I've encountered the same issue in my environment; the only solution I've found was:
You will get a popup of the certificate.
Again, this was a specific case I've had in the environment, caused by a change of certificate in the View server.
Do I disable the View D in the Horizon Catalog? I already disabled it and then re-added it and re-authed the certs. Can you give me a bit more detail on 3. and 4.? I'm not sure where to change the name of the server in the metadata to the FQDN of the IDM.
Hi... Did you manage to resolve this? Getting the below error when trying to launch the application. No errors on SAML authentication in Horizon. The vIDM appliances are load balanced through F5. Any pointers please.
Hi, one issue I found out was that the connection server FQDN should be the same as the actual host name of the connection server.
Say your actual connection server host name is connectionsrv.doamin.local. You should use the same when configuring VIDM.
In my environment our domain had an underscore, like my_domain.local. To work around this I created a DNS entry for the connection server IP in DNS as connectionsrv.mydomain.local (without underscore). It doesn't work. Faced the same issue.
Try checking the value in the table FederationArtifacts of the VIDM database. It will give you more insight.
If you use the default Postgres DB, use the below commands to export the content to a text file:
export PGPASSWORD=$(cat /usr/local/horizon/conf/db.pwd)
/opt/vmware/vpostgres/9.2/bin/psql -U postgres saas
saas=# \o FedTableContents.txt
saas=# select * from "FederationArtifacts";
We are having this issue in our environment as well. It seems like after 5-10 app launches this message pops up. It isn't always possible to recreate though. After the pop-up you have to close the Horizon client and relaunch. I believe this is based on the Horizon setting of forcing 3rd party logons, or prohibiting logons directly thru the client and forcing them thru the IDM portal. Even though this setting isn't checked it seems to be true in some cases.
VMware claims they are not aware of this issue when we brought it up to them. Might be time for a ticket if I can find a way to reproduce it while they are on the call.
Yes, all servers are perfectly in sync. I have a ticket open and the tech is requesting we reboot all of the servers. But I can't keep doing that every couple weeks because no one can find the root cause of the problem.
We still have not found a root cause for this. Rebooting the connection servers and appliances has resolved the issue, for now. But I suspect it will pop up again in the future. So far VMware has not been able to find anything in the logs that could be causing this problem.
Having the same issue here after our VESC box's SSL Certificate expired.
Have regenerated the cert but now also getting "Untrusted Certificate" for the SAML 2.0 Authenticator in Horizon Administration; hitting Verify will not actually verify the certificate. Not sure if these are two separate issues though!
Has anyone made any progress?
We've had this error too coming back after a certain period. After rebooting the vIDM appliances it seems to be fine again. We made a support request for this issue and VMware answered us with the following:
From log analysis we can see that this issue is related to metadata expiry.
As an example, say View Sync runs at 10am; this updates the View metadata in the vIDM service.
For the latest certificate, let's say the metadata would expire before 10:00am, say 9:30am, so therefore this issue would be seen for 30 mins or until the next view sync would run and update the metadata in the vIDM service.
By default SAML metadata expires daily, you can increase the expiration time by 90 days.
1) Remove entries for pae-NameValuePair attribute on connection server and press okay.
Change the Expiration Period for Service Provider Metadata http://pubs.vmware.com/horizon-71-view/topic/com.vmware.horizon-view.administration.doc/GUID-3E170C2...
2) Re-add entries for pae-NameValuePair attribute on connection server and press okay.
3) After around 5 mins restart all of the connection servers in the environment.
4) When connection servers are back up and running do a manual sync of View from IDM
The changes will take effect from the next day. Meaning the new certificate generated next day will have the expiration as 90 days.
In 90 days time this process will automatically repeat itself.
Please let us know if the above resolves the "server expects to get your logon credentials from another application or server..........." issue.
Hope this helps.
Yep, I think these are two separate issues. For the issue you're describing we've also logged a support request which is open for over 2 months now. We've installed a special debug-version of the Connection Server and sent the logs to Engineering. They are now investigating. When I've got an update I will let you know.
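The support reply quoted above attributes the error to SAML metadata expiring before the next View sync refreshes it. As an added example (not from the thread or from VMware), this Python script reads the standard `validUntil` attribute of a SAML 2.0 metadata document and reports how long the metadata stays expired before the next sync. The sample metadata, entityID and times are constructed, and how you export the metadata from your own environment is left as an assumption.

```python
# Added example: measure the gap between SAML metadata expiry and the next sync.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: metadata that expires at 09:30 UTC (values are made up).
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://connectionsrv.example.local/SAML/metadata"
    validUntil="2024-05-02T09:30:00Z">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def parse_valid_until(metadata_xml):
    """Return validUntil as an aware datetime, or None if the attribute is absent."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    raw = root.get("validUntil")
    if raw is None:
        return None  # metadata carries no explicit expiry
    # validUntil is an xs:dateTime; map a trailing Z to an explicit UTC offset.
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def check(metadata_xml, now, next_sync):
    """Report whether the metadata is expired now and the gap before next_sync."""
    valid_until = parse_valid_until(metadata_xml)
    if valid_until is None or valid_until >= next_sync:
        gap = timedelta(0)  # the sync refreshes the metadata before it expires
    else:
        gap = next_sync - valid_until  # window in which launches can fail
    expired_now = valid_until is not None and now >= valid_until
    return {"valid_until": valid_until, "expired_now": expired_now, "gap": gap}


if __name__ == "__main__":
    # Constructed times matching the thread's example: sync at 10:00, expiry 09:30.
    now = datetime(2024, 5, 2, 9, 45, tzinfo=timezone.utc)
    next_sync = datetime(2024, 5, 2, 10, 0, tzinfo=timezone.utc)
    result = check(SAMPLE_METADATA, now, next_sync)
    print(f"validUntil={result['valid_until']} expired_now={result['expired_now']} "
          f"gap_before_sync={result['gap']}")
```

A non-zero gap means the expiry and sync schedules are misaligned, which is the condition the support reply describes. Run the check only on metadata exported from your own servers, since `xml.etree.ElementTree` is not hardened against malicious XML.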