SSO is not working
Connection servers are enrolled to enrollment server
External access using Workspace ONE is working
Saml is working correctly and both Connection servers are configured using SAAS Url for iDP
CA installed and certs are all valid
Connection Servers are showing invalid cert, but show valid in browser and are brokering connections
VMware Verify is working externally as well
Any ideas?
Ryan
I am running Horizon 7.8
I suggest using the diagnostic fling to troubleshoot. There are a lot of moving components with TrueSSO, so triple check you have everything set up correctly. One little thing off will break everything. Took me a few tries to get it working perfectly.
This is your friend:
VMware Fling for TrueSSO Diagnostics
Setup TrueSSO Documentation
Techguy, thank you for those articles and fling.
The problem I'm getting is when adding the connector. I'm getting "Cannot create on the primary enrollment server with a template with UNSUITABLE status".
When I ran the diag tool on the ES I got the following under Capability Notes: "Unsuitable for Cert-SSO, Certificate is stored in the CA database".
Looked like an issue with Cert-SSO, fixed the certificate template with correct settings.
Thank you for the tool.
Internal SSO is working, external with Workspace One IDM and IDM Connector is not.
I have filed a ticket with VMware, and will update this article with what transpired.
It looks like the user is using VMWare SSO User when trying to access TrueSSO from Workspace One IDM
Will update soon.
Here is the message we are getting now with All parts configured with TrueSSO working on-prem.
I had that problem. Took me ages to find an answer.
You need to take the issuing and root CA and place them into the NTAuthCA, RootCA and SubCA stores in AD. This feeds down to the desktops using GP Client Side Extensions and provides the complete chain for your enrolling certificate. That error is usually caused by TrueSSO pushing down the certificate correctly, but your desktop not trusting it because it doesn't have the full chain to validate it.
Run these commands on your AD Controller, then wait for GP to update on its own (or refresh your desktops):
CERTUTIL -f -dspublish <cert file name> SubCA
CERTUTIL -f -dspublish <cert file name> NTAuthCA
CERTUTIL -f -dspublish <cert file name> RootCA
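An added check (not from the thread) to run on a domain-joined Horizon desktop after the certutil publishing above and a Group Policy refresh, confirming that the root and issuing CA actually reached the machine's enterprise Root, CA and NTAuth stores and that the issuing CA chains to a trusted root. The .cer paths are placeholders for your exported CA certificates.

```powershell
# Added example, not from the thread: verify on a Horizon desktop that the CA chain
# published with certutil -dspublish has arrived via Group Policy.
# The .cer paths below are placeholders; export your root and issuing CA certs and point to them.
param(
    [string]$RootCaCer    = 'C:\certs\root-ca.cer',     # placeholder path
    [string]$IssuingCaCer = 'C:\certs\issuing-ca.cer'   # placeholder path
)

$root    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCaCer
$issuing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $IssuingCaCer

# Group Policy mirrors the AD-published stores into these registry keys, one subkey per SHA1 thumbprint.
$entBase = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates'
$checks = [ordered]@{
    'Root CA in enterprise Root store'      = Test-Path "$entBase\Root\Certificates\$($root.Thumbprint)"
    'Issuing CA in enterprise CA store'     = Test-Path "$entBase\CA\Certificates\$($issuing.Thumbprint)"
    'Issuing CA in enterprise NTAuth store' = Test-Path "$entBase\NTAuth\Certificates\$($issuing.Thumbprint)"
    'Root CA in LocalMachine\Root'          = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                                                      Where-Object Thumbprint -eq $root.Thumbprint)
}

# Build the issuing CA's chain the same way the desktop does when it validates the TrueSSO logon cert.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$checks['Issuing CA chains to a trusted root'] = $chain.Build($issuing)

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK' } else { 'FAIL' }
    '{0,-5} {1}' -f $state, $name
}
if (-not $checks['Issuing CA chains to a trusted root']) {
    # Show why the chain failed (e.g. UntrustedRoot, PartialChain) so the missing store is obvious.
    $chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status) - $($_.StatusInformation.Trim())" }
}
```

A FAIL on the NTAuth line with the other stores OK is the classic cause of the desktop rejecting an otherwise valid TrueSSO certificate, so re-run the NTAuthCA publish step and refresh policy with gpupdate before retesting.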