How to fix VMware View Server certificate revocation check connection error?

Dear community,

For about 2 weeks I have been seeing a certificate revocation check error in our Horizon View 6.2 environment. The strange thing is that within about 12 hours both (replica) connection servers and the vCenter Server / Composer server (on the same machine) are considered to have invalid certificates, even though they are in fact valid (CA-issued certificates). We use no security servers.

The View admin console shows the following for the connection servers:

The server certificate is not approved.

The server certificate cannot be verified.

For the vCenter it says (after I manually validated the certificate):

No problems found.

Certificate is not approved, but the certificate thumbprint is accepted.

With connection server logging set to 'full', the connection server log states the following for the vCenter server:

TRACE (B 17-0 - 0E98) < VCHealthUpdate > [NativeKeyVault] validateCertificateChain response: {result = FAIL, EndEntityReasons = cantCheckRevoked, ChainReasons = invalid, SelfSigned = false, EndErrorCode = 16777280, EndInfoCode = 258, ChainErrorCode = 16777280, ChainInfoCode = 256, PolicyErrorCode =-2146885613}

As far as I can see there are no similar entries for the connection server certificates in the log.

At the moment I am running the environment with the Composer and vCenter certificates manually validated and the connection server certificates invalid (red), as View clients and browsers are not affected.

I already checked that I can make everything 'green' again by setting the registry key 'CertificateRevocationCheckType' to 2 (as described in "Configure Certificate Revocation Checking on Server Certificates"). This leads me to the conclusion that one of the intermediate certificates cannot be validated. I also got information that one "version" of an intermediate CA certificate had been revoked. The timing seems to be no coincidence, but that particular version does not appear to be used on my connection servers.

However, even with full logging enabled, I cannot find out which (intermediate) certificate cannot be validated and why. I expected to see something like 'OCSP verification' or 'CRL check', but I can't find it in the logs. I did notice that one of the intermediate certificates lacked the OCSP URL (even though the "Authority Information Access" field existed). Of course I replaced the certificate with a version that contains the OCSP URL, but that did not change anything.

In addition, I manually checked all of the certificates in the chain with openssl (for OCSP) and the CRLs as well, but everything seems to be OK (all URLs are accessible and no certificate in the chain has been revoked). Actually, I do not interpret the error as "the connection server has an invalid certificate because it has been revoked", but as "it cannot check whether it has been revoked". The servers do not need a proxy and none is configured (I checked the proxy settings in the system context, too).

For now the problem is not critical, as the 'red' status of the connection servers has no effect on our users, and I could turn off certificate revocation checking (or switch to checking only the server certificate (2)). But of course I would really like to solve the problem.

Is there anyone who can give me a hint on what to check, e.g. how do I find out which certificate cannot be checked and why? Has anyone had the same or a similar problem? VMware support is working on the problem as well, but they don't seem to know what the problem is, either.

I appreciate any thoughts and responses! Thank you!

Best regards

Fabian
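As an added example (not from the thread and not VMware's code), here is a POSIX shell script that does the per-certificate check the post describes doing by hand with openssl: it walks a PEM chain bundle and reports, for each certificate, whether a revocation checker has an OCSP responder (from the AIA extension) or a CRL distribution point to consult, and flags the certificate it cannot check. It builds its own constructed three-certificate chain (every host name under example.invalid is made up) whose intermediate has an AIA entry but no OCSP URL, the shape described above; it assumes OpenSSL 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added diagnostic script (not from the thread). For each certificate in a PEM
# chain bundle it reports where a revocation checker could look: the OCSP
# responder URL from the Authority Information Access (AIA) extension and the
# CRL distribution point. A non-root certificate offering neither is the one a
# checker will report as "cannot check revocation". Needs OpenSSL 1.1.1+ on
# PATH (for -ext and -addext). All host names below are constructed, not real.
set -eu

# chain_revocation_report BUNDLE.pem
# Prints one line per certificate, in bundle order:
#   "<subject> | ocsp=<uri|NONE> | crl=<uri|NONE> | <verdict>"
chain_revocation_report() {
    bundle=$1
    work=$(mktemp -d)
    # split the bundle into cert-01.pem, cert-02.pem, ... in bundle order
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { f = sprintf("%s/cert-%02d.pem", d, n); print > f }' "$bundle"
    for c in "$work"/cert-*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        iss=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        # -ocsp_uri prints the AIA OCSP responder URL(s), nothing if absent
        ocsp=$(openssl x509 -in "$c" -noout -ocsp_uri | head -n 1)
        # first URI of the CRL Distribution Points extension, empty if absent
        crl=$(openssl x509 -in "$c" -noout -ext crlDistributionPoints 2>/dev/null \
              | sed -n 's/^ *URI:\(.*\)$/\1/p' | head -n 1)
        if [ "$subj" = "$iss" ]; then
            verdict="trust anchor (self-signed, revocation not checked)"
        elif [ -n "$ocsp" ]; then
            verdict="ok (OCSP)"
        elif [ -n "$crl" ]; then
            verdict="ok (CRL only)"
        else
            verdict="CANNOT CHECK REVOCATION (no OCSP responder, no CRL DP)"
        fi
        printf '%s | ocsp=%s | crl=%s | %s\n' "$subj" "${ocsp:-NONE}" "${crl:-NONE}" "$verdict"
    done
    rm -rf "$work"
}

# make_constructed_chain DIR
# Builds a constructed test chain in DIR and prints the bundle path:
#   root  self-signed, CRL DP only
#   int   signed by root, AIA with caIssuers but NO OCSP URL and no CRL DP
#         (the shape of the intermediate the thread describes)
#   leaf  signed by int, AIA with OCSP + caIssuers, CRL DP
make_constructed_chain() {
    d=$1
    key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    openssl req -x509 $key -keyout "$d/root.key" -out "$d/root.pem" -days 3 \
        -subj "/CN=Constructed Root CA" \
        -addext "crlDistributionPoints=URI:http://pki.example.invalid/root.crl" 2>/dev/null
    openssl req -new $key -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Constructed Intermediate CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nauthorityInfoAccess=caIssuers;URI:http://pki.example.invalid/root.crt\n' > "$d/int.ext"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 3 -extfile "$d/int.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new $key -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=Constructed Leaf" 2>/dev/null
    printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid,caIssuers;URI:http://pki.example.invalid/int.crt\ncrlDistributionPoints=URI:http://pki.example.invalid/int.crl\n' > "$d/leaf.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 3 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
    printf '%s\n' "$d/chain.pem"
}

BUNDLE=$(make_constructed_chain "$(mktemp -d)")
chain_revocation_report "$BUNDLE"
```

To run it against a real chain, export the server certificate with its intermediates and root as one PEM bundle and call chain_revocation_report on that file instead; any line marked CANNOT CHECK REVOCATION is the certificate to replace or whose AIA/CRL data to fix.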

Dear community,

In the meantime I was able to fix the error described at the beginning of this thread. Jump to the end to see what will probably help you...

  1. First, I installed an additional standalone VMware View Connection Server in order to check the following certificate-related points:

    1. VMware support always told me to renew my certificates because they "were not valid" etc., even though in fact they were (as external URL calls and manual verification and tests attested).
    2. That's why I created new additional certificates for the connection server and configured it to include the vCenter, just like my production environment; the only difference was that I didn't include the Composer, which runs on the vCenter server itself.
    3. The result was that the server was "green", including the vCenter Server certificate, which the production environment considered 'not trusted'. Strange, huh?
  2. After that I reset the additional server to a state where the connection server was not yet installed (before that I uninstalled the connection server in case any information about it was kept in vCenter) and reinstalled it as a replica of the production environment. Somehow I expected this, but it was still quite strange: the vCenter Server (and Composer) was again considered "invalid", even though the connection server's own certificate was still considered valid and green. For test purposes I then set certificate revocation checking to '2' (server certificate check only), but only on the 'old' production servers, and 'magically' everything was considered valid. So as I see it, there seems to be some sort of information stored on the 'old' connection servers that makes them believe the certificates are invalid, and that information is replicated to the third server unless I lower the certificate revocation checks on those servers. An alternative explanation could be that VMware View does not accept certificates whose aliases do not include the 'real' server name, which was in fact the case for the certificates of the old connection servers. The new connection server's certificate included the real name and the alias. I could understand if this were the case, but then I would expect it to be documented somewhere (I have not found this information) and also wouldn't understand why it worked without problems for several years before.
  3. After finding that out, I created new certificates for the 'old' connection servers, including aliases and real names, and replaced the certificate on one of the servers (and restarted the connection server), which was only partly successful. Once I set revocation checking to '4' again on this server, the connection server certificate was still considered valid, but the vCenter and Composer certificates were not.
  4. Now I have uninstalled the old connection server (removed it from View) and reinstalled it completely (including an OS upgrade from 2008 R2 to 2012 R2), and after I reintegrated it into the environment everything stayed green, as long as I did not activate revocation checking on the second 'old' connection server. That is why I did the same with that one (completely reinstalled and reintegrated it), and now everything is green with revocation checking enabled on all connection server replicas.
  5. The next step is to uninstall the additional replica, which I created only for troubleshooting purposes.

So what will no doubt help in similar cases:

  • Reinstall the connection servers one by one, including:
    • Uninstall HTML Access (if used), uninstall the View Connection Server, uninstall the 'VMware' AD LDS instance.
    • Remove the connection server from the replication group: run "vdmadmin.exe -S -r -s <uninstalled_servername>" on one of the remaining connection servers.
    • Reinstall/upgrade the OS (may not be necessary, but I did not test that).
    • Reinstall the connection server as a replica. If you used certificates that included only the server's alias, I recommend creating new ones that include the server name as well, but maybe that's not necessary either. If you want to keep certificates that only include the alias, it will be necessary to install the certificate after the first replication of the servers (see below).

My question to the VMware technicians/developers: Is it supported to use certificates that include only the server alias? If not, why did it work before, and where is it documented? Where is certificate information cached, so that simply replacing the certificate was only partly, and not completely, successful (see above)? FYI: when I initially paired the replicas I had to install the certificate (including only the alias) after the first replication; now, with certificates including the server name and the alias, I could install the certificate before replicating (= connection server installation).

Tags: VMware

Similar Questions

  • Does the AnyConnect client perform server cert revocation checking on the ASA? Can it be configured?

    Environment: AnyConnect Secure Mobility Client v 3.1.04066

    Does the AnyConnect client perform a revocation check on the server certificate returned by the ASA during VPN session establishment? If so, does it use the AIA info in the server certificate, or can the OCSP or CRLDP URL be configured in the client?

    And can server certificate revocation checking be disabled (for example in the profile, or with a registry update)?

    Note that I am NOT talking about the ASA checking revocation of the submitted client certificate. All my extensive google-fu could only find information on that topic, but this is different; this is similar to a browser checking revocation of a web site's server certificate.

    We are evaluating using an identity certificate from an internal CA for the VPN profile, but there is a catch-22/chicken-and-egg problem if the AnyConnect client performs a required OCSP check on the cert, since there is no access to the OCSP URL until after connecting. This could be resolved by having, for example, a CRLDP with an external URL to a .crl file, or by suppressing revocation checks in the AnyConnect client.

    Thank you!

    I think at some point this was removed from AnyConnect because it was the cause of many problems, but it has been reintroduced in AnyConnect 4.1, though still not enabled by default. So no, I don't think the version you are using is doing this.

  • Using LDAPS (port 636) with VMware View Server

    I've been made responsible for something that seems impossible/not supported.

    VMware View Server uses port 389 for LDAP. My task is to make View use port 636 (LDAP over SSL) instead. The concern is that VMware View data replicated between servers is not encrypted on port 389.

    So far in my quest I have made no progress on this project. However, I was able to test that manual connections (with ADSI Edit) can now be made over SSL port 636 to the other replicated View servers. The problem is that View seems to be hard-coded to use port 389 and cannot be changed to use LDAPS.

    There are instructions for doing something like this in vCenter (http://www.vstable.com/2012/01/27/vcenter-5-active-directory-web-services-error-1209/) (Security Virtual Lab: Architecture - Blog - proSauce), but nothing related to View shows up in a Google search.

    Does anyone have a yes or a nay on whether this is possible?

    EDIT: Moved to the correct community.

    It is not easy being responsible for something impossible!

    View Connection Servers have an AD LDS instance, and replication between servers uses AD LDS replication. This is a secure replication mechanism using RPC, LDAP and Kerberos, and it is secure without having to implement LDAP over SSL on 636.

    The articles you refer to are actually about setting an unused port number for LDAPS access to Active Directory Web Services with vCenter Server, to get rid of a harmless event. It has nothing to do with replication between LDAP servers. View prevents remote access to Active Directory Web Services anyway with a specific firewall rule, so that remote users have no access to it.

    The only reason you would use LDAPS with AD LDS is if you support simple LDAP binds. Using SSL would mean that the simple bind passwords are not sent in the clear. In the case of View, simple LDAP binds are not enabled anyway.

    In summary, what you're trying to do is pointless.

    Mark

  • VMware View Connection Server farm stops accepting connections from the external gateway server?

    We are experiencing a pernicious problem between our external security gateway and our internal View connection server. (Do I have the terminology right?)

    After a few days of running normally, users trying to connect to the external security gateway using the VMware View Client will not get the logon panel. It prompts them for the server to connect to, but the login panel never appears and the user finally gets a time-out error.

    Experiments have shown that the only way to solve this problem is to reboot / restart the internal VMware View connection server.

    Meanwhile, internal users can use the VMware View Client to connect to the internal server without problems, regardless of whether the external server is having problems.

    Reviewing the log on the external server, I see:

    Information, '102', ' 25/04/2010.
    "21: 55:20", "VMware View", "9", "NT".
    "Connection test AUTHORITY\SYSTEM","(Request1224) AJP failed:"
    com VMware.VDI.ob.tunnelservice.CX: unable to write data to the server: java.net.SocketException:
    "Connection reset by peer: socket write error."

    And then this message is repeated:

    Warning, "104", "26/04/2010.
    ' 09: 08:04 ","VMware View","9","NT ".
    AUTHORITY\SYSTEM"," (Request1236) request failed: "
    com VMware.VDI.ob.tunnelservice.CX: cannot read the server: java.net.SocketException:
    Reset connection. "

    Examining the netstat dumps of the internal server, I see a lot of connections listed from the external security gateway which in my opinion should not exist, because there are no active sessions:

    TCP 10.1.1.67:8009 123.456.789.123:1274 ESTABLISHED
    TCP 10.1.1.67:8009 123.456.789.123:1294 ESTABLISHED
    TCP 10.1.1.67:8009 123.456.789.123:1300 ESTABLISHED
    TCP 10.1.1.67:8009 123.456.789.123:1311 ESTABLISHED
    TCP 10.1.1.67:8009 123.456.789.123:1312 ESTABLISHED
    ...

    Both servers run the 4.0.1 level.

    Does anyone have any advice?

    Thank you

    I had something similar happen a year ago, where every two days I had to restart the internal connection broker that was paired to the Security Server. We opened a ticket with VMware support, and it took a good 5 months to get the issue escalated; the solution ended up being to change a timeout value in the server.xml file on the connection broker. I don't know if it's the same problem you are encountering, but if you already have a ticket open with VMware you can refer to our old SR 1147071161, which may save you time.

    If you have found this or any other post useful, please consider using the Helpful/Correct buttons to award points.

  • Problem installing VMware View Connection Server

    Hello

    As the first step of installing VMware View Manager, I tried to install the VMware View Connection Server on a Windows 2003 Server SP2 virtual machine. This machine is joined to a domain in our Windows Active Directory. I can log on to the machine using user accounts from Active Directory. My problem is that when I try to install the View Connection Server, I get an error message indicating:

    "The computer is a member of a domain, but no server connection was found. Please make sure that the computer is properly connected to a domain and that a domain controller is available before performing this installation again."

    Because I can log on to the machine using accounts in Active Directory, I assume that the computer is properly joined to the domain. I also confirmed that there is a domain controller in Active Directory. I tried to do the installation under an account that has administrative privileges for the Active Directory object, and also under a local administrator account. Could someone suggest where I could be going wrong?

    Thanks in advance

    Regards

    Varun

    Have you validated that DNS and WINS are configured correctly on the server you are trying to install the connection broker on?

  • The VMware VirtualCenter Server service terminated with service-specific error 2 (0x2).

    I tried everything listed in other postings, but our vSphere 4 server resides on a SQL Server machine.

    I tested the ODBC connection with the SA password and it works. I rebooted several times, tried stopping all services and bringing them up one at a time, but whenever a dependency fails I get this error in the system log: the VMware VirtualCenter Server service terminated with service-specific error 2 (0x2).

    And

    VMware VirtualCenter Management Web Services service depends on the VMware VirtualCenter Server service which failed to start because of the following error:

    The service has returned a service-specific error code.

    Application log says this

    The description for event ID 1000 from source VMware VirtualCenter Server cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    Could not initialize VMware VirtualCenter. Shutting down...

    the message resource is present but the message is not found in the string/message table

    I don't know how to fix it. It was working fine yesterday. Nothing has changed. Has anyone experienced this problem and found a solution?

    See if this helps:

    http://KB.VMware.com/kb/1015101

  • When I try to connect to my remote server the message "an ftp error occurred - cannot establish a connection to the host." How can I get the server to which to connect with dreamweaver?

    After spending most of the day on this I found that my password required upgrading... so two of my sites now connect in Dreamweaver. The other will be taken care of by the owner of the web site. Thank you, Nancy!

    gay

  • Installing the VMware View Server software

    Hello

    I have an ESXi, vSphere 5 solution where I host all my virtual servers with a virtual vCenter Management Standard. I'm working on what I need for a VMware View configuration and I was hoping someone here could help me.

    I have 12 physical blades to host my VMware View solution (according to the seat count calculations) and I have VMware View Bundle licenses.

    I've been reading through the notes and it says that this bundle comes with an edition of vCenter.

    A few questions:

    Should my existing vCenter instance be used to manage the VMware View hosts, or do I need to install a separate vCenter instance for VMware View and use the license in the bundle?

    I guess I should install ESXi instances on the blades that will only be used to provision desktops?

    If I have connection and Composer servers, should they be hosted in the VMware View clusters or in the existing vSphere 5 server cluster?

    If so, I also have a question about the network configuration. When I install ESXi for VMware View, will I still need a management console, the vmkernel, and the 'front end' (for user IP addresses) vnic on the vSwitch?

    Another question about round robin DNS. I am also trying to install 2 connection and 2 Composer servers that are load balanced. Does anyone have any info on setting up round robin DNS?

    Thank you very much

    We use a 6 physical NIC configuration with network-based storage.

    You will have a default port for management. vMotion is split off to its own IP address, and these two vmkernel ports are on the same vSwitch, with the NICs used by one and standby for the other.

    iSCSI should be separated onto its own vSwitch and pair of NICs as well, with bound vmkernel ports for redundancy and load balancing.

    This leaves at least one more vSwitch and pair of NICs for the actual VM traffic.

    -KjB

    Post edited by: kjb007: said vSwitch

  • VMware View Server vCentre

    Hello

    I am designing a VDI solution and I have a question about the vCentre server that comes with the View license. Is this a fully functional vCentre license, or a watered-down version that only allows managing the ESX hosts running vSphere for Desktops? I would have a few regular vSphere ESX hosts for the server infrastructure, and vSphere for Desktops hosts for the virtual desktops, but would manage all hosts from the same vCentre.

    Thank you!

    The vCenter Server you get with View is a regular version, which can be used to manage the View client VMs as well as the View (connection) server infrastructure. Use is limited to the above by the EULA (license agreement).

    If you plan to use the vCenter Server for your non-View server infrastructure as well, you need to obtain a separate license for vCenter Server, and the hosts for non-View systems need to be licensed. Technically, however, you can manage everything through one vCenter instance.

    André

  • View Connection Server does not accept connections from Microsoft RDP

    Hello everyone, and thank you for taking the time to help me in my attempt to jump into the world of VMs.

    I managed to get everything up and running with little trouble, but I'm a bit confused on the subject of clients.

    I understand that the PCoIP connection method is preferred... but I want to better understand the connection methods and keep things as simple as possible. I would like to be able to connect to the pool using the View client and the Microsoft RDP client provided with Windows, but I'm hitting an obstacle.

    My desktop pool was initially set to PCoIP preferred, but allowing users to override... I could connect via the View client with no problem to my non-persistent desktop pool, but not with the Microsoft RDP client using the address of the connection manager. If I enter the IP address of one of the XP VMs in the pool I can connect via RDP, but not via the connection manager.

    I set the pool to prefer RDP with user override allowed... no change.

    So I'm confused as to how this works... does the connection broker/manager only work with the View client, or should I be able to connect either way?

    Am I missing some setting? I did my setup based on the 'evaluation' guide, so maybe there's a checkbox I missed.

    The pool works seamlessly with the VMware View client but not MS RDP. Pointers on where to look would be greatly appreciated.

    Here is my config of pools:

    Number of workstations (at a minimum): 10

    Number of workstations (maximum): 10

    Number of workstations (available): 2

    Stop commissioning error: Yes

    VM naming pattern: NPVM

    Tags: all the

    What VM is not in use: do nothing

    Turn off and remove the virtual machine after the first use: No.

    Automatic disconnection after disconnection: never

    Allow users to reset their desktop: false

    Allow multiple sessions per user: No.

    By default the display protocol: Microsoft RDP

    Allow users to override the default protocol: True

    Quality of Adobe Flash: do not control

    Adobe Flash limitation: disabled

    Josh

    Chicagojsh001 wrote:

    ITTech2002, in your response you said

    «No need to use the MS RDP Client directly, but it is a good work-around if necessary.»

    You say that you cannot connect to the desktop pool using the MS RDP client; rather, you need to connect to the PCs by IP address instead of through the connection broker, is that so?

    The View client calls RDP or PCoIP depending on which protocol is selected. The View client uses the connection broker to allocate your session, provide USB redirection and map printers. So in a sense you can use RDP with the connection broker with no problems, but it must be through the View client.

  • Does anyone know how to fix a corrupted mib.cab file? Error code 2350? The installation of Mindstorms NXT 2.0 failed on a Vista laptop with Service Pack 2.

    I tried to install the Lego NXT 2.0 software (robotics programming) and got the message "The file 'mib.cab' required for this installation is corrupt and cannot be used." The message gives error code 2350. Does anyone know how to fix a corrupted mib.cab file?

    Try the Programs forum:

    http://social.answers.Microsoft.com/forums/en-us/vistaprograms/threads

    See you soon.

    Mick Murphy - Microsoft partner

  • VMware View 4.5 - disconnected sessions reconnect to a black screen or simply close after 5 seconds...

    Working with VMware View 4.5 using Windows XP Pro SP3 images and connecting through PCoIP, everything works perfectly on cloned VMs with the exception of reconnects.

    If a user disconnects from their desktop and then tries to reconnect to it, the screen is black; if you act quickly you can recover the screen by entering any keyboard input, but it comes back as if CTRL-ALT-DEL had been pressed, as I see the "Windows Security" pop-up. I checked for screensavers or anything like that and found nothing so far.

    We did not have this problem in 4.0.1.

    Any help would be appreciated!

    Thank you

    Shane

    Do you have the same problem with a vanilla, unmodified XP desktop? Are there any GPO security settings or banners applied to these desktops?

    It may panic if there is a logon banner.

    ____________

    blog.eeg3.net | Useful links related to VMware

    If you have found this or any other post useful, please consider using the Helpful/Correct buttons to award points.

  • Could not connect to the server. Please check connectivity and server address

    Hi all

    Today, when I connect to my new ASA 5512 running 9.5(2) from my office desktop, my AnyConnect pops up the warning 'Could not connect to server. Please check Internet connectivity and server address.'

    I can ping it and access it via ASDM or SSH, and my AnyConnect can connect to other ASA 5512s.

    Other desktop PCs can also connect. Only my PC can't.

    I removed the other VPN client programs, but the same message still pops up.

    I think my PC has a problem, but I don't know how to fix it.

    Hello

    There may be several reasons behind it.

    Can I ask whether you are the only one experiencing this issue?

    If yes, could you check whether removing the XML profile and testing again helps:

    %ProgramData%\Cisco\Cisco AnyConnect secure mobility Client\Profile

    Kind regards

    Aditya

    Please rate useful posts and mark the correct answers.

  • VMware View Server IPv6 question

    Hello

    My Horizon View 5.3.0 server's ws_TunnelService.exe uses IPv6, which I did not allow.

    I was wondering if I could disable it, or is there another way to deal with it?

    I tried disabling IPv6 in the Windows registry, but ws_TunnelService.exe still uses IPv6 traffic.

    Hi all

    The issue can be solved by editing the VMware registry key ---> JAVA_OPTS

    Add -Djava.net.preferIPv4Stack=true

    Kind regards

    HiangLeong

  • Which ports to NAT in the firewall for the VMware View Security Server?

    We have a Cisco ASA and I wonder which ports I need to NAT from the outside to the Security Server? I'm assuming port 443, but I don't know if this is correct or if other ports must be open as well.

    Thank you!

    Brian

    This KB should help you: http://kb.vmware.com/kb/1027217.
