VMware Horizon Community
cmatamr
Contributor


The error message "No valid certificates were found on this smart card" appears on the Horizon Client for Mac.

Client Version 2103

Build 8.2.0 

macOS Big Sur

Version 11.4

0 Kudos
11 Replies
SurajRoy
Enthusiast

This seems to be a configuration issue.

Is the smartcard configured on UAG or Connection Server?

0 Kudos
cmatamr
Contributor

Yes. The issue is only when I try to use the Mac client. On Windows it works fine.

0 Kudos
SurajRoy
Enthusiast

Thanks for confirming. So it is the client which is not presenting the cert. Need to repro the issue and check the Client and UAG/Connection Server logs for the issue.

0 Kudos
FelixYan
VMware Employee

The Mac client's full-level log is needed to check further why the client could not get the valid cert.

0 Kudos
cmatamr
Contributor

Thank you FelixYan.

Here is the log.

 

Jul 16 11:16:46.516 -06:00: vmware-view 3411| Log for vmware-view pid=3411 version=5.5.2-18035016
Jul 16 11:16:46.516 -06:00: vmware-view 3411| MergePlist, com.vmware.view.plist doesn't exist
Jul 16 11:16:46.521 -06:00: vmware-view 3411| SetDefaultAppForURLScheme,LSSetDefaultHandlerForURLScheme returns:0
Jul 16 11:16:47.528 -06:00: vmware-view 3411| Using OpenSSL 1.0.2y 16 Feb 2021
Jul 16 11:16:47.528 -06:00: vmware-view 3411| Using libcurl/7.74.0 OpenSSL/1.0.2y zlib/1.2.11
Jul 16 11:16:47.637 -06:00: vmware-view 3411| CdkKillSwitch_SetBENITServerConnectionMode: BENIT server connection mode setting: UNSPEC
Jul 16 11:16:47.637 -06:00: vmware-view 3411| CdkKillSwitch_SetBENITServerConnectionCounts: BENIT server connection mode counts: TCP 1, UDP 0
Jul 16 11:16:47.638 -06:00: vmware-view 3411| UDPProxy_Initialize: UDP proxy listening on local port 51415...
Jul 16 11:16:47.638 -06:00: vmware-view 3411| CdkConnection_SetLoopbackPort: loopback port: 51415.
Jul 16 11:16:47.638 -06:00: vmware-view 3411| CdkConnection_SetLoopbackPort: loopback port: 51415.
Jul 16 11:16:47.638 -06:00: vmware-view 3411| UDP proxy initialized OK, loopbackPort = 51415l
Jul 16 11:16:47.644 -06:00: vmware-view 3411| -[CdkSCViewController init]_block_invoke: Detect a new token com.apple.setoken is inserted.
Jul 16 11:16:47.644 -06:00: vmware-view 3411| -[CdkSCViewController init]_block_invoke: Detect a new token com.apple.setoken:aks is inserted.
Jul 16 11:16:47.645 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], failed to create search list
Jul 16 11:16:47.648 -06:00: vmware-view 3411| errorcode = -25300, msg = The specified item could not be found in the keychain.
Jul 16 11:16:47.648 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], get 0 valid logon certificates
Jul 16 11:16:47.649 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], failed to create search list
Jul 16 11:16:47.649 -06:00: vmware-view 3411| errorcode = -25300, msg = The specified item could not be found in the keychain.
Jul 16 11:16:47.649 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], get 0 valid logon certificates
Jul 16 11:16:47.665 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], failed to create search list
Jul 16 11:16:47.665 -06:00: vmware-view 3411| errorcode = -25300, msg = The specified item could not be found in the keychain.
Jul 16 11:16:47.665 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], get 0 valid logon certificates
Jul 16 11:16:47.665 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController refreshAllCertificates], new size is 0
Jul 16 11:16:47.665 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController refreshCertDynamicFlag], did not get any certficate
Jul 16 11:16:47.665 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController refreshCertDynamicFlag], new size is 0
Jul 16 11:16:47.669 -06:00: vmware-view 3411| Using OpenSSL 1.0.2y 16 Feb 2021
Jul 16 11:16:47.669 -06:00: vmware-view 3411| Using libcurl/7.74.0 OpenSSL/1.0.2y zlib/1.2.11
Jul 16 11:16:47.682 -06:00: vmware-view 3411| -[CdkConfigureKeyboardAndMouseViewController init] current profile: 528ec18c-30a5-022b-ec33-885b442611a6, returned profile: 528ec18c-30a5-022b-ec33-885b442611a6.
Jul 16 11:16:47.751 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], failed to create search list
Jul 16 11:16:47.751 -06:00: vmware-view 3411| errorcode = -25300, msg = The specified item could not be found in the keychain.
Jul 16 11:16:47.751 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], get 0 valid logon certificates
Jul 16 11:16:47.752 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], failed to create search list
Jul 16 11:16:47.752 -06:00: vmware-view 3411| errorcode = -25300, msg = The specified item could not be found in the keychain.
Jul 16 11:16:47.752 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], get 0 valid logon certificates
Jul 16 11:16:47.756 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], failed to create search list
Jul 16 11:16:47.756 -06:00: vmware-view 3411| errorcode = -25300, msg = The specified item could not be found in the keychain.
Jul 16 11:16:47.756 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], get 0 valid logon certificates
Jul 16 11:16:47.756 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController refreshAllCertificates], new size is 0
Jul 16 11:16:47.756 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController refreshCertDynamicFlag], did not get any certficate
Jul 16 11:16:47.756 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController refreshCertDynamicFlag], new size is 0
Jul 16 11:16:47.763 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], failed to create search list
Jul 16 11:16:47.763 -06:00: vmware-view 3411| errorcode = -25300, msg = The specified item could not be found in the keychain.
Jul 16 11:16:47.763 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], get 0 valid logon certificates
Jul 16 11:16:47.763 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], failed to create search list
Jul 16 11:16:47.763 -06:00: vmware-view 3411| errorcode = -25300, msg = The specified item could not be found in the keychain.
Jul 16 11:16:47.764 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], get 0 valid logon certificates
Jul 16 11:16:47.768 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], failed to create search list
Jul 16 11:16:47.768 -06:00: vmware-view 3411| errorcode = -25300, msg = The specified item could not be found in the keychain.
Jul 16 11:16:47.768 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], get 0 valid logon certificates
Jul 16 11:16:47.768 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController refreshAllCertificates], new size is 0
Jul 16 11:16:47.768 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController refreshCertDynamicFlag], did not get any certficate
Jul 16 11:16:47.768 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController refreshCertDynamicFlag], new size is 0
Jul 16 11:16:47.775 -06:00: vmware-view 3411| -[CdkAppController applicationDidFinishLaunching:], KEY_LAUNCH_APP_QUIETLY:0
Jul 16 11:16:47.780 -06:00: vmware-view 3411| -[CdkWindowController observeValueForKeyPath:ofObject:change:context:], workspaceOneMode: 0
Jul 16 11:16:47.860 -06:00: vmware-view 3411| -[CdkUrlRedirectionController setDefaultAppForURLScheme:bundleId:],LSSetDefaultHandlerForURLScheme returns:0
Jul 16 11:16:50.478 -06:00: vmware-view 3411| CdkUtil_SetIpProtocolUsage: setting Dual as the addressing mode.
Jul 16 11:16:50.478 -06:00: vmware-view 3411| CdkConnection_SetUrl: Connection url: https://svfrayc-cntsrv.inafrayc.altec:443/broker/xml.
Jul 16 11:16:50.478 -06:00: vmware-view 3411| CdkConnection_SetEffectiveUrl: Connection protocol: https, host: svfrayc-cntsrv.inafrayc.altec, port: 443, path: /broker/xml, secure: true.
Jul 16 11:16:50.478 -06:00: vmware-view 3411| CdkConnection_SetEffectiveUrl: Synthetic url: https://svfrayc-cntsrv.inafrayc.altec:443/broker/xml, interface: (null), scope: -1.
Jul 16 11:16:50.510 -06:00: vmware-view 3411| TaskCombiner: CdkGetLaunchItemsTask(TODO) added, group task num:1, total task num:1.
Jul 16 11:16:50.512 -06:00: vmware-view 3411| TaskCombiner: CdkGetUserGlobalPreferencesTask(TODO) added, group task num:2, total task num:2.
Jul 16 11:16:50.513 -06:00: vmware-view 3411| CdkConnection_SetProxy: Proxy: (null), type: 0.
Jul 16 11:16:50.514 -06:00: vmware-view 3411| CdkDnsLookup_ResolveAddress: Unable to resolve server name svfrayc-cntsrv.inafrayc.altec for IPv6.
Jul 16 11:16:50.514 -06:00: vmware-view 3411| CdkConnection_CheckPeerReachabilityImpl: peer reachability check returns 1 with error 0.
Jul 16 11:16:50.515 -06:00: vmware-view 3411| TaskCombiner: CdkGetTunnelConnectionTask(TODO) added, group task num:3, total task num:3.
Jul 16 11:16:50.515 -06:00: vmware-view 3411| TaskCombiner: Group Tasks(3):CdkGetLaunchItemsTask(TODO),CdkGetUserGlobalPreferencesTask(TODO),CdkGetTunnelConnectionTask(TODO),
Jul 16 11:16:50.517 -06:00: vmware-view 3411| TaskCombiner: CdkGetConfigurationTask(TODO) added, group task num:1, total task num:4.
Jul 16 11:16:50.518 -06:00: vmware-view 3411| TaskCombiner: CdkSetLocaleTask(TODO) added, group task num:2, total task num:5.
Jul 16 11:16:50.518 -06:00: vmware-view 3411| TaskCombiner: Group Tasks(2):CdkGetConfigurationTask(TODO),CdkSetLocaleTask(TODO),
Jul 16 11:16:50.881 -06:00: vmware-view 3411| CdkConnection_SetReachability: reachability: 1.
Jul 16 11:16:50.881 -06:00: vmware-view 3411| CdkConnection_SetUserMode: Connection user mode: Mixed-mode.
Jul 16 11:16:50.881 -06:00: vmware-view 3411| CdkConnection_SetPreferredAddress: Preferred server address: 192.168.10.26.
Jul 16 11:16:50.881 -06:00: vmware-view 3411| CdkConnection_SetAddressType: Connection address type: IPv4 (2)
Jul 16 11:16:50.881 -06:00: vmware-view 3411| TaskCombiner: CreateRequest for CdkSetLocaleTask(REDY).
Jul 16 11:16:50.883 -06:00: vmware-view 3411| CdkUtil_SetLocalAddress: local ip address 192.168.20.237 is being picked.
Jul 16 11:16:50.883 -06:00: vmware-view 3411| Send request successful: 0x600003a259c0
Jul 16 11:16:51.568 -06:00: vmware-view 3411| Verify server's certificate for Request 0x7fddfc54ced0
Jul 16 11:16:51.568 -06:00: vmware-view 3411| Find rpc request 0x7fddfc54ced0 from list
Jul 16 11:16:51.572 -06:00: vmware-view 3411| Alt name 0 matches hostname svfrayc-cntsrv.inafrayc.altec
Jul 16 11:16:51.572 -06:00: vmware-view 3411| Found a valid EKU: TLS Web Server Authentication
Jul 16 11:16:52.292 -06:00: vmware-view 3411| CdkRpc_HandleResponsesAsync: Handle Response with rpc call id: 1.
Jul 16 11:16:52.292 -06:00: vmware-view 3411| Got a response to request 1.
Jul 16 11:16:52.292 -06:00: vmware-view 3411| TaskCombiner: ParseResult for CdkSetLocaleTask(PEND).
Jul 16 11:16:52.292 -06:00: vmware-view 3411| TaskCombiner: CdkSetLocaleTask(DONE) removed, group task num:1, total task num:4.
Jul 16 11:16:52.292 -06:00: vmware-view 3411| TaskCombiner: SetResult for CdkSetLocaleTask(DONE).
Jul 16 11:16:52.296 -06:00: vmware-view 3411| Alt name 0 matches hostname svfrayc-cntsrv.inafrayc.altec
Jul 16 11:16:52.296 -06:00: vmware-view 3411| Found a valid EKU: TLS Web Server Authentication
Jul 16 11:16:52.297 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], failed to create search list
Jul 16 11:16:52.297 -06:00: vmware-view 3411| errorcode = -25300, msg = The specified item could not be found in the keychain.
Jul 16 11:16:52.297 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], get 0 valid logon certificates
Jul 16 11:16:52.298 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], failed to create search list
Jul 16 11:16:52.298 -06:00: vmware-view 3411| errorcode = -25300, msg = The specified item could not be found in the keychain.
Jul 16 11:16:52.298 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], get 0 valid logon certificates
Jul 16 11:16:52.303 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], failed to create search list
Jul 16 11:16:52.303 -06:00: vmware-view 3411| errorcode = -25300, msg = The specified item could not be found in the keychain.
Jul 16 11:16:52.303 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], get 0 valid logon certificates
Jul 16 11:16:52.303 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController refreshAllCertificates], new size is 0
Jul 16 11:16:52.303 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController refreshCertDynamicFlag], did not get any certficate
Jul 16 11:16:52.303 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController refreshCertDynamicFlag], new size is 0
Jul 16 11:16:52.314 -06:00: vmware-view 3411| Smart card, reader length is 21
Jul 16 11:16:52.314 -06:00: vmware-view 3411| Smart card, first reader -Bit4id miniLector-s-
Jul 16 11:16:52.314 -06:00: vmware-view 3411| -[CdkSCViewController lockSCKeychain]: There is no used certificate.
Jul 16 11:16:52.314 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController refreshDeviceInserted], did not get any certficate
Jul 16 11:16:52.326 -06:00: vmware-view 3411| TaskCombiner: SetResult for CdkGetConfigurationTask(PEND).
Jul 16 11:16:52.327 -06:00: vmware-view 3411| TaskCombiner: CdkGetConfigurationTask(PEND) removed, group task num:0, total task num:3.
Jul 16 11:16:54.190 -06:00: vmware-view 3411| CdkUtil_SetLocalAddress: local ip address 192.168.20.237 is being picked.
Jul 16 11:16:54.190 -06:00: vmware-view 3411| Send request successful: 0x600003a38e40
Jul 16 11:16:54.770 -06:00: vmware-view 3411| Verify server's certificate for Request 0x7fddfc681c20
Jul 16 11:16:54.770 -06:00: vmware-view 3411| Find rpc request 0x7fddfc681c20 from list
Jul 16 11:16:54.774 -06:00: vmware-view 3411| Alt name 0 matches hostname svfrayc-cntsrv.inafrayc.altec
Jul 16 11:16:54.774 -06:00: vmware-view 3411| Found a valid EKU: TLS Web Server Authentication
Jul 16 11:16:55.591 -06:00: vmware-view 3411| CdkRpc_HandleResponsesAsync: Handle Response with rpc call id: 2.
Jul 16 11:16:55.591 -06:00: vmware-view 3411| Got a response to request 2.
Jul 16 11:16:55.593 -06:00: vmware-view 3411| CdkUtil_SetLocalAddress: local ip address 192.168.20.237 is being picked.
Jul 16 11:16:55.593 -06:00: vmware-view 3411| Send request successful: 0x600003a1ae40
Jul 16 11:16:55.990 -06:00: vmware-view 3411| CdkRpc_HandleResponsesAsync: Handle Response with rpc call id: 3.
Jul 16 11:16:55.990 -06:00: vmware-view 3411| Got a response to request 3.
Jul 16 11:16:55.994 -06:00: vmware-view 3411| Alt name 0 matches hostname svfrayc-cntsrv.inafrayc.altec
Jul 16 11:16:55.994 -06:00: vmware-view 3411| Found a valid EKU: TLS Web Server Authentication
Jul 16 11:16:56.008 -06:00: vmware-view 3411| -[CdkWindowController observeValueForKeyPath:ofObject:change:context:], workspaceOneMode: 0
Jul 16 11:16:57.061 -06:00: vmware-view 3411| Disconnecting from broker https://svfrayc-cntsrv.inafrayc.altec:443/broker/xml
Jul 16 11:16:57.061 -06:00: vmware-view 3411| CdkConnection_SetUrl: Connection url: (null).
Jul 16 11:16:57.061 -06:00: vmware-view 3411| Reseting global state of libcdk.
Jul 16 11:16:57.061 -06:00: vmware-view 3411| CdkUtil_SetLocalAddress: fd -1 < 0, not retrieving local address.

0 Kudos
hongshengl
VMware Employee

From your log, it seems that there are no valid login certificates from the Mac CTK service.

Could you please run this command to show the smart card mapping status on your macOS:
#sc_auth identities

If all the certificates are recognized correctly, it shows results like the below:
SmartCard: com.apple.pivtoken:00000000000000000000000000000000
Unpaired identities:
088247DB83C93BA7F970CB742F6E135DD6EEE638 Certificate For Card Authentication (Test Agency, Test Department)
56FD4DE755D04C368B809128F9D4EE5482BDE0EB Certificate For Digital Signature (Test Cardholder)
AEAEED0DFBB928D3C8975ECD67557E9BA8EB1FD9 Certificate For PIV Authentication (Test Cardholder)

Otherwise, please check the certificate mapping status on your smart card.
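
The reading of the posted log that this reply gives, as an added example that is not part of the thread or of VMware's tooling: the script pulls the token, reader, error and certificate-count events out of Horizon Client log lines. `triage` and its result keys are hypothetical names; -25300 is `errSecItemNotFound` and `com.apple.setoken` is the Secure Enclave token identifier in Apple's Security framework.

```python
import re
from collections import Counter

# Lines copied from the client log posted in this thread.
SAMPLE_LOG = """\
Jul 16 11:16:47.644 -06:00: vmware-view 3411| -[CdkSCViewController init]_block_invoke: Detect a new token com.apple.setoken is inserted.
Jul 16 11:16:47.644 -06:00: vmware-view 3411| -[CdkSCViewController init]_block_invoke: Detect a new token com.apple.setoken:aks is inserted.
Jul 16 11:16:47.645 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], failed to create search list
Jul 16 11:16:47.648 -06:00: vmware-view 3411| errorcode = -25300, msg = The specified item could not be found in the keychain.
Jul 16 11:16:47.648 -06:00: vmware-view 3411| Smart card, -[CdkSCViewController certificatesWithTokenId:], get 0 valid logon certificates
Jul 16 11:16:52.314 -06:00: vmware-view 3411| Smart card, first reader -Bit4id miniLector-s-
"""

# Timestamp, process name, pid, then the message after "| ".
LINE = re.compile(r"^\w{3} +\d+ [\d:.]+ [+-]\d\d:\d\d: (\S+) (\d+)\| (.*)$")
TOKEN = re.compile(r"Detect a new token (\S+) is inserted")
ERROR = re.compile(r"errorcode = (-?\d+)")
CERTS = re.compile(r"get (\d+) valid logon certificates")
READER = re.compile(r"first reader -(.*)-$")

# OSStatus value from Apple's Security framework (SecBase.h).
OSSTATUS = {-25300: "errSecItemNotFound"}
# com.apple.setoken is the Secure Enclave token, not a physical card.
BUILTIN_PREFIX = "com.apple.setoken"


def triage(log_text):
    """Summarise what the client saw while enumerating smart-card certificates."""
    tokens, readers, cert_counts, errors = [], [], [], Counter()
    for raw in log_text.splitlines():
        line = LINE.match(raw.rstrip())
        if not line:
            continue  # not a client log line
        msg = line.group(3)
        if m := TOKEN.search(msg):
            tokens.append(m.group(1))
        elif m := ERROR.search(msg):
            code = int(m.group(1))
            errors[OSSTATUS.get(code, str(code))] += 1
        elif m := CERTS.search(msg):
            cert_counts.append(int(m.group(1)))
        elif m := READER.search(msg):
            readers.append(m.group(1))
    card_tokens = [t for t in tokens if not t.startswith(BUILTIN_PREFIX)]
    return {
        "readers": readers,
        "card_tokens": card_tokens,
        "errors": dict(errors),
        "max_logon_certs": max(cert_counts, default=0),
        # Reader present, yet no card token was announced to the client.
        "reader_without_card_token": bool(readers) and not card_tokens,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```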

cmatamr
Contributor

Hello hongshengl,

The command #sc_auth identities returns nothing.

How do I check the certificate mapping status on the smart card?

0 Kudos
hongshengl
VMware Employee

Please try the command below and check whether any smart card setting is set in your env.
#defaults read /Library/Preferences/com.apple.security.smartcard

By the way, you can also try the command below, which displays the available smartcards on your Mac:
#security list-smartcards

About the certificate mapping status of your smartcard, maybe you should consult the card provider or the person who flashed the certificates onto the physical smartcard. Here is a reference on how to map the certs into a PIV card: https://pivkey.zendesk.com/hc/en-us/articles/115000506843-Mapping-a-PIV-Certificate-using-an-OID
cmatamr
Contributor

The command #defaults read /Library/Preferences/com.apple.security.smartcard returns

    DisabledTokens =     (
        "com.apple.CryptoTokenKit.pivtoken"
    );
    EnablTokens =     (
        "com.apple.CryptoTokenKit.pivtoken"
    );
    EnableTokens =     (
        "com.apple.CryptoTokenKit.pivtoken"
    );
    EnabledTokens =     (
        "com.apple.CryptoTokenKit.pivtoken"
    );
    Legacy = 1;
    UserPairing = 1;
    checkCertificateTrust = 3;

The command #security list-smartcards returns nothing.

And about the mapping status, I think it's OK. This problem is only on Mac; if I use another computer the login works fine.

0 Kudos
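
A check over the `defaults read` output posted above, as an added example that is not part of the thread or of any VMware or Apple tooling: `DisabledTokens` is the array macOS uses to switch off CryptoTokenKit token drivers, and `com.apple.CryptoTokenKit.pivtoken` is the built-in PIV driver, so the script reports every driver named there and any other array key that names the same driver. `parse_defaults` and `audit_tokens` are hypothetical helper names, and the example does not assume that macOS reads the three look-alike keys.

```python
import re

# Output of `defaults read /Library/Preferences/com.apple.security.smartcard`
# as posted in this thread.
POSTED = """
    DisabledTokens =     (
        "com.apple.CryptoTokenKit.pivtoken"
    );
    EnablTokens =     (
        "com.apple.CryptoTokenKit.pivtoken"
    );
    EnableTokens =     (
        "com.apple.CryptoTokenKit.pivtoken"
    );
    EnabledTokens =     (
        "com.apple.CryptoTokenKit.pivtoken"
    );
    Legacy = 1;
    UserPairing = 1;
    checkCertificateTrust = 3;
"""

# `Key = ( ... );` arrays and `Key = value;` scalars of the old-style plist dump.
ARRAY = re.compile(r"(\w+)\s*=\s*\((.*?)\);", re.S)
SCALAR = re.compile(r"^\s*(\w+)\s*=\s*([^;(\n]+);", re.M)


def parse_defaults(text):
    """Parse the array and scalar entries of a `defaults read` dump."""
    arrays = {k: re.findall(r"[\w.:-]+", body) for k, body in ARRAY.findall(text)}
    scalars = {k: v.strip().strip('"') for k, v in SCALAR.findall(text)}
    return arrays, scalars


def audit_tokens(text):
    """Report disabled token drivers and other array keys naming the same driver."""
    arrays, scalars = parse_defaults(text)
    disabled = arrays.get("DisabledTokens", [])
    also_listed = {
        token: sorted(k for k, v in arrays.items()
                      if k != "DisabledTokens" and token in v)
        for token in disabled
    }
    return {"disabled": disabled, "also_listed": also_listed, "scalars": scalars}


if __name__ == "__main__":
    report = audit_tokens(POSTED)
    for token in report["disabled"]:
        print(f"driver disabled: {token}; also named under {report['also_listed'][token]}")
```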
hongshengl
VMware Employee

You mentioned that "I use another computer the login works fine". Could you please tell me the kind of OS on the other computer?

We have already noticed a similar issue where the certificate mapping is not correct on a PIV smartcard, which works well on the Windows platform but fails on macOS.

0 Kudos
cmatamr
Contributor

Yes, that's the problem: on Windows it works OK, but on macOS I get this error.

0 Kudos