VMware Horizon Community
nkatana
Contributor

View 6.2 bug?

I found a problem with View along with one-way trust domains. It seems the problem occurs when I add the domain (client1.lab) to the domain exclude list. But there is no error when I remove the domain from the domain exclude list.

My setup is two domains; HQ.lab and client1.lab;

One-way Trust

HQ.lab -> client1.lab

(outgoing)-->--(incoming)

View Connection is member of HQ.lab.

Client1-VM-01 is member of client1.lab.

Here is the error log after I entered "vdmadmin -N -domains -exclude -domain CLIENT1 -add" to hide the domain from the Domain list in View Client, so the user will need to enter a UPN.

2015-09-19T02:31:22.841-05:00 INFO  (09A0-08A0) <ajp-nio-8009-exec-1> [UserContext] (SESSION:95eb_***_0b70 user1@client1.lab) UPN Login: User with the UPN user1@client1.lab is the user CLIENT1\user1

2015-09-19T02:31:22.879-05:00 INFO  (09A0-08A0) <ajp-nio-8009-exec-1> [AuthorizationFilter] (SESSION:95eb_***_0b70) User CLIENT1\user1 has successfully authenticated to VDM

2015-09-19T02:31:22.880-05:00 INFO  (09A0-08A0) <ajp-nio-8009-exec-1> [PAEContext] (SESSION:95eb_***_0b70) Client supports idle session handling. User idle timeout set to: never. Desktop SSO: enabled. Application SSO: enabled.

2015-09-19T02:31:22.885-05:00 INFO  (09A0-08A0) <ajp-nio-8009-exec-1> [Audit] (SESSION:95eb_***_0b70) BROKER_LOGON:USER:CLIENT1\user1;USERSID:S-1-5-21-1754858777-1199020022-3019864467-1106;USERDN:CN=S-1-5-21-1754858777-1199020022-3019864467-1106,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int;

2015-09-19T02:31:23.207-05:00 INFO  (02C0-0A80) <Thread-33> [g] (Request2) User user1 connected to the Secure Gateway Server - session ID: 04A6_***_00B4

2015-09-19T02:31:24.619-05:00 ERROR (0B80-1640) <MessageFrameWorkDispatch> [ws_winauth] Failed to bind to LDAP://client1.lab (The user name or password is incorrect.) {SESSION:95eb_***_0b70}

2015-09-19T02:31:24.619-05:00 ERROR (0B80-1640) <MessageFrameWorkDispatch> [ws_winauth] Failed to bind for SID=S-1-5-21-1754858777-1199020022-3019864467-1106, domain name=client1.lab {SESSION:95eb_***_0b70}

2015-09-19T02:31:24.624-05:00 ERROR (09A0-1004) <ajp-nio-8009-exec-6> [PAEContext] (SESSION:95eb_***_0b70) Could not determine if user account (user1) is valid for logon from AD, assuming disabled.

Also, the user (user1) will see an error after selecting the pool (c1-pool): "Your user account is disabled". I checked the account and it is still enabled.

When I entered "vdmadmin -N -domains -exclude -domain CLIENT1 -remove" to expose the domain in the Domain list in View Client, the user can enter either a UPN or a username and select the domain.

It works perfectly. No error appears on the log.

Bizarre thing: I already tried binding LDAP with a UPN and without. It works fine. Any idea why it fails to bind LDAP when the domain is on the exclude list, but works fine while the domain is not on the exclude list?

Is it a bug?


Accepted Solutions
griffjames
VMware Employee

Hi,

Thanks for reporting this.

View has an extra security check to determine whether a user's AD account is disabled. This check is always run at logon, but it's also optionally run (enabled by default) for each client command. The per-command check is what's failing in your case and generating the log errors.

The per-command checks are bypassed when View detects that the user's domain has a limited or one-way trust relationship with the connection server's domain. This is done because View will not be able to bind to the one-way trusted domain. In your case the domain has been excluded, so View can't determine that the user's domain has a one-way trust relationship. This results in the check being attempted and the bind failing. The only safe course of action on bind failure is to deny access, hence the error you are seeing.

I'll raise a problem report to handle this scenario better in the longer term.

Thanks

Griff
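As an added example (not part of any post in this thread, and not VMware code), the following Python script correlates connection server log lines of the shape quoted in the original post by SESSION id and flags sessions in which a successful authentication was followed by a failed LDAP bind to the user's domain and the "assuming disabled" fallback Griff describes. That combination is the fail-closed path of the per-command account check, and telling it apart from a genuinely disabled account is what an administrator reading these logs needs. The sample log is constructed: the first session copies the lines from the post, and the second session (1a2b_***_3c4d, user HQ\user2) is made up to show a clean login that is not flagged. The regexes assume only the line layout shown above.

```python
import re
from collections import defaultdict

# Constructed sample log. Session 95eb_***_0b70 copies the shape of the
# connection server lines quoted in the post; session 1a2b_***_3c4d and
# user HQ\user2 are made up to show a login that must NOT be flagged.
SAMPLE_LOG = r"""2015-09-19T02:31:22.841-05:00 INFO  (09A0-08A0) <ajp-nio-8009-exec-1> [UserContext] (SESSION:95eb_***_0b70 user1@client1.lab) UPN Login: User with the UPN user1@client1.lab is the user CLIENT1\user1
2015-09-19T02:31:22.879-05:00 INFO  (09A0-08A0) <ajp-nio-8009-exec-1> [AuthorizationFilter] (SESSION:95eb_***_0b70) User CLIENT1\user1 has successfully authenticated to VDM
2015-09-19T02:31:23.207-05:00 INFO  (02C0-0A80) <Thread-33> [g] (Request2) User user1 connected to the Secure Gateway Server - session ID: 04A6_***_00B4
2015-09-19T02:31:24.619-05:00 ERROR (0B80-1640) <MessageFrameWorkDispatch> [ws_winauth] Failed to bind to LDAP://client1.lab (The user name or password is incorrect.) {SESSION:95eb_***_0b70}
2015-09-19T02:31:24.619-05:00 ERROR (0B80-1640) <MessageFrameWorkDispatch> [ws_winauth] Failed to bind for SID=S-1-5-21-1754858777-1199020022-3019864467-1106, domain name=client1.lab {SESSION:95eb_***_0b70}
2015-09-19T02:31:24.624-05:00 ERROR (09A0-1004) <ajp-nio-8009-exec-6> [PAEContext] (SESSION:95eb_***_0b70) Could not determine if user account (user1) is valid for logon from AD, assuming disabled.
2015-09-19T02:32:10.100-05:00 INFO  (09A0-08A0) <ajp-nio-8009-exec-2> [AuthorizationFilter] (SESSION:1a2b_***_3c4d) User HQ\user2 has successfully authenticated to VDM
"""

# Layout assumed from the quoted lines: timestamp, level, (thread id), <thread name>, [component], message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+\((?P<tid>[^)]*)\)\s+<(?P<thread>[^>]*)>\s+"
    r"\[(?P<component>[^\]]*)\]\s+(?P<msg>.*)$"
)
# The session id appears as "(SESSION:id ...)" on broker lines and "{SESSION:id}" on ws_winauth lines.
SESSION_RE = re.compile(r"SESSION:([^\s)}]+)")
AUTH_RE = re.compile(r"User (\S+) has successfully authenticated to VDM")
BIND_RE = re.compile(r"Failed to bind to LDAP://(\S+)")
ASSUMED_DISABLED = "assuming disabled"


def parse_line(line):
    """Split one log line into fields; return None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    s = SESSION_RE.search(rec["msg"])
    rec["session"] = s.group(1) if s else None  # gateway lines carry no SESSION tag
    return rec


def group_by_session(lines):
    """Group parsed records by broker session id, dropping lines without one."""
    by_session = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["session"]:
            by_session[rec["session"]].append(rec)
    return by_session


def find_false_disabled(lines):
    """Return sessions where the user authenticated, the bind to the user's domain
    then failed, and the broker fell back to 'assuming disabled'. This is the
    fail-closed path, not evidence that the AD account is really disabled."""
    findings = []
    for session, recs in group_by_session(lines).items():
        user = failed_domain = None
        assumed_disabled = False
        for rec in recs:
            if rec["component"] == "AuthorizationFilter":
                m = AUTH_RE.search(rec["msg"])
                if m:
                    user = m.group(1)
            elif rec["component"] == "ws_winauth":
                m = BIND_RE.search(rec["msg"])
                if m:
                    failed_domain = m.group(1)
            elif rec["component"] == "PAEContext" and ASSUMED_DISABLED in rec["msg"]:
                assumed_disabled = True
        if user and failed_domain and assumed_disabled:
            findings.append({
                "session": session,
                "user": user,
                "failed_domain": failed_domain,
                "first_seen": recs[0]["ts"],
            })
    return findings


if __name__ == "__main__":
    for f in find_false_disabled(SAMPLE_LOG.splitlines()):
        print(f"{f['first_seen']} session {f['session']}: {f['user']} denied because "
              f"the bind to {f['failed_domain']} failed (account status unverified, assumed disabled)")
```

Run over a real connection server log (debug-*.txt), a hit means the user's domain could not be bound for the per-command check; with a one-way trust that is expected whenever the domain is on the exclude list, as this thread establishes, so the fix is on the trust or exclusion configuration side rather than on the user account.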


4 Replies

griffjames
VMware Employee

I've raised PR 1519013 to cover this issue.

Griff

nkatana
Contributor

You said it is optional and enabled by default.

Can you explain how to disable it?

MiroVM
Contributor

Hi Guys,

Did anyone find a permanent solution for this? I'm getting the same problem after upgrading from 6.1 to 6.2. The logs show, as per the discussion, "unable to verify so assuming disabled"; the connection server and users are part of the same domain, so the domain exclusion list is empty. Thanks for a reply.
