Symptoms
The secondary credential is locked out frequently.
The Domain Bind account registered in Horizon Universal Console is frequently locked out.
Log lines similar to the following are seen in the Horizon Connection Server logs:
2022-11-30T16:00:48.514+05:30 WARN (20CC-1848) <Thread-77> [LdapContextPoolFactory] Unable to connect to domain XXXX using service account yyy@XXXX.COM: javax.naming.NamingException: getGssapiDirContextInstance, kerberos authentication failed for user: yyy@XXXX.COM, reason: Clients credentials have been revoked (18) [Root exception is javax.security.auth.login.LoginException: Clients credentials have been revoked (18)]
2022-11-30T16:00:48.515+05:30 INFO (20CC-1848) <Thread-77> [ActiveDirectoryLocationOptimizer] updateServiceAccountStatus, updating service account status for domain XXXX.com: AdDomainAccountStatus [netbiosName=XXXX, loginName=yyy, isPrimary=true, isActive=false]
<notifyNewDomain-updateDomainMaps> [ActiveDirectoryTopologyManager] getDomainMap, failed to get domain map for XXXX due to error: javax.naming.NamingException: getGssapiDirContextInstance, kerberos authentication failed for user: yyy@XXXX.com, reason: Pre-authentication information was invalid (24) [Root exception is javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)] com.desktone.directory.service.ActiveDirectoryTopologyManager.getDomainMap(ActiveDirectoryTopologyManager.java:253)
com.desktone.directory.exception.InvalidADDomainConfigException: javax.naming.NamingException: getGssapiDirContextInstance, kerberos authentication failed for user: yyy@XXXX.com, reason: Pre-authentication information was invalid (24) [Root exception is javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)]
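Added example (not part of the original article or of the product): a Python triage script that scans Connection Server log lines for the Kerberos failures shown above and reports accounts that show both reason codes, 24 and 18. The sample lines and the names svc-bind@EXAMPLE.COM and other@EXAMPLE.COM are constructed placeholders; point summarize() at real log lines to use it.

```python
import re
from collections import defaultdict

# Kerberos error codes seen in the log lines on this page.
KRB = {18: "credentials revoked (account locked out or disabled)",
       24: "pre-authentication invalid (wrong key or password presented)"}

FAIL_RE = re.compile(
    r"kerberos authentication failed for user: (?P<user>[^,\s]+), "
    r"reason: (?P<reason>[^(\[]+?) \((?P<code>\d+)\)")
TS_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}[+-]\d\d:\d\d) ")

def summarize(lines):
    """Group Kerberos failures by account; UPN case varies in the logs, so fold it."""
    accounts = defaultdict(lambda: {"codes": defaultdict(int), "first": None, "last": None})
    for line in lines:
        ts = TS_RE.match(line)
        for m in FAIL_RE.finditer(line):  # finditer copes with run-together lines
            acct = accounts[m["user"].lower()]
            acct["codes"][int(m["code"])] += 1
            if ts:
                acct["first"] = acct["first"] or ts[1]
                acct["last"] = ts[1]
    return accounts

def lockout_suspects(lines):
    """Accounts with both failed pre-auth (24) and revoked credentials (18)."""
    return sorted(u for u, a in summarize(lines).items()
                  if a["codes"][24] and a["codes"][18])

# Constructed sample lines modelled on the format above; names are placeholders.
_T = ("{ts} WARN (20CC-1848) <Thread-77> [LdapContextPoolFactory] Unable to connect to "
      "domain EXAMPLE using service account {u}: javax.naming.NamingException: "
      "getGssapiDirContextInstance, kerberos authentication failed for user: {u}, "
      "reason: {r} ({c}) [Root exception is javax.security.auth.login.LoginException: {r} ({c})]")
PREAUTH, REVOKED = "Pre-authentication information was invalid", "Clients credentials have been revoked"
SAMPLE = [
    _T.format(ts="2022-11-30T15:58:10.101+05:30", u="svc-bind@EXAMPLE.COM", r=PREAUTH, c=24),
    _T.format(ts="2022-11-30T15:59:12.220+05:30", u="svc-bind@EXAMPLE.com", r=PREAUTH, c=24),
    _T.format(ts="2022-11-30T15:59:40.007+05:30", u="other@EXAMPLE.COM", r=PREAUTH, c=24),
    _T.format(ts="2022-11-30T16:00:48.514+05:30", u="svc-bind@EXAMPLE.COM", r=REVOKED, c=18),
]

if __name__ == "__main__":
    for user in lockout_suspects(SAMPLE):
        a = summarize(SAMPLE)[user]
        print(user, a["first"], "->", a["last"])
        for code, n in sorted(a["codes"].items()):
            print(f"  ({code}) {KRB.get(code, 'other')}: {n}")
```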
Cause
This issue is caused by the wrong encryption being used when the Secondary Credentials are stored.
Resolution
Upgrade the Horizon Connection Server to 8.8.
Workaround
Disable the no trust domain feature by making the following changes in AD LDS.
Connect to the LDAP instance of the Connection Server.
In CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int, add the following value to the attribute pae-NameValuePair:
cs-noTrustDomainFeatureEnabled=0
or
cs-noTrustDomainFeatureEnabled=false
Restart the Connection Server services on all the Connection Servers.