paiolfi
Contributor

View 5.1 - View Connection Server Authentication failed

Hi All,

I'm getting this error on my View 5.1 Environment: The View Connection Server authentication failed. Initialization failed while connecting to server 'https://view.mydomain.local:443'

I have three View Connection Servers with a SAN certificate for view.mydomain.local; I've also included each connection server name in the cert as a SAN.

I'm using HTTPS Secure Tunnel with https://view.mydomain.local:443 in the External URL.

If I change the external url to the connection server name I don't get the error.

Here is the View Client log:

2013-02-05T07:19:44.610+01:00 DEBUG (1CB4-1210) <MessageFrameWorkDispatch> [wswc_ui] LogonDialog::startReverseGSSAPI sending service principal name 'myclient-machine'.
2013-02-05T07:19:44.610+01:00 DEBUG (1CB4-055C) <MessageFrameWorkDispatch> [wswc_http] Broker request reverse gssapi init started
2013-02-05T07:19:44.652+01:00 DEBUG (1CB4-055C) <MessageFrameWorkDispatch> [wswc_http] Broker request reverse gssapi init successful
2013-02-05T07:19:44.678+01:00 DEBUG (1CB4-055C) <MessageFrameWorkDispatch> [wswc_http] Broker request transportCredentials started
2013-02-05T07:19:44.864+01:00 DEBUG (1CB4-055C) <MessageFrameWorkDispatch> [wswc_http] Broker request transportCredentials successful
2013-02-05T07:19:44.867+01:00 INFO  (1CB4-055C) <MessageFrameWorkDispatch> [wswc_tunnel] Data frame policy set to NEGOTIATE (proposing 0 bytes)
2013-02-05T07:19:44.867+01:00 INFO  (1CB4-055C) <MessageFrameWorkDispatch> [wswc_tunnel] Received chunk window set to 2
2013-02-05T07:19:44.943+01:00 DEBUG (1CB4-1E44) <TunnelRead> [wswc_tunnel] Tunnel::start: Server thumbprint is in SHA-1 format.
2013-02-05T07:19:44.976+01:00 ERROR (1CB4-1E44) <TunnelRead> [wswc_tunnel] HttpConnection: BAD HttpResponse
2013-02-05T07:19:44.977+01:00 INFO  (1CB4-1E44) <TunnelRead> [wswc_tunnel] Tunnel Unnamed: Could not start server view.mydomain.local, reason: HttpConnection: BAD HttpResponse
2013-02-05T07:19:44.978+01:00 ERROR (1CB4-055C) <MessageFrameWorkDispatch> [wswc_tunnel] TunnelQueue::MessageHandler: Tunnel 0x00818170 failed to connect.
2013-02-05T07:19:44.978+01:00 INFO  (1CB4-055C) <MessageFrameWorkDispatch> [wswc_tunnel] Data frame policy set to NEGOTIATE (proposing 0 bytes)
2013-02-05T07:19:44.978+01:00 INFO  (1CB4-055C) <MessageFrameWorkDispatch> [wswc_tunnel] Received chunk window set to 2
2013-02-05T07:19:45.052+01:00 DEBUG (1CB4-1184) <TunnelRead> [wswc_tunnel] Tunnel::start: Server thumbprint is in SHA-1 format.
2013-02-05T07:19:45.077+01:00 ERROR (1CB4-1184) <TunnelRead> [wswc_tunnel] HttpConnection: BAD HttpResponse
2013-02-05T07:19:45.077+01:00 INFO  (1CB4-1184) <TunnelRead> [wswc_tunnel] Tunnel Unnamed: Could not start server view.mydomain.local, reason: HttpConnection: BAD HttpResponse
2013-02-05T07:19:45.079+01:00 ERROR (1CB4-055C) <MessageFrameWorkDispatch> [wswc_tunnel] TunnelQueue::MessageHandler: Tunnel 0x00818170 failed to connect.
2013-02-05T07:19:45.079+01:00 INFO  (1CB4-055C) <MessageFrameWorkDispatch> [wswc_tunnel] Data frame policy set to NEGOTIATE (proposing 0 bytes)
2013-02-05T07:19:45.079+01:00 INFO  (1CB4-055C) <MessageFrameWorkDispatch> [wswc_tunnel] Received chunk window set to 2
2013-02-05T07:19:45.153+01:00 DEBUG (1CB4-19F0) <TunnelRead> [wswc_tunnel] Tunnel::start: Server thumbprint is in SHA-1 format.
2013-02-05T07:19:45.176+01:00 ERROR (1CB4-19F0) <TunnelRead> [wswc_tunnel] HttpConnection: BAD HttpResponse
2013-02-05T07:19:45.176+01:00 INFO  (1CB4-19F0) <TunnelRead> [wswc_tunnel] Tunnel Unnamed: Could not start server view.mydomain.local, reason: HttpConnection: BAD HttpResponse
2013-02-05T07:19:45.177+01:00 ERROR (1CB4-055C) <MessageFrameWorkDispatch> [wswc_tunnel] TunnelQueue::MessageHandler: Tunnel 0x008307A8 failed to connect.
2013-02-05T07:19:45.177+01:00 INFO  (1CB4-055C) <MessageFrameWorkDispatch> [wswc_tunnel] Data frame policy set to NEGOTIATE (proposing 0 bytes)
2013-02-05T07:19:45.177+01:00 INFO  (1CB4-055C) <MessageFrameWorkDispatch> [wswc_tunnel] Received chunk window set to 2
2013-02-05T07:19:45.260+01:00 DEBUG (1CB4-0EEC) <TunnelRead> [wswc_tunnel] Tunnel::start: Server thumbprint is in SHA-1 format.
2013-02-05T07:19:45.276+01:00 ERROR (1CB4-0EEC) <TunnelRead> [wswc_tunnel] HttpConnection: BAD HttpResponse
2013-02-05T07:19:45.276+01:00 INFO  (1CB4-0EEC) <TunnelRead> [wswc_tunnel] Tunnel Unnamed: Could not start server view.mydomain.local, reason: HttpConnection: BAD HttpResponse
2013-02-05T07:19:45.277+01:00 ERROR (1CB4-055C) <MessageFrameWorkDispatch> [wswc_tunnel] TunnelQueue::MessageHandler: Tunnel 0x00818170 failed to connect.
2013-02-05T07:19:45.278+01:00 ERROR (1CB4-055C) <MessageFrameWorkDispatch> [wswc_ui] wswc_ui_operation::GetTunnelMsg: Unable to start the tunnel: "Tunnel failed to connect". Error message displayed was "The View Connection Server authentication failed. Initialization failed while connecting to server 'https://view.mydomain.local:443'.". Proxy used to connect was '(null)', connection server was 'https://view.mydomain.local:443'.
2013-02-05T07:19:48.378+01:00 DEBUG (1CB4-1210) <MessageFrameWorkDispatch> [wswc_http] Broker request brokerLogoff started
2013-02-05T07:19:48.862+01:00 DEBUG (1CB4-1210) <MessageFrameWorkDispatch> [wswc_http] Broker request brokerLogoff successful
2013-02-05T07:19:49.963+01:00 DEBUG (1CB4-1F04) <MessageFrameWorkDispatch> [MessageFrameWork] System::Shutdown
2013-02-05T07:19:49.963+01:00 INFO  (1CB4-1F04) <MessageFrameWorkDispatch> [wswc] VMware View Windows Client received shutdown signal
2013-02-05T07:19:49.964+01:00 DEBUG (1CB4-1CD4) <Main Thread> [MessageFrameWork] MessageFrameWork Worker Shutdown, Name=wswc, Channel=00000000
2013-02-05T07:19:49.964+01:00 DEBUG (1CB4-1CD4) <Main Thread> [wswc] Cleanup: starting call to MessageFrameWork::System()->Stop().
2013-02-05T07:19:49.965+01:00 DEBUG (1CB4-1CD4) <Main Thread> [wswc] Cleanup: finished call to MessageFrameWork::System()->Stop().
2013-02-05T07:19:49.965+01:00 DEBUG (1CB4-1CD4) <Main Thread> [wswc] Cleanup: starting call to MessageFrameWork::System()->Shutdown().
2013-02-05T07:19:49.966+01:00 DEBUG (1CB4-1CD4) <Main Thread> [MessageFrameWork] MessageFrameWork Worker Shutdown, Name=wswc_command, Channel=00000000
2013-02-05T07:19:49.997+01:00 DEBUG (1CB4-1CD4) <Main Thread> [MessageFrameWork] MessageFrameWork Worker Shutdown, Name=wswc_http, Channel=00000000
2013-02-05T07:19:50.047+01:00 DEBUG (1CB4-1CD4) <Main Thread> [MessageFrameWork] MessageFrameWork Worker Shutdown, Name=wswc_rdp, Channel=00000000
2013-02-05T07:19:50.072+01:00 DEBUG (1CB4-1CD4) <Main Thread> [MessageFrameWork] MessageFrameWork Worker Shutdown, Name=securid-passcode, Channel=00000000
2013-02-05T07:19:50.097+01:00 DEBUG (1CB4-1CD4) <Main Thread> [MessageFrameWork] MessageFrameWork Worker Shutdown, Name=Tunnel, Channel=00000000
2013-02-05T07:19:50.122+01:00 DEBUG (1CB4-1CD4) <Main Thread> [MessageFrameWork] MessageFrameWork Worker Shutdown, Name=windows-password, Channel=00000000
2013-02-05T07:19:50.122+01:00 DEBUG (1CB4-1CD4) <Main Thread> [MessageFrameWork] MessageFrameWork Worker Shutdown, Name=wswc_ui, Channel=00000000
2013-02-05T07:19:50.122+01:00 DEBUG (1CB4-1CD4) <Main Thread> [MessageFrameWork] MessageFrameWork Worker Shutdown, Name=GuestUIManager, Channel=00000000
2013-02-05T07:19:50.147+01:00 DEBUG (1CB4-1CD4) <Main Thread> [MessageFrameWork] Closed outgoing SharedMemory channel to machine myclient-machine, user myuser
2013-02-05T07:19:50.266+01:00 DEBUG (1CB4-1CD4) <Main Thread> [MessageFrameWork] MessageFrameWork Worker Shutdown, Name=UIManager, Channel=00000000
2013-02-05T07:19:50.293+01:00 DEBUG (1CB4-1CD4) <Main Thread> [MessageFrameWork] MessageFrameWork Worker Shutdown, Name=WinAuth, Channel=00000000
2013-02-05T07:19:50.293+01:00 DEBUG (1CB4-1CD4) <Main Thread> [ws_winauth] WindowsAuthentication queue server un-installed
2013-02-05T07:19:50.345+01:00 DEBUG (1CB4-1CD4) <Main Thread> [wswc] Cleanup: finished call to MessageFrameWork::System()->Shutdown().
2013-02-05T07:19:50.345+01:00 DEBUG (1CB4-1CD4) <Main Thread> [wswc] Cleanup: starting call to corerunnable::waitForAllThreads(INFINITE).
2013-02-05T07:19:50.370+01:00 DEBUG (1CB4-1CD4) <Main Thread> [wswc] Cleanup: finished call to corerunnable::waitForAllThreads(INFINITE).
2013-02-05T07:19:50.370+01:00 INFO  (1CB4-1CD4) <Main Thread> [wswc] VMware Windows Client stopped (exit code 0)
2013-02-05T07:19:50.376+01:00 DEBUG (1CB4-1CD4) <7380> [MessageFrameWork] runtime onexit called

Any idea?

Am I missing something in the View Connection Server configuration? Or did I make a mistake installing some components?

Thanks

markbenson
VMware Employee

Is this going through a load balancer? It's possible that the tunnel connection is getting routed to a different Connection Server.

If your load balancer doesn't ensure that subsequent connections from the same View Client go to the same server, then you should use specific Connection Server hostname references in your External URL.

e.g. if you have view.mydomain.local as a load balanced alias and view-cs1.mydomain.local, view-cs2.mydomain.local and view-cs3.mydomain.local as the hostnames of your 3 Connection Servers then set each External URL to be the appropriate hostname (e.g. view-cs1.mydomain.local) to ensure the tunnel connection gets to the same Connection Server and your load balancer doesn't misroute it.

If this is all on an internal network, then you don't need to use the tunnel and you can disable this option so that RDP, USB redirect etc. goes directly to the desktop.

The External URL and PCoIP External URL are only needed for remote access. Also refer to http://communities.vmware.com/docs/DOC-14974 if this is a remote access setup. It describes the use of External URL and PCoIP External URL.

Mark

paiolfi
Contributor

At this time we are using round robin DNS. The next step is going through a load balancer.

The whole environment is in the internal network and we are using PCoIP as the client connection protocol.

The current configuration is this:

DNS

view.mydomain.local 192.168.1.10

view.mydomain.local 192.168.1.11

view.mydomain.local 192.168.1.12

In this way each client uses the address assigned by the DNS round robin.

for each connection server I've the config in the image below (this is for CS1):

config.png

We must check "Use Secure tunnel..." because it is required for USB redirection with PCoIP.

Is this config correct?

markbenson
VMware Employee

No. This is not correct based on your original configuration. When you saw the failure, your round robin DNS will have sent tunnel connections to a different Connection Server and will have failed. Setting the External URL to the specific Connection Server name (resolvable on the Internet) is correct for remote access situations.

If you set the External URL and PCoIP External URL to the specific external IP addresses of your Connection Server then it will route correctly. It is only the FQDN in the URL that the View Client uses that should be used for round robin DNS (not the External URLs).

If this is all internal, then you don't need to use the tunnel anyway so you can untick "Use Tunnel ..." in which case the External URL is not used.

Mark
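
The log signature behind this diagnosis (broker requests succeed, then every tunnel start fails) can be pulled out of a View Client log mechanically. The following is an added example, not code from VMware or from either poster; the line layout is inferred from the log posted above, and the name `triage` is hypothetical.

```python
import re
from collections import Counter

# Excerpt of the client log posted at the top of this thread (not new data).
SAMPLE = """\
2013-02-05T07:19:44.652+01:00 DEBUG (1CB4-055C) <MessageFrameWorkDispatch> [wswc_http] Broker request reverse gssapi init successful
2013-02-05T07:19:44.864+01:00 DEBUG (1CB4-055C) <MessageFrameWorkDispatch> [wswc_http] Broker request transportCredentials successful
2013-02-05T07:19:44.976+01:00 ERROR (1CB4-1E44) <TunnelRead> [wswc_tunnel] HttpConnection: BAD HttpResponse
2013-02-05T07:19:44.977+01:00 INFO  (1CB4-1E44) <TunnelRead> [wswc_tunnel] Tunnel Unnamed: Could not start server view.mydomain.local, reason: HttpConnection: BAD HttpResponse
2013-02-05T07:19:45.077+01:00 INFO  (1CB4-1184) <TunnelRead> [wswc_tunnel] Tunnel Unnamed: Could not start server view.mydomain.local, reason: HttpConnection: BAD HttpResponse
"""

# timestamp, level, (pid-tid), <thread>, [module], message -- layout assumed
# from the posted log, not taken from any VMware specification.
LINE = re.compile(
    r"^(\S+)\s+(\w+)\s+\(([0-9A-F]+-[0-9A-F]+)\)\s+<([^>]+)>\s+\[([^\]]+)\]\s+(.*)$"
)
BROKER_OK = re.compile(r"^Broker request (.+) successful$")
TUNNEL_FAIL = re.compile(r"Could not start server ([^,\s]+), reason: (.+)$")


def triage(log_text):
    """Summarise broker successes and tunnel start failures in a client log."""
    broker_ok = []
    failures = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # ignore anything that is not a client log line
        module, msg = m.group(5), m.group(6)
        if module == "wswc_http" and (b := BROKER_OK.match(msg)):
            broker_ok.append(b.group(1))
        elif module == "wswc_tunnel" and (t := TUNNEL_FAIL.search(msg)):
            failures[(t.group(1), t.group(2))] += 1
    return {
        "broker_ok": broker_ok,
        "tunnel_failures": dict(failures),
        # Broker reachable but tunnel rejected: compare the External URL host
        # with the Connection Server that actually answered the broker calls.
        "broker_ok_tunnel_failed": bool(broker_ok) and bool(failures),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A true `broker_ok_tunnel_failed` is consistent with the tunnel landing on a different Connection Server, but it does not prove it; the host in `tunnel_failures` is the name to compare against each server's External URL.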

paiolfi
Contributor

I noticed that if I uncheck "Use Secure Tunnel..." I get the message "USB redirection is not available" and I cannot use USB with any of my virtual desktops.

Is there something else to configure?

paiolfi
Contributor

I thought to check "Use Secure Tunnel connection to desktop" because I read this KB:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=103620...

at the end in the field "Related Education" you can find this line:

In View Manager 5.1 and later releases, the USB redirection over port 32111 is tunneled over SSL connection (port 443).

I think that is why, if I uncheck "Use Secure...", the USB is not available.

markbenson
VMware Employee

No. If you have direct connection available from the Client to the virtual desktop, you don't need to use the tunnel. The USB redirection channel on TCP port 32111 can be direct. Check that you don't have a firewall blocking 32111 anywhere in the path.

Mark 

paiolfi
Contributor

There is no firewall active on the connection server. Not sure that port 32111 is not blocked on the thin client. I've got to check.

I'll let you know ASAP.

paiolfi
Contributor

OK. It was a firewall problem.

We are upgrading from View 4.5 and I noticed that in the View 5.x client USB redirection is provided by vmware-view-usbd.exe. This executable is not present in our client version so there wasn't a firewall exception for this exe.

Thank you very much for your help

P

markbenson
VMware Employee

Thanks for confirming this answer and I'm glad you now have it working.
