
I configured Mobile SSO on Android, but it always shows the error message ‘Access Denied, Failed to Use Certificate’



Posted

I configured Mobile SSO on Android, but it always shows the error message ‘Access Denied, Failed to Use Certificate’, Why?

[three screenshots of the error attached]

Posted
17 hours ago, Sascha Warno said:

I assume Access is onpremises? How many nodes and what is the load balancer setup? 

Thanks for your support.

For VIDM, there are three nodes in the server, and port 5262 is configured for layer 4 direct pass-through.

No UAG servers.

Posted (edited)

Currently, the web can perform certificate authentication through the Tunnel, but Boxer cannot connect and displays "Access Denied, Failed to login with certificate." The Boxer version is 24.09, UEM version is 23.10.36, and VIDM version is 24.07.

[screenshot attached]

  • Employee
Posted

This is an overview of the flow and involved ports and systems I created before. From the log you shared, step 5 is not returning certificate information. This usually means it connects to the wrong node (wrong setting on the LB around XFF) or no cert was presented (which would mean wrong Tunnel config). You need to follow the flow and check that all nodes connect to the correct partner. Use the certproxy and horizon logs.

Certproxy auth.pdf

  • Employee
Posted

If you bypass the LB with a single node, you would still need to have the whole XFF and remote port setup if you do not use force destination. If you force a destination, you can point to localhost and it would redirect locally. You might also need to set components.certproxy.strictssl=false in runtime-config.properties.

Posted
On 11/15/2024 at 8:29 PM, Sascha Warno said:

This is an overview of the flow and involved ports and systems I created before. From the log you shared, step 5 is not returning certificate information. This usually means it connects to the wrong node (wrong setting on the LB around XFF) or no cert was presented (which would mean wrong Tunnel config). You need to follow the flow and check that all nodes connect to the correct partner. Use the certproxy and horizon logs.

Certproxy auth.pdf

Thank you very much for your reply. We obtained the following error message from the logs. Do we need to configure the following on F5?

---------------------------------------------------------------------------------------------
2024-11-09T05:50:03,091 ERROR (Thread-6) [L01MDMVIDM0xxx;-;xx.xx.xxx;######:10.xxx.xxx-] com.vmware.horizon.adapters.certproxy.RemoteIpPortProvider - Unable to obtain remote port from header: RemotePort, header is missing
2024-11-09T05:50:03,091 INFO  (Thread-6) [L01MDMVIDM0xxx;-;xx.xx.xxx;######:10.xxx.xxx-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-09T05:50:03,091 INFO  (Thread-6) [L01MDMVIDM0xxx;-;xx.xx.xxx;######:10.xxx.xxx-] com.vmware.horizon.adapters.certificateAdapter.CertificateAuthAdapterBase - No certificates were provided by the browser

--------------------------------------------------------------------

Current F5 configuration:

[screenshot: current F5 configuration]

Changed F5 configuration:

[screenshot: changed F5 configuration]

  • Employee
Posted

Correct, you need to add a Request Header Insert with the RemotePort info. Also you will require XFF to let the node that receives the request know on which node it can find the cert info.

[screenshot attached]

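A practitioner check for the header insert discussed above, added here as an example and not code from the original post or from Omnissa: a small listener that reports whether a request arriving from the F5 virtual server actually carries X-Forwarded-For and RemotePort. The header name RemotePort is taken from the horizon.log error quoted earlier; X-Forwarded-For is the standard XFF header. Port 8080 and the exact validation rules (IP literal in XFF, numeric TCP port in RemotePort) are this example's assumptions. Note that headers can only be inserted by a virtual server that terminates HTTP, so a check like this cannot be placed behind the layer-4 pass-through on 5262; it belongs behind the HTTPS virtual server the client hits.

```python
"""Verify that the certproxy-related headers reach a Workspace ONE Access node.

Added example for this thread, not Omnissa/VMware code. Assumes the two headers
named in the thread: X-Forwarded-For (client IP) and RemotePort (client TCP
source port). Run it on a spare port as a temporary pool member and request any
path through the VIP; the response body reports what arrived.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from ipaddress import ip_address
from typing import Dict, Optional, Tuple

REQUIRED_HEADERS = ("X-Forwarded-For", "RemotePort")


def check_lb_headers(headers: Dict[str, str]) -> Tuple[bool, str, Optional[Tuple[str, int]]]:
    """Return (ok, reason, (client_ip, client_port)) for one request's headers.

    Names are matched case-insensitively, as HTTP requires. X-Forwarded-For may
    be a comma-separated chain when more than one proxy is in the path; the
    left-most entry is the original client, which is what the node needs.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    missing = [h for h in REQUIRED_HEADERS if h.lower() not in lower]
    if missing:
        # Same condition as the logged
        # "Unable to obtain remote port from header: RemotePort, header is missing".
        return False, "header is missing: " + ", ".join(missing), None

    client_ip = lower["x-forwarded-for"].split(",")[0].strip()
    try:
        ip_address(client_ip)
    except ValueError:
        return False, f"X-Forwarded-For is not an IP address: {client_ip!r}", None

    port_text = lower["remoteport"].strip()
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        return False, f"RemotePort is not a valid TCP port: {port_text!r}", None

    return True, "ok", (client_ip, int(port_text))


class HeaderEchoHandler(BaseHTTPRequestHandler):
    """Answer every request with the check result and the raw headers received."""

    def do_GET(self) -> None:
        received = dict(self.headers.items())
        ok, reason, client = check_lb_headers(received)
        body = (
            f"ok={ok}\nreason={reason}\nclient={client}\nraw_headers={received}\n"
        ).encode("utf-8")
        self.send_response(200 if ok else 400)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args) -> None:
        # Keep stdout quiet; the response body already says everything.
        return


if __name__ == "__main__":
    # 8080 is an arbitrary test port for this example.
    HTTPServer(("0.0.0.0", 8080), HeaderEchoHandler).serve_forever()
```

A 400 with "header is missing: RemotePort" from this listener means the F5 profile or iRule is not inserting the header on the path the client actually takes, which is exactly the state the horizon.log error above describes; a 200 confirms the headers and lets you compare the reported client port with the clientData lookup horizon attempts later.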
Posted
24 minutes ago, Sascha Warno said:

Correct, you need to add a Request Header Insert with the RemotePort info. Also you will require XFF to let the node that receives the request know on which node it can find the cert info.

Thank you very much for your reply.

We have configured VIDM on F5 as follows. Not sure if it's correct?

[screenshot: F5 configuration for VIDM]

Posted
13 minutes ago, Sascha Warno said:

We had the following setup:

[screenshot: F5 setup]

Thank you very much for your guidance. We will try to make the changes during the change window this week. If there are any issues, we will contact you again.

Posted
On 11/18/2024 at 11:43 PM, Sascha Warno said:

We had the following setup:

[screenshot: F5 setup]

Thank you very much for your help. We made the changes on the F5 according to the steps, but the result we got is the same error as before.

[screenshot attached]

  • Employee
Posted

You will have to check the certproxy logs from your nodes and correlate them with the horizon logs to see the back and forth between the services. Search the certproxy logs for ProxyToServerWorker entries, to confirm it is actually creating a connection to the LB or Horizon service. Then, if that worked, check in the horizon log whether it tries to connect to one of the nodes on 5262 or 5263 (whichever you configured as admin port) at a clientData/xxxxx endpoint, where the random number is the remotePort used.
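The triage the reply above asks for, as an added example that is not part of the original post and not Omnissa code: a parser for horizon.log lines in the layout the poster shared, which tags each line with the certproxy-related messages quoted in this thread and turns them into a verdict following the reasoning given in the replies (RemotePort header missing points at the load balancer; "No certificates were provided" without that header error points at the certproxy lookup and calls for correlating the nodes' certproxy logs). The message strings are those visible in the posted logs; the sample lines below are constructed from them with hostnames and addresses masked; the verdict names and the line-layout regex are this example's assumptions.

```python
"""Triage horizon.log for the Mobile SSO (certproxy) failure in this thread.

Added example, not Omnissa/VMware code. Message strings come from the logs
posted in the thread; the classification mirrors the replies: a missing
RemotePort header is a load-balancer problem, "no certificate provided" with
the header present means the certproxy lookup failed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Layout as posted: "<ts> <LEVEL> (<thread>) [<context>] <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+\((?P<thread>[^)]+)\)\s+"
    r"\[(?P<ctx>[^\]]*)\]\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$"
)

# Substrings of the messages quoted in the thread, keyed by a short marker name.
MARKERS: Dict[str, str] = {
    "remoteport_missing": "Unable to obtain remote port from header: RemotePort, header is missing",
    "token_not_found": "cert proxy token not found",
    "no_cert": "No certificates were provided by the browser",
    "certproxy_failure": "CertProxy authentication failure, no certificate provided",
    "no_auth_method": "No Auth method found to authenticate user",
    "login_failed": "Failing login",
}

# Constructed samples modelled on the two logs posted in the thread (masked).
SAMPLE_BEFORE_LB_FIX = """\
2024-11-09T05:50:03,091 ERROR (Thread-6) [NODE1;-;xx.xx.xxx;######:10.xxx.xxx-] com.vmware.horizon.adapters.certproxy.RemoteIpPortProvider - Unable to obtain remote port from header: RemotePort, header is missing
2024-11-09T05:50:03,091 INFO  (Thread-6) [NODE1;-;xx.xx.xxx;######:10.xxx.xxx-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-09T05:50:03,091 INFO  (Thread-6) [NODE1;-;xx.xx.xxx;######:10.xxx.xxx-] com.vmware.horizon.adapters.certificateAdapter.CertificateAuthAdapterBase - No certificates were provided by the browser
"""

SAMPLE_AFTER_LB_FIX = """\
2024-11-20T08:19:38,483 INFO  (Thread-10) [VIDM01;-;-;;-] com.vmware.horizon.service.util.FrontEndUtils - Android SSO request with clientIP xxx.xxx.xxx.xx
2024-11-20T08:19:38,488 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xxx.xx;23470ed729f5ffc:xxx.xxx.xx.xx;-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-20T08:19:38,528 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certificateAdapter.CertificateAuthAdapterBase - No certificates were provided by the browser
2024-11-20T08:19:38,528 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certificateAdapter.CertificateAuthAdapterBase - CertProxy authentication failure, no certificate provided
2024-11-20T08:19:38,546 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.components.identity.policy.AccessPolicyChainedAuthMethodService - No Auth method found to authenticate user for Policy UUID: dcf3c17d-6c56-42bd-9402-b78e8e0a2b7b, Is default Policy: true, User-Agent: AndroidMobile
2024-11-20T08:19:38,550 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.service.controller.auth.LoginController - Failing login, resourceUuid: null, userInput: user@example.com, username: user, domain: example.com
"""


def parse_horizon_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse lines matching the layout; tag each with the markers it carries.

    Lines that do not match (stack traces, shell prompts, blanks) are skipped.
    """
    events: List[Dict[str, object]] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev: Dict[str, object] = m.groupdict()
        msg = str(ev["msg"])
        ev["markers"] = [name for name, text in MARKERS.items() if text in msg]
        events.append(ev)
    return events


def diagnose(events: List[Dict[str, object]]) -> Tuple[str, str]:
    """Return (verdict, next_check), most specific cause first."""
    seen: Counter = Counter(marker for ev in events for marker in ev["markers"])
    if seen["remoteport_missing"]:
        return ("lb_headers",
                "The node never received the RemotePort header: fix the request header "
                "insert (RemotePort and X-Forwarded-For) on the virtual server the client hits.")
    if seen["no_cert"] or seen["certproxy_failure"]:
        return ("certproxy_lookup",
                "Header error gone but no certificate found: check every node's certproxy log "
                "for ProxyToServerWorker entries, then confirm horizon.log connects to a node on "
                "the admin port (5262/5263) at clientData/<remotePort>.")
    if seen["no_auth_method"] or seen["login_failed"]:
        return ("policy", "Login failed without certproxy messages: no usable auth method "
                          "in the access policy for this User-Agent.")
    return ("clean", "No certproxy failure markers found in these lines.")


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE_LB_FIX), ("after", SAMPLE_AFTER_LB_FIX)):
        verdict, hint = diagnose(parse_horizon_log(sample.splitlines()))
        print(f"{label}: {verdict}: {hint}")
```

Run against the real file with `diagnose(parse_horizon_log(open("/opt/vmware/horizon/workspace/logs/horizon.log")))`; the two samples reproduce the thread's progression, first `lb_headers` from the November 9 log and then `certproxy_lookup` from the November 20 log, which is the state the reply above says to chase into the certproxy logs.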

Posted (edited)
13 hours ago, Sascha Warno said:

You will have to check the certproxy logs from your nodes and correlate them with the horizon logs to see the back and forth between the services. Search the certproxy logs for ProxyToServerWorker entries, to confirm it is actually creating a connection to the LB or Horizon service. Then, if that worked, check in the horizon log whether it tries to connect to one of the nodes on 5262 or 5263 (whichever you configured as admin port) at a clientData/xxxxx endpoint, where the random number is the remotePort used.

Thanks for your support. I have obtained the following logs.

tail -f /opt/vmware/horizon/workspace/logs/horizon.log
2024-11-20T08:19:38,483 INFO  (Thread-10) [VIDM01;-;-;;-] com.vmware.horizon.service.util.FrontEndUtils - Android SSO request with clientIP xxx.xxx.xxx.xx
2024-11-20T08:19:38,488 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xxx.xx;23470ed729f5ffc:xxx.xxx.xx.xx;-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-20T08:19:38,488 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xxx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.service.util.FrontEndUtils - Android SSO request with clientIP xxx.xxx.xx.xxx
2024-11-20T08:19:38,489 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-20T08:19:38,489 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.service.util.FrontEndUtils - Android SSO request with clientIP xxx.xxx.xx.xxx
2024-11-20T08:19:38,509 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.service.controller.auth.LoginController - Start authenticating LiHeA with embedded auth broker
2024-11-20T08:19:38,520 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.federationbroker.FederationBrokerService - MFA id/phonenumber not found. MFA registration required for user: LiHeA
2024-11-20T08:19:38,520 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.federationbroker.FederationBrokerService - Adding MfaContext 4278d1eb-a598-4a38-95ae-b1b0510dc824 to cache
2024-11-20T08:19:38,528 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-20T08:19:38,528 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.service.util.FrontEndUtils - Android SSO request with clientIP xxx.xxx.xx.xxx
2024-11-20T08:19:38,528 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-20T08:19:38,528 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certificateAdapter.CertificateAuthAdapterBase - No certificates were provided by the browser
2024-11-20T08:19:38,528 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certificateAdapter.CertificateAuthAdapterBase - CertProxy authentication failure, no certificate provided
2024-11-20T08:19:38,528 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.components.authentication.login.event.LoginEventListener - get source -> com.vmware.horizon.federationbroker.FederationBrokerService@19d9810e
2024-11-20T08:19:38,529 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.rest.RestUtils - Clearing relay state 97b6b17c-a6c8-49cc-aabf-0360f49b3f29 from session.
2024-11-20T08:19:38,534 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.encryption.EncryptionServiceDBImpl - Sign data for keyContainer: VIDM01:st
2024-11-20T08:19:38,539 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.adapters.certproxy.CertProxyAuthAdapter - cert proxy token not found
2024-11-20T08:19:38,539 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.service.util.FrontEndUtils - Android SSO request with clientIP xxx.xxx.xx.xxx
2024-11-20T08:19:38,546 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.components.identity.policy.AccessPolicyChainedAuthMethodService - No Auth method found to authenticate user for Policy UUID: dcf3c17d-6c56-42bd-9402-b78e8e0a2b7b, Is default Policy: true, User-Agent: AndroidMobile
2024-11-20T08:19:38,548 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.components.authentication.login.event.LoginEventListener - get source -> com.vmware.horizon.service.controller.auth.LoginController@695d3c50
2024-11-20T08:19:38,548 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.components.authentication.monitoring.LoginMetricsPublisher - Login failed.
2024-11-20T08:19:38,549 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.components.authentication.monitoring.LoginMetricsPublisher - Login failed.
2024-11-20T08:19:38,550 INFO  (Thread-10) [VIDM01;-;xxx.xxx.xx.xxx;23470ed729f5ffc:xx.xxx.xx.xx;-] com.vmware.horizon.service.controller.auth.LoginController - Failing login, resourceUuid: null, userInput: LiHeA@wuxiapptec.com, username: LiHeA, domain: xxxxxx.com
Posted

Hello, my question about Workspace ONE Access without LB has been solved. In addition to the changes that needed to be made, I had an incorrect Root certificate from Workspace ONE Tunnel. I don't know if this could be the problem, but it worked for me almost immediately. When I downloaded the Root CA certificate from the Customer group, the problem was solved. Previously, it was downloaded from the Global group.

Tomorrow I will add an entry in the community about what I have set up; maybe it will be useful to others.

Posted
On 11/20/2024 at 8:47 PM, Sascha Warno said:

for changing the log level check https://docs.omnissa.com/bundle/workspace-one-access-installation-guideV22.09/page/SettingtheWorkspaceONEAccessServiceLogLeveltoDEBUG.html

for certproxy that needs to be done in the certproxy location in /opt/../certproxy/conf/cert-proxy-log4j.properties

Thank you very much for your support and assistance. I've sent the debug logs to your email.

The same issue is still occurring. I’m not sure if you have identified the root cause from the logs.
