Xelany
Contributor

SSL error Horizon client

Hello,

I'm working at a company where we use horizon client to access a VDI

I have a user (only one) who had access without any problem, then his computer ran into some troubles, he performed a gpupdate, and since then he has an SSL error message whenever he connects

pastedImage_0.png

I have tried many things, including: (none of them worked)

changing SSL certificate parameters in Horizon

importing gpos from horizon gpo bundle and configure the following:

Ignore Certificate Revocation Problems - Enabled

Certificate verification mode - Enabled (No Security)

Same, still doesn't work

I tried this too

Try adding the following registry on the client machine:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\Security]

"SSLCipherList"="SSLv3:TLSv1:TLSv1.1:AES:RC4-SHA:!aNULL:@STRENGTH"

Nothing worked

Maybe I did it wrong but I'm pretty sure I did it properly, for instance I can see the registry keys being created when I set up the GPOs

Does anyone have any idea?

Regards,

21 Replies
AlexAskin
Enthusiast

Are you directly connecting to your VDI or do you use a Gateway (either Connection Server or UAG) accessing it?

0 Kudos
Xelany
Contributor

Hello,

I'm unsure about the answer, we connect to a VDI which has a name like https://vdi-internal."company name".net

It works for everyone except that one user

0 Kudos
larstr
Champion

Xelany,

What version is the Horizon client? Have you tried upgrading to a newer version?

Lars

0 Kudos
Xelany
Contributor

It is version 5.4.2, I took it from the internet, I think it is the last one

Personally I have version 5.3.0, does it change anything?

0 Kudos
AlexAskin
Enthusiast

The reason why I am asking is to understand where between your Horizon Client and the VDI the SSL handshake happens.

Could be the VDI (direct connection), the Connection Server (acting as Gateway) or a UAG (again Gateway).

Can anybody else access exactly the same VDI? Is the certificate trusted by the device where you launch Horizon Client?

I understand that you can logon to Horizon but the connection to the VDI is failing - correct?

0 Kudos
Xelany
Contributor

The reason why I am asking is to understand where between your Horizon Client and the VDI the SSL handshake happens.

Could be the VDI (direct connection), the Connection Server (acting as Gateway) or a UAG (again Gateway).

Can anybody else access exactly the same VDI? Is the certificate trusted by the device where you launch Horizon Client?

I don't know if it is direct connection, connection server or a UAG, I could maybe ask the team in charge if really needed, I just know we access to the VDI via a link and we connect to a desktop pool

Yes many people can access the same VDI, me included, how could I check if the certificate is trusted? In the MMC console?

I understand that you can logon to Horizon but the connection to the VDI is failing - correct?

Well I can launch the application, the user is then requested for a link (https...) then we click connect and we immediately have the SSL error, so I can't really log on to Horizon, just launch it, and I'll say this happens before the real connection to the VDI

We don't get access to the pool of desktops where we can choose the VDI to connect to, it fails during the connection just before that

Hope that's clear enough

0 Kudos
Xelany
Contributor

Any ideas?

0 Kudos
AlexAskin
Enthusiast

Thanks, the situation is now clearer.

If you connect via Browser to https://vdi-internal."company name".net do you see any certificate errors (next to the URL on the left hand side)?

pastedImage_0.png

In case yes, can you click there on more details and paste a screenshot of the "Certificate Path"-Tab?

0 Kudos
larstr
Champion

I guess AlexAskin might be on the right track here. Perhaps your internal root certificate isn't trusted by the client computer?

Lars

0 Kudos
Xelany
Contributor

Hello again,

Thank you so much for pointing out that we can connect using internet browser, I wasn't aware of that functionality! Now the user was able to connect to the VDI using HTML connection, and he can finally work normally, which was very important for his daily job!

Now I still would like the main application to work, I'll provide the details of the certificate next week, but I wonder, is some information too confidential to be unveiled on the internet or can I post it with no problem in this forum?

Thanks again, it was a real annoyance, now he can work normally!

Regards,

Xelany
Contributor

Hello again,

No answer since last time, I still would like to fix the issue for the main app

Can I post the screenshot here?

Regards,

0 Kudos
AlexAskin
Enthusiast

Sure. Let's see if we can find the root cause.

0 Kudos
Xelany
Contributor

Here is the screenshot, I just hid the company name in case

Capturecertificatepath.JPG

Not much information here it seems, please tell me if you need more

Regards,

0 Kudos
EricMonjoin
VMware Employee

Hi

As you are using corporate certificates, ensure this user has the root CA and intermediate certificates in the trusted store, and check whether any has expired

6-18-2020 5-50-05 PM.jpg

Eric

0 Kudos
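Added example (not part of the thread and not VMware's own tooling): a PowerShell probe that connects to the server name used in Horizon Client and reports, per certificate in the chain, what this Windows machine concluded about it, which answers "what should I look for" in the two certificate stores. The host name is a placeholder, TLS 1.2 support on the server is an assumption, and the registry path is the one quoted in the first post.

```powershell
# Added example: run on the affected PC and on a working PC, then compare.
$Server = 'vdi-internal.example.net'   # placeholder: host name typed into Horizon Client

function Get-ServerChainReport {
    param([string]$HostName, [int]$Port = 443)
    $script:report = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $policyErrors)
        # Record Windows' verdict for every chain element while the chain
        # object is still alive.
        $script:report = [pscustomobject]@{
            PolicyErrors = $policyErrors.ToString()
            Elements     = @(foreach ($e in $chain.ChainElements) {
                [pscustomobject]@{
                    Subject    = $e.Certificate.Subject
                    Issuer     = $e.Certificate.Issuer
                    NotAfter   = $e.Certificate.NotAfter
                    Thumbprint = $e.Certificate.Thumbprint
                    Status     = ($e.ChainElementStatus.Status -join ', ')
                }
            })
        }
        # Diagnostic probe only: let the handshake finish so the findings
        # can be reported instead of an exception. No data is sent.
        $true
    }
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        # Last argument $true asks Windows to check revocation as well.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
    } finally {
        $tcp.Dispose()
    }
    $script:report
}

$report = Get-ServerChainReport -HostName $Server
"Policy errors: $($report.PolicyErrors)"
$report.Elements | Format-List

# Values left behind under the policy key quoted in the first post. Anything
# that relaxes verification should be removed once trust is repaired.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\Security' -ErrorAction SilentlyContinue
```

An element whose Status is UntrustedRoot or PartialChain points to a root or intermediate missing from this machine's stores, NotTimeValid to an expired certificate, and RevocationStatusUnknown to an unreachable revocation endpoint. An exception from `AuthenticateAsClient` before any report is produced means the handshake failed at the protocol or cipher level rather than on trust.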
Xelany
Contributor

Hello again,

I checked the "companyname"corporateRootCA in MMC and it is valid until 2024, it seems that it is the same as the one used with IE

There are actually a lot of certificates in those 2 folders, not sure what I should look for

Do you guys have any clue on what I should do next?

0 Kudos
Xelany
Contributor

Any idea? I'm glad I have a workaround but I would like the main app to work

In case you need more infos I can provide them

0 Kudos
Xelany
Contributor

Anyone?

0 Kudos
larstr
Champion

Xelany,

If the advice given here so far didn't work, I would recommend you file an SR with VMware support. I'm sure they will help you find the best solution.

Lars

0 Kudos
Xelany
Contributor

Hello,

Ok I'll have a look at this

In the meantime I tried to copy the certificates from IE to MMC console but it didn't work either 😕

0 Kudos