lihe183 Posted November 1
I configured Mobile SSO on Android, but it always shows the error message ‘Access Denied, Failed to Use Certificate’. Why?
Employee Sascha Warno Posted November 5
I assume Access is on-premises? How many nodes, and what is the load balancer setup?
lihe183 (Author) Posted November 6
17 hours ago, Sascha Warno said: I assume Access is on-premises? How many nodes and what is the load balancer setup?
Thanks for your support. For VIDM, there are three nodes in the server, and port 5262 is configured for layer 4 direct pass-through. Not UAG servers.
lihe183 (Author) Posted November 6 (edited)
Currently, the web can perform certificate authentication through the Tunnel, but Boxer cannot connect and displays “Access Denied, Failed to login with certificate.” The Boxer version is 24.09, the UEM version is 23.10.36, and the VIDM version is 24.07.
Edited November 6 by lihe183
Employee Sascha Warno Posted November 15
This is an overview of the flow and the involved ports and systems that I created before. From the log you shared, step 5 is not returning certificate information. This usually means it connects to the wrong node (wrong setting on the LB around XFF) or no cert was presented (which would mean a wrong Tunnel config). You need to follow the flow and check that all nodes connect to the correct partner. Use the certproxy and horizon logs.
Attachment: Certproxy auth.pdf
Simon Frankiewicz Posted November 17
Hi @Sascha Warno, I also struggled to understand the LB settings for Android Mobile SSO. Can you advise how to set up Mobile SSO for a single-node server instance, bypassing the LB?
Employee Sascha Warno Posted November 18
If you bypass the LB with a single node, you would still need to have the whole XFF and remote port setup if you do not use force destination. If you force a destination, you can point it to localhost and it would redirect locally. You might need to set components.certproxy.strictssl=false in the runtime-config.properties as well.
lihe183 (Author) Posted November 18
On 11/15/2024 at 8:29 PM, Sascha Warno said: This is an overview of the flow and the involved ports and systems that I created before. From the log you shared, step 5 is not returning certificate information. This usually means it connects to the wrong node (wrong setting on the LB around XFF) or no cert was presented (which would mean a wrong Tunnel config). You need to follow the flow and check that all nodes connect to the correct partner. Use the certproxy and horizon logs. Attachment: Certproxy auth.pdf
Thank you very much for your reply. We obtained the following error message from the logs. Do we need to configure the following on the F5?
---------------------------------------------------------------------------------------------
2024-11-09T05:50:03,091 ERROR (Thread-6) [L01MDMVIDM0xxx;-;xx.xx.xxx;######:10.xxx.xxx-] com.vmware.horizon.adapters.certproxy.RemoteIpPortProvider - Unable to obtain remote port from header: RemotePort, header is missing
2024-11-09T05:50:03,091 INFO (Thread-6) [L01MDMVIDM0xxx;-;xx.xx.xxx;######:10.xxx.xxx-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-09T05:50:03,091 INFO (Thread-6) [L01MDMVIDM0xxx;-;xx.xx.xxx;######:10.xxx.xxx-] com.vmware.horizon.adapters.certificateAdapter.CertificateAuthAdapterBase - No certificates were provided by the browser
--------------------------------------------------------------------
Current F5 Configuration (screenshot)
Changed F5 (screenshot)
Employee Sascha Warno Posted November 18
Correct, you need to add a Request Header Insert with the RemotePort info. Also, you will require the XFF to let the node that receives the request know on which node it can find the cert info.
lihe183 (Author) Posted November 18
24 minutes ago, Sascha Warno said: Correct, you need to add a Request Header Insert with the RemotePort info. Also, you will require the XFF to let the node that receives the request know on which node it can find the cert info.
Thank you very much for your reply. We have configured VIDM on the F5 as follows. Not sure if it’s correct?
lihe183 (Author) Posted November 18
13 minutes ago, Sascha Warno said: We had the following setup,
Thank you very much for your guidance. We will try to make the changes during the change window this week. If there are any issues, we will contact you again.
Shahid1003 Posted November 18 (edited)
I am getting the same error while setting up my website.
Edited November 18 by Shahid1003
lihe183 (Author) Posted November 19
On 11/18/2024 at 11:43 PM, Sascha Warno said: We had the following setup,
Thank you very much for your help. We made the changes on the F5 according to the steps, but the result we got is the same error as before.
Employee Sascha Warno Posted November 19
You will have to check the certproxy logs from your nodes and correlate them with the horizon logs to see the back and forth between the services. Search the certproxy logs for ProxyToServerWorker entries, to confirm that it actually creates a connection to the LB or Horizon service. Then, if that worked, check the horizon log to see whether that one tries to connect to one of the nodes on 5262 or 5263 (whichever you configured as the admin port) at a clientData/xxxxx endpoint, where the random number is the remotePort that was used.
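The two log excerpts in this thread show two different failure stages: the first (before the F5 change) has the RemotePort header missing, the second only has the cert proxy lookup failing. The following triage script is an added example, not part of this thread or of the Workspace ONE Access product; it parses horizon.log lines of the format posted here and maps the message fragments quoted in the thread to the cause Sascha attributes to them. The sample lines are constructed (node name, IPs and request ids are placeholders), and the symptom-to-cause mapping is taken from the replies above, not from any product documentation.

```python
import re

# Constructed sample, modelled on the horizon.log excerpt posted in this thread;
# node names, IPs and request ids are placeholders, not values from a real system.
SAMPLE_LOG = """\
2024-11-09T05:50:03,091 ERROR (Thread-6) [NODE1;-;10.0.0.1;abcd:10.0.0.2-] com.vmware.horizon.adapters.certproxy.RemoteIpPortProvider - Unable to obtain remote port from header: RemotePort, header is missing
2024-11-09T05:50:03,091 INFO (Thread-6) [NODE1;-;10.0.0.1;abcd:10.0.0.2-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-09T05:50:03,091 INFO (Thread-6) [NODE1;-;10.0.0.1;abcd:10.0.0.2-] com.vmware.horizon.adapters.certificateAdapter.CertificateAuthAdapterBase - No certificates were provided by the browser
"""

# One horizon.log line: timestamp, level, thread, bracketed context, logger, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) \((?P<thread>[^)]*)\) \[(?P<ctx>[^\]]*)\] "
    r"(?P<logger>\S+) - (?P<msg>.*)$"
)

# Message fragments quoted in the thread, mapped to a short symptom tag.
SYMPTOMS = {
    "Unable to obtain remote port from header: RemotePort": "remoteport_header_missing",
    "cert proxy token not found": "certproxy_token_missing",
    "No certificates were provided by the browser": "no_client_cert",
    "ProxyToServerWorker": "certproxy_reached_upstream",
    "clientData/": "node_fetched_clientdata",
}


def parse_log(text):
    """Return one dict per well-formed horizon.log line; skip anything else."""
    return [m.groupdict() for line in text.splitlines() if (m := LINE_RE.match(line))]


def find_symptoms(events):
    """Collect the symptom tags present in the parsed events."""
    return {tag for ev in events for frag, tag in SYMPTOMS.items() if frag in ev["msg"]}


def triage(text):
    """Map the symptoms found to the cause the thread attributes to them."""
    found = find_symptoms(parse_log(text))
    if "remoteport_header_missing" in found:
        return "lb_header_insert"  # LB is not inserting the RemotePort header (XFF needed too)
    if "certproxy_token_missing" in found and "no_client_cert" in found:
        # Headers arrive, but this node cannot find the cert data: XFF sends the
        # lookup to the wrong node, or the Tunnel never presented a certificate.
        return "wrong_node_or_no_cert"
    if "node_fetched_clientdata" in found:
        return "certproxy_flow_ok"
    return "undetermined"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))  # lb_header_insert
```

Feed it the full horizon.log rather than an excerpt; the clientData/ check only fires once the node actually reaches the cert proxy endpoint.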
lihe183 (Author) Posted November 20 (edited)
13 hours ago, Sascha Warno said: You will have to check the certproxy logs from your nodes and correlate them with the horizon logs to see the back and forth between the services. Search the certproxy logs for ProxyToServerWorker entries, to confirm that it actually creates a connection to the LB or Horizon service. Then, if that worked, check the horizon log to see whether that one tries to connect to one of the nodes on 5262 or 5263 (whichever you configured as the admin port) at a clientData/xxxxx endpoint, where the random number is the remotePort that was used.
Thanks for your support. I have obtained the following logs.
tail -f /opt/vmware/horizon/workspace/logs/horizon.log
2024-11-20T08:19:38,483 INFO (Thread-10) [VIDM01;-;-;;-] com.vmware.horizon.service.util.FrontEndUtils - Android SSO request with clientIP xxx.xxx.xxx.xx
2024-11-20T08:19:38,488 INFO (Thread-10) [VIDM01;-;xxx.xxx.xxx.xx;23470ed729f5ffc:xxx.xxx.xx.xx;-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-20T08:19:38,488 INFO (Thread-10) [VIDM01;-;xxx.xxx.xxx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.service.util.FrontEndUtils - Android SSO request with clientIP xxx.xxx.xx.xxx
2024-11-20T08:19:38,489 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-20T08:19:38,489 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.service.util.FrontEndUtils - Android SSO request with clientIP xxx.xxx.xx.xxx
2024-11-20T08:19:38,509 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.service.controller.auth.LoginController - Start authenticating LiHeA with embedded auth broker
2024-11-20T08:19:38,520 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.federationbroker.FederationBrokerService - MFA id/phonenumber not found. MFA registration required for user: LiHeA
2024-11-20T08:19:38,520 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.federationbroker.FederationBrokerService - Adding MfaContext 4278d1eb-a598-4a38-95ae-b1b0510dc824 to cache
2024-11-20T08:19:38,528 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-20T08:19:38,528 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.service.util.FrontEndUtils - Android SSO request with clientIP xxx.xxx.xx.xxx
2024-11-20T08:19:38,528 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-20T08:19:38,528 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certificateAdapter.CertificateAuthAdapterBase - No certificates were provided by the browser
2024-11-20T08:19:38,528 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certificateAdapter.CertificateAuthAdapterBase - CertProxy authentication failure, no certificate provided
2024-11-20T08:19:38,528 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.components.authentication.login.event.LoginEventListener - get source -> com.vmware.horizon.federationbroker.FederationBrokerService@19d9810e
2024-11-20T08:19:38,529 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.rest.RestUtils - Clearing relay state 97b6b17c-a6c8-49cc-aabf-0360f49b3f29 from session.
2024-11-20T08:19:38,534 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.encryption.EncryptionServiceDBImpl - Sign data for keyContainer: VIDM01:st
2024-11-20T08:19:38,539 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-20T08:19:38,539 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.service.util.FrontEndUtils - Android SSO request with clientIP xxx.xxx.xx.xxx
2024-11-20T08:19:38,546 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.components.identity.policy.AccessPolicyChainedAuthMethodService - No Auth method found to authenticate user for Policy UUID: dcf3c17d-6c56-42bd-9402-b78e8e0a2b7b, Is default Policy: true, User-Agent: AndroidMobile
2024-11-20T08:19:38,548 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.components.authentication.login.event.LoginEventListener - get source -> com.vmware.horizon.service.controller.auth.LoginController@695d3c50
2024-11-20T08:19:38,548 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.components.authentication.monitoring.LoginMetricsPublisher - Login failed.
2024-11-20T08:19:38,549 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.components.authentication.monitoring.LoginMetricsPublisher - Login failed.
2024-11-20T08:19:38,550 INFO (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.service.controller.auth.LoginController - Failing login, resourceUuid: null, userInput: LiHeA@wuxiapptec.com, username: LiHeA, domain: xxxxxx.com
Edited November 20 by lihe183
Employee Sascha Warno Posted November 20
You will have to set the logs to debug to see the actual requests happening. And, like I said, the certproxy log as well.
Employee Sascha Warno Posted November 20
For changing the log level, check https://docs.omnissa.com/bundle/workspace-one-access-installation-guideV22.09/page/SettingtheWorkspaceONEAccessServiceLogLeveltoDEBUG.html. For certproxy, that needs to be done in the certproxy location, in /opt/../certproxy/conf/cert-proxy-log4j.properties.
lihe183 (Author) Posted November 20
3 hours ago, Sascha Warno said: For changing the log level, check https://docs.omnissa.com/bundle/workspace-one-access-installation-guideV22.09/page/SettingtheWorkspaceONEAccessServiceLogLeveltoDEBUG.html. For certproxy, that needs to be done in the certproxy location, in /opt/../certproxy/conf/cert-proxy-log4j.properties.
Thank you very much for your support and assistance. I've sent the log file to you.
Simon Frankiewicz Posted November 21
Hello, my question about Workspace ONE Access without LB has been solved. In addition to the changes that needed to be made, I had an incorrect Root certificate from Workspace ONE Tunnel. I don't know if this could be the problem, but it worked for me almost immediately. When I downloaded the Root CA certificate from the Customer group, the problem was solved. Previously, it was downloaded from the Global group. Tomorrow I will add an entry in the community about what I have set up; maybe it will be useful to others.
lihe183 (Author) Posted November 25
On 11/20/2024 at 8:47 PM, Sascha Warno said: For changing the log level, check https://docs.omnissa.com/bundle/workspace-one-access-installation-guideV22.09/page/SettingtheWorkspaceONEAccessServiceLogLeveltoDEBUG.html. For certproxy, that needs to be done in the certproxy location, in /opt/../certproxy/conf/cert-proxy-log4j.properties.
Thank you very much for your support and assistance. I've sent the debug logs to your email. The same issue is still occurring. I’m not sure if you have identified the root cause from the logs.