VMware Horizon Community
tolot27
Contributor

Volume-Attach user do not match with user from JWT

Hi,

Today I tried setting up an automated RDSH farm as described in the Quick-Start Tutorial for VMware Horizon 8 | VMware.

Every Horizon component has version 2303 (8.9) and the setup worked so far except that no RDSH published app can be started. The RDSH event log contains the following error (variables <..> are used for privacy):

AGENT_APPLICATION_LAUNCH_FAILED
Machine named RDSH-5 failed to launch application C:\Users\Public\Desktop\MEGA11.lnk for user <DOMAIN>\<sAMAccountName>

Attributes:
MachineId=499605df-d75f-421f-89e6-374db8e40fcc
SessionType=APPLICATION
AppVolumesErrStr=App Delivery with Jwt failed. AVM request for app launch failed. No app was attached.Unable to deliver the application at this time. Please try again later.
PoolId=rdsh-farm
Node=RDSH-5.<domain fqdn>
Severity=WARNING
Time=Thu May 25 13:45:49 CEST 2023
ApplicationExecutable=C:\Users\Public\Desktop\MEGA11.lnk
Source=com.vmware.vdi.events.client.EventLogger
UserSID=S-1-5-21-842925246-448539723-725345543-2790
MachineName=RDSH-5
AppVolumesErrCode=3
Module=Agent
UserDisplayName=<DOMAIN>\<sAMAccountName>
Acknowledged=true

The C:\Program Files (x86)\CloudVolumes\Agent\Logs\svservice.log on RDSH-5 shows the same error with some more context, and that the source of the error is the AVM. At the same time, the AVM production######.log shows a lot of INFO entries and one WARN:

[2023-05-25 11:45:49 UTC] P8016R2379 WARN Cvo: Volume-Attach user "<DOMAIN>\<sAMAccountName>" do not match with user from JWT "CN=<cn>,OU=USERS,DC=<DOMAIN>,DC=<TLD>"

Why does the AVM try to match the user login name (<DOMAIN>\<sAMAccountName>) with the canonical name? That does not make sense at all. How can I fix this problem?

I also have a manual farm, and the app packages get attached automatically during login. This works well. The on-demand app delivery also works for the desktop pools.

--
Regards,
Mathias

2 Replies
tolot27
Contributor

BTW: The AVM shows the correct login-to-CN mapping in the Directory/Users tab. Hence, it knows the mapping between login name and AD canonical names.

I've also tried to enable "Non-Domain Entities" on the Configuration/Settings tab, but no new users are listed.

jlstraat
Contributor

Hi Tolot27,

Did you get this solved? We have the same issue: we moved users from one OU to another OU and several users cannot launch the published application. The virtual desktop works fine; it's only the published application (On-Demand) that doesn't work.

We got a temporary fix from VMware: log on to your Connection Server, open a command prompt, and browse to C:\Program Files\VMware\VMware View\Server\bin

Now use vdmadmin -F -U domainname\username to reset the user's Foreign Security Principal.

See the VMware article: Updating Foreign Security Principals Using the -F Option (vmware.com)

Requirement: the user must be logged off from the environment.

Kind regards,
Hans

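Added example, not part of the thread and not VMware code: a Python triage script that scans AVM production log text for the WARN entry quoted in the first post, groups it per login, and builds the vdmadmin -F -U line from the second reply for each affected account. The sample log lines, domain and user names are constructed, and the login allow-list is an assumption made here so that text read from a log is never turned into a command unchecked.

```python
import re

# Constructed sample in the format of the WARN entry quoted in the thread;
# domain, account and CN values are invented placeholders.
SAMPLE_LOG = r'''
[2023-05-25 11:45:49 UTC] P8016R2379 WARN Cvo: Volume-Attach user "EXAMPLE\jdoe" do not match with user from JWT "CN=John Doe,OU=USERS,DC=EXAMPLE,DC=TEST"
[2023-05-25 11:52:10 UTC] P8016R2391 WARN Cvo: Volume-Attach user "EXAMPLE\asmith" do not match with user from JWT "CN=Smith\, Anna,OU=Sales,OU=USERS,DC=EXAMPLE,DC=TEST"
[2023-05-25 12:01:33 UTC] P8016R2402 WARN Cvo: Volume-Attach user "EXAMPLE\jdoe" do not match with user from JWT "CN=John Doe,OU=USERS,DC=EXAMPLE,DC=TEST"
'''

# Matches only the mismatch warning; every other log line is ignored.
MISMATCH = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+\S+\s+WARN\s+\S+\s+Volume-Attach user "(?P<login>[^"]+)" '
    r'do not match with user from JWT "(?P<dn>[^"]+)"')

# Assumption: logins look like DOMAIN\account with a conservative character set.
# Anything else is reported but never placed on a command line.
SAFE_LOGIN = re.compile(r'^[A-Za-z0-9._-]+\\[A-Za-z0-9._$-]+$')


def find_mismatches(text):
    """Return {login: {dn, first, last, count}} in order of first appearance."""
    found = {}
    for line in text.splitlines():
        m = MISMATCH.match(line.strip())
        if not m:
            continue
        entry = found.setdefault(m["login"], {"first": m["ts"], "count": 0})
        entry["dn"], entry["last"] = m["dn"], m["ts"]  # keep the latest DN seen
        entry["count"] += 1
    return found


def ou_path(dn):
    """OU components of the DN carried in the JWT (splits on unescaped commas)."""
    parts = re.split(r'(?<!\\),', dn)
    return [p[3:] for p in parts if p.upper().startswith("OU=")]


def reset_commands(found):
    """vdmadmin lines as given in the thread, only for logins passing SAFE_LOGIN."""
    return [f"vdmadmin -F -U {login}" for login in found if SAFE_LOGIN.match(login)]


if __name__ == "__main__":
    hits = find_mismatches(SAMPLE_LOG)
    for login, e in hits.items():
        print(f'{login}: {e["count"]}x, {e["first"]} .. {e["last"]}, OU path {ou_path(e["dn"])}')
    print("\n".join(reset_commands(hits)))
```

The OU path printed per user shows where the JWT places the account, which helps confirm whether the affected users are the ones that were moved between OUs.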