VMware Horizon Community
epa80 (Hot Shot)

True SSO Error - Attempted Logon is invalid

Environment:

Horizon 8 2111.2
RDSH Published App on Server 2019
Utilizing WorkspaceOne Access

We're testing True SSO in our Horizon non-prod environment and receiving the error below when launching published apps. True SSO within Horizon is all green for the domain being utilized, but we get this message. Didn't have much luck in Google, so figured I'd throw it here to see if anyone has seen it. We have opened an SR as well.

Thanks in advance for any feedback.

[Attached screenshot: epa80_0-1700498403792.png]

6 Replies
Mickeybyte (Hot Shot)

@epa80 

From what I can see, it's all in the error message: an untrusted certificate authority was detected...

Check the CA that is handing out the user certificates for TrueSSO and make sure it's trusted by the RDSH server.

Good that you also created an SR because in my experience with TrueSSO, it can be hard to troubleshoot and support seems to have a way to find a solution faster than searching for it on your own :-).

Regards,
Mickeybyte (ITPro blog)

If you found this comment useful or an answer to your question, please mark as 'Solved' and/or click the 'Kudos' button, please ask follow-up questions if you have any.
epa80 (Hot Shot)

Thanks for the reply! I logged on to one of the RDSH servers locally, and within the Certificates MMC, I do see the CA as a trusted root CA, but still no go.

And yup, waiting on some SR feedback.

-Ed

Mickeybyte (Hot Shot)

Are you looking at the user certificates or the computer certificates? It must be in the computer certificates. 

There's a diagnostic tool called es_diag (you can still find it here: flings.vmware.com directory listing (archive.org)) that you can try to simulate a login with. Try running it from a console on the RDSH to see what results you get.

Regards,
Mickeybyte (ITPro blog)
epa80 (Hot Shot)

I've tried posting a reply here a few times but I don't see it, so here's the 3rd try.

Yeah, it's in the Computer section for certs, not User. And we did use es_diag but got this output. This was run off the Enrollment Server.

[Attached screenshot: epa80_0-1700507340794.png]

epa80 (Hot Shot)

Small update:

SR with support still ongoing. Might need to open a separate ticket with Microsoft. To clarify some on our environment:

Horizon infrastructure all lives on what we'll call Domain 1. It's the primary domain our enterprise uses, with 98% of users within it. We also have 1% of a user base coming from domain 2, and the other 1% from domain 3. All 3 domains are trusted with each other, but within their own forests.

We have spun up 3 Enrollment servers, 1 for each domain, and attached them to Horizon. For domain 1, where the Connection brokers/users/VM desktops/enrollment server lives, everything goes fine. For domain 2 and domain 3 users, we receive the error I attached earlier. This is with them having their own enrollment servers, but connecting to desktops in domain 1.

We're hoping that we don't also need connection brokers on those domains for this to work, as it would throw a pretty big wrench into our design.

epa80 (Hot Shot)

We eventually did resolve our issue. Unfortunately I don't have the best details but could try and update the thread when I gather more. At a very very very high level (vague): 

1. Push out the CA certs of all 3 domains to all the domains

2. Ensure the cert of the domain you're logging in to is in the NT Auth store of the domain the machine is on

If I can get a much cleaner/better write up from our domain admin I'll post it here. Lesson learned: make sure CA pieces of your environment are all using best practices and functioning normally.
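As an added example (not posted by anyone in this thread), a PowerShell check an admin could run on a Domain 1 RDSH to confirm the two conditions the last post names: that the user domain's CA is trusted in the computer store, and that it is present in the NTAuth store of the forest the machine belongs to. The .cer path and the "Domain2" name are placeholders.

```powershell
# Added example: verify a True SSO issuing CA is trusted where the RDSH / desktop needs it.
# Assumptions: the CA cert of the user's domain is exported as a .cer file (placeholder path),
# and this runs on the RDSH with rights to read the forest Configuration partition.
param(
    [Parameter(Mandatory)] [string] $CaCertPath   # e.g. .\Domain2-IssuingCA.cer (placeholder)
)

$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCertPath)
Write-Host "Checking CA: $($ca.Subject) [$($ca.Thumbprint)]"

# 1. Computer (not User) Trusted Root and Intermediate stores on this machine.
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint
$inCA   = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Thumbprint -eq $ca.Thumbprint
Write-Host ("LocalMachine\Root  : {0}" -f [bool]$inRoot)
Write-Host ("LocalMachine\CA    : {0}" -f [bool]$inCA)

# 2. NTAuthCertificates object in this machine's forest. A DC only accepts a logon
#    certificate (smart card or True SSO) whose issuing CA is listed here.
$cfgNC  = ([ADSI]"LDAP://RootDSE").Get("configurationNamingContext")
$ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfgNC"
$ntAuthThumbs = foreach ($blob in $ntAuth.Properties['cACertificate']) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob).Thumbprint
}
$inNtAuth = $ntAuthThumbs -contains $ca.Thumbprint
Write-Host ("Forest NTAuth      : {0}" -f $inNtAuth)

# 3. Local NTAuth cache on this machine, which Windows fills from AD via Group Policy.
$cachePath = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\$($ca.Thumbprint)"
$inCache = Test-Path $cachePath
Write-Host ("Local NTAuth cache : {0}" -f $inCache)

if (-not ($inRoot -or $inCA)) {
    Write-Warning "CA is not trusted by this computer; import it into the computer store (certlm.msc or Group Policy)."
}
if (-not $inNtAuth) {
    Write-Warning "CA is missing from NTAuth in this forest; an Enterprise Admin can publish it with: certutil -dspublish -f <cer> NTAuthCA"
}
```

In the multi-forest layout described above, run this once per foreign CA (Domain 2 and Domain 3) on a Domain 1 machine, since each forest keeps its own NTAuth store.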