I am unable to authenticate using a smartcard from the view client.
Error Log 1 (View server):
Unable to extract User Principal Name: Unknown type 22, remaining......
..........................................
Failed to convert SID (null)
Unable to obtain user information from the Active Directory
Error instantiating PAEContext for : com.vmware.vdi.ob.lib.b: Failed to retrieve user information for the users with given upns: Unable to obtain information from the Active Directory - ErrorCode 1
Error Log 2 (View server):
No SubjectAlternativeName found
Failed to convert SID
Unable to obtain user information from the Active Directory
Error instantiating PAEContext for : com.vmware.vdi.ob.lib.b: Failed to retrieve user information for the users with given upns: Unable to obtain information from the Active Directory - ErrorCode 1
The logs show the certificate being read by the view server and all the details of CRLs etc but it appears unable to extract the UPN. Where does it resolve it from?
I read in the admin guide that if the Root CA is in another domain then the user must have the Subject Alt Name of the Root CA cert set as this UPN of their local domain account. I do not understand why this is as the UPN is a vital attribute for many other software products and is usually in the format user@company.com. The error logs above would suggest that the UPN from the user cert cannot be decoded and therefore cannot be used to resolve the user from the Active Directory.
In the event log on the view server the first event is an informational one stating "No SubjectAlternativeName found" and then the next event is of the type warning and is "Failed to convert SID (null)". Why is the first message Informational when it appears to be part of the problem?
Are there any special rights required by the ws_admin server to convert the SID, or is it because it uses the Subject Alt Name which should be the user UPN?
Thoroughly confused!
Thanks
Welcome to the community.
The virtual desktop is part of a pool?
Have you tried on a single dedicated VM?
Andre
This appears to be an authentication problem not related to specific VMs. I don't even get to that stage. It fails at this point:
[CertificateAuthFilter]: Extracted UPN from Header:
There should be a value after this line for the UPN as shown on a working system we have. The question is where does it extract this from?
Thanks
Saf
Hi Safyas,
UPN should be present for user accounts in order for smart card authentication to work.
Please make sure the user has proper UPN set.
Refer to the View Admin Guide, page 125, for details on how to configure this. You can make sure the smart card authentication configuration in your domain/machines is proper by connecting to the View Desktop from a Client machine using normal RDP (mstsc).
-noble
Thanks but I checked that already. I noticed that on the system that is failing different processes appear to be starting before the UPN is extracted. They appear to be related to a broker connection via a web protocol. Could this be related to VM pools as mentioned above by another contributor?
View uses the smart card certificate for authenticating users to access the broker and then log in to the desktop VM.
If you are unable to get up to the Desktop selection page, that means the first step itself has failed.
Can you give the exact error message that you are getting on the Client and at what stage you are getting it?
Also a few more details, like:
Do you have any other client machine where smart card authentication works perfect?
Are you able to login using smart card and launch desktops as this particular user/smartcard from any other client?
The client error supports what is shown on the server logs:
wswc_http: brokerLogon succesful
wswc_command: brokerLogon response xml ERROR: Athentication failure
The view Connection server connection failed. No user could be found for your certificate.
The difference on the view server that fails is it has extra lines in the log:
[PooledProcessor] Peer Verifiied as: CN=user1, OR (Rest of DN here)
[PooledProcessor] Calling SocketHandler process...
[SimpleAJPService] (Request 2) SimpleAJPService request: /broker/xml
There is more but essentially it appears to be doing some kind of pool processing before authentication and forwarding headers. This is why I thought it may be related to pooling. None of this is done on the working server.
Thanks
Found the problem.
Our UPN in the certificate uses IA5String encoding and the broker cannot interpret it. Changing to UTF8 encoding solves the problem.
Thanks for all your suggestions.
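To make the encoding mismatch from the post above checkable, here is an added example (not VMware's code or anything from the View product): a minimal DER walker that locates the UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) in a subjectAltName extension and reports which ASN.1 string type carries it. The SAN bytes are constructed inline; for reference, universal tag 22 is IA5String, 12 is UTF8String and 30 is BMPString, which matches the "Unknown type 22" / "Unknown type: 30" lines quoted in this thread.

```python
"""Report the ASN.1 string type of the UPN otherName in a SAN extension.
Illustrative code only; the SAN blobs below are constructed, not real certs."""

# DER-encoded OID 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN otherName)
UPN_OID_DER = bytes([0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03])
STRING_TYPES = {0x0C: "UTF8String", 0x13: "PrintableString",
                0x16: "IA5String", 0x1E: "BMPString"}

def tlv(tag, body):
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: low 7 bits = number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_san(upn, string_tag):
    """Constructed sample SAN: one otherName UPN using the given string tag."""
    enc = "utf-16-be" if string_tag == 0x1E else "utf-8"
    other_name = tlv(0x06, UPN_OID_DER) + tlv(0xA0, tlv(string_tag, upn.encode(enc)))
    return tlv(0x30, tlv(0xA0, other_name))   # GeneralNames SEQUENCE of [0] otherName

def find_upn(san_der):
    """Walk GeneralNames; return (string_type_name, upn) or None if no UPN."""
    _, names, _ = read_tlv(san_der, 0)
    pos = 0
    while pos < len(names):
        tag, val, pos = read_tlv(names, pos)
        if tag != 0xA0:               # only [0] otherName entries are of interest
            continue
        oid_tag, oid, p = read_tlv(val, 0)
        if oid_tag != 0x06 or oid != UPN_OID_DER:
            continue
        _, explicit, _ = read_tlv(val, p)       # [0] EXPLICIT wrapper
        stype, raw, _ = read_tlv(explicit, 0)   # the actual string TLV
        text = raw.decode("utf-16-be" if stype == 0x1E else "utf-8", "replace")
        return STRING_TYPES.get(stype, f"unknown tag {stype}"), text
    return None

if __name__ == "__main__":
    for t in (0x0C, 0x16, 0x1E):
        print(find_upn(build_san("user1@corp.example", t)))
```

Run it against the SAN extension bytes of a real user certificate to confirm whether the UPN is UTF8String before reissuing.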
See last comment.
Hi SaFYas,
I have the same problem. At which level did you change the encoding to UTF8: the certificate or a parameter in the View Connection Server? In any case, could you tell me the procedure?
Thanks in advance.
I did it in the certificate. I do not know if you can do it on the broker. Check that your certificate has a valid UPN in it for the user.
I found the exact nature of the problem by dumping the logs using the "Generate View Connection Server Log Bundle" from the VMWare menu in the program menu. This dumps a directory to your desktop. In that directory is a folder called vdm-logs. In there is a series of logs. Look at the most recently modified one that starts with "debug-...". In there you should see a section where the certificate is parsed, search for the text "Reading Certificate". You should see it attempting to extract the user UPN from the certificate. This is where there will be an error if it can not find one in the right format.
Where in your certificate do you have the UPN?
Yes. The certificate has a valid UPN name (l0021@xxxxxx.es) and this name is located in the Subject Alternative Name (SAN) attribute.
The log from the View Connection Server is the following:
2011-03-10 11:24:31,049 DEBUG <HandshakeCompletedNotify-Thread> [PooledProcessor] Reading certificate: CN="GUTIÉRREZ DÍAZ, xxxxxxxxx (SEN-AUTENTICACION)", GIVENNAME=xxxxxxxx, SURNAME=GUTIÉRREZ DÍAZ, SERIALNUMBER=xxxxxxxxxxxx, EMAILADDRESS=xxxxxxxxx.gutierrez@xxxxxx.es, O=xxxxxx, C=ES
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] PrincipalNameParser.decode: 0, 0, ,
, +, , , , , ツ, 7, , , , ᅠ, ", ᅠ, , , ,
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] readLength: Length consists of 7-bit value
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] readLength: Length consists of 7-bit value
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] getNameFromSequence: type = 16 length = 48, ObjectID = {1.3.6.1.4.1.311.20.2.3.}
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] readLength: Length consists of 7-bit value
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] drillToString: Sequence is composition: moving on to next level
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] readLength: Length consists of 7-bit value
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] drillToString: Sequence is composition: moving on to next level
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] readLength: Length consists of 7-bit value
2011-03-10 11:24:31,049 DEBUG <HandshakeCompletedNotify-Thread> [PooledProcessor] Unable to extract User Principal Name: Unknown type: 30, remaining (0, 0, ,
, +, , , , , ツ, 7, , , , ᅠ, ", ᅠ, , , ,
2011-03-10 11:24:31,049 DEBUG <HandshakeCompletedNotify-Thread> [PooledProcessor] Reading certificate: CN=AC xxxxxx PERSONAS, O=xxxxxxx, C=ES
2011-03-10 11:24:31,049 WARN <HandshakeCompletedNotify-Thread> [PooledProcessor] No SubjectAlternativeName found
2011-03-10 11:24:31,049 DEBUG <HandshakeCompletedNotify-Thread> [PooledProcessor] Peer verified as: CN=GUTIÉRREZ DÍAZ\, xxxxxxxx (SEN-AUTENTICACION),2.5.4.42=#0c0e4d4152c38d41204245474fc39141,2.5.4.4=#0c1047555449c3895252455a2044c38d415a,2.5.4.5=#1309353030333431303053,1.2.840.113549.1.9.1=#161b6d6265676f6e612e67757469657272657a4073656e61646f2e6573,O=xxxxxx,C=ES
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] Calling SocketHandler.process...
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] SocketHandler.process done.
Some information has been replaced with "xxxxxxx" for security reasons.
How are you issuing your certificates? Do you use a Registration Authority? Are there any policy modules that run on the certificate authority?
An easy way to specify the UTF-8 type UPN is here:
http://support.microsoft.com/kb/888180
I solved the error "Failed to bind to GC" by setting the IP of my Active Directory as the primary DNS server on my View Connection Server.
I found out that, as I have a Linux DNS server and a Windows 2008 server, I lacked a configuration in my DNS named zone that redirects global catalog searches to the Active Directory server.
It was this:
gc._msdcs.ad.mydom.com | SRV | 0 0 3268 dc1.ad.mydom.com. |