VMware Horizon Community
RHamaker
Contributor

View Security Server with Smartcard Auth

Guys, I am at a bit of a standstill with my Horizon 6 deployment and I am hoping to get some assistance. I have a connection server running on the 10.0.244.x network, which works fine with smart card authentication. I have a security server in the DMZ that will connect to the connection server over the allowed ports, and that seems fine. However, I cannot connect to the security server (which is on the 172.14.x.x network, just for reference) via smart card. I just get the error "Smart card authentication is required." I am forcing smart card authentication so the error is not incorrect, but I cannot figure out what is keeping the security server from passing smart card credentials to the connection server. I am cutting and pasting log snippets below to help hopefully:

Security server:

2016-01-26T14:17:23.180-06:00 DEBUG (0B20-1340) <pool-1-thread-13> [PooledProcessor] SSL handshake exception for /10.0.211.180:4708, error was: Received fatal alert: certificate_unknown

2016-01-26T14:17:24.258-06:00 DEBUG (0B20-16D4) <HandshakeCompletedNotify-Thread> [PooledProcessor] Using secure protocol TLSv1.2 and cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

2016-01-26T14:17:24.321-06:00 DEBUG (0B20-0A7C) <Thread-34> [SimpleAJPService] (ajp:broker:Request37) Request from /10.0.211.180: POST /broker/xml

2016-01-26T14:17:24.368-06:00 DEBUG (0B20-0D9C) <AJP-18> [SimpleAJPService] (ajp:broker:Request37) Response 200 OK [close]

Connection server:

2016-01-26T14:17:17.582-06:00 DEBUG (1198-11EC) <CBHealthUpdate> [TrackerManager] Sending message: (TrackerMessage SYNC {}: {nn=VDI-IPPSA-View, u=[{"type":"SET","item":{"name":"HEALTH_LAST_UPDATE_TIME","type":"LONG","longValue":1453839437581}},{"type":"SET","item":{"name":"ATTR_BROKER_VERSION","typ...

2016-01-26T14:17:24.615-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlRequestProcessor] (SESSION:9cca_***_bdab) read XML input

2016-01-26T14:17:24.615-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlRequestProcessor] (SESSION:9cca_***_bdab) added: set-locale

2016-01-26T14:17:24.615-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlRequestProcessor] (SESSION:9cca_***_bdab) added: configuration

2016-01-26T14:17:24.615-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlAuthFilter] (SESSION:9cca_***_bdab) Pre-Auth Processing: configuration

2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [ProperoAuthFilter] (SESSION:9cca_***_bdab) Attempting to authenticate against gssapi

2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [ProperoAuthFilter] (SESSION:9cca_***_bdab) Attempting to authenticate against cert-auth

2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [CertificateAuthFilter] (SESSION:9cca_***_bdab) Client did not use Certificate Authentication, skipping or failing

2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [CertificateAuthFilter] (SESSION:9cca_***_bdab) Failing Certificate authentication, fatal error for REQUIRED mode

2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [CertificateAuthFilter] (SESSION:9cca_***_bdab) messageKey not set in HttpServletRequest

2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [EventLogger] (SESSION:9cca_***_bdab) Error_Event:[BROKER_USER_AUTHFAILED_GENERAL] "User null failed to authenticate": Node=VDI-IPPSA-View.ds.amrdec.army.mil, ClientIpAddress=10.0.211.180, Severity=AUDIT_FAIL, Time=Tue Jan 26 14:17:24 CST 2016, Module=Broker, UserDisplayName=null, Source=com.vmware.vdi.broker.filters.CertificateAuthFilter, Acknowledged=true

2016-01-26T14:17:24.617-06:00 DEBUG (1640-1118) <MessageFrameWorkDispatch> [MessageFrameWork] System::WriteWindowsEvent

2016-01-26T14:17:24.617-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [ProperoAuthFilter] (SESSION:9cca_***_bdab) Not authenticated, requesting login page for cert-auth

2016-01-26T14:17:24.617-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [AuthorizationFilter] (SESSION:9cca_***_bdab) paeCtx == null, forwarding to login page: /broker/xml

2016-01-26T14:17:24.617-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlServlet] (SESSION:9cca_***_bdab) Start processing: set-locale,configuration

2016-01-26T14:17:24.617-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlServlet] (SESSION:9cca_***_bdab) Processing: set-locale

2016-01-26T14:17:24.618-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlServlet] (SESSION:9cca_***_bdab) Finished processing: set-locale, Result: ok

2016-01-26T14:17:24.618-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlServlet] (SESSION:9cca_***_bdab) Processing: configuration

2016-01-26T14:17:24.618-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlServlet] (SESSION:9cca_***_bdab) Finished processing: configuration, Result: error, Error Code: AUTHENTICATION_FAILED, Error Message: Authentication failure, User Message: Smart Card or Certificate authentication is required.

2016-01-26T14:17:24.619-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlServlet] (SESSION:9cca_***_bdab) End processing: set-locale,configuration

2016-01-26T14:17:37.261-06:00 DEBUG (1198-0ED0) <DesktopControlSessions> [DesktopTracker] start session reader broadcast

2016-01-26T14:17:39.801-06:00 DEBUG (1198-0124) <VirtualCenterDriver-573f884e-f4e7-4a7c-b04f-184cd0c3c7be> [VirtualCenterDriver] VMs checked for reconfiguration: 5; not checked for reconfiguration: 0

2016-01-26T14:17:39.801-06:00 DEBUG (1198-0124) <VirtualCenterDriver-573f884e-f4e7-4a7c-b04f-184cd0c3c7be> [VirtualCenterDriver] (RePropagate cn=ippsa,ou=server groups,dc=vdi,dc=vmware,dc=int) onMachineEvent: null in pool: cn=ippsa,ou=server groups,dc=vdi,dc=vmware,dc=int

2016-01-26T14:17:40.171-06:00 DEBUG (1198-0EB4) <Publish VC Cert Task-1453235100421> [ServiceConnection25] Connecting instance Publish VC Cert Task Instance at URL https://VDI-SVR2:443/sdk

2016-01-26T14:17:40.185-06:00 DEBUG (1198-29D4) <MessageFrameWorkDispatch> [MessageFrameWork] ValidateCertificateChain ok=1, msecs=0

2016-01-26T14:17:40.185-06:00 DEBUG (1198-0EB4) <Publish VC Cert Task-1453235100421> [CertMatchingTrustManager] invalid certificate (as expected) for VDI-SVR2:443 InvalidCertificateException[reasons:nameMismatch;notTrusted;cantCheckRevoked; subject:'EMAILADDRESS=support@vmware.com, CN=VMware default certificate, OU=vCenterServer_2015.03.27_222554, O="VMware, Inc."' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: nameMismatch, cantCheckRevoked, ChainReasons: partialChain']

2016-01-26T14:17:40.434-06:00 DEBUG (1198-1978) <MessageFrameWorkDispatch> [MessageFrameWork] ValidateCertificateChain ok=1, msecs=0

2016-01-26T14:17:40.434-06:00 DEBUG (1198-0EB4) <Publish VC Cert Task-1453235100421> [CertMatchingTrustManager] invalid certificate (as expected) for VDI-SVR2:443 InvalidCertificateException[reasons:nameMismatch;notTrusted;cantCheckRevoked; subject:'EMAILADDRESS=support@vmware.com, CN=VMware default certificate, OU=vCenterServer_2015.03.27_222554, O="VMware, Inc."' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: nameMismatch, cantCheckRevoked, ChainReasons: partialChain']

2016-01-26T14:17:40.639-06:00 DEBUG (1198-0EB4) <Publish VC Cert Task-1453235100421> [ServiceConnection25] Connected instance Publish VC Cert Task Instance at URL https://VDI-SVR2:443/sdk

2016-01-26T14:17:40.639-06:00 DEBUG (1198-0EB4) <Publish VC Cert Task-1453235100421> [ServiceConnection25] Fetched reference objects for instance Publish VC Cert Task Instance at URL https://VDI-SVR2:443/sdk in 0 seconds. CBRC supported by VC: true

2016-01-26T14:17:40.657-06:00 DEBUG (1198-1588) <MessageFrameWorkDispatch> [MessageFrameWork] ValidateCertificateChain ok=1, msecs=0

2016-01-26T14:17:40.658-06:00 DEBUG (1198-0EB4) <Publish VC Cert Task-1453235100421> [CertMatchingTrustManager] invalid certificate (as expected) for 10.0.244.56:18443 InvalidCertificateException[reasons:nameMismatch;notTrusted; subject:'C=US, ST=CA, L=CA, O=VMware Inc., OU=VMware Inc., CN=VDI-SED-COMPOSE, EMAILADDRESS=support@vmware.com' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: nameMismatch, noTrust, ChainReasons: invalid']

2016-01-26T14:17:47.266-06:00 DEBUG (1198-0ED0) <DesktopControlSessions> [SDMessageManager] finished waiting, was waiting for 10000ms

2016-01-26T14:17:49.307-06:00 DEBUG (1B28-1C90) <MsgWorker#8> [bm] Item on queue "Inbound JMS Worker" for 81 us, queue length = 0, available workers = 9 of 10

2016-01-26T14:17:49.308-06:00 DEBUG (1B28-1C90) <MsgWorker#8> [r] (-) RequestGetStatus: serverType = ice, server = null, localHostname = VDI-IPPSA-VIEW

2016-01-26T14:17:49.308-06:00 DEBUG (1B28-1C90) <MsgWorker#8> [cc] (-) Queuing request ABSGC29-2451

2016-01-26T14:17:49.308-06:00 DEBUG (1B28-102C) <ABSGC29> [cc] Handling request ABSGC29-2451, on queue for 18uS

2016-01-26T14:17:49.309-06:00 DEBUG (1B28-102C) <ABSGC29> [cc] Queuing receipt ABSGC-9297

2016-01-26T14:17:49.309-06:00 DEBUG (1B28-207C) <ABSGC29:C> [cm] Handling message ABSGC-9297, on queue for 28uS

2016-01-26T14:17:49.310-06:00 DEBUG (1B28-1C90) <MsgWorker#8> [cs] (-) Queuing request PSGC28-2477

2016-01-26T14:17:49.310-06:00 DEBUG (1B28-1764) <PSGC28> [cs] Handling request PSGC28-2477, on queue for 25uS

2016-01-26T14:17:49.310-06:00 DEBUG (1B28-1764) <PSGC28> [cs] Sending GETCOUNTERS request PSGC28-2477

2016-01-26T14:17:49.310-06:00 DEBUG (1B28-0E00) <PSGC28:L> [df] Good response received for GETCOUNTERS request PSGC28-2477 in 555uS (parsed in 82uS)

2016-01-26T14:17:49.310-06:00 DEBUG (1B28-0E00) <PSGC28:L> [cs] Queuing receipt 9334

2016-01-26T14:17:49.311-06:00 DEBUG (1B28-1EBC) <PSGC28:C> [cm] Handling message 9334, on queue for 17uS

2016-01-26T14:17:49.312-06:00 DEBUG (1B28-1C90) <MsgWorker#8> [r] (-) IPsec Quick Mode Security Associations not currently active

2016-01-26T14:17:49.312-06:00 DEBUG (1B28-1A2C) <Outbound JMS Responder Thread> [bm] Item on queue "Outbound JMS Responder" for 19 us, queue length = 0, available workers = 0 of 1

2016-01-26T14:17:49.312-06:00 DEBUG (1B28-1A2C) <Outbound JMS Responder Thread> [m] Sending JMS message: CurrentStatus

2016-01-26T14:17:49.313-06:00 DEBUG (1B28-1A2C) <Outbound JMS Responder Thread> [m] Sent ObjectMessage in 990 us

2016-01-26T14:17:49.804-06:00 DEBUG (1198-0D50) <propagate-573f884e-f4e7-4a7c-b04f-184cd0c3c7be> [VirtualCenterDriver] Determine actions for cn=ippsa,ou=server groups,dc=vdi,dc=vmware,dc=int: stats={errorVMs=0, available=1, suspendedVMs=0, dirtyForNewSession=0, poweredOffVMs=3, recentlyRecoveredVMs=0, total=5, customizingVMs=0, availableAssigned=0, busy=1, zombie=0, assigned=0, adminDisabled=0}, vmMaximumCount=5, vmMinimumCount=5, vmHeadroomCount=1

2016-01-26T14:17:50.273-06:00 DEBUG (1198-2604) <MessageFrameWorkDispatch> [MessageFrameWork] ValidateCertificateChain ok=1, msecs=0

2016-01-26T14:17:50.274-06:00 DEBUG (1198-23C4) <VcCache poller 573f884e-f4e7-4a7c-b04f-184cd0c3c7be> [CertMatchingTrustManager] invalid certificate (as expected) for VDI-SVR2:443 InvalidCertificateException[reasons:nameMismatch;notTrusted;cantCheckRevoked; subject:'EMAILADDRESS=support@vmware.com, CN=VMware default certificate, OU=vCenterServer_2015.03.27_222554, O="VMware, Inc."' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: nameMismatch, cantCheckRevoked, ChainReasons: partialChain']

2016-01-26T14:17:50.477-06:00 DEBUG (1198-23C4) <VcCache poller 573f884e-f4e7-4a7c-b04f-184cd0c3c7be> [TrackerObject] Sync complete: VcCacheTrackedVCs:573f884e-f4e7-4a7c-b04f-184cd0c3c7be to version: 18725

2016-01-26T14:17:50.477-06:00 DEBUG (1198-23C4) <VcCache poller 573f884e-f4e7-4a7c-b04f-184cd0c3c7be> [TrackerManager] Sending message: (TrackerMessage SYNC {}: {nn=VDI-IPPSA-View, u=[{"type":"SET","item":{"name":"lastSeen","type":"LONG","longValue":1453839470477}}], v=18725, tn=VcCacheTrackedVCs, oi=573f884e-f4e7-4a7c-b04f-184cd0c3c7...

2016-01-26T14:17:53.347-06:00 DEBUG (1B28-207C) <ABSGC29:C> [az] getCoManagerStatus: CoController.queryHealth: request failed:

mid=ABSGC29-2451

reason=Timeout

2016-01-26T14:17:54.307-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [SGHealth] Processing health info from secure gateway BA-VMSEC

2016-01-26T14:17:54.308-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [SGHealth] IPsec status NOT_IN_USE for BA-VMSEC

2016-01-26T14:17:54.309-06:00 DEBUG (1198-18E0) <MessageFrameWorkDispatch> [MessageFrameWork] ValidateCertificateChain ok=1, msecs=0

2016-01-26T14:17:54.310-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [TrackerObject] Sync complete: SGHealth:BA-VMSEC to version: 1273

2016-01-26T14:17:54.310-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [TrackerManager] Sending message: (TrackerMessage SYNC {}: {nn=VDI-IPPSA-View, u=[{"type":"SET","item":{"name":"HEALTH_LAST_UPDATE_TIME","type":"LONG","longValue":1453839474309}},{"type":"SET","item":{"name":"ATTR_SG_VERSION","type":"...

2016-01-26T14:17:54.311-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [SGHealth] Processing health info from secure gateway VDI-IPPSA-VIEW

2016-01-26T14:17:54.312-06:00 DEBUG (1198-29D4) <MessageFrameWorkDispatch> [MessageFrameWork] ValidateCertificateChain ok=1, msecs=0

2016-01-26T14:17:54.312-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [TrackerObject] Sync complete: SGHealth:VDI-IPPSA-VIEW to version: 9297

2016-01-26T14:17:54.312-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [TrackerManager] Sending message: (TrackerMessage SYNC {}: {nn=VDI-IPPSA-View, u=[{"type":"SET","item":{"name":"HEALTH_LAST_UPDATE_TIME","type":"LONG","longValue":1453839474312}},{"type":"SET","item":{"name":"ATTR_SG_VERSION","type":"...

2016-01-26T14:17:54.554-06:00 DEBUG (1198-187C) <EnhancedSecurityManager$EnhancedSecurityTask-1453235101061> [EnhancedSecurityManager$EnhancedSecurityTask] Current mode: ENHANCED current level: ENHANCED

2016-01-26T14:17:57.583-06:00 DEBUG (1198-11EC) <CBHealthUpdate> [CBHealth] IPsec status NOT_IN_USE for BA-VMSEC

2016-01-26T14:17:57.583-06:00 DEBUG (1198-11EC) <CBHealthUpdate> [TrackerObject] Sync complete: BrokerHealth:VDI-IPPSA-VIEW to version: 15109

2016-01-26T14:17:57.584-06:00 DEBUG (1198-11EC) <CBHealthUpdate> [TrackerManager] Sending message: (TrackerMessage SYNC {}: {nn=VDI-IPPSA-View, u=[{"type":"SET","item":{"name":"HEALTH_LAST_UPDATE_TIME","type":"LONG","longValue":1453839477583}},{"type":"SET","item":{"name":"ATTR_BROKER_VERSION","typ...

0 Kudos
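
The failure signature in the connection server log above can be pulled out mechanically. This is an added example, not part of the original post: it groups debug lines by SESSION id and reports sessions where CertificateAuthFilter required a certificate and none was presented. The sample lines are constructed in the post's format, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Line layout as in the post:
# timestamp LEVEL (pid-tid) <thread> [component] (SESSION:id) message
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+)\s+\([0-9A-F]+-[0-9A-F]+\) "
    r"<(?P<thread>[^>]*)> \[(?P<component>[^\]]+)\] "
    r"(?:\(SESSION:(?P<session>[^)]+)\) )?(?P<msg>.*)$")
CLIENT_IP = re.compile(r"ClientIpAddress=([0-9.]+)")

def cert_auth_failures(lines):
    """One finding per session where the broker required a client
    certificate but the request arrived without one."""
    sessions = defaultdict(dict)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or not m["session"]:
            continue  # unparsable line, or one not tied to a session
        s, msg = sessions[m["session"]], m["msg"]
        if m["component"] == "CertificateAuthFilter":
            if "Client did not use Certificate Authentication" in msg:
                s["no_client_cert"] = True
            if "REQUIRED mode" in msg:
                s["required_at"] = m["ts"]
        elif m["component"] == "EventLogger" and "AUTHFAILED" in msg:
            ip = CLIENT_IP.search(msg)
            s["client_ip"] = ip.group(1) if ip else None
    return [{"session": sid, "time": s["required_at"],
             "client_ip": s.get("client_ip")}
            for sid, s in sessions.items()
            if s.get("no_client_cert") and "required_at" in s]

# Constructed sample modelled on the post's lines (documentation-range IP).
P = "2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> "
SAMPLE = [
    P + "[ProperoAuthFilter] (SESSION:aaaa_***_0001) Attempting to authenticate against cert-auth",
    P + "[CertificateAuthFilter] (SESSION:aaaa_***_0001) Client did not use Certificate Authentication, skipping or failing",
    P + "[CertificateAuthFilter] (SESSION:aaaa_***_0001) Failing Certificate authentication, fatal error for REQUIRED mode",
    P + '[EventLogger] (SESSION:aaaa_***_0001) Error_Event:[BROKER_USER_AUTHFAILED_GENERAL] "User null failed to authenticate": ClientIpAddress=192.0.2.10, Severity=AUDIT_FAIL',
    P + "[XmlServlet] (SESSION:bbbb_***_0002) Finished processing: set-locale, Result: ok",
    "2016-01-26T14:17:24.617-06:00 DEBUG (1640-1118) <MessageFrameWorkDispatch> [MessageFrameWork] System::WriteWindowsEvent",
]

if __name__ == "__main__":
    for finding in cert_auth_failures(SAMPLE):
        print(finding)
```
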
1 Solution

Accepted Solutions
larsonm
VMware Employee

When I experienced this issue, I had not configured the locked.properties file on the Security Server.  I also made the mistake of not showing the file extensions in Windows Explorer, so while it looked like locked.properties, it was locked.properties.txt.


0 Kudos
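
A check for the mistake described in the accepted solution, as an added example that is not part of the original thread: it flags a `locked.properties.txt` lookalike and verifies that the real file carries the smart card settings. The key names `trustKeyfile`, `trustStoretype` and `useCertAuth`, and the truststore living in the same folder, are assumptions taken from VMware's smart card setup documentation; the function names and `example.key` are hypothetical.

```python
from pathlib import Path
import tempfile

# Assumed smart card settings (from VMware's documentation, not this thread).
REQUIRED_KEYS = ("trustKeyfile", "trustStoretype", "useCertAuth")

def check_locked_properties(conf_dir):
    """Return a list of problems with locked.properties in conf_dir."""
    conf = Path(conf_dir)
    target = conf / "locked.properties"
    problems = []
    # With extensions hidden, locked.properties.txt looks like the real file.
    for name in sorted(p.name for p in conf.iterdir()):
        low = name.lower()
        if low.startswith("locked.properties") and low != "locked.properties":
            problems.append(f"lookalike file name: {name}")
    if not target.is_file():
        problems.append("locked.properties is missing")
        return problems
    props = {}
    text = target.read_text(encoding="utf-8", errors="replace")
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append(f"{key} is not set")
    if props.get("useCertAuth", "").lower() not in ("", "true"):
        problems.append("useCertAuth is not true")
    keyfile = props.get("trustKeyfile")
    if keyfile and not (conf / keyfile).is_file():
        problems.append(f"truststore {keyfile} not found beside locked.properties")
    return problems

def demo():
    """Reproduce the thread's mistake in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "locked.properties.txt").write_text(
            "trustKeyfile=example.key\ntrustStoretype=jks\nuseCertAuth=true\n")
        return check_locked_properties(d)

if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it against the configuration folder of both the connection server and the security server; a working pair should return an empty list for each.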
RHamaker
Contributor

Man, I feel stupid for not even thinking about that. Copied the locked.properties file from my connection server to my security server and all is well.

Thanks for the help!

0 Kudos