VMware Horizon Community
SafYas
Contributor

View smartcard logon - Failed to convert SID

I am unable to authenticate using a smartcard from the view client.

Error Log 1 (View server):

Unable to extract User Principal Name: Unknown type 22, remaining......

..........................................

Failed to convert SID (null)

Unable to obtain user information from the Active Directory

Error instantiating PAEContext for : com.vmware.vdi.ob.lib.b: Failed to retrieve user information for the users with given upns: Unable to obtain information from the Active Directory - ErrorCode 1

Error Log 2 (View server):

No SubjectAlternativeName found

Failed to convert SID

Unable to obtain user information from the Active Directory

Error instantiating PAEContext for : com.vmware.vdi.ob.lib.b: Failed to retrieve user information for the users with given upns: Unable to obtain information from the Active Directory - ErrorCode 1

The logs show the certificate being read by the View server and all the details of CRLs etc., but it appears unable to extract the UPN. Where does it resolve it from?

I read in the admin guide that if the Root CA is in another domain then the user must have the Subject Alt Name of the Root CA cert set as this UPN of their local domain account. I do not understand why this is as the UPN is a vital attribute for many other software products and is usually in the format user@company.com. The error logs above would suggest that the UPN from the user cert can not be decoded and therefore can not be used to resolve the user from the Active Directory.

In the event log on the view server the first event is an informational one stating "No SubjectAlternativeName found" and then the next event is of the type warning and is "Failed to convert SID (null)". Why is the first message Informational when it appears to be part of the problem?

Are there any special rights required by the ws_admin server to convert the SID, or is it because it uses the Subject Alt Name, which should be the user UPN?

Thoroughly confused!

Thanks

15 Replies
AndreTheGiant
Immortal

Welcome to the community.

The virtual desktop is part of a pool?

Have you tried on a single dedicated VM?

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro
SafYas
Contributor

This appears to be an authentication problem not relating to specific VMs. I don't even get to that stage. It fails at this point:

[CertificateAuthFilter]: Extracted UPN from Header:

There should be a value after this line for the UPN as shown on a working system we have. The question is where does it extract this from?

Thanks

Saf

npeter
Expert

Hi Safyas,

UPN should be present for user accounts in order for smart card authentication to work.

Please make sure the user has proper UPN set.

Refer to the View Admin Guide, page 125, for details on how to configure this. You can make sure the smart card authentication configuration in your domain/machines is proper by connecting to a View Desktop from a client machine using normal RDP (mstsc).

-noble

-nObLe
SafYas
Contributor

Thanks but I checked that already. I noticed that on the system that is failing different processes appear to be starting before the UPN is extracted. They appear to be related to a broker connection via a web protocol. Could this be related to VM pools as mentioned above by another contributor?

npeter
Expert

View uses the smart card certificate for authenticating users to the broker and then for logging in to the desktop VM.

If you are unable to get up to the desktop selection page, that means the first step itself has failed.

Can you give the exact error message that you are getting on the client, and at what stage you are getting it?

Also a few more details, like:

Do you have any other client machine where smart card authentication works perfect?

Are you able to login using smart card and launch desktops as this particular user/smartcard from any other client?

-nObLe
SafYas
Contributor

The client error supports what is shown on the server logs:

wswc_http: brokerLogon succesful

wswc_command: brokerLogon response xml ERROR: Athentication failure

The view Connection server connection failed. No user could be found for your certificate.

The difference on the view server that fails is it has extra lines in the log:

[PooledProcessor] Peer Verifiied as: CN=user1, OR (Rest of DN here)

[PooledProcessor] Calling SocketHandler process...

[SimpleAJPService] (Request 2) SimpleAJPService request: /broker/xml

There is more, but essentially it appears to be doing some kind of pool processing before authentication and forwarding headers. This is why I thought it may be related to pooling. None of this is done on the working server.

Thanks

SafYas
Contributor

Found the problem.

Our UPN in the certificate uses IA5String encoding and the broker can not interpret it. Changing to UTF8 encoding solves the problem.

Thanks for all your suggestions.

SafYas
Contributor

See last comment.

Alejandro_Salga
Contributor

Hi SaFYas,

I have the same problem. At which level did you change the encoding to UTF8: the certificate, or a parameter in the View Connection Server? In any case, could you tell me what the procedure is?

Thanks in advance.

SafYas
Contributor

I did it in the certificate. I do not know if you can do it on the broker. Check your certificate has a valid UPN in it for the user.

I found the exact nature of the problem by dumping the logs using the "Generate View Connection Server Log Bundle" from the VMware menu in the program menu. This dumps a directory to your desktop. In that directory is a folder called vdm-logs. In there is a series of logs. Look at the most recently modified one that starts with "debug-...". In there you should see a section where the certificate is parsed; search for the text "Reading Certificate". You should see it attempting to extract the user UPN from the certificate. This is where there will be an error if it can not find one in the right format.

Where in your certificate do you have the UPN?

Alejandro_Salga
Contributor

Yes. The certificate has a valid UPN name (l0021@xxxxxx.es) and this name is located in the Subject Alternative Name (SAN) attribute.

The log from the View Connection Server is the following:

2011-03-10 11:24:31,049 DEBUG <HandshakeCompletedNotify-Thread> [PooledProcessor] Reading certificate: CN="GUTIÉRREZ DÍAZ, xxxxxxxxx (SEN-AUTENTICACION)", GIVENNAME=xxxxxxxx, SURNAME=GUTIÉRREZ DÍAZ, SERIALNUMBER=xxxxxxxxxxxx, EMAILADDRESS=xxxxxxxxx.gutierrez@xxxxxx.es, O=xxxxxx, C=ES
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] PrincipalNameParser.decode: 0, 0,  ,
, +,  ,  ,  ,  , ツ, 7,  ,  ,  , ᅠ, ", ᅠ,  ,  ,  ,
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] readLength: Length consists of 7-bit value
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] readLength: Length consists of 7-bit value
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] getNameFromSequence: type = 16 length = 48, ObjectID = {1.3.6.1.4.1.311.20.2.3.}
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] readLength: Length consists of 7-bit value
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] drillToString: Sequence is composition: moving on to next level
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] readLength: Length consists of 7-bit value
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] drillToString: Sequence is composition: moving on to next level
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] readLength: Length consists of 7-bit value
2011-03-10 11:24:31,049 DEBUG <HandshakeCompletedNotify-Thread> [PooledProcessor] Unable to extract User Principal Name: Unknown type: 30, remaining (0, 0,  ,
, +,  ,  ,  ,  , ツ, 7,  ,  ,  , ᅠ, ", ᅠ,  ,  ,  ,
2011-03-10 11:24:31,049 DEBUG <HandshakeCompletedNotify-Thread> [PooledProcessor] Reading certificate: CN=AC xxxxxx PERSONAS, O=xxxxxxx, C=ES
2011-03-10 11:24:31,049 WARN  <HandshakeCompletedNotify-Thread> [PooledProcessor] No SubjectAlternativeName found
2011-03-10 11:24:31,049 DEBUG <HandshakeCompletedNotify-Thread> [PooledProcessor] Peer verified as: CN=GUTIÉRREZ DÍAZ\, xxxxxxxx (SEN-AUTENTICACION),2.5.4.42=#0c0e4d4152c38d41204245474fc39141,2.5.4.4=#0c1047555449c3895252455a2044c38d415a,2.5.4.5=#1309353030333431303053,1.2.840.113549.1.9.1=#161b6d6265676f6e612e67757469657272657a4073656e61646f2e6573,O=xxxxxx,C=ES
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] Calling SocketHandler.process...
2011-03-10 11:24:31,049 TRACE <HandshakeCompletedNotify-Thread> [PooledProcessor] SocketHandler.process done.

Some information has been replaced with "xxxxxxx" for security reasons.

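Added example, not code from the thread or from VMware: a stdlib-only Python check that walks a certificate's SubjectAltName in DER and reports which ASN.1 string type carries the Microsoft UPN otherName, covering both SafYas's IA5String finding and the log above. It assumes the RFC 5280 layout (SAN = SEQUENCE OF GeneralName, otherName = [0] { OID, [0] EXPLICIT value }) and, from SafYas's fix and the two log excerpts, that the broker decodes only UTF8String (tag 12): "Unknown type 22" in the first post is IA5String and "Unknown type: 30" above is BMPString. The sample SANs and the UPN user1@example.com are constructed.

```python
# Added example (not from the thread or VMware): report which ASN.1 string type holds the
# Microsoft UPN otherName in a SubjectAltName, to catch the mismatch before the broker
# logs "Unknown type <n>". Assumption: the broker accepts only UTF8String (tag 12).
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3, as in the log
STRING_TYPES = {12: "UTF8String", 19: "PrintableString", 22: "IA5String", 30: "BMPString"}


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def upn_encoding(san_der):
    """Return (ASN.1 tag number, UPN text) for the UPN otherName, or (None, None) if absent."""
    _, names, _ = read_tlv(san_der, 0)  # outer SEQUENCE OF GeneralName
    pos = 0
    while pos < len(names):
        tag, general_name, pos = read_tlv(names, pos)
        if tag != 0xA0:  # otherName is GeneralName choice [0]; rfc822Name is [1], etc.
            continue
        oid_tag, oid, after_oid = read_tlv(general_name, 0)
        if oid_tag != 0x06 or oid != UPN_OID:
            continue
        _, explicit_value, _ = read_tlv(general_name, after_oid)  # [0] EXPLICIT wrapper
        string_tag, raw, _ = read_tlv(explicit_value, 0)
        codec = {12: "utf-8", 22: "ascii", 30: "utf-16-be"}.get(string_tag, "latin-1")
        return string_tag, raw.decode(codec)
    return None, None


def broker_accepts(string_tag):
    """True only for UTF8String; any other tag reproduces 'Unknown type <n>' in the View log."""
    return string_tag == 12


def tlv(tag, body):
    """Encode a short-form DER TLV (body under 128 bytes, enough for these samples)."""
    return bytes([tag, len(body)]) + body


def san_with_upn(upn, string_tag):
    """Constructed sample SAN holding one UPN otherName with the chosen string type."""
    encoded = upn.encode("utf-16-be" if string_tag == 30 else "utf-8")
    other_name = tlv(0x06, UPN_OID) + tlv(0xA0, tlv(string_tag, encoded))
    return tlv(0x30, tlv(0xA0, other_name))


if __name__ == "__main__":
    for string_tag in (22, 12, 30):  # IA5String (first post), UTF8String (fix), BMPString (log above)
        tag, upn = upn_encoding(san_with_upn("user1@example.com", string_tag))
        verdict = "OK" if broker_accepts(tag) else f"broker would log 'Unknown type {tag}'"
        print(f"{STRING_TYPES[tag]:16} {upn}  -> {verdict}")
```

On a real certificate, feed the function the DER value of the subjectAltName extension (OID 2.5.29.17) rather than the constructed samples.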
SafYas
Contributor

How are you issuing your certificates? Do you use a Registration Authority? Are there any policy modules that run on the certificate authority?

gjimenez
Contributor

An easy way to specify the UTF-8 type UPN is here:

http://support.microsoft.com/kb/888180

Enforce UTF8 encoding

After you configure a CA to force UTF8 encoding, the UTF8 setting applies to all certificates that are issued with this CA. At the CA that must issue ISIS-MTT-compliant certificates, follow these steps:
  1. Click Start, click Run, type cmd, and then click OK.
  2. Type the following, and then press ENTER:
    certutil -setreg ca\forceteletex +0x20
    This command sets the flag so that the CA always encodes the subject with UTF8.
  3. To stop and then restart the CA service, type the following at a command prompt. Press ENTER after each command.
    net stop "certificate services"
    net start "certificate services"

After this you should generate a new certificate for your smartcard.

Having done so, I can now see the UPN is being read from the smartcard, but I still get the error: User could not be found for your certificate.
gjimenez
Contributor

I solved the error "Failed to bind to GC" by setting the IP of my Active Directory server as the primary DNS server on my View Connection Server.

gjimenez
Contributor

I found out that, as I have a Linux DNS server and a Windows 2008 server, I lacked a configuration in my DNS named zone that redirects global catalog searches to the Active Directory server.

It was this:

    gc._msdcs.ad.mydom.com    SRV    0 0 3268 dc1.ad.mydom.com.

http://technet.microsoft.com/en-us/library/dd316373.aspx
