
Troubleshooting Horizon TrueSSO aka Horizon Enrollment Server like a Ninja!

10 Oct

If you have deployed the Horizon TrueSSO feature in your environment, the obvious question is how you troubleshoot it when something goes wrong. Here are some tips and tricks for troubleshooting TrueSSO, aka the Enrollment Server feature:

  • If responsibilities are split between two teams, one managing Active Directory/Certificate Services and the other managing the Horizon infrastructure, the following tip is for the Horizon admins. Install the Microsoft RSAT tools on a domain-joined machine or on the Enrollment Servers and add the AD Certificate Services Tools. This gives you the following snap-ins in read-only mode:
    • Enterprise PKI – lets you check the CDP and CRL locations and the Issuing CA status
    • Certificate Templates – the TrueSSO, Enrollment Agent (Computer) templates, etc.

  • Enable trace logging on the Enrollment Servers and on the Horizon Agent (in the master image) while troubleshooting. It adds detail to the error messages:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM]
      "debugEnabled"="true"
      "traceEnabled"="true"
    • How to tell whether an end user logged in via TrueSSO – Interactive_SmartCard_Logon appears in the Horizon Agent log (if trace logging is enabled)
    • If TrueSSO is not used and SAML – CLEAR(Text)_PASSWORD is used instead, you will see CLEAR(Text)_PASSWORD in the Horizon Agent log (if trace logging is enabled)
  • If you have two Issuing CAs for high availability and redundancy, make sure you also publish the TrueSSO template on the second Issuing CA: click Certificate Templates > New > Certificate Template to Issue, select "TrueSsoTemplate" in the "Enable Certificate Templates" dialog and press "OK". If you skip this step the Horizon Administrator dashboard will complain – The primary and secondary enrollment server is not connected to the certificate servers "XXXXXX
  • Read up on and learn to use the VMware Fling es_diag.exe. It provides a lot of information from the Horizon Enrollment Server's standpoint and equips you to troubleshoot issues with the certificate servers:
    • /ListConfigs
    • /ListEnvironment
    • /EnrollmentTest
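As an added example (not from the original post, nor VMware's tooling), the following PowerShell enables the two trace values named above and then counts TrueSSO logons versus clear-text password logons from the Horizon Agent log files, so you can see at a glance whether TrueSSO is actually in effect. The log directory C:\ProgramData\VMware\VDM\logs and the debug-*.txt file pattern are assumptions; adjust them to your agent version.

```powershell
# Added example, not from the original post.
# Assumptions: registry key and value names as quoted in the post;
# Horizon Agent logs live under C:\ProgramData\VMware\VDM\logs as debug-*.txt.
$vdmKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM'
$logDir = 'C:\ProgramData\VMware\VDM\logs'     # assumed agent log location

function Enable-HorizonTraceLogging {
    # Both values are REG_SZ strings set to "true", as in the .reg fragment above.
    foreach ($name in 'debugEnabled', 'traceEnabled') {
        New-ItemProperty -Path $vdmKey -Name $name -Value 'true' `
            -PropertyType String -Force | Out-Null
    }
}

function Get-HorizonLogonMethodSummary {
    # Counts logons that used TrueSSO (Interactive_SmartCard_Logon) versus SAML
    # sessions that fell back to a clear-text password (CLEAR(Text)_PASSWORD).
    param([string]$Path = $logDir)
    $files    = Join-Path $Path 'debug-*.txt'
    $trueSso  = Select-String -Path $files -SimpleMatch -Pattern 'Interactive_SmartCard_Logon' -ErrorAction SilentlyContinue
    $password = Select-String -Path $files -SimpleMatch -Pattern 'CLEAR(Text)_PASSWORD' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TrueSsoLogons    = @($trueSso).Count
        PasswordLogons   = @($password).Count
        # Files in which a clear-text password was used: each one is a session
        # where TrueSSO was not in effect and is worth a follow-up.
        PasswordLogFiles = @($password | Select-Object -ExpandProperty Path -Unique)
    }
}

Enable-HorizonTraceLogging
Get-HorizonLogonMethodSummary | Format-List
```

Run it on the master image (or any desktop built from it) after a few test logons; a non-zero PasswordLogons count tells you which log files to open first.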

My colleague Tarique Chowdhury has posted a few troubleshooting steps in the following post under the section "Testing"; it gives more detail on what to look for in the logs.

Log Entries 1
Log Entries 2

I hope you find this post useful during the Horizon TrueSSO aka Enrollment Server troubleshooting.

Thanks,
Aresh Sarkari

Top 10 lessons during Horizon TrueSSO deployment aka Horizon Enrollment Servers

6 Oct

I recently got the opportunity to deploy VMware Horizon TrueSSO in our environment. TrueSSO provides users with true single sign-on: after users log in to VMware Identity Manager (Workspace ONE), optionally with RSA SecurID authentication, they are not required to enter Active Directory credentials again in order to use a virtual desktop or hosted application.

Let me share my top 10 lessons learnt from the deployment:

  1. For production deployments I recommend sizing the Enrollment Server Windows VM the same as the Connection Server (the ES role is not very resource intensive):
    • CPU – 4 vCPU
    • Memory – 10 GB RAM
    • HDD – 80 GB
  2. Make sure the "Group Scope" of the Active Directory group that contains the Enrollment Server computer accounts is "Universal"
  3. On the newly created TrueSSO template (Smart Card Logon and Client Authentication), make sure that under the Security tab the "Authenticated Users" group has Read permission and the Active Directory group for the Enrollment Servers (computer accounts) has Read and Enroll
  4. If you are deploying more than one Enrollment Server, go into the Horizon ADAM database and add the following value to load balance between the two Enrollment Servers:
    cs-view-certsso-enable-es-loadbalance=true
  5. For large-scale AD deployments it is recommended to add the registry value "ConnectToDomains"=domainname.com under:
    HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service
  6. On the template used for TrueSSO, make sure the check box "Do not store certificate and request in the CA database" is selected, and run the following command on the CA server:
    certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
    (Screenshot: TrueSSO Template Properties)
  7. To support smart card logon, the Domain Controller or Kerberos Authentication certificate must meet the following requirements:
    • The template should be Domain Controller or Kerberos Authentication (screenshot: Kerberos Template Properties)
    • DNS Name should be selected under Subject Name (screenshot: Subject Name Properties)
    • The Key Usage extension should include "Digital Signature" and "Key Encipherment" (screenshot: Key Usage Extension)
  8. Make sure the CA issuing the Domain Controller certificates meets the following requirements (use GPOs to deploy the items below):
    • Add the Root Certificate to the Enterprise NTAuth Store
    • Add the Root Certificate to Trusted Root Certification Authorities
    • Add an Intermediate Certificate to Intermediate Certification Authorities
  9. Use the True SSO Diagnostic Utility Fling to troubleshoot Enrollment Server, Active Directory PKI Settings and Enterprise CA
  10. On the domain controllers, under the registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates
    a key named with the "Issuing CA Certificate" thumbprint needs to exist on every domain controller participating in TrueSSO. If steps 7 and 8 are done correctly you should not run into this problem. (In our case we had to open a Microsoft case to get this resolved, as we were receiving KDC errors.)
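Lessons 5, 6, 8 and 10 above are all "is the prerequisite actually in place?" questions, and they are the ones that surface later as vague KDC or enrollment errors. The PowerShell below is an added pre-flight check (not from the original post and not a VMware tool) that verifies each of them from an Enrollment Server with RSAT installed. The thumbprints, domain controller and CA host names are placeholders to replace; the registry paths, store names and the DBFlags value are the ones the post names.

```powershell
# Added example, not from the original post. Pre-flight checks for lessons
# 5, 6, 8 and 10. Thumbprints and host names below are placeholders.
$issuingCaThumbprint = 'REPLACE-WITH-ISSUING-CA-THUMBPRINT'   # placeholder
$rootCaThumbprint    = 'REPLACE-WITH-ROOT-CA-THUMBPRINT'      # placeholder
$domainControllers   = 'dc1.example.com', 'dc2.example.com'   # constructed names
$caServer            = 'ca1.example.com'                      # constructed name

function Test-NtAuthRegistryEntry {
    # Lesson 10: every DC needs HKLM\...\NTAuth\Certificates\<Issuing CA thumbprint>.
    param([string[]]$Computers, [string]$Thumbprint)
    $key = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\$Thumbprint"
    foreach ($dc in $Computers) {
        [pscustomobject]@{
            Check   = 'NTAuth registry key'
            Target  = $dc
            Present = Invoke-Command -ComputerName $dc -ScriptBlock { Test-Path $using:key }
        }
    }
}

function Test-RootInTrustedRootStore {
    # Lesson 8: the root certificate must be in Trusted Root Certification Authorities.
    param([string]$Thumbprint)
    $found = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Thumbprint
    [pscustomobject]@{ Check = 'Root CA in LocalMachine\Root'; Target = $env:COMPUTERNAME; Present = [bool]$found }
}

function Test-EnterpriseNtAuthStore {
    # Lesson 8: the certificate must also be in the Enterprise NTAuth store.
    # certutil prints hashes with spaces between bytes, so strip them before matching.
    param([string]$Thumbprint, [string]$Label)
    $store = (& certutil -enterprise -store NTAuth | Out-String) -replace ' ', ''
    [pscustomobject]@{ Check = "$Label in Enterprise NTAuth"; Target = 'AD'; Present = ($store -match $Thumbprint) }
}

function Test-CaVolatileRequests {
    # Lesson 6: the CA must have DBFLAGS_ENABLEVOLATILEREQUESTS set (certutil decodes the flag names).
    param([string]$Computer)
    $flags = Invoke-Command -ComputerName $Computer -ScriptBlock { & certutil -getreg DBFlags | Out-String }
    [pscustomobject]@{ Check = 'DBFLAGS_ENABLEVOLATILEREQUESTS'; Target = $Computer; Present = ($flags -match 'DBFLAGS_ENABLEVOLATILEREQUESTS') }
}

function Test-ConnectToDomains {
    # Lesson 5: ConnectToDomains under the Enrollment Service key on this Enrollment Server.
    $key   = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service'
    $value = (Get-ItemProperty -Path $key -Name ConnectToDomains -ErrorAction SilentlyContinue).ConnectToDomains
    [pscustomobject]@{ Check = 'ConnectToDomains'; Target = $env:COMPUTERNAME; Present = [bool]$value }
}

$results = @(
    Test-NtAuthRegistryEntry -Computers $domainControllers -Thumbprint $issuingCaThumbprint
    Test-RootInTrustedRootStore -Thumbprint $rootCaThumbprint
    Test-EnterpriseNtAuthStore -Thumbprint $rootCaThumbprint -Label 'Root CA'
    Test-EnterpriseNtAuthStore -Thumbprint $issuingCaThumbprint -Label 'Issuing CA'
    Test-CaVolatileRequests -Computer $caServer
    Test-ConnectToDomains
)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Present }) {
    Write-Warning 'One or more TrueSSO prerequisites are missing; fix these before opening a support case.'
}
```

Every check returns an object with a Present flag rather than printing text, so the same script can be dropped into a scheduled job and alert on any false result after a GPO or CA change.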

My colleague Tarique Chowdhury has written three great blog posts on the TrueSSO feature; make sure to check them out:

Introduction https://blogs.vmware.com/euc/2016/03/true-sso-single-sign-on-view-identity-manager-authenticate.html

Advance https://blogs.vmware.com/euc/2017/02/horizon-7-sso-advanced-features.html

Setting up in Lab https://blogs.vmware.com/euc/2016/04/true-sso-setting-up-in-a-lab.html

I hope you find this post useful during the Horizon TrueSSO deployment

Thanks,
Aresh Sarkari

Horizon 7.2 – RDS Farm with View Composer fails on “Customizing”

21 Jul

While creating an RDSH farm in Horizon 7.2 using View Composer linked clones and a customization specification (Customization Specification Manager), the creation would fail at "Customizing" in the View Administrator console. Investigating in vCenter showed that the Windows Server 2012 R2 RDS Session Host VMs were not getting a valid IP address and were receiving 169.x.x.x APIPA addresses.

After researching quite a bit the most common solution to the problem was:

  • Un-install and re-install vmwaretools
  • Un-install and re-install Horizon Agent 7.2 on RDS Master Image

After performing the above two steps the issue changed completely: instead of a 169.x.x.x APIPA address the VMs received a proper, routable address from the DHCP server. However, we then hit a different error:

Windows could not finish configuring the system after a generalized sysprep.


Final Solution

Within the master image we were using the McAfee VSE agent with Patch 7 as antivirus protection. This particular version was causing sysprep to fail during customization.

After following the McAfee KB below and installing VSE Patch 9 the error was resolved, and customization of the RDS VMs according to the customization specification succeeded.

Reference Link:
Windows could not finish configuring the system (Sysprep fails when VirusScan Enterprise Patch 7/8 is included in a Windows installation image)

I hope this solution saves you time in getting your Horizon 7.2 RDSH farm created.

Thanks,
Aresh

Error accessing iOS devices – VMware Horizon View 7.x and F5 BIG IP APM 12.x

6 Feb

If you have recently upgraded to Horizon 7.x and use BIG-IP APM version 12.1, you may find that your Apple iPad and other iOS devices no longer work. The following error message appears in the Horizon View Client (screenshot from an iPad):


Error: The Horizon server connection failed. Error the connection timed out.

Resolution:
In our scenario all other devices, such as Android and Windows, were working fine. To fix the problem we had to create a new F5 iRule (name it F5-APM-iOS-fix):

when HTTP_REQUEST {
    # Strip the Origin header the iOS client sends, which APM 12.1 otherwise rejects
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
}

Note: Make sure you apply this iRule to the existing Horizon View iApp; otherwise it will not let you apply the iRule and you may get an error message.

Reference KB Article:
K84958121:
Accessing VMware Horizon 7 through the BIG-IP APM system

Thanks,
Aresh

Collect Horizon View Connection Server Logs in vRealize Log Insight

12 May

If you are using the VMware Horizon View Content Pack for Log Insight, it can capture the Connection Server logs (Log-Date.txt, Debug-Date.txt, etc.). However, it doesn't work out of the box by deploying the Content Pack alone. You have to apply the View GPO (vdm_common.adm) to the Connection Servers in order for the logs to be captured by Log Insight. In our scenario, without the GPO it only captured the Windows Application, System and Security event logs.

You need to perform the following steps:

  1. Download the Horizon 6 View GPO Bundle (VMware-Horizon-View-Extras-Bundle-3.5.0-2999900.zip) from the https://my.vmware.com Downloads section. The build number will depend on your version of Horizon View
  2. Extract the View Common Configuration Template (vdm_common.adm) from the zip bundle and copy it to the domain controller
  3. Create a new OU, name it e.g. ViewServers, and move all the Connection Server machine accounts into that OU
  4. Open gpmc.msc on the domain controller, go to the newly created OU – ViewServers, choose "Create a GPO in this domain, and Link it here", name the GPO ViewLoginsight and then click Edit
  5. Go to Computer Configuration –> Policies –> Administrative Templates, right click and open "Add/Remove Templates" to import the vdm_common.adm file
  6. Go to Computer Configuration –> Policies –> Administrative Templates –> Classic Administrative Templates (ADM) –> VMware View Common Configuration –> Log Configuration
  7. Select "Send Logs to Syslog server", choose Enabled, and under "Send logs to Syslog Server" type Level|LogInsightIPAddress (e.g. Debug|10.10.10.1, Info|10.10.10.1 or Trace|10.10.10.1)
  8. On the Connection Server VM make sure the following entry is present. Navigate to %ProgramData%\VMware\Log Insight Agent\
  9. Open the liagent.ini file in any text Editor (Notepad, Notepad ++ etc.)
  10. Add the following configuration parameters to the file
    [filelog|ViewMain]
    
    directory="C:\ProgramData\VMware\VDM\logs"
    include=log-*.txt;debug-*.txt
    exclude=wsnm_starts.txt
    Note: We are only capturing the logs from the Connection Server, not from the View Agent (deployed on the desktops). We have removed pcoip_server and pcoip_agent from the default string given under Tech Specs on the Solution Exchange portal page.
  11. Save and Restart the VMware Log Insight Agent service.

You will see the Horizon View Connection Server logs being captured in Log Insight (example below):


There is also a detailed blog post on this topic by one of my colleagues, Sivaprasad – http://incloudnet.com/2015/01/08/view-loginsight-support/

Thanks,
Aresh

Monitoring Horizon View Connection Server LDAP Replication

29 Feb

If you wish to monitor the LDAP replication traffic between the Horizon View Connection Servers (CS) in your environment, simply run the following command against each replicating CS individually. Note: run the command on a CS, or make sure Windows Remoting is enabled so you can execute it from a remote machine.
CON1:

repadmin /showrepl con1.example.com:389 /errorsonly

If the command returns without listing any errors, inbound and outbound replication is successful on this CS.

Suppose you have 4 CS in your environment and would like to monitor replication across all of them. You could schedule a task to check replication between the CS every 4 hours and send the report to the responsible monitoring team for further action. In my case I am running the command from a remote machine that has SMTP enabled to send emails.


CON1 – CON4: type the following into Notepad and save it as a batch file named 'replication.cmd'

repadmin /showrepl con1.example.com:389 /errorsonly
repadmin /showrepl con2.example.com:389 /errorsonly
repadmin /showrepl con3.example.com:389 /errorsonly
repadmin /showrepl con4.example.com:389 /errorsonly

How to check the outbound partners of a Connection Server
If you want to see the outbound replication partners of a CS, run the following command on each server (by default only inbound partners are shown):

repadmin /showrepl con1.example.com:389 /repsto


How to check replication status with Cloud Pod Architecture enabled
The only difference when testing CS replication with CPA is the port number. Run the following command:

repadmin /showrepl con1.example.com:22389
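The batch file above gives you the raw output; the scheduled check described earlier also needs to decide whether anything went wrong and mail someone only when it did. The PowerShell below is an added example (not from the original post) that runs repadmin /showrepl with /errorsonly against each CS, treats a non-zero exit code or an error line as a failure, and sends a report only for failing servers. The server names and SMTP settings are constructed placeholders; switch the port to 22389 to check the Cloud Pod Architecture instance the same way.

```powershell
# Added example, not from the original post. Server names and SMTP settings
# are constructed placeholders; repadmin.exe must be available on the host.
$connectionServers = 'con1.example.com', 'con2.example.com', 'con3.example.com', 'con4.example.com'
$ldapPort = 389          # 22389 for the Cloud Pod Architecture (global data) LDAP instance
$mail = @{
    SmtpServer = 'smtp.example.com'
    From       = 'horizon-monitor@example.com'
    To         = 'vdi-team@example.com'
}

function Get-ConnectionServerReplicationStatus {
    # One object per server. With /errorsonly a healthy server prints no failure
    # lines; a non-zero exit code (instance unreachable) also counts as a failure.
    param([string[]]$Servers, [int]$Port = 389)
    foreach ($server in $Servers) {
        $output   = & repadmin /showrepl "${server}:$Port" /errorsonly 2>&1 | Out-String
        $exitCode = $LASTEXITCODE
        $hasError = ($exitCode -ne 0) -or ($output -match 'failed|Last error')
        [pscustomobject]@{
            Server   = $server
            Healthy  = -not $hasError
            ExitCode = $exitCode
            Output   = $output.Trim()
        }
    }
}

function Send-ReplicationReport {
    # Mails only the failing servers, so a healthy run stays silent.
    param([object[]]$Status, [hashtable]$MailSettings)
    $failed = @($Status | Where-Object { -not $_.Healthy })
    if ($failed.Count -eq 0) { return }
    $body = ($failed | ForEach-Object { "== $($_.Server) (exit $($_.ExitCode)) ==`n$($_.Output)" }) -join "`n`n"
    Send-MailMessage @MailSettings -Subject "Horizon CS LDAP replication errors on $($failed.Count) server(s)" -Body $body
}

$status = Get-ConnectionServerReplicationStatus -Servers $connectionServers -Port $ldapPort
$status | Format-Table Server, Healthy, ExitCode -AutoSize
Send-ReplicationReport -Status $status -MailSettings $mail
```

Register the script as the scheduled task instead of replication.cmd and the 4-hourly run only produces mail when a CS has stopped replicating.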


This was a quick way to monitor the LDAP replication between CS!

Thanks,
Aresh

Installing Horizon View Connection Server 6.2.2 (Replica Server)

16 Feb

In this blog post I will capture the steps involved in installing a Replica Connection Server. The post is mainly for people who want a glance at the installation steps for Horizon 6 View Connection Server (64 bit) 6.2.2 – Build Number: 3508079

View experts please skip this post, if you are already familiar with the steps.

Installation of the Replica Horizon 6 Connection Server

Step 1: Right click on the Connection Server package and select ‘Run as Administrator’

Step 2: Click on ‘Next’. The version number shows as ‘6.2.2’

Step 3: Click on ‘I accept the terms in the license agreement’ and select ‘Next’

Step 4: Leave the installation in the default directory and select ‘Next’

Step 5: As this is the Replica (second) Connection Server of the environment, select ‘Horizon 6 Replica Server’ and ‘Install HTML Access’. ‘IPv4’ is selected by default; click on ‘Next’

Step 6: Enter the FQDN of the primary Connection Server ‘con1.example.com’

Step 7: Click ‘Configure Windows Firewall automatically’ and select ‘Next’

Step 8: Click on ‘Install’ to begin installing the Connection Server

Step 9: Watch the progress

Step 10: Uncheck ‘Show the readme files’ and click on ‘Finish’

Step 11: On your desktop there will be an icon ‘Horizon 6 Administrator’

Step 12: Enter the ‘Username’ and ‘Password’

Checkout the next blog post:
Installing Horizon View Connection Server 6.2.2 (Standard Server)
Installing Horizon View Composer Server 6.2.2

Thanks,
Aresh

Installing Horizon View Connection Server 6.2.2 (Standard Server)

16 Feb

In this blog post I will capture the steps involved in installing the first Connection Server, aka the Standard Server. The post is mainly for people who want a glance at the installation steps for Horizon 6 View Connection Server (64 bit) 6.2.2 – Build Number: 3508079

View experts please skip this post, if you are already familiar with the steps.

Installation of the First (Standard Server) Horizon 6.2.2 Connection Server

Step 1: Right click on the Connection Server package and select ‘Run as Administrator’

Step 2: Click on ‘Next’. The version number shows as ‘6.2.2’

Step 3: Click on ‘I accept the terms in the license agreement’ and select ‘Next’

Step 4: Leave the installation in the default directory and select ‘Next’

Step 5: As this is the first Connection Server of the environment, select ‘Horizon 6 Standard Server’ and ‘Install HTML Access’. ‘IPv4’ is selected by default; click on ‘Next’

Step 6: Enter the data recovery password used to recover backups and select ‘Next’

Step 7: Click ‘Configure Windows Firewall automatically’ and select ‘Next’

Step 8: Enter the administrators group name in ‘domainname\groupname’ format and select ‘Next’

Step 9: If you want to participate in the UEIP program, select ‘Participate’ and click ‘Next’

Step 10: Click on ‘Install’ to begin installing the Connection Server

Step 11: Uncheck ‘Show the readme files’ and click on ‘Finish’

Step 12: On your desktop there will be an icon ‘Horizon 6 Administrator’

Step 13: Enter the ‘Username’ and ‘Password’

Step 14: Check the version under About: 6.2.2

Checkout the next blog post:
Installing Horizon View Connection Server 6.2.2 (Replica Server)
Installing Horizon View Composer Server 6.2.2

Thanks,
Aresh

Horizon View 6.2 Secondary Credentials for One-way trust

30 Nov

Horizon View 6.2 introduced a new feature for Active Directory one-way trusts. If you have installed and configured a Connection Server (CS) and then, while performing entitlements under 'Users & Groups' or browsing the 'AD Container' (Guest Customization) during pool creation, you encounter the following error message in the View Administrator console:

Query Error

Follow these steps to fix the issue by adding secondary credentials on the CS using the vdmadmin command.

  1. On the CS, open a command prompt with administrator privileges
  2. Change the directory to C:\Program Files\VMware\VMware View\Server\tools\bin
  3. Command to add the secondary credentials:
    vdmadmin -T -domainauth -add -owner domain\viewadminUIuser -user domain\trustdomainuser -password trustdomainpassword
  4. Command to remove the secondary credentials:
    vdmadmin -T -domainauth -remove -owner domain\viewadminUIuser -user domain\trustdomainuser
  5. Command to list all the secondary credentials for the specified account:
    vdmadmin -T -domainauth -list -owner domain\viewadminUIuser
  6. Repeat step 3 for each additional View Administrator who needs the ability to entitle users and groups or create desktop pools

Usage Notes:
After the -owner switch, give the user account used to log in to the View Administrator console
After the -user switch, give the credentials of the user or service account in the trusted domain where the users, groups, OU structure, etc. reside
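Step 6 says to repeat the -add command for every View Administrator account. The PowerShell below is an added example (not from the original post, nor VMware's tooling) that runs the vdmadmin commands above for a list of owner accounts, prompts for the trusted-domain password instead of embedding it in the script, and lists the result for each owner. The account names are constructed placeholders; the vdmadmin path and switches are the ones given in the post.

```powershell
# Added example, not from the original post. Account names are placeholders.
$vdmadmin  = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmadmin.exe'
$owners    = 'corp\viewadmin1', 'corp\viewadmin2'   # accounts that log in to View Administrator
$trustUser = 'trust\svc-viewbrowse'                 # service account in the trusted domain

# Prompt for the password so it is not stored in the script or in your shell history.
$cred  = Get-Credential -UserName $trustUser -Message 'Password for the trusted-domain account'
$plain = $cred.GetNetworkCredential().Password

function Add-ViewSecondaryCredential {
    # Wraps "vdmadmin -T -domainauth -add" for one owner and surfaces a non-zero exit code.
    param([string]$Owner, [string]$User, [string]$Password)
    & $vdmadmin -T -domainauth -add -owner $Owner -user $User -password $Password
    if ($LASTEXITCODE -ne 0) { Write-Warning "vdmadmin returned $LASTEXITCODE for owner $Owner" }
}

foreach ($owner in $owners) {
    Add-ViewSecondaryCredential -Owner $owner -User $trustUser -Password $plain
    & $vdmadmin -T -domainauth -list -owner $owner      # confirm what is now configured
}
$plain = $null   # drop the clear-text copy as soon as it is no longer needed
```

vdmadmin still receives the password as a command-line argument, so run this interactively on the CS rather than from a scheduled job, and avoid command-line auditing of that one invocation capturing it in your logs.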

After you have added the secondary credentials, you will be able to perform ‘User & Group’ entitlements along with the ability to browse the ‘AD Container’ during the desktop pool creation in View Administrator console.

More details about the Secondary Credentials can also be found in the View Administrator Guide (Page No. 237)

Thanks,
Aresh

Collect Horizon View Composer Logs in vRealize Log Insight

4 Nov

If you are using the VMware Horizon View Content Pack for Log Insight, it doesn't capture the View Composer logs. Since you are using the Log Insight instance to centralize all your logs, you may want to capture the Horizon View Composer logs as well; follow these steps:

  1. Install the log Insight Agent on the Horizon View Composer server VM within your environment
  2. Navigate to %ProgramData%\VMware\Log Insight Agent\
  3. Open the liagent.ini file in any text Editor (Notepad, Notepad ++ etc.)
  4. Add the following configuration parameters to the file
    [filelog|ViewComposer]
    directory="C:\ProgramData\VMware\View Composer\Logs"
    include=vmware*.log
    exclude=vmware-viewcomposer-audit.log;vmware-sviconfig.log

  5. Save and Restart the VMware Log Insight Agent service.
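Both this post and the Connection Server post above end with the same manual edit: append a [filelog|...] section to liagent.ini and restart the agent. The PowerShell below is an added example (not from the original post, nor a VMware tool) that makes that edit idempotent, so re-running it on a server that already has the section does nothing, and then restarts the agent service. It uses the two sections exactly as the posts give them; run the ViewMain call on a Connection Server and the ViewComposer call on the View Composer server. The liagent.ini path is the one named in the posts; the service is looked up by its display name.

```powershell
# Added example, not from the original post. Appends a [filelog|<name>] section
# to liagent.ini only if it is not already there, then restarts the agent.
$iniPath = Join-Path $env:ProgramData 'VMware\Log Insight Agent\liagent.ini'

function Add-LiAgentFileLogSection {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Directory,
        [Parameter(Mandatory)][string]$Include,
        [string]$Exclude,
        [string]$Path = $iniPath
    )
    $header   = "[filelog|$Name]"
    $existing = Get-Content -Path $Path -ErrorAction Stop
    if ($existing -contains $header) {
        Write-Verbose "$header already present in $Path; nothing to do"
        return $false
    }
    $lines = @('', $header, "directory=`"$Directory`"", "include=$Include")
    if ($Exclude) { $lines += "exclude=$Exclude" }
    Add-Content -Path $Path -Value $lines
    return $true
}

# Connection Server section (from the Connection Server post); run this on a CS.
Add-LiAgentFileLogSection -Name 'ViewMain' -Directory 'C:\ProgramData\VMware\VDM\logs' `
    -Include 'log-*.txt;debug-*.txt' -Exclude 'wsnm_starts.txt'

# View Composer section (this post); run this on the View Composer server.
Add-LiAgentFileLogSection -Name 'ViewComposer' -Directory 'C:\ProgramData\VMware\View Composer\Logs' `
    -Include 'vmware*.log' -Exclude 'vmware-viewcomposer-audit.log;vmware-sviconfig.log'

# Step 5: restart the agent so it picks up the new section.
Get-Service -DisplayName 'VMware Log Insight Agent' | Restart-Service
```

The function returns $true only when it actually changed the file, which lets a configuration-management job decide whether the restart is needed at all.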

You will see the Horizon View Composer logs being captured in Log Insight (example below):


Thanks,
Aresh