VMware Horizon Community
garyraife1
Contributor

VMware TrueSSO unable to connect to certificate server

Hi All

I have a very strange issue in that the VMware TrueSSO enrolment service is unable to connect to the issuing CA service even though they are on the same server instance. I am trying to set up the enrolment service to talk to a Horizon cloud platform; however, the enrolment service isn't able to talk to the certificate service even though it has specific permissions to do so in the CA server configuration. From digging through all the logs, the only thing of any relevance is what appears within "C:\ProgramData\VMware\VDM\logs":

2019-08-18T02:38:47.859-07:00 TRACE (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] EnrollmentServices::GenerateAndSignPKCS10CMC(): Enter - Generate And Sign PKCS10CMC

2019-08-18T02:38:47.875-07:00 TRACE (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] EnrollmentServices::GenerateAndSignPKCS10CMC(): Exit

2019-08-18T02:38:47.875-07:00 TRACE (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] CertSrvPool::SubmitToCaQueue(): Enter - Submit Queue

2019-08-18T02:38:47.875-07:00 DEBUG (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] CertSrvPool::SubmitToCaQueue(): No Connected CA - wait for one to connect Id=1

2019-08-18T02:38:48.890-07:00 DEBUG (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] CertSrvPool::SubmitToCaQueue(): No Connected CA - wait for one to connect Id=1

2019-08-18T02:38:49.906-07:00 DEBUG (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] CertSrvPool::SubmitToCaQueue(): No Connected CA - wait for one to connect Id=1

2019-08-18T02:38:50.922-07:00 TRACE (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] CertSrvPool::SubmitToCaQueue(): Completed request id=1 - FAILED - elapsed=3047ms

2019-08-18T02:38:50.922-07:00 TRACE (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] CertSrvPool::SubmitToCaQueue(): Exit

2019-08-18T02:38:50.922-07:00 ERROR (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] EnrollmentServices::SubmitRequest(): Failed to locate a connected CA - ErrorCode = 2147944650 (0x00000000800708CA)

2019-08-18T02:38:50.922-07:00 TRACE (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] EnrollmentServices::SubmitRequest(): Exit

2019-08-18T02:38:50.922-07:00 TRACE (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] EnrollmentConnection::SubmitRequest(): Exit

2019-08-18T02:38:50.922-07:00 ERROR (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] CertEnrollService::CertEnrollOperation::SubmitRequestHandler(): Failed to locate a connected CA - ErrorCode = 2147944650 (0x00000000800708CA)

2019-08-18T02:38:50.922-07:00 TRACE (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] CertEnrollService::CertEnrollOperation::SubmitRequestHandler(): Exit

Any ideas would be greatly appreciated as I need to stand this service up urgently. I have also been in contact with VMware support; however, they don't seem to understand why this isn't working either.

7 Replies
VMntg
Contributor

I've been battling the same issue but I think I have it fixed now. I had to import the Connection Server certificate WITH the private key into the "VMware Horizon View Enrollment Server Trusted Roots" store on the Enrollment Server.

If you have anything to add please let me know, I'm continuing to test.

sjsaravanan1
Contributor

I am facing the same problem in the Azure deployment

SubmitRequest Failed
Response ErrorCode = "-2147022646"
ErrorText = "Failed to locate a connected CA"
FailureReason = "SubmitFailureMayRetry"

Aso57
Contributor

Hello,

Any update regarding your issue?

Same here; I exported the HZCS cert with the private key, but same result ...

SubCA is on the same server as HZES ...

Mickeybyte
Hot Shot

Hi, did you export the correct Horizon Connection server certificate? It's not the "vdm" certificate you need, but the "vdm.ec" certificate.

see also: VMware Horizon authentication using AzureAD (with multifactor) – Part 3: Enrollment Servers – Mickey...


Regards,
Mickeybyte (ITPro blog)

eyeteegrunt
Contributor

Did you ever resolve this? I have the same issue 

Aso57
Contributor

Solved for me:

If the Enrollment Server is installed on the SubCA server, do this:

On the enrollment server, add the following reg keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service]
"UseNTLMAuthenticationToCa"="TRUE"
"UseKerberosAuthenticationToCa"="FALSE"

eyeteegrunt
Contributor

I already have those reg keys on my enrollment server, which is already a SubCA :[

I see this in the debug logs of my enrollment server:

"<MessageFrameWorkDispatch> [wsnm_certenroll] EnrollmentServices::SubmitRequest(): The Request timed out - ErrorCode = 258 (0x0000000000000102)
2023-08-28T14:48:58.397-04:00 ERROR (0514-07E8) <MessageFrameWorkDispatch> [wsnm_certenroll] CertEnrollService::CertEnrollOperation::SubmitRequestHandler(): The Request timed out - ErrorCode = 258 (0x0000000000000102)"

If I run es_diag I get this:

Generate a PKCS10 Certificate Request
Send Cert-Request(s) to the enrollment service:
## Invalid RequesterName
## Invalid RequesterName
## Invalid RequesterName
## Invalid RequesterName
## Invalid RequesterName
## Invalid RequesterName
## Invalid RequesterName
## Invalid RequesterName
## Invalid RequesterName
## Invalid RequesterName
## Invalid RequesterName

Everything in the Horizon console is green.

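The error values quoted in this thread can be compared once they are normalized. The following is an added example, not part of any post and not VMware tooling: it parses lines in the wsnm_certenroll log format quoted above, counts the "No Connected CA" waits per thread, and decodes each ErrorCode. The function names and the small Win32 name table are assumptions of this example; the sample lines are copied from the log excerpts in the thread.

```python
import re
from collections import Counter

# Sample input: lines copied from the log excerpts quoted in the thread.
SAMPLE_LOG = """\
2019-08-18T02:38:47.875-07:00 DEBUG (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] CertSrvPool::SubmitToCaQueue(): No Connected CA - wait for one to connect Id=1
2019-08-18T02:38:48.890-07:00 DEBUG (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] CertSrvPool::SubmitToCaQueue(): No Connected CA - wait for one to connect Id=1
2019-08-18T02:38:49.906-07:00 DEBUG (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] CertSrvPool::SubmitToCaQueue(): No Connected CA - wait for one to connect Id=1
2019-08-18T02:38:50.922-07:00 ERROR (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] EnrollmentServices::SubmitRequest(): Failed to locate a connected CA - ErrorCode = 2147944650 (0x00000000800708CA)
2019-08-18T02:38:50.922-07:00 ERROR (0A58-1AEC) <MessageFrameWorkDispatch> [wsnm_certenroll] CertEnrollService::CertEnrollOperation::SubmitRequestHandler(): Failed to locate a connected CA - ErrorCode = 2147944650 (0x00000000800708CA)
2023-08-28T14:48:58.397-04:00 ERROR (0514-07E8) <MessageFrameWorkDispatch> [wsnm_certenroll] CertEnrollService::CertEnrollOperation::SubmitRequestHandler(): The Request timed out - ErrorCode = 258 (0x0000000000000102)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>[A-Z]+) \((?P<thread>[0-9A-F-]+)\) <[^>]+> "
    r"\[(?P<module>[^\]]+)\] (?P<func>[\w:]+)\(\): (?P<msg>.*)$")
CODE_RE = re.compile(r"ErrorCode = (-?\d+)")
# Only the Win32 codes that appear in this thread (names as in winerror.h).
WIN32_NAMES = {2250: "ERROR_NOT_CONNECTED", 258: "WAIT_TIMEOUT"}

def decode_error(value):
    """Fold signed/unsigned forms to one 32-bit value and extract the Win32 code."""
    u = value & 0xFFFFFFFF
    if u & 0x80000000 and (u >> 16) & 0x1FFF == 7:  # HRESULT with FACILITY_WIN32
        code = u & 0xFFFF
    else:
        code = u                                    # already a plain Win32 code
    return {"hex": f"0x{u:08X}", "win32": code, "name": WIN32_NAMES.get(code, "unknown")}

def triage(log_text):
    """Return (CA-wait count per thread id, [(function, decoded error), ...])."""
    waits, errors = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if "No Connected CA" in m["msg"]:
            waits[m["thread"]] += 1
        c = CODE_RE.search(m["msg"])
        if m["level"] == "ERROR" and c:
            errors.append((m["func"], decode_error(int(c.group(1)))))
    return waits, errors

if __name__ == "__main__":
    waits, errors = triage(SAMPLE_LOG)
    print(dict(waits))
    for func, err in errors:
        print(func, err)
```

Passing -2147022646 (the value from the Azure deployment post) to `decode_error` gives the same 0x800708CA as the first post's 2147944650, while the 258 timeout in the last post is a different failure.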