Archive | October, 2017

Persistence Profile – F5 LTM Load Balancing for VMware Unified Access Gateway Appliance

18 Oct

If you are using F5 LTM in the DMZ to load balance (LB) the VMware Unified Access Gateway (UAG) appliance, it is very important to use the iAPP or the F5 Deployment guide to set the Persistence Profile options properly or/else you might end up with issues.

Background:

The F5 LTM VIP for UAG Appliance was created manually without using the f5_vmware_view iApp and the Persistence Profile settings were manually configured. (I highly recommend to use the iApp and go through the F5 deployment guides)

Issue1:

The BLAST connection fails in the backend. The original SessionID request was going to UAG1 and due to the LB in the front the next request for the same SessionID was going to UAG2.

Log Snippet UAG1:
[2017-XX-XX 12:50:33.428] [INFO]    2289 [absg-master] – Added route 810DF5FF-*** to target 10.x.x.x|22443

Log Snippet UAG2:
[2017-XX-XX 12:50:35.589] [ERROR]    2723 [absg-worker] – Failed to resolve proxying route: 810DF5FF-***

As noted above the SessionID is the same but the initial BLAST connection request is going to different UAG appliance instead of going to the same appliance which it originally initiated.

Issue2:
You might time to time receive an Error Message “Your session has expired. Please re-connect the server” while entering the username, password and 2-factor authentication details on UAG landing page. It has to do with the timeout value on the F5 persistence profile – Source IP Address

Session has expired

Solution:
Whenever you have F5 LTM as the Load Balancer in front of UAG make sure you handle these three settings carefully to not run into the above described issue:

Timeout Value: Specifies the duration of the persistence entries.
This value should match the Horizon Administrator(Global Settings – View Administrator session timeout) time out value. The default value set on the F5 LTM is 180 seconds = 3 mins

Example – If the View Administrator session timeout is 480 mins

View Admin Session Timeout
Then we should set the same value under the F5 Timeout value in seconds

F5 Timeout Value

Mirror Persistence: If the active unit goes into the standby mode, the system mirrors any persistence records to its peer.

Mirror Persistence

We had this option un-check as it was a manually configured persistence profile

Match Across Services: All persistent connections from a client IP address that go to the same virtual IP address also go to the same node. The default is disabled

Match Across Services

We had this option un-check as it was a manually configured persistence profile

How does the overall Persistence of the profile look:
Persistence Profile f5

If you are using the F5 Horizon iApp for the configuration of the UAG VIP then you might not end-up with the above issue.

I hope you find these tips useful during the F5 LTM VIP creation for VMware Unified Access Gateway Appliance.

Thanks,
Aresh Sarkari


Troubleshooting Horizon TrueSSO aka Horizon Enrollment Server like a Ninja!

10 Oct

If you have deployed Horizon TrueSSO feature within your environment. Then the most obvious question is how do you troubleshoot during issues? Let me give you some tips and tricks around troubleshooting TrueSSO aka Enrollment Server feature:

  • If you have two teams split one team managing the Active Directory/Certificate Services and other team managing Horizon infrastructure. Then following are the tips for the Horizon Admins. Install the Microsoft RSAT tools on your domain joined machine or Enrollment Servers and install the AD Certificate Services Tools. This will provide you the ability to see the following snap-ins in read-only mode:
    • Enterprise PKI – Allows you to check the CDP and CRL and Issuing CA Status
    • Certificate Templates – TrueSSO, Enrollment Agent (Computer) Templates etc.
SNAGHTML6730c9ff

  • Make sure to Enable the Trace logging on the Enrollment Servers and Horizon Agent (within master image) during troubleshooting. It will provide additional details on the error message
    • [HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM]
      “debugEnabled”=”true”
      “traceEnabled”=”true”
    • How to know whether the end-users logged in via TrueSSO – Interactive_SmartCard_Logon will be visible in the Horizon Agent (if Trace Log is enable)image
    • If TrueSSO is not used and SAML – CLEAR(Text)_PASSWORD is used you will receive the following in Horizon Agent logs (if trace is enable
      image
  • If you have two Issuing CA’s for High Availability and redundancy then make sure you import the TrueSSO template by Clicking Certificate Templates > New > Certificate Template to Issue. Select “TrueSsoTemplate” from the “Enable Certificate Templates” dialog and press “OK.” on the other Issuing CA. If you skip this step it will complain in Horizon Administrator dashboard – The primary and secondary enrollment server is not connected to the certificate servers “XXXXXX
  • Read and learn to use the VMWare Fling es_diag.exe it will provide a lot of information from the Horizon Enrollment Server stand point and equip you to troubleshoot issues with Certificate Servers.
    • /ListConfigs
    • /ListEnvironment
    • /EnrollmentTest

My colleague Tarique Chowdhury has posted few troubleshooting steps in the following post under Section – Testing it will provide more details as to what to look in the logs.

Log Entries 1
Log Entries 2

I hope you find this post useful during the Horizon TrueSSO aka Enrollment Server troubleshooting.

Thanks,
Aresh Sarkari

Top 10 lessons during Horizon TrueSSO deployment aka Horizon Enrollment Servers

6 Oct

Recently got an opportunity to deploy the VMware Horizon TrueSSO within our environment. TrueSSO provides user with the True SSO (single sign-on) feature, after users log in to VMware Identity Manager (WorkSpaceOne) using a RSA SecurID authentication(optional), users are not required to enter Active Directory credentials in order to use virtual desktop or hosted application.

Let me share my top 10 lessons learnt from the deployment:

  1. In the production deployment recommend to size the Enrollment Server Windows VM as same as the Connection Server(ES role is not very resource intensive)
    • CPU – 4 vCPU
    • Memory – 10 GB RAM
    • HDD – 80 GB
  2. Make sure the “Group Scope” is selected as “Universal” for the  Active Directory Group in which the Enrollment Server – Computer Account is added
  3. On the newly created TrueSSO template (SmartCard Login and Client Authentication) make sure under the Security Tab “Authenticated Users” group has Read permissions and The Active Directory group for the Enrollment Servers (Computer Account) has Read and Enroll
  4. If you are deploying more than one Enrollment Server go in the Horizon ADAM database and add the following value to load balance between two Enrollment Servers:
    cs-view-certsso-enable-es-loadbalance=true
  5. For Large scale AD deployments, it is recommend to add the registry for “ConnectToDomains”=domainname.com
    HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service
    ConnectToDomain
  6. Make Sure the template to be used for TrueSSO, you have selected the check box “Do not store certificate and request in the CA database” and run the following command on the CA server. (without quotes)
    “certutil –setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS”
    TrueSSO Template Properties
  7. To support Smartcard Logon the following Requirements must be met by the Domain Controller or Kerberos Authentication Certificate:
    • Template name should be Domain Controller or Kerberos Authentication Certificate
      Kerberos Template Properties
    • DNS Name should be selected under Subject Name
      Subject Name Properties
    • Key Usage Extension should be “Digital Signature” and “Key Enciphement
      Key Usage Extension
  8. Make sure the the CA issuing Domain Controller Certificates has the following requirements met (Use GPO’s to deploy the below)
    • Add the Root Certificate to the Enterprise NTAuth Store
    • Add the Root Certificate to Trusted Root Certification Authorities
    • Add an Intermediate Certificate to Intermediate Certification Authorities
  9. Use the True SSO Diagnostic Utility Fling to troubleshoot Enrollment Server, Active Directory PKI Settings and Enterprise CA
  10. On the Domain Controllers under the registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates
    A key with the “Issuing CA Certificate” thumbprint needs to be created on all the domain controllers participating in the TrueSSO. Ideally if the Step 7&8 are done correctly you should not run into this problem. (In our case we had to open-up a Microsoft Case to get this resolved as we were receiving KDC errors.)

My colleague Tarique Chowdhury has written three awesome blog post on the TrueSSO feature make sure to check them out:

Introduction https://blogs.vmware.com/euc/2016/03/true-sso-single-sign-on-view-identity-manager-authenticate.html

Advance https://blogs.vmware.com/euc/2017/02/horizon-7-sso-advanced-features.html

Setting up in Labhttps://blogs.vmware.com/euc/2016/04/true-sso-setting-up-in-a-lab.html

I hope you find this post useful during the Horizon TrueSSO deployment

Thanks,
Aresh Sarkari