Hello,
I'm running VMware Horizon Client ver 3.1.0 on Windows 7 Enterprise x64 on an AD domain. When I install the software on a new computer, the 'Login as current user' is working correctly and all is right in the world. However, if I reimage a workstation and add it to the domain using the same computer name (even when I delete the computer object out of AD first), the 'Login as current user' functionality does not work and instead I receive error message 'The Connection Server authentication failed to log in as current user'. If I deselect 'Login as current user', I am able to manually enter the credentials that I am logged on with at the prompt and it works correctly. Does anyone have any ideas why the functionality isn't working on reimaged machines?
Here is the Windows Security Event Viewer entry showing the failure when I try to connect using 'Login as current user'
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000006a
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
And here is the VMware log during a failed login attempt (username and VDI server name removed for security)
2015-03-04 11:59:42.515+-5:00 INFO (0784) [libcdk] Log for vmware-view.exe pid=2148 version=3.1.0-2085634
2015-03-04 11:59:42.515+-5:00 INFO (0784) [WinCDK] OpenLog : Log for VMware Horizon Client, version=3.1.0 build-2085634.
2015-03-04 11:59:42.520+-5:00 ERROR (0784) [WinCDK] RebrandingPref::LoadCertFile : Failed create new BIO from cert file: C:\Program Files (x86)\VMware\VMware Horizon View Client\rc\rebranding\vendor.crt.
2015-03-04 11:59:42.520+-5:00 ERROR (0784) [WinCDK] RebrandingPref::VerifyCert : Invalid parameter.
2015-03-04 11:59:42.520+-5:00 ERROR (0784) [WinCDK] RebrandingPref::CheckRebranding : Failed to verify cert.
2015-03-04 11:59:42.520+-5:00 INFO (0784) [WinCDK] utils::GetCurrentLangId : Language id '0x0409' used by the OS.
2015-03-04 11:59:42.520+-5:00 INFO (0784) [libcdk] Using the WSAPoll() API Implementation for polling sockets.
2015-03-04 11:59:42.525+-5:00 INFO (0784) [libcdk] Using libcurl/7.32.0 OpenSSL/1.0.1h zlib/1.2.3 c-ares/1.9.1
2015-03-04 11:59:42.525+-5:00 INFO (0784) [libcdk] Set local language as en-us.
2015-03-04 11:59:42.600+-5:00 INFO (0784) [libcdk] Icon cache root dir will be:C:\Users\[UsernameRemoved]\AppData\Roaming\VMware\VMware Horizon View Client\Icon Cache\.
2015-03-04 11:59:42.635+-5:00 INFO (0784) [WinCDK] SmallWindow::OnInitDialog : [User] Enter SmallWindow.
2015-03-04 11:59:42.680+-5:00 INFO (0784) [WinCDK] SmallWindow::OnInitDialog : [User] Exit SmallWindow.
2015-03-04 11:59:42.703+-5:00 INFO (0784) [WinCDK] AppWindow::EnterWindowState : Valid transition from state 'Uninitialized' to state 'Disconnected'.
2015-03-04 11:59:42.723+-5:00 INFO (0784) [WinCDK] NotificationAreaManager::ShowIcon : Create notify icon in the notification area succeed.
2015-03-04 11:59:42.723+-5:00 INFO (0784) [WinCDK] NotificationAreaManager::ShowIcon : Set version for the notify icon succeed.
2015-03-04 11:59:42.733+-5:00 INFO (0784) [WinCDK] ImageItem::OnPaint : Current system's BITSPIXEL: 32.
2015-03-04 11:59:43.705+-5:00 INFO (0784) [WinCDK] BrokerItem::Connect : [User] Enter ConnectToServer:[VDI Server Name Removed Here]
2015-03-04 11:59:43.705+-5:00 INFO (0784) [WinCDK] Services::LogOffServer : [User] Enter Services::LogOffServer.
2015-03-04 11:59:43.705+-5:00 INFO (0784) [WinCDK] Services::LogOffServer : [User] Exit Services::LogOffServer.
2015-03-04 11:59:43.710+-5:00 INFO (0784) [WinCDK] AppWindow::EnterWindowState : Valid transition from state 'Disconnected' to state 'Connecting'.
2015-03-04 11:59:43.805+-5:00 INFO (0784) [WinCDK] BrokerItem::Connect : [User] Exit ConnectToServer:[VDI Server Name Removed Here]
2015-03-04 11:59:43.805+-5:00 INFO (0784) [libcdk] TaskCombiner: CdkGetLaunchItemsTask(TODO) added, group task num:1, total task num:1.
2015-03-04 11:59:43.805+-5:00 INFO (0784) [libcdk] TaskCombiner: CdkGetUserGlobalPreferencesTask(TODO) added, group task num:2, total task num:2.
2015-03-04 11:59:43.855+-5:00 DEBUG (0784) [(null)] CdkProxy_GetProxyForUrl: Got the proxy and return to main message loop.
2015-03-04 11:59:43.855+-5:00 INFO (0784) [libcdk] TaskCombiner: CdkGetTunnelConnectionTask(TODO) added, group task num:3, total task num:3.
2015-03-04 11:59:43.855+-5:00 INFO (0784) [libcdk] TaskCombiner: Group Tasks(3):CdkGetLaunchItemsTask(TODO),CdkGetUserGlobalPreferencesTask(TODO),CdkGetTunnelConnectionTask(TODO),
2015-03-04 11:59:43.855+-5:00 INFO (0784) [libcdk] TaskCombiner: CdkGetConfigurationTask(TODO) added, group task num:1, total task num:4.
2015-03-04 11:59:43.855+-5:00 INFO (0784) [libcdk] TaskCombiner: CdkSetLocaleTask(TODO) added, group task num:2, total task num:5.
2015-03-04 11:59:43.855+-5:00 INFO (0784) [libcdk] TaskCombiner: Group Tasks(2):CdkGetConfigurationTask(TODO),CdkSetLocaleTask(TODO),
2015-03-04 11:59:43.855+-5:00 INFO (0784) [libcdk] TaskCombiner: CreateRequest for CdkSetLocaleTask(REDY).
2015-03-04 11:59:43.860+-5:00 INFO (0784) [libcdk] Send request successful: 0311B220
2015-03-04 11:59:43.913+-5:00 INFO (0784) [libcdk] Verify server's certificate for Request 03137610
2015-03-04 11:59:43.913+-5:00 INFO (0784) [libcdk] Find rpc request 03137610 from list
2015-03-04 11:59:43.960+-5:00 INFO (0784) [libcdk] Alt name 0 matches hostname [VDI Server Name Removed Here]
2015-03-04 11:59:43.960+-5:00 INFO (0784) [libcdk] Found a valid EKU: TLS Web Server Authentication
2015-03-04 11:59:44.625+-5:00 INFO (0784) [libcdk] Got a response to request 1.
2015-03-04 11:59:44.625+-5:00 INFO (0784) [libcdk] TaskCombiner: ParseResult for CdkSetLocaleTask(PEND).
2015-03-04 11:59:44.625+-5:00 INFO (0784) [libcdk] TaskCombiner: CdkSetLocaleTask(DONE) removed, group task num:1, total task num:4.
2015-03-04 11:59:44.625+-5:00 INFO (0784) [libcdk] TaskCombiner: SetResult for CdkSetLocaleTask(DONE).
2015-03-04 11:59:44.628+-5:00 INFO (0784) [libcdk] Alt name 0 matches hostname [VDI Server Name Removed Here]
2015-03-04 11:59:44.628+-5:00 INFO (0784) [libcdk] Found a valid EKU: TLS Web Server Authentication
2015-03-04 11:59:44.628+-5:00 INFO (0784) [WinCDK] Services::AuthInfoLoadCallback : Unhandled_Type Callback: Entry.
2015-03-04 11:59:44.628+-5:00 INFO (0784) [WinCDK] Services::AuthInfoLoadCallback : Unhandled_Type Callback: Exit.
2015-03-04 11:59:44.628+-5:00 INFO (0784) [WinCDK] Services::AuthInfoCallback : Unhandled_Type Callback: Entry.
2015-03-04 11:59:44.630+-5:00 INFO (0784) [WinCDK] Services::AuthInfoCallback : Unhandled_Type Callback: Exit.
2015-03-04 11:59:44.630+-5:00 INFO (0784) [libcdk] TaskCombiner: CdkGetConfigurationTask(DONE) removed, group task num:0, total task num:3.
2015-03-04 11:59:44.630+-5:00 INFO (0784) [libcdk] TaskCombiner: SetResult for CdkGetConfigurationTask(DONE).
2015-03-04 11:59:44.640+-5:00 INFO (0784) [libcdk] Send request successful: 0311BCE8
2015-03-04 11:59:45.123+-5:00 INFO (0784) [libcdk] Got a response to request 2.
2015-03-04 11:59:45.123+-5:00 INFO (0784) [WinCDK] Services::TaskDoneCallback : CdkSubmitGssapiTask Callback: Entry.
2015-03-04 11:59:45.123+-5:00 INFO (0784) [WinCDK] Services::TaskDoneCallback : CdkSubmitGssapiTask Callback: Exit.
2015-03-04 11:59:45.133+-5:00 INFO (0784) [libcdk] Send request successful: 0311BCE8
2015-03-04 11:59:45.743+-5:00 INFO (0784) [libcdk] Got a response to request 3.
2015-03-04 11:59:45.743+-5:00 INFO (0784) [WinCDK] Services::AuthInfoLoadCallback : Unhandled_Type Callback: Entry.
2015-03-04 11:59:45.743+-5:00 INFO (0784) [WinCDK] Services::AuthInfoLoadCallback : Unhandled_Type Callback: Exit.
2015-03-04 11:59:45.743+-5:00 INFO (0784) [WinCDK] Services::AuthInfoCallback : Unhandled_Type Callback: Entry.
2015-03-04 11:59:45.743+-5:00 INFO (0784) [WinCDK] Services::AuthInfoCallback : Unhandled_Type Callback: Exit.
2015-03-04 11:59:45.748+-5:00 ERROR (0784) [WinCDK] BaseAppWindow::OnAuthInfoChanged : GSSAPI ProcessServerContext FAILED.
Thanks in advance for any advice!
The plot thickens - the problem appears to be self-correcting. After anywhere from 2 hours to 8 hours, the 'Login as current user' functionality begins to work. I've verified this multiple times over the past 5 days. Another very interesting note, it doesn't matter if the computer is on or not while this amount of time passes. I was able to reimage a machine and saw the problem, and then powered the machine off overnight, and when I booted it up the next day the 'Login as current user' was working. Very strange.
I'm guessing the issue is somewhere within AD, but it still doesn't make sense to me why dropping from the domain and re-joining it wouldn't fix it if it was a domain trust problem, or a problem with the computer object. It appears that only time will fix it for now. So at least I have a workaround, but I'm open to suggestions if anyone has any input! Thanks!
After re imaging, does it miss any windows updates ?
I guess After re-imaging, windows updates will run in the background to fix certificate vulnerabilities and hot patches.
Good suggestion, but I've got all the the updates installed on the reference image (using SCCM offline servicing). Also as I mentioned in the second post, the problem fixes itself even when the machine is off over night.
Have you tried uninstalling and reinstalling the client, followed by a reboot so that it can reset its hooks to the authentication?
did you find out why this happening ? also do you have any work around ?
Unfortunately I was unable to get to the bottom of why this is happening, and the only 'workaround' I have (if you can call it a workaround) is to wait the unspecified amount of time for it to fix itself before I deploy the workstation to the end-user. In my testing this could be a matter of hours, or potentially overnight, and does not require the effected workstation to be on the network (or even powered on for that matter). Luckily our desktop support technicians and incident support folks aren't reporting seeing this problem very often in the field, even though I can replicate the behavior at-will in my computer lab. I guess they aren't doing many in-place reimages, and are more likely replacing workstations with pre-imaged devices. *shrug*
We had the same issue, only our workstation had not been re-imaged. And it resolved itself by the next day.
This client was working fine with "log in as current user" selected for the last month.
Then began to get this error Message with "Log in as current user" selected.
"The Connection Server authentication failed to log in as current user"
This was the only client experiencing this problem.
Unselecting "Log in as current user", allowed the user to be prompted for credentials and successfully login using the same connection.
A day later, the "Log in as current user" feature is now working again for the client.
Client Workstation:
O/S: Windows 7 Enterprise
Level: Service Pack 1 64-bit
VMware Horizon View Client 3.0.0.1969620150313
No smartcard
Two Connection Servers, both version 6.0.0-1884746
Load balance DNS IP address to connection servers.
No Security Servers.
Servers and client in the same Active Directory Domain.
Client security event log error:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/15/2015 7:49:29 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: XXXXX.xxxxx.ca
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000006a
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Rebooting the workstation, did not resolve it either, it still failed after a reboot. Only the next day it was working again.
Any resolution to this? I am experiencing the same issue in our environment.
