MMAgeek
Enthusiast

Issue with getting my workspace setup with external load balancers


Hi

I have Workspace set up and working. I now wish to move it to a pair of Kemp load balancers. I have configured the virtual IP for my load balancers and pointed it to the gateway servers, and configured DNS accordingly.

I have created my SSL cert (signed by a commercial CA, GlobalSign) and have both the cert and private key as PEM. I have applied these to my load balancers.

lb1.png

I have also placed the intermediate and root CA certs on the load balancers, as well as the gateway root CA certificates from my Horizon Workspace VMs, so the load balancer trusts them.

certs.png

When I try to run the FQDN and SSL wizard I do the following:

External Load balancer: ticked

Horizon workspace FQDN: FQDN that matches the load balancer certificate

Load balancer root CA certificate: I have pasted the contents of the intermediate CA certificate from GlobalSign

I then get the error: Unable to establish SSL connection to FQDN with the Root CA.

error1.png

The details of the error:

com.vmware.horizon.configurator.exception.VMException: VM.INVALID_ROOT_CA.11
    at com.vmware.horizon.configurator.exception.VMException.INVALID_ROOT_CA(VMException.java:299)
    at com.vmware.horizon.configurator.vm.HorizonVMApi.validateRootCA(HorizonVMApi.java:1262)
    at com.vmware.horizon.configurator.controller.ConfiguratorSSLSetupPage.installRootCA(ConfiguratorSSLSetupPage.java:445)
    at com.vmware.horizon.configurator.controller.ConfiguratorSSLSetupPage.installRootCAFromSettings(ConfiguratorSSLSetupPage.java:116)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:212)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:126)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:96)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:617)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:578)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:900)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:827)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:789)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at com.vmware.horizon.configurator.ConfiguratorRequestFilter.doFilter(ConfiguratorRequestFilter.java:75)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at com.vmware.horizon.configurator.WizardRedirectionFilter.doFilter(WizardRedirectionFilter.java:96)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:409)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Any ideas what is going wrong?

11 Replies
nickjo67
Enthusiast

com.vmware.horizon.configurator.exception.VMException: VM.INVALID_ROOT_CA.11 at com.vmware.horizon.configurator.exception.VMException.INVALID_ROOT_CA(VMException.java:299) at


I'm thinking that it does not like your root_ca cert.  Is it a wildcard cert?


Also, what if you test your configuration by changing your DNS to your gateway and removing the load balancer temporarily?  Or is that what you had before you attempted to use the load balancers?



MMAgeek
Enthusiast

No the cert is a specific one generated for workspace.

In the root CA field in the Workspace wizard I have tried entering the intermediate cert and the root cert; neither works.

I haven't tried changing the DNS to the gateway. Originally the config was just pointing at the gateway by its host name. I was thinking about trying that but wasn't sure if it would cause future issues when I then want to move to the load balancer.

kzelenko
VMware Employee

On the Configurator page you need just the root CA certificate (no intermediate ones). You would need to install the full chain on the load balancers.

On the first screen I see that you have FQDN resolving to two addresses - are those two gateways or two load balancers?

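An added example to go with the reply above (it is not code from this thread, from VMware or from Kemp): a small POSIX shell script, built on the openssl CLI, that splits a PEM bundle into its certificates, labels each one as self-signed, intermediate or leaf, verifies that the leaf chains to a given root the way a client would, and dumps the chain a load balancer actually presents for an FQDN. The self-signed certificate is the one that belongs in the wizard's "Load balancer root CA certificate" field; the leaf and intermediates belong on the load balancer. File names and the FQDN used in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from VMware/Kemp. Uses the openssl CLI.
# File names ("bundle.pem", "root.pem") and the FQDN are placeholders.

# classify_cert FILE
# Prints "self-signed" when subject == issuer (a root CA, or an appliance's own
# self-signed cert), "intermediate" when it is a CA signed by someone else, and
# "leaf" for an end-entity certificate such as the one issued for the Workspace FQDN.
classify_cert() {
  cert="$1"
  # drop the "subject=" / "issuer=" prefix so the two DNs can be compared as strings
  subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^[^=]*= *//')
  issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^[^=]*= *//')
  if [ "$subject" = "$issuer" ]; then
    echo self-signed
  elif openssl x509 -in "$cert" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
    echo intermediate
  else
    echo leaf
  fi
}

# split_bundle BUNDLE OUTDIR
# Writes each certificate of a concatenated PEM bundle to OUTDIR/cert-N.pem and
# prints "cert-N.pem <class> <subject>" per certificate, in bundle order.
split_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
    inside                        { print > f }
    /-----END CERTIFICATE-----/   { inside = 0; close(f) }' "$bundle"
  for f in "$outdir"/cert-*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^[^=]*= *//')
    echo "$(basename "$f") $(classify_cert "$f") $subj"
  done
}

# verify_chain ROOT LEAF [INTERMEDIATES]
# Succeeds only if LEAF chains to the self-signed ROOT, through INTERMEDIATES when
# given. Passing an intermediate as ROOT fails (openssl will not stop at a trust
# anchor that is not self-signed), which is the situation the wizard rejected.
verify_chain() {
  root="$1"; leaf="$2"; inter="${3:-}"
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null
  fi
}

# probe_chain HOST [PORT]
# Prints the PEM chain the server (here, the load balancer VIP) presents for HOST,
# so it can be fed to split_bundle and compared with what was installed.
probe_chain() {
  host="$1"; port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# usage: sh chain.sh split bundle.pem outdir
#        sh chain.sh verify root.pem leaf.pem [intermediates.pem]
#        sh chain.sh probe workspace.example.com
case "${1:-}" in
  split)  split_bundle "$2" "$3" ;;
  verify) verify_chain "$2" "$3" "${4:-}" ;;
  probe)  probe_chain "$2" "${3:-443}" ;;
esac
```

Running `probe` against the VIP and then `split` on its output shows whether the load balancer serves the leaf plus every intermediate; `verify` with the self-signed root and the intermediates as the third argument should then succeed, and the same self-signed root is the only thing to paste into the Configurator.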
MMAgeek
Enthusiast

I have managed to get the load balancing working now (it was due to the X-Forwarded-For header settings on my load balancers), but now I have a new issue.

When I log into the Workspace FQDN it redirects me to the connector VA https://gr2cmnxhzwv04.cmn-uk.net briefly to authenticate, and I get an SSL error as it's presenting its own self-signed certificate.

Also the Workspace agents get a certificate prompt for the connector VA.

Why is this and how do I stop it? The connector is set to use the gateway as the IdP URL.

kzelenko
VMware Employee

Do you have Windows Auth (Kerberos) enabled on that connector? If yes, then you probably have "allow redirect" checked.

If it is checked - uncheck it.

If you really need kerberos authentication enabled - you would need to create a separate connector instance with usegatewayasidp = N.

MMAgeek
Enthusiast

I unchecked "allow redirect"; the client no longer gets the SSL error, but I lose Kerberos.

I have a 2nd connector instance as you described with usegatewayasidp = N; however, if I set it to first in the priority list I get the SSL error again as it redirects.

Is there no way to have 2 connector VAs load balanced behind the gateway FQDN and still use Kerberos?

Seb1180
Enthusiast

Don't know if this will help, but this is how I got it working with 2 internal connectors for SSO and 2 external ones without Kerberos, after a couple of days scratching my head.

Check and browse to the AD object of your Kerberos connectors from a DC, not from the RSAT console, and ensure that in the Delegation tab "Trust this computer for delegation to any service (Kerberos only)" is selected; also, in the Attribute Editor tab, look for the servicePrincipalName.

I have a split DNS. My Workspace is configured on mydomain.com and not on local.mydomain.com.

The values there were set like HOST/connector-va3.local.mydomain.com. Changed them to:

HOST/connector-va3.mydomain.com

HOST/connector-va3

I also added the one my F5 box is using, HOST/connectors.mydomain.com, just to be sure.

Then I unticked the "allow redirect" box on those connectors (still don't know why, but it worked without it) and got my SSO working.

Hope this will get you out of this issue.

Seb

I also had issues with the X-Forwarded-For. For some reason putting the VIP of the F5 box wasn't sufficient. I had to put the physical IPs of my F5 LTM there as well.

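An added example for the AD check in the post above (not code from this thread or from VMware): a POSIX shell script that reads an LDIF export of a connector's computer object and reports the two things Seb1180 says had to be right before Kerberos SSO worked: a HOST/ SPN for every name clients and the load balancer use, and "Trust this computer for delegation to any service (Kerberos only)", which is the TRUSTED_FOR_DELEGATION bit (0x80000) of userAccountControl. The object name, domain names and LDIF content are constructed to mirror the post's description, not taken from a real directory; the ldapsearch line in the comments is an illustration of how such an export is obtained.

```shell
#!/bin/sh
# Added example, not code from the thread or from VMware. Checks an LDIF export of a
# connector's AD computer object, e.g. produced on a domain-joined host with:
#   ldapsearch -LLL -H ldap://dc.local.mydomain.com -Y GSSAPI \
#     -b 'DC=local,DC=mydomain,DC=com' '(sAMAccountName=CONNECTOR-VA3$)' \
#     servicePrincipalName userAccountControl > connector-va3.ldif
# Object and domain names are constructed for the example.

TRUSTED_FOR_DELEGATION=524288   # 0x80000: "Trust this computer for delegation to any service (Kerberos only)"

# uac_has_flag UAC FLAG: true when the decimal userAccountControl value has FLAG set.
uac_has_flag() {
  [ $(( ${1:-0} & $2 )) -ne 0 ]
}

# check_connector_object LDIF NAME...
# Prints one "ok"/"missing" line per expected HOST/NAME SPN and one for the
# delegation flag; returns 0 only when nothing is missing.
check_connector_object() {
  ldif="$1"; shift
  rc=0
  for name in "$@"; do
    # -F: literal match (dots in the FQDN are not wildcards); -x: whole line;
    # -i: attribute names and SPNs are case-insensitive in AD
    if grep -Fxqi -- "servicePrincipalName: HOST/$name" "$ldif"; then
      echo "ok      HOST/$name"
    else
      echo "missing HOST/$name"; rc=1
    fi
  done
  uac=$(awk -F': ' '/^userAccountControl:/ { print $2 }' "$ldif")
  if uac_has_flag "$uac" "$TRUSTED_FOR_DELEGATION"; then
    echo "ok      TRUSTED_FOR_DELEGATION set (userAccountControl=$uac)"
  else
    echo "missing TRUSTED_FOR_DELEGATION (userAccountControl=${uac:-unset})"; rc=1
  fi
  return $rc
}

# write_sample_ldif FILE
# A constructed export resembling the state described before the fix: SPNs only
# for the internal (local.) name, and only WORKSTATION_TRUST_ACCOUNT (4096) set.
write_sample_ldif() {
  cat > "$1" <<'EOF'
dn: CN=CONNECTOR-VA3,CN=Computers,DC=local,DC=mydomain,DC=com
objectClass: computer
sAMAccountName: CONNECTOR-VA3$
dNSHostName: connector-va3.local.mydomain.com
servicePrincipalName: HOST/connector-va3.local.mydomain.com
servicePrincipalName: HOST/CONNECTOR-VA3
userAccountControl: 4096
EOF
}

# usage: sh spncheck.sh connector-va3.ldif connector-va3.mydomain.com connector-va3 connectors.mydomain.com
if [ $# -ge 2 ]; then
  check_connector_object "$@"
else
  # no arguments: run against the constructed sample so the output can be seen
  sample=$(mktemp); write_sample_ldif "$sample"
  check_connector_object "$sample" connector-va3.mydomain.com connector-va3 connectors.mydomain.com || :
  rm -f "$sample"
fi
```

Run without arguments it reports the two SPNs for the mydomain.com names and the delegation flag as missing, which is the state the post describes before the change. On a domain controller the matching fixes are `setspn -S HOST/<name> CONNECTOR-VA3` for each missing name (`-S` refuses to register an SPN that already exists on another account, which would also break Kerberos) and the Delegation tab of the computer object for the flag.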
TomKH
VMware Employee

You will need to create a second certificate for the external connector (i.e. it does not use the gateway) that is using Windows Authentication, unless you have a single wildcard certificate that is valid for each hostname. Kerberos-enabled connectors will not work correctly via the Workspace FQDN (Gateway VAs).

MMAgeek
Enthusiast

So if I understand this correctly:

I need to have 2 connectors for Kerberos that are load balanced to a different URL than the Workspace FQDN?

Say my new load balanced URL is workspace-krb.domain.com. I need to apply an SSL cert with that name to the SSL configuration section of each connector, change the IdP URL it presents to workspace-krb.domain.com and untick redirection? Or does the SSL cert go on the load balancer, as per load balancing the gateway?

This is for internal use only. Right now there is the default connector which has useGatewayAsIDP = Y and a 2nd connector I added with useGatewayAsIDP = N.

Do I need to add a 3rd and then load balance those 2, or can I edit the config of the default one?

Seb1180
Enthusiast

No, you need 2 connectors. One for internal, one for external. I have 4 for "redundancy" and fun, I can say :)

As you say, one with useGatewayAsIDP = N and the other with useGatewayAsIDP = Y is what you need. After that you can add more.

I think you got it right. You need of course a cert for the load balanced URL that you will apply to the connectors, and change the URL in the IdP part. I have also loaded the cert in my load balancer. I use a SAN cert so I can have as many names as I want.

In the docs I have been reading it mentions to tick the box for redirection. I figured out that for me it was working only when that box was unticked. I also had that AD object issue that was blocking Kerberos.

Have a look at the F5 whitepaper even if you don't have the same box. It might also help. There is also another post where someone describes how he did it. It has no replies, so it should be easy to spot.

Seb

Seb1180
Enthusiast

Behind your load balancer you can have one or as many connectors as you want. It doesn't matter.
