danielmgrinnell
Enthusiast

Getting Error "this horizon server expects to get your logon creds from another app server"

I am getting this error. Does anyone know what's causing this?

idm.PNG

Thanks

28 Replies
URIME
Contributor

I've encountered the same issue in my environment; the only solution I've found was:

  1. disable the View desktops in the IDM
  2. enable the view desktops in IDM
  3. in the connection server change the name of the server in the metadata to the FQDN of the IDM
  4. change back to the hostname

You will get a popup of the certificate.

Again, this was a specific case I've had in the environment, caused by a change of certificate in the View server.

0 Kudos
danielmgrinnell
Enthusiast

Hey Urime,

Do I disable the View D in the Horizon Catalog? I already disabled it and then re-added it and re-authed the certs. Can you give me a bit more detail on 3. and 4.? I'm not sure where to change the name of the server in the metadata to the FQDN of the IDM.

Thanks

0 Kudos
pjeyara573
Contributor

Hi,

Did you manage to fix this issue?

Facing the same.

Regards!

0 Kudos
josefdi
Contributor

Hi

I am also getting the same error when launching the application from the vIDM portal. Did you manage to resolve this?

Thanks.

0 Kudos
josefdi
Contributor

Hi... Did you manage to resolve this? Getting the below error when trying to launch the application. No errors on SAML authentication in Horizon. The vIDM appliances are load balanced through F5. Any pointers please.

pastedImage_0.png

0 Kudos
pjeyara573
Contributor

Hi, one issue I found out was that the connection server FQDN should be the same as the actual host name of the connection server.

Say your actual connection server host name is connectionsrv.domain.local. You should use the same when configuring vIDM.

In my environment our domain had an underscore, like my_domain.local. To work around this I created a DNS entry for the connection server IP as connectionsrv.mydomain.local (without underscore). It doesn't work. Faced the same issue.

0 Kudos
pjeyara573
Contributor

Adding more...

Try checking the value in the FederationArtifacts table of the vIDM database. It will give you more insight.

If you use the default Postgres DB, use the commands below to export the content to a text file:

export PGPASSWORD=$(cat /usr/local/horizon/conf/db.pwd)

/opt/vmware/vpostgres/9.2/bin/psql -U postgres saas

saas=# \x

saas=# \o FedTableContents.txt

saas=# select * from "FederationArtifacts";

saas=# \q

0 Kudos
David1Black
Contributor

We are having this issue in our environment as well. It seems like after 5-10 app launches this message pops up. It isn't always possible to recreate though. After the pop-up you have to close the Horizon client and relaunch. I believe this is based on the Horizon setting of forcing 3rd party logons, or prohibiting logons directly thru the client and forcing them thru the IDM portal. Even though this setting isn't checked, it seems to be true in some cases.

VMware claims they are not aware of this issue when we brought it up to them. Might be time for a ticket if I can find a way to reproduce it while they are on the call.

David

0 Kudos
mmurthy
VMware Employee

Could you please check the time on all Connection Servers and vIDM appliances? If time is not in sync you will get such login issues.

Regards.

Manjunath M

0 Kudos
David1Black
Contributor

Yes, all servers are perfectly in sync. I have a ticket open and the tech is requesting we reboot all of the servers.  But I can't keep doing that every couple weeks because no one can find the root cause of the problem.

0 Kudos
saadashraf
Contributor

Hi David,

We are having the same issue. Were you able to find the root cause?

Thanks

0 Kudos
David1Black
Contributor

We still have not found a root cause for this.  Rebooting the connection servers and appliances has resolved the issue, for now.  But I suspect it will pop-up again in the future.  So far VMware has not been able to find anything in the logs that could be causing this problem.

0 Kudos
David1Black
Contributor

This issue has popped up again after only 2 weeks of the servers running. I have reopened the ticket with VMware. I will let you know what they say.

0 Kudos
OliverFuchs
Contributor

Same problem here. When I changed this entry (yellow) to "None" it works.

ID Manager_2.PNG

David1Black
Contributor

Oliver, what version are you running?  I'm still on 2.8.1 and don't see that option.

0 Kudos
OliverFuchs
Contributor

Hello, version 2.9.1.

0 Kudos
eddzta
Contributor

Having the same issue here after our VESC box's SSL Certificate expired.

Have regenerated the cert but now also getting "Untrusted Certificate" for the SAML 2.0 Authenticator in Horizon Administration; hitting Verify will not actually verify the certificate. Not sure if these are two separate issues though!

Has anyone made any progress?

0 Kudos
Skeetneet
Contributor

Hi,

We've had this error too coming back after a certain period. After rebooting the vIDM appliances it seems to be fine again. We made a support request for this issue and VMware answered us with the following:

From log analysis we can see that this issue is related to metadata expiry.

As an example, say View Sync runs at 10am; this updates the View metadata in the vIDM service.

For the latest certificate, let's say the metadata would expire before 10:00am, say 9:30am, so this issue would be seen for 30 mins or until the next View sync runs and updates the metadata in the vIDM service.

To resolve:

By default SAML metadata expires daily, you can increase the expiration time by 90 days.

1) Remove entries for pae-NameValuePair attribute on connection server and press okay.
cs-samlencryptionkeyvaliditydays=90
cs-samlsigningkeyvaliditydays=90

Change the Expiration Period for Service Provider Metadata http://pubs.vmware.com/horizon-71-view/topic/com.vmware.horizon-view.administration.doc/GUID-3E170C2...

2) Re-add entries for pae-NameValuePair attribute on connection server and press okay.

3) After around 5 mins restart all of the connection servers in the environment.

4) When connection servers are back up and running do a manual sync of View from IDM

The changes will take effect from the next day. Meaning the new certificate generated next day will have the expiration as 90 days.

In 90 days time this process will automatically repeat itself.


Please let us know if the above resolves the "server expects to get your logon credentials from another application or server..........." issue.

Hope this helps.

0 Kudos
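
The expiry window described in the VMware support response above (metadata expiring at 9:30am, View sync at 10am), as an added example that is not part of the original posts or of VMware's tooling: it reads the standard SAML 2.0 `validUntil` attribute and computes how long expired metadata is held before the next sync. The sample XML, its hostname and the sync time are constructed, `max_skew` is a hypothetical parameter modelling the clock drift raised earlier in the thread, and the code assumes the exported Connection Server metadata carries `validUntil`.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample (not real Horizon output): metadata expiring at 09:30 UTC.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://connectionsrv.example.local/placeholder"
    validUntil="2024-05-02T09:30:00Z">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def metadata_valid_until(xml_text):
    """Return validUntil of the root EntityDescriptor as an aware UTC datetime."""
    # Input is metadata exported from your own server; for XML from an
    # untrusted source, parse with defusedxml instead of ElementTree.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    raw = root.get("validUntil")
    if raw is None:
        raise ValueError("metadata has no validUntil attribute")
    # xs:dateTime may end in 'Z'; normalise it for fromisoformat().
    parsed = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def stale_window(valid_until, next_sync, max_skew=timedelta(0)):
    """Return how long expired metadata is held before next_sync refreshes it.

    max_skew is how far the consuming side's clock may run ahead, which
    makes it treat the metadata as expired that much earlier.
    """
    effective_expiry = valid_until - max_skew
    return max(next_sync - effective_expiry, timedelta(0))


if __name__ == "__main__":
    expiry = metadata_valid_until(SAMPLE_METADATA)
    sync = datetime(2024, 5, 2, 10, 0, tzinfo=timezone.utc)  # constructed sync time
    print("metadata expires:", expiry.isoformat())
    print("stale window    :", stale_window(expiry, sync))
    print("with 5 min skew :", stale_window(expiry, sync, timedelta(minutes=5)))
```

A non-zero window means launches can fail between expiry and the next sync, which is the interval the longer validity period in the support response is meant to close.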
Skeetneet
Contributor

Yep, I think these are two separate issues. For the issue you're describing we've also logged a support request which is open for over 2 months now. We've installed a special debug-version of the Connection Server and sent the logs to Engineering. They are now investigating. When I've got an update I will let you know.

0 Kudos