We are currently receiving a certificate error when connecting to our new Horizon 7.8 Farm via a browser. It appears the certificate error relates to the BLAST certificate. I have gone through this VMware KB (VMware Knowledge Base) and followed the steps on the Golden image, but the error persists.
When I look at the certificate error via the Chrome browser, this is what it looks like:
I have imported the Blast certificate into the Trusted Root Certificate and Intermediate Certificate stores on the Golden image; however, the error persists. It already exists in the Personal Certificates store. One of the strange things is that when I copy the Thumbprint of our wildcard certificate for our local domain and paste it into the sslhash value of the HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config registry key, the pasted value does not stay after a restart of the Golden Image.
The strange thing is that at one time this was working, but we do not know when it stopped working; possibly when we introduced the UAGs.
We are very frustrated and looking for any suggestions.
Thank you!
Request a wildcard cert from your internal CA.
You cannot use the Blast certificate in your screenshot for that purpose. You are not following the KB, which is why you are having issues.
Using a wildcard certificate is likely to be the most practical option. If you are connecting to a virtual machine by hostname, a wildcard certificate should match.
For example: Hostname vm1.vm.company.com using a wildcard certificate *.vm.company.com or *.company.com should match.
This is also a very important step, as the View Agent by default connects using the IP address.
Enable the Connect using DNS Name GPO configuration setting.
We have a wildcard certificate for our domain (internal and external) applied to the machine. And following that KB I have copied the Thumbprint of the wildcard cert to the SSLHash for the Blast entry in the registry. The strange thing is the SSLHash value changes after a restart of the Blast service on the Golden Image or reboot of the Golden Image. What would cause the value to change?
Regarding the "Connect using DNS Name" GPO setting would this be for the Image/desktops and NOT the connection servers?
I have been busy dealing with some issues at work. Did you ever get this resolved? I believe the SSLHash registry value would revert if it cannot find the certificate in the store. Also import the certificate as importable.
Yes, that would be done on your golden image or perhaps your clones. Not sure if that is something that requires a reboot. I would do it on the parent image.
Can you please try this script? You can add it as a startup script (computer policy).
As a prerequisite you will need to create a template that has an exportable private key and the DNS name as the certificate name.
Or you can adjust the "Computer" template, but then you need to change the script.
This way it is not in the golden image.
<#
************************************************************************************************************************
Creator : Ralph Hofman
Company: RHofman IT
Created: 15-01-2020
Version: 1.0
Purpose: Bind the VMware Blast agent to a CA-issued, computer-named certificate by writing its thumbprint to SslHash
# Change Log
************************************************************************************************************************
#>
#Prereq Certificate Variable
$RegPath  = "HKLM:\SOFTWARE\VMware, Inc.\VMware Blast\Config"
$Template = "ComputerHorizon"   # CA template: issued by CA, subject name = DNS, private key = Exportable
# Set hostname
$hostname = hostname

function Get-HostCertThumbprint {
    # Newest certificate in LocalMachine\My whose subject contains the hostname, or $null if there is none.
    # Select-Object -First 1 avoids getting an array back when several certificates match.
    $cert = Get-ChildItem -Path cert:\LocalMachine\my |
        Where-Object { $_.Subject -match [regex]::Escape($hostname) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($cert) { return $cert.Thumbprint }
    return $null
}

function ConvertTo-BlastHash {
    param([string]$Thumbprint)
    # Blast stores the thumbprint as space-separated hex pairs ("AB CD EF ..."); insert a space after every pair except the last
    return ($Thumbprint -replace '(.{2})(?!$)', '$1 ')
}

# Get the thumbprint from the right certificate
$thumb = Get-HostCertThumbprint
if ($null -eq $thumb) {
    Write-Host "No Thumbprint found"
    $regthumb = $null
} Else {
    $regthumb = ConvertTo-BlastHash $thumb
}
# Read the thumbprint Blast is currently configured with, to compare
$currentThumb = (Get-ItemProperty -Path $RegPath).SslHash
# Function
if ($regthumb -and ($regthumb -eq $currentThumb)) {
    Write-Host "Key is the same"
} Else {
    # Request computer-named certificate at the AD enrollment server
    # with the ComputerHorizon template
    # Template > issued by CA, subjectname = DNS, Privatekey = Exportable
    certreq -Enroll -machine -q $Template
    # Get the thumbprint from the freshly enrolled certificate
    $thumb = Get-HostCertThumbprint
    if ($null -eq $thumb) {
        Write-Host "Enrollment did not produce a certificate for $hostname; SslHash left unchanged"
        return
    }
    $regthumb = ConvertTo-BlastHash $thumb
    # Fill the SslHash for Blast to use the computer-named certificate
    Set-ItemProperty -Path $RegPath -Name "SslHash" -Value $regthumb
    # Restart the Blast service to take effect
    Restart-Service -Name VMBlast -Force
}
Kind regards,
Ralph Hofman
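As an added illustration of what the two replies above describe (the SslHash value only sticks when the thumbprint resolves to a certificate in the machine store, and that certificate needs a usable, exportable private key whose name covers the desktop's DNS name), here is a read-only diagnostic you can run on a clone or the golden image before or after the enrollment script. It is not part of the thread and not VMware's tooling: the registry path and value name are the ones used in the posts, while the CSP/CNG key handling, the "one left-most label" wildcard rule and the chain build with revocation checking disabled are my own assumptions. It changes nothing on the machine.

```powershell
# Added diagnostic (not from the thread or from VMware): report why the Blast
# agent may be ignoring the SslHash value. Read-only; changes nothing.
# Assumptions: registry path/value name as used in the thread; wildcard rule
# (one left-most label only) follows common TLS practice.

$RegPath = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Blast\Config'

function Get-LocalFqdn {
    # Offline-safe FQDN of this machine (hostname + primary DNS suffix)
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ($ip.DomainName) { return "$($ip.HostName).$($ip.DomainName)".ToLower() }
    return $ip.HostName.ToLower()
}

function Get-BlastSslHash {
    # Bound thumbprint with the spaces removed, or $null if unset
    $raw = (Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue).SslHash
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    return ($raw -replace '\s', '').ToUpper()
}

function Test-NameMatch {
    param([string]$Pattern, [string]$Name)
    # Exact match, or "*.suffix" covering exactly one left-most label
    $p = $Pattern.ToLower(); $n = $Name.ToLower()
    if ($p -eq $n) { return $true }
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)                         # ".vm.company.com"
        if (-not $n.EndsWith($suffix)) { return $false }
        $label = $n.Substring(0, $n.Length - $suffix.Length)
        return ($label.Length -gt 0) -and ($label -notmatch '\.')
    }
    return $false
}

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject CN plus every DNS entry of the Subject Alternative Name extension
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) yields one "DNS Name=..." line per entry
        $names += ($san.Format($true) -split "`r?`n" |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    return @($names | Where-Object { $_ } | Select-Object -Unique)
}

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # $true/$false, or $null when it cannot be determined (no access, non-RSA key)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return [bool]$rsa.CspKeyContainerInfo.Exportable
        }
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            return (($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0)
        }
    } catch { }
    return $null
}

function Test-BlastCertificate {
    # Returns a list of findings; an empty list means the binding looks sound
    $findings = @()
    $fqdn = Get-LocalFqdn
    $hash = Get-BlastSslHash
    if (-not $hash) { return @('SslHash is empty: the agent uses its self-signed Blast certificate.') }

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert) {
        return @("No certificate with thumbprint $hash in LocalMachine\My: the value will be discarded.")
    }
    if (-not $cert.HasPrivateKey) {
        $findings += 'Certificate has no private key.'
    } else {
        $exportable = Test-PrivateKeyExportable $cert
        if ($exportable -eq $false) { $findings += 'Private key is not exportable.' }
        elseif ($null -eq $exportable) { $findings += 'Private key exportability could not be determined.' }
    }
    $names = Get-CertDnsNames $cert
    if (-not ($names | Where-Object { Test-NameMatch $_ $fqdn })) {
        $findings += "Neither CN nor SAN ($($names -join ', ')) covers $fqdn."
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: CRL/OCSP reachability is not the point here
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $findings += "Chain does not build: $status"
    }
    if ($cert.NotAfter -lt (Get-Date)) { $findings += "Certificate expired on $($cert.NotAfter)." }
    return $findings
}

$result = Test-BlastCertificate
if ($result.Count -eq 0) { Write-Host "Blast certificate binding looks good for $(Get-LocalFqdn)" }
else { $result | ForEach-Object { Write-Host "FINDING: $_" } }
```

Run it in an elevated PowerShell on the desktop; the private-key checks need read access to the key container, which the SYSTEM account (and usually a local administrator) has. A "No certificate with thumbprint ..." finding is the situation the earlier reply describes: the registry value was pasted but nothing in LocalMachine\My matches it, so the agent reverts it on the next service restart.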
I also have this issue now. However, in my case, the impact is limited to HTML connections via the internal (non-UAG) route.
The first line in the resolution section of this KB article says "We would advise using blast secure gateway for HTML access to the machine.".
Now, FIRST, I checked both my connection servers and see the setting below set to "Do not use Blast Secure Gateway":
So, should I change this to the second radio button, "Use Blast Secure Gateway for only HTML Access connections to machine"? Or why not the first radio button, to connect to machines via Blast? BSG is for the good, I think, and there should not be any harm in selecting the first radio button in that case.
If changing the above BSG setting helps to solve the original problem of "certificate issue for HTML connection via Internal route", then I can leave the invalid Blast certificate as is in the VDIs, I guess.
SECOND: My Golden Image is not registered on the domain, to avoid any GPOs. So, if a machine certificate is still needed, where is it suggested to create the CSR (not clear in the KB) for the internal CA's wildcard certificate? Should I create the CSR on the non-domain GI (the AD certificate template is not available, so create a manual certificate), or can the CSR also be created from any non-persistent VDI (domain-joined, of course), just remembering to preserve the private key in that case?
FYI, the problem was solved by changing the option in the Horizon Admin console to "Use Blast Secure Gateway for only HTML Access connections to machine".
No action was taken on the Blast certificate. The HTML connections via the internal route started working with just the above change in my environment.
Thanks - just posting this comment in case someone ever faces this issue again.