VMware Horizon Community
Whibble (Contributor)

Horizon Connection With YubiKey Issues

Updates are at the bottom!

System Info

Horizon Connection Server: Windows Server 2019 running Horizon Connection Server 8.8, with a secondary server tethered to it for high availability

Thin Client: Windows 10 LTSC running Horizon Client 8.1.0

Hello all, first post.

In this airgapped environment, we'll have 12 thin clients hooked up to 12 VDIs and we're using YubiKeys for user authentication. How it ideally works is: user sticks YubiKey into physical thin client, logs into Windows. They pull up the Horizon Client, select the Horizon Connection Server, then log in with their YubiKey and access the VDI. I'm having some issues, however. I'll try to keep it concise while also giving as many details as possible.

In the connection server, the 'Smart card authentication for users' is set to Required and the smart card authentication for administrators is set to optional. 'Use Secure Tunnel connection to machine' is also checked. When I log into Windows on the thin client with the YubiKey and try to connect to my connection server via the Horizon Client, I get the error 'Smart Card or Certificate authentication is required'. 

Okay - I read that you have to add the useCertAuth=true parameter to your locked.properties on your connection server. So, I do that and restart the connection server. Now when I try to reconnect with the thin client, I get a different error. The green loading bar gets to about the 98% filled mark, then just stops. It sits there for ten seconds or so, then errors out with 'Error: Timeout was reached'. Not only is this an issue, but with the useCertAuth=true in the locked.properties, I cannot connect to the web interface on my connection server. When trying to launch the Horizon Administrator Console, Edge just says 'ERR_CONNECTION_REFUSED'.

I've verified Windows has the Smart Card Logon and Client Authentication cert for this test user. With or without the useCertAuth=true setting toggled, all the VMware services seem to be running on the connection server.

Does anyone have any rough ideas on where to look? Thanks in advance for reading 🙂

Here are the contents of my locked.properties file:

maxConnections=2000
secureProtocols.1=TLSv1.2
preferredSecureProtocol=TLSv1.2
honorClientOrder=false
enableRevocationChecking=true
X-Frame-Options=OFF
checkOrigin=false
useCertAuth=true

Minor update: Even with all the parameters of the locked.properties file removed except for useCertAuth=true, it still errors out with the timeout issue. I don't think one of these other parameters is causing the problem.

Update 2: Per Mickey's comment, I created a truststorefile.key with my CA root certs (and all other relevant certs, just to be safe) inside it, and updated my locked.properties to:

maxConnections=2000
secureProtocols.1=TLSv1.2
preferredSecureProtocol=TLSv1.2
honorClientOrder=false
enableRevocationChecking=true
X-Frame-Options=OFF
checkOrigin=false
trustKeyfile=truststorefile.key
trustStoretype=jks
useCertAuth=true

This fixed my being unable to connect to the Horizon Administrator Console issue that was listed above. However, my Horizon Client is now erroring out with the message 'Smart Card or Certificate authentication is required' again, despite the useCertAuth=true parameter set into the locked.properties file. Any further ideas? Thanks for all the help.

Update 3: I got it working. My final issue was the checkbox for 'log in as current user' in the Horizon Client was selected. Thanks!

Accepted Solution

Mickeybyte (Hot Shot)

@Whibble 

I recently tried this setup in my lab and it worked fine. Please check the procedure for enabling smart card authentication on Horizon: Configure Smart Card Authentication on Horizon Connection Server (vmware.com)

You already added useCertAuth=true to your locked.properties, but there's more you need to do. You have to import your CA root cert into a Java keystore file and specify that file in the locked.properties file as well. All steps are detailed in the documentation referenced above.

 


Regards,
Mickeybyte (ITPro blog)

If you found this comment useful or an answer to your question, please mark as 'Solved' and/or click the 'Kudos' button, please ask follow-up questions if you have any.

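The accepted answer points at the documented procedure without spelling it out. The script below is an added example written for this page (not from the thread or from VMware) that performs the three server-side steps in one go: import the root CA into a JKS truststore with the keytool bundled in the Connection Server's JRE, merge the three cert-auth keys into locked.properties without discarding existing entries, and restart the service so the file is re-read. The install path, the exported root certificate path C:\temp\root-ca.cer, the truststore password and the service name wsbroker are assumptions, not facts from the thread. Two practitioner caveats are built in: only the CA chain that issues the smart card logon certificates goes into the truststore (every certificate in that file becomes an accepted issuer for client authentication, so "every cert I could find" widens the trust boundary), and the script never writes X-Frame-Options=OFF or checkOrigin=false, which the poster's file sets and which switch off the clickjacking and origin checks on the Horizon web interface.

```powershell
# Added example (editor's own, not from the thread or VMware): server-side
# setup for certificate/smart card authentication on a Horizon Connection Server.
# Assumptions (not stated in the thread): Horizon 8 default install path, the root
# CA exported to C:\temp\root-ca.cer, a JKS password of your choosing, and the
# Connection Server Windows service name 'wsbroker'.
$ErrorActionPreference = 'Stop'

$serverRoot  = 'C:\Program Files\VMware\VMware View\Server'
$keytool     = Join-Path $serverRoot 'jre\bin\keytool.exe'   # JRE shipped with Horizon (assumed path)
$confDir     = Join-Path $serverRoot 'sslgateway\conf'       # where locked.properties lives
$trustStore  = Join-Path $confDir 'truststorefile.key'        # file name used in the thread
$lockedProps = Join-Path $confDir 'locked.properties'
$rootCaCer   = 'C:\temp\root-ca.cer'                          # assumed export of the issuing chain's root
$storePass   = 'changeit'  # JKS needs a store password; it protects integrity only, pick your own

# 1. Import ONLY the CA that issues the smart card logon certs (plus an issuing CA
#    if the user certs chain through one). Every entry here becomes an accepted issuer.
& $keytool -importcert -noprompt -trustcacerts -alias 'smartcard-root-ca' `
    -file $rootCaCer -keystore $trustStore -storetype JKS -storepass $storePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 2. Confirm the entry is a trustedCertEntry and record its fingerprint for the change log.
& $keytool -list -v -keystore $trustStore -storetype JKS -storepass $storePass |
    Select-String 'Alias name|Entry type|SHA256'

# 3. Merge the cert-auth keys into locked.properties. Existing keys are kept;
#    duplicate keys collapse to the last value, as Java's Properties loader does.
$props = [ordered]@{}
if (Test-Path $lockedProps) {
    Get-Content $lockedProps | Where-Object { $_ -match '^\s*[^#=]+=' } | ForEach-Object {
        $k, $v = $_ -split '=', 2
        $props[$k.Trim()] = $v.Trim()
    }
}
$props['trustKeyfile']   = 'truststorefile.key'   # relative to sslgateway\conf
$props['trustStoretype'] = 'jks'
$props['useCertAuth']    = 'true'
# Deliberately NOT setting X-Frame-Options=OFF or checkOrigin=false: those disable
# the clickjacking and origin checks on the Horizon web UI and are unrelated to cert auth.
$props.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" } |
    Set-Content -Path $lockedProps -Encoding ASCII   # .properties files are Latin-1; ASCII is safe

# 4. locked.properties is read at service start only.
Restart-Service -Name 'wsbroker'
Get-Service -Name 'wsbroker' | Select-Object Status, DisplayName
```

If the Administrator Console stops answering after useCertAuth=true is set (the ERR_CONNECTION_REFUSED symptom above), that is the state this script avoids: the property was enabled before any truststore existed for the server to validate client certificates against. The keytool -list output is worth keeping, since the SHA256 fingerprint it prints is the one to compare against the issuer of the certificates on the YubiKeys.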

7 Replies
Whibble (Contributor)

Mickey, I somehow missed that bit of documentation in my search. Thanks!

My locked.properties now reads:

maxConnections=2000
secureProtocols.1=TLSv1.2
preferredSecureProtocol=TLSv1.2
honorClientOrder=false
enableRevocationChecking=true
X-Frame-Options=OFF
checkOrigin=false
trustKeyfile=truststorefile.key
trustStoretype=jks
useCertAuth=true

I added the certs for the root CA to this truststore.key file (as well as every other cert relevant to these machines I could find, just to be safe). This solved the issue regarding being able to launch the Horizon Administration Console web interface. However, now the Horizon Client is saying 'Smart Card or Certificate authentication is required' again, even with the useCertAuth=true in place on the connection server. Anyone have any ideas? I appreciate all the help!

100101010100110 (Contributor)

Does this setup mean you have deployed a unique certificate to each Yubikey?

Whibble (Contributor)

Yes, for the PIV authentication, we are enrolling a cert on behalf of the user on our CA, then exporting that cert and loading it into the YubiKey.

100101010100110 (Contributor)

I love the idea but that sounds like a lot of work. Do you have this automated somehow? What does the rest of your environment look like? Do you have UAGs?

Whibble (Contributor)

Our environment is very tiny and I wouldn't recommend that route for anyone with more than, like, twenty users. I'm sure there is a way to automate this process but I'm not that smart and wouldn't know how to do it.

Mickeybyte (Hot Shot)

@Whibble 

This might be related to the smart card configuration on the thin client then. I don't know. Does the thin client see the YubiKey as a smart card? I know there are multiple options with YubiKey, so you might check the compatibility with your thin clients.


Regards,
Mickeybyte (ITPro blog)

If you found this comment useful or an answer to your question, please mark as 'Solved' and/or click the 'Kudos' button, please ask follow-up questions if you have any.
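The last reply asks whether the thin client actually sees the YubiKey as a smart card, and the original post says the user's certificate carries the Smart Card Logon and Client Authentication EKUs. The following is an added example, written for this page and not part of the thread, that turns those two questions into a repeatable check on the Windows 10 thin client: it confirms the Smart Card service and a recognised reader, finds certificates in the user's personal store that carry both EKUs with a private key (the PIV minidriver propagates them there when the key is inserted), and builds each one's chain the way the Connection Server will against its truststore. The EKU OIDs are the standard Microsoft and IETF identifiers; revocation checking is skipped because the thread describes an air-gapped network, which is an assumption about the reader's environment. As the poster's final update notes, the Horizon Client's "Log in as current user" box must be unchecked for the certificate prompt to appear, so the script reports only on the certificate side.

```powershell
# Added example (editor's own, not from the thread): thin-client sanity checks
# for YubiKey PIV smart card logon to Horizon. Run as the YubiKey user with the
# key inserted. OIDs below are the standard EKU identifiers, not thread data.
$ekuSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon
$ekuClientAuth     = '1.3.6.1.5.5.7.3.2'         # id-kp-clientAuth

function Test-HorizonSmartCardClient {
    $result = [ordered]@{}

    # 1. Smart Card resource manager running and a reader Windows recognises.
    $result.SmartCardServiceRunning = (Get-Service -Name SCardSvr).Status -eq 'Running'
    $readers = Get-PnpDevice -Class SmartCardReader -Status OK -ErrorAction SilentlyContinue
    $result.ReaderPresent = [bool]$readers
    $result.ReaderNames   = @($readers | ForEach-Object { $_.FriendlyName }) -join '; '

    # 2. Certificates propagated into the user's MY store that carry BOTH EKUs
    #    Horizon expects, are unexpired, and have a private key (i.e. live on the token).
    $now   = Get-Date
    $certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $oids = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        ($oids -contains $ekuSmartCardLogon) -and ($oids -contains $ekuClientAuth) -and
        $_.NotAfter -gt $now -and $_.HasPrivateKey
    }
    $result.SmartCardCertCount = @($certs).Count

    foreach ($c in $certs) {
        # The Issuer here must chain to the root imported into truststorefile.key on the server.
        $result["Cert_$($c.Thumbprint)"] =
            "Subject=$($c.Subject); Issuer=$($c.Issuer); NotAfter=$($c.NotAfter)"

        # 3. Build the chain locally; mirrors the validation the Connection Server performs.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumed air-gapped: no CRL/OCSP reachability
        $ok = $chain.Build($c)
        $result["ChainOK_$($c.Thumbprint)"] = $ok
        if (-not $ok) {
            $result["ChainStatus_$($c.Thumbprint)"] =
                ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
        $chain.Dispose()
    }
    return [pscustomobject]$result
}

Test-HorizonSmartCardClient | Format-List
```

A zero SmartCardCertCount with the reader present usually means the certificate on the PIV slot lacks one of the two EKUs or the minidriver has not propagated it yet; a failing ChainOK with status "UntrustedRoot" means the client trusts a different root than the one on the server, which is the same mismatch that makes the Connection Server reject the certificate.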