VMware Horizon Community
ryand32
Contributor
Contributor

Problem logging in with TrueSSO with VMWare verify not passing credentials

SSO is not working

Connection servers are enrolled to enrollment server

External access through external access using workspace  one is working

Saml is working correctly and both Connection servers are configured using SAAS Url for iDP

CA installed and certs are all valid

Connection Servers are showing invalid cert, but show valid in browser and are brokering connections

VMware Verify is working externally as well

Any ideas?

Ryan

Reply
0 Kudos
6 Replies
ryand32
Contributor
Contributor

I am running Horizon 7.8

Reply
0 Kudos
techguy129
Expert
Expert

I suggest using the diagnostic fling to troubleshoot. There are a lot of moving components with TrueSSO so triple check you have anything setup correctly. One little thing off will break everything. Took me a few tries to get it working perfectly.

This is your friend:

VMware Fling for TrueSSO Diagnostics

True SSO Diagnostic Utility

Setup TrueSSO Documentation

Setting Up True SSO

ryand32
Contributor
Contributor

Techguy, thank you for those articles and fling.

The problem im getting is when adding the connector.   Im getting Cannot create on the primary enrollment server with a template with UNSUITABLE status.

When i ran the diag tool on the ES i got the following under Capability Notes: Unsuitable for Cert-SSO, Certificate is stored in the CA database

Looked like an issue with Cert-SSO, fixed the certificate template with correct settings.

Thank you for the tool. 

Internal SSO is working, external with Workspace One IDM and IDM Connector is not.

Reply
0 Kudos
ryand32
Contributor
Contributor

I have filed a ticket with VMWare, and will update this article of what transpired.

It looks like the user is using VMWare SSO User when trying to access TrueSSO from Workspace One IDM

Will update soon.

Reply
0 Kudos
ryand32
Contributor
Contributor

pastedImage_0.png

Here is the message we are getting now with All parts configured with TrueSSO working on-prem.

Reply
0 Kudos
bclyde
Enthusiast
Enthusiast

I had that problem. Took me ages to find an answer.

You need to take the issuing and root CA and place them into the NTAuthCA, RootCA and SubCA stores in AD. This feeds down to the desktops using GP Client Side Extensions and provides the complete chain for your enrolling certificate. That error is usually caused my TrueSSO pushing down the certificate correctly but your desktop need trusting it as it doesn't have all the chain to validate it.

Run these commands on your AD Controller, then waiting for GP to update on its own (or refresh your desktops)

CERTUTIL -f -dspublish <cert file name> SubCA

CERTUTIL -f -dspublish <cert file name> NTAuthCA

CERTUTIL -f -dspublish <cert file name> RootCA