048] used EnrollmentServerChannel: enrollmentserver.domain.com, Reason: EsChannel: enrollmentserver.domain.com, Error: -2146885613, ErrorText: Error Verifying Request Signature or Signing Certificate The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE) - 0x0000000080092013 (The revocation function was unable to check revocation because the revocation server was offline.), EsReason: SubmitFailureMayRetry
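To confirm this signature across a whole Connection Server debug log rather than a single line, the following added example (not VMware code) extracts every CertSso failure whose error number maps to CRYPT_E_REVOCATION_OFFLINE and groups the hits by Enrollment Server. The function names, the sample hosts and users, and the second error code in the sample are assumptions constructed for illustration.

```python
import re
from collections import Counter

REVOCATION_OFFLINE = 0x80092013  # CRYPT_E_REVOCATION_OFFLINE, as quoted in the log above

# Field layout follows the Connection Server "CertSso" line quoted above.
CERTSSO_FAILURE = re.compile(
    r"CertSso: Certificate generation request failed, userName:\s*(?P<user>[^,]+), "
    r"domainName:\s*(?P<domain>[^,]+), domainFqdn:\s*(?P<fqdn>[^,]+), "
    r"template: \[name:(?P<template>[^,\]]+).*?"
    r"EsChannel:\s*(?P<es>[^,\s]+), Error:\s*(?P<code>-?\d+).*?"
    r"EsReason:\s*(?P<es_reason>\w+)"
)

def hresult(signed):
    """Map the signed 32-bit number in the log to its unsigned HRESULT."""
    return signed & 0xFFFFFFFF

def find_revocation_offline(lines):
    """Return one record per CertSso failure whose error is CRYPT_E_REVOCATION_OFFLINE."""
    hits = []
    for line in lines:
        m = CERTSSO_FAILURE.search(line)
        if m is None or hresult(int(m["code"])) != REVOCATION_OFFLINE:
            continue  # unrelated line, or a CertSso failure with another cause
        rec = m.groupdict()
        rec["timestamp"] = line.split(" ", 1)[0]
        rec["hresult"] = f"0x{REVOCATION_OFFLINE:08X}"
        hits.append(rec)
    return hits

def failures_per_enrollment_server(hits):
    """Count matching failures per Enrollment Server to show which path to check first."""
    return Counter(h["es"] for h in hits)

# Constructed sample lines: timestamps, users and hosts are made up for this example.
_FMT = ("{ts} ERROR (1A2B-3C4D) <certSso-10475> [ESConnectionManager] CertSso: "
        "Certificate generation request failed, userName:{user}, domainName: CORP, "
        "domainFqdn: corp.example, template: [name:HorizonTrueSSO,hashAlgorithm:SHA1,"
        "minKenLength:2048] used EnrollmentServerChannel: {es}, Reason: EsChannel: {es}, "
        "Error: {code}, ErrorText: {text}, EsReason: SubmitFailureMayRetry")
SAMPLE = [
    _FMT.format(ts="2024-05-14T09:12:03.101-05:00", user="alice", es="es01.corp.example",
                code=-2146885613, text="The revocation server was offline."),
    "2024-05-14T09:12:04.000-05:00 INFO (1A2B-3C4D) <Thread-7> [Audit] Session started",
    _FMT.format(ts="2024-05-14T09:13:10.522-05:00", user="bob", es="es01.corp.example",
                code=-2147023174, text="The RPC server is unavailable."),
    _FMT.format(ts="2024-05-14T09:15:41.007-05:00", user="carol", es="es02.corp.example",
                code=-2146885613, text="The revocation server was offline."),
]
```

Pass the lines of a real debug log to `find_revocation_offline` in place of `SAMPLE`; failures with other error codes are skipped, so a clean result points away from the expired CDP cause.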
This article discusses a particular instance of an RDSH application or VDI Desktop launch while using TrueSSO.
This event occurs when a Certificate Distribution Point [CDP] Location is in "Expired" State.
User cannot launch Desktop session or RDSH application session.
The status of Certificate Distribution Point (CDP) locations frequently changes to "Expiring"; however, on the day of expiration, they are immediately renewed. If a Certificate Distribution Point (CDP) location is already listed as "Expired," a new Root CA CRL must be published.

We strongly encourage deferring to vendor best practices for rectifying these concerns, with the engagement of a qualified on-site administrator:

- Specify CRL Distribution Points
- Schedule Publication of Certificate Revocation Lists

As a courtesy, a guideline for one approach to renewing is provided below.

Renewing an expired CDP Location:

1. Connect to the Certificate Authority Server.
2. Click on Start → Run and type “certsrv.msc”.
3. Right-click on Revoked Certificate, select “All Tasks” and click on Publish.
4. Select New CRL.
5. Click OK.

Configuring the Certificate Authority for processing non-persistent certificates and ignoring revocation checking (2149312) can be referenced for more information about disabling the revocation checking.

The TrueSSO diagnostic utility can be leveraged to ensure the TrueSSO configuration is healthy.
Please see this article for other considerations when setting up TrueSSO: Common Configuration Issues and Guidelines with TrueSSO (90037)