fcjxxl
Contributor

VMware Horizon 7 HTML Access doesn't work properly through Chrome or Safari and the console outputs errors, but IE and Firefox have no problems

Hi team, when I connect through IE or Firefox, I can log in and use Horizon without problems

23C808DA-0486-4EC1-AF47-9A6A72DF83D1.png

but when I connect with Safari or Chrome, it looks like this

QQ20170208-130356@2x.png

and console outputs:

Safari

478836DB-6EFE-42A9-B9E8-6E2FAE127F41.png

Chrome

QQ20170208-130106@2x.png

ps:

horizon 7.0.3

safari 10.0.3

firefox 51.0.1

chrome 55.0.2883.95

ie 11

14 Replies
SanderGNL
Contributor

Same issue here. Also tried Chrome 57 beta which shows the same.

No idea what causes this.

fcjxxl
Contributor

I guess it's a bug in the jscdk.js file

fcjxxl
Contributor

Is there anyone who can help me?

markbenson
VMware Employee

This problem usually occurs if you are accessing Connection Server with a different hostname than it is expecting, and is a result of the "origin checking" feature. This may be the case if you are connecting via Unified Access Gateway (formerly Access Point) or through a load balancer etc. where the user is entering a different hostname in the URL than Connection Server expects.

You can check if this is the case by looking in the debug log file on Connection Server. This is usually in "C:\ProgramData\VMware\VDM\logs". Search the log file for "Unexpected Origin". If you see an entry similar to this, then that will be the problem.

2017-03-29T11:23:24.748+01:00 ERROR (1230-1198) <Thread-32> [SimpleAJPService] (ajp:broker:Request2) Unexpected Origin: https://vdi.myco.com

You can easily resolve this by adding a line in the locked.properties file which is usually in "C:\Program Files\VMware\VMware View\Server\sslgateway\conf".

Either add a line at the end of locked.properties with:

checkOrigin=false

to turn off origin checking (not recommended), or add a line to specify an additional hostname that can be accepted. From the error message above, I could add:

balancedHost=vdi.myco.com

The name used here is the same hostname as seen in the error message. There are also options to specify multiple hostnames.

Once you've changed the locked.properties file, you then need to restart the VMware Horizon View Connection Server service.

You can find more information about this in the Origin Checking section of the documentation here - Documentation for VMware Horizon 7 version 7.0

Let me know if this resolves it.

ALEX_TSM
Enthusiast

Hello, I have almost the same problem with Horizon 7.1 and AP 2.9

But in my case, only Safari 10.1 (Mac, iPad ...) has no problem; all other browsers on any device have the problem.

I have changed locked.properties a lot of times; so far, no luck.

The main question is: why does the issue depend so much on which type of browser you use? If I have the wrong settings, why does everything work via Safari, but nothing works via the others?

I really can't understand it!!! Can someone please explain it?

fcjxxl
Contributor

Hi markbenson, thank you for your reply.

I created the locked.properties file and added a line at the end of it with checkOrigin=false.

Well, Chrome now works fine, but unfortunately Safari has another problem.

The login form now appears on the login page (but with 4 console errors beneath; other browsers don't have these errors)

QQ20170406-113141@2x.png

When I log in and click an app, the app doesn't run or appear; it is just an empty page and still has the 4 console errors above.

I don't know what causes this, can you help me?

markbenson
VMware Employee

The main question is: why does the issue depend so much on which type of browser you use? If I have the wrong settings, why does everything work via Safari, but nothing works via the others?

I really can't understand it!!! Can someone please explain it?

It's because not all browsers insert the "origin" request header in the HTTP POST requests made to Horizon. With the security protection of origin checking, when Chrome and Safari connect they do insert the origin header and therefore when Connection Server is incorrectly configured, it will fail. IE and Firefox only work because they do not insert the origin request header. With developer tools network trace on the browser, you can see the request headers and look for "origin". It does also depend on browser versions as well as browser types as to whether they use the origin request header.

You can easily identify if this is your problem by looking at the debug log file on Connection Server. If you see a message like:

Unexpected Origin: https://192.168.0.209

(with the hostname or IP address that the browser client used) then this is certainly the main issue and needs to be corrected.

You will also see that requests made to /broker/xml will respond with an HTTP error 404 when this is misconfigured.

When you correct the locked.properties file, you need to restart the Connection Server service (or reboot) for the setting to take effect.
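
The log check and locked.properties review described in the two replies above, as an added Python example that is not part of the thread or VMware tooling: it pulls the hostnames out of "Unexpected Origin" entries and compares them with the file's balancedHost entry and any portalHost.N entries (keys from the Horizon origin-checking documentation, not this thread). The sample log and properties text are constructed in the format quoted above, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in the format of the log entries quoted in the thread.
SAMPLE_LOG = """\
2017-03-29T11:23:24.748+01:00 ERROR (1230-1198) <Thread-32> [SimpleAJPService] (ajp:broker:Request2) Unexpected Origin: https://vdi.myco.com
2017-03-29T11:24:02.310+01:00 ERROR (1230-1201) <Thread-35> [SimpleAJPService] (ajp:broker:Request7) Unexpected Origin: https://VDI.myco.com:443
2017-03-29T11:25:40.002+01:00 ERROR (1230-1207) <Thread-41> [SimpleAJPService] (ajp:broker:Request9) Unexpected Origin: https://192.168.0.209
"""
# Constructed locked.properties content.
SAMPLE_PROPERTIES = "# origin checking\nbalancedHost=vdi.myco.com\n"

ORIGIN_RE = re.compile(r"Unexpected Origin:\s*(\S+)")

def rejected_hosts(log_text):
    """Count hostnames from 'Unexpected Origin' entries (lower-cased, port dropped)."""
    hosts = Counter()
    for match in ORIGIN_RE.finditer(log_text):
        host = urlsplit(match.group(1)).hostname
        if host:
            hosts[host] += 1
    return hosts

def parse_properties(text):
    """Read key=value lines, skipping blanks and '#' or '!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def review(log_text, properties_text):
    """Compare rejected origins in the log with hosts already listed in the file."""
    props = parse_properties(properties_text)
    allowed = {v.lower() for k, v in props.items()
               if k == "balancedHost" or k.startswith("portalHost.")}
    seen = rejected_hosts(log_text)
    return {
        "check_disabled": props.get("checkOrigin", "").lower() == "false",
        "to_add": sorted(h for h in seen if h not in allowed),
        # Listed in the file yet still rejected in the log.
        "rejected_despite_entry": sorted(h for h in seen if h in allowed),
    }
```

A host reported under rejected_despite_entry is already in the file, so the first thing to check is whether the Connection Server service was restarted after the edit and whether the log entries predate it.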

ALEX_TSM
Enthusiast

Hello markbenson,

Very big thanks for your reply!

Now, I completely understand how it works.

357831400
Contributor

I met the same problem. So why is it just Safari?

markbenson
VMware Employee

So why is it just Safari?

It's because Safari puts in the origin request header. Refer to my previous post.

Mark

357831400
Contributor

Thanks for the reply, but I already added a line at the end of locked.properties with checkOrigin=false, so there will be no more origin problems, right?

fai_chrisb
Contributor

So the odd thing on mine is, that I have both added the external URL to the files on both connection servers which my UAG appliances connect to, and (to test) turned off origin checking. I am still getting this issue.

When I review the logs, the unexpected origin error is there, but it is with the same external URL that I have added to the locked.properties file.
