VMware Horizon Community
RHamaker
Contributor

Smart card authentication in Horizon View

Guys and gals, I am a bit perplexed at the issue we are dealing with, so I wanted to go to the experts. We are running HView 5.3.3 coupled with vCenter 6.0 (as an appliance). I have all of the necessary keystore files created and the locked.properties file set up right in order to make smart card (sc) authentication work, but just can't seem to find out where the issue lies. Currently when you go to the URL to view server, it will prompt you for your sc certificate; I can pick the certificate and then it will take me to the usual logon screen with user name and password. I am also experiencing similar behavior when trying to connect to the virtual machines in a view pool via cad card using a PCoIP client. Here is where the oddity is though: sc authentication is working for parts of view. I can log into the PCoIP client with an sc and get taken to the pool selection screen, but when I pick the pool the client isn't passing the sc credentials to the vm and I am then being prompted for a user and password. I can, however, use the view client on a physical box and connect to a vm using an sc and it works as expected.

It seems as though there is some missing link somewhere that I haven't yet found. The only oddity I can find in the debug log for view is this:

2015-12-03T07:45:44.059-06:00 DEBUG (0E04-1A9C) <MessageFrameWorkDispatch> [MessageFrameWork] ValidateCertificateChain ok=1, msecs=0

2015-12-03T07:45:44.059-06:00 DEBUG (0E04-13A8) <ConfigureHostsCbrc-173d8861-e680-4357-80a8-fed71962420b-1449086049681> [CertMatchingTrustManager] invalid certificate (as expected) for 10.0.210.171:443 InvalidCertificateException[reasons:notTrusted;cantCheckRevoked; subject:'C=US, CN=10.0.210.171' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: cantCheckRevoked, noTrust, ChainReasons: noTrust']

2015-12-03T07:45:44.102-06:00 DEBUG (0E04-13A8) <ConfigureHostsCbrc-173d8861-e680-4357-80a8-fed71962420b-1449086049681> [SAX2EventRecorder] start replay: events=[ length=26, numPointers=119, objarray.length=50 ], start=12, stop=15, this=org.apache.axis.message.SAX2EventRecorder@2d737c36, handler=org.apache.axis.encoding.DeserializationContext@78dfd489

2015-12-03T07:45:44.102-06:00 DEBUG (0E04-13A8) <ConfigureHostsCbrc-173d8861-e680-4357-80a8-fed71962420b-1449086049681> [SAX2EventRecorder] end replay: events=[ length=26, numPointers=119, objarray.length=50 ], start=12, stop=15, this=org.apache.axis.message.SAX2EventRecorder@2d737c36

In this case 10.0.210.171 is our vCenter IP.

I am using the exact keystore on a separate view instance on the same network and it is working as expected, so I am just not sure where to start looking.

0 Kudos
1 Reply
grossag
VMware Employee

Smart card passthrough to a remote desktop with PCoIP depends upon the "PCoIP Smart Card" subfeature of the View Agent being present. By default it is not installed. Can you confirm that you installed that subfeature?

0 Kudos