Guys, I am at a bit of a standstill with my Horizon 6 deployment and I am hoping to get some assistance. I have a connection server running on the 10.0.244.x network, works fine with smart card authentication. I have a security server in the DMZ, that will connect to the connection server over the allowed ports and that seems fine. However, I cannot connect to the security server (which is on the 172.14.x.x network just for reference) via smart card. I just get the error "Smart card authentication is required." I am forcing smart card authentication so the error is not incorrect, but I cannot figure out what is keeping the security server from passing smart card credentials to the connection server. I am cutting and pasting log snippets below to help hopefully:
Security server:
2016-01-26T14:17:23.180-06:00 DEBUG (0B20-1340) <pool-1-thread-13> [PooledProcessor] SSL handshake exception for /10.0.211.180:4708, error was: Received fatal alert: certificate_unknown
2016-01-26T14:17:24.258-06:00 DEBUG (0B20-16D4) <HandshakeCompletedNotify-Thread> [PooledProcessor] Using secure protocol TLSv1.2 and cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
2016-01-26T14:17:24.321-06:00 DEBUG (0B20-0A7C) <Thread-34> [SimpleAJPService] (ajp:broker:Request37) Request from /10.0.211.180: POST /broker/xml
2016-01-26T14:17:24.368-06:00 DEBUG (0B20-0D9C) <AJP-18> [SimpleAJPService] (ajp:broker:Request37) Response 200 OK [close]
Connection server:
2016-01-26T14:17:17.582-06:00 DEBUG (1198-11EC) <CBHealthUpdate> [TrackerManager] Sending message: (TrackerMessage SYNC {}: {nn=VDI-IPPSA-View, u=[{"type":"SET","item":{"name":"HEALTH_LAST_UPDATE_TIME","type":"LONG","longValue":1453839437581}},{"type":"SET","item":{"name":"ATTR_BROKER_VERSION","typ...
2016-01-26T14:17:24.615-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlRequestProcessor] (SESSION:9cca_***_bdab) read XML input
2016-01-26T14:17:24.615-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlRequestProcessor] (SESSION:9cca_***_bdab) added: set-locale
2016-01-26T14:17:24.615-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlRequestProcessor] (SESSION:9cca_***_bdab) added: configuration
2016-01-26T14:17:24.615-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlAuthFilter] (SESSION:9cca_***_bdab) Pre-Auth Processing: configuration
2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [ProperoAuthFilter] (SESSION:9cca_***_bdab) Attempting to authenticate against gssapi
2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [ProperoAuthFilter] (SESSION:9cca_***_bdab) Attempting to authenticate against cert-auth
2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [CertificateAuthFilter] (SESSION:9cca_***_bdab) Client did not use Certificate Authentication, skipping or failing
2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [CertificateAuthFilter] (SESSION:9cca_***_bdab) Failing Certificate authentication, fatal error for REQUIRED mode
2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [CertificateAuthFilter] (SESSION:9cca_***_bdab) messageKey not set in HttpServletRequest
2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [EventLogger] (SESSION:9cca_***_bdab) Error_Event:[BROKER_USER_AUTHFAILED_GENERAL] "User null failed to authenticate": Node=VDI-IPPSA-View.ds.amrdec.army.mil, ClientIpAddress=10.0.211.180, Severity=AUDIT_FAIL, Time=Tue Jan 26 14:17:24 CST 2016, Module=Broker, UserDisplayName=null, Source=com.vmware.vdi.broker.filters.CertificateAuthFilter, Acknowledged=true
2016-01-26T14:17:24.617-06:00 DEBUG (1640-1118) <MessageFrameWorkDispatch> [MessageFrameWork] System::WriteWindowsEvent
2016-01-26T14:17:24.617-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [ProperoAuthFilter] (SESSION:9cca_***_bdab) Not authenticated, requesting login page for cert-auth
2016-01-26T14:17:24.617-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [AuthorizationFilter] (SESSION:9cca_***_bdab) paeCtx == null, forwarding to login page: /broker/xml
2016-01-26T14:17:24.617-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlServlet] (SESSION:9cca_***_bdab) Start processing: set-locale,configuration
2016-01-26T14:17:24.617-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlServlet] (SESSION:9cca_***_bdab) Processing: set-locale
2016-01-26T14:17:24.618-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlServlet] (SESSION:9cca_***_bdab) Finished processing: set-locale, Result: ok
2016-01-26T14:17:24.618-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlServlet] (SESSION:9cca_***_bdab) Processing: configuration
2016-01-26T14:17:24.618-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlServlet] (SESSION:9cca_***_bdab) Finished processing: configuration, Result: error, Error Code: AUTHENTICATION_FAILED, Error Message: Authentication failure, User Message: Smart Card or Certificate authentication is required.
2016-01-26T14:17:24.619-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlServlet] (SESSION:9cca_***_bdab) End processing: set-locale,configuration
2016-01-26T14:17:37.261-06:00 DEBUG (1198-0ED0) <DesktopControlSessions> [DesktopTracker] start session reader broadcast
2016-01-26T14:17:39.801-06:00 DEBUG (1198-0124) <VirtualCenterDriver-573f884e-f4e7-4a7c-b04f-184cd0c3c7be> [VirtualCenterDriver] VMs checked for reconfiguration: 5; not checked for reconfiguration: 0
2016-01-26T14:17:39.801-06:00 DEBUG (1198-0124) <VirtualCenterDriver-573f884e-f4e7-4a7c-b04f-184cd0c3c7be> [VirtualCenterDriver] (RePropagate cn=ippsa,ou=server groups,dc=vdi,dc=vmware,dc=int) onMachineEvent: null in pool: cn=ippsa,ou=server groups,dc=vdi,dc=vmware,dc=int
2016-01-26T14:17:40.171-06:00 DEBUG (1198-0EB4) <Publish VC Cert Task-1453235100421> [ServiceConnection25] Connecting instance Publish VC Cert Task Instance at URL https://VDI-SVR2:443/sdk
2016-01-26T14:17:40.185-06:00 DEBUG (1198-29D4) <MessageFrameWorkDispatch> [MessageFrameWork] ValidateCertificateChain ok=1, msecs=0
2016-01-26T14:17:40.185-06:00 DEBUG (1198-0EB4) <Publish VC Cert Task-1453235100421> [CertMatchingTrustManager] invalid certificate (as expected) for VDI-SVR2:443 InvalidCertificateException[reasons:nameMismatch;notTrusted;cantCheckRevoked; subject:'EMAILADDRESS=support@vmware.com, CN=VMware default certificate, OU=vCenterServer_2015.03.27_222554, O="VMware, Inc."' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: nameMismatch, cantCheckRevoked, ChainReasons: partialChain']
2016-01-26T14:17:40.434-06:00 DEBUG (1198-1978) <MessageFrameWorkDispatch> [MessageFrameWork] ValidateCertificateChain ok=1, msecs=0
2016-01-26T14:17:40.434-06:00 DEBUG (1198-0EB4) <Publish VC Cert Task-1453235100421> [CertMatchingTrustManager] invalid certificate (as expected) for VDI-SVR2:443 InvalidCertificateException[reasons:nameMismatch;notTrusted;cantCheckRevoked; subject:'EMAILADDRESS=support@vmware.com, CN=VMware default certificate, OU=vCenterServer_2015.03.27_222554, O="VMware, Inc."' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: nameMismatch, cantCheckRevoked, ChainReasons: partialChain']
2016-01-26T14:17:40.639-06:00 DEBUG (1198-0EB4) <Publish VC Cert Task-1453235100421> [ServiceConnection25] Connected instance Publish VC Cert Task Instance at URL https://VDI-SVR2:443/sdk
2016-01-26T14:17:40.639-06:00 DEBUG (1198-0EB4) <Publish VC Cert Task-1453235100421> [ServiceConnection25] Fetched reference objects for instance Publish VC Cert Task Instance at URL https://VDI-SVR2:443/sdk in 0 seconds. CBRC supported by VC: true
2016-01-26T14:17:40.657-06:00 DEBUG (1198-1588) <MessageFrameWorkDispatch> [MessageFrameWork] ValidateCertificateChain ok=1, msecs=0
2016-01-26T14:17:40.658-06:00 DEBUG (1198-0EB4) <Publish VC Cert Task-1453235100421> [CertMatchingTrustManager] invalid certificate (as expected) for 10.0.244.56:18443 InvalidCertificateException[reasons:nameMismatch;notTrusted; subject:'C=US, ST=CA, L=CA, O=VMware Inc., OU=VMware Inc., CN=VDI-SED-COMPOSE, EMAILADDRESS=support@vmware.com' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: nameMismatch, noTrust, ChainReasons: invalid']
2016-01-26T14:17:47.266-06:00 DEBUG (1198-0ED0) <DesktopControlSessions> [SDMessageManager] finished waiting, was waiting for 10000ms
2016-01-26T14:17:49.307-06:00 DEBUG (1B28-1C90) <MsgWorker#8> [bm] Item on queue "Inbound JMS Worker" for 81 us, queue length = 0, available workers = 9 of 10
2016-01-26T14:17:49.308-06:00 DEBUG (1B28-1C90) <MsgWorker#8> [r] RequestGetStatus: serverType = ice, server = null, localHostname = VDI-IPPSA-VIEW
2016-01-26T14:17:49.308-06:00 DEBUG (1B28-1C90) <MsgWorker#8> [cc] Queuing request ABSGC29-2451
2016-01-26T14:17:49.308-06:00 DEBUG (1B28-102C) <ABSGC29> [cc] Handling request ABSGC29-2451, on queue for 18uS
2016-01-26T14:17:49.309-06:00 DEBUG (1B28-102C) <ABSGC29> [cc] Queuing receipt ABSGC-9297
2016-01-26T14:17:49.309-06:00 DEBUG (1B28-207C) <ABSGC29:C> [cm] Handling message ABSGC-9297, on queue for 28uS
2016-01-26T14:17:49.310-06:00 DEBUG (1B28-1C90) <MsgWorker#8> [cs] Queuing request PSGC28-2477
2016-01-26T14:17:49.310-06:00 DEBUG (1B28-1764) <PSGC28> [cs] Handling request PSGC28-2477, on queue for 25uS
2016-01-26T14:17:49.310-06:00 DEBUG (1B28-1764) <PSGC28> [cs] Sending GETCOUNTERS request PSGC28-2477
2016-01-26T14:17:49.310-06:00 DEBUG (1B28-0E00) <PSGC28:L> [df] Good response received for GETCOUNTERS request PSGC28-2477 in 555uS (parsed in 82uS)
2016-01-26T14:17:49.310-06:00 DEBUG (1B28-0E00) <PSGC28:L> [cs] Queuing receipt 9334
2016-01-26T14:17:49.311-06:00 DEBUG (1B28-1EBC) <PSGC28:C> [cm] Handling message 9334, on queue for 17uS
2016-01-26T14:17:49.312-06:00 DEBUG (1B28-1C90) <MsgWorker#8> [r] IPsec Quick Mode Security Associations not currently active
2016-01-26T14:17:49.312-06:00 DEBUG (1B28-1A2C) <Outbound JMS Responder Thread> [bm] Item on queue "Outbound JMS Responder" for 19 us, queue length = 0, available workers = 0 of 1
2016-01-26T14:17:49.312-06:00 DEBUG (1B28-1A2C) <Outbound JMS Responder Thread> [m] Sending JMS message: CurrentStatus
2016-01-26T14:17:49.313-06:00 DEBUG (1B28-1A2C) <Outbound JMS Responder Thread> [m] Sent ObjectMessage in 990 us
2016-01-26T14:17:49.804-06:00 DEBUG (1198-0D50) <propagate-573f884e-f4e7-4a7c-b04f-184cd0c3c7be> [VirtualCenterDriver] Determine actions for cn=ippsa,ou=server groups,dc=vdi,dc=vmware,dc=int: stats={errorVMs=0, available=1, suspendedVMs=0, dirtyForNewSession=0, poweredOffVMs=3, recentlyRecoveredVMs=0, total=5, customizingVMs=0, availableAssigned=0, busy=1, zombie=0, assigned=0, adminDisabled=0}, vmMaximumCount=5, vmMinimumCount=5, vmHeadroomCount=1
2016-01-26T14:17:50.273-06:00 DEBUG (1198-2604) <MessageFrameWorkDispatch> [MessageFrameWork] ValidateCertificateChain ok=1, msecs=0
2016-01-26T14:17:50.274-06:00 DEBUG (1198-23C4) <VcCache poller 573f884e-f4e7-4a7c-b04f-184cd0c3c7be> [CertMatchingTrustManager] invalid certificate (as expected) for VDI-SVR2:443 InvalidCertificateException[reasons:nameMismatch;notTrusted;cantCheckRevoked; subject:'EMAILADDRESS=support@vmware.com, CN=VMware default certificate, OU=vCenterServer_2015.03.27_222554, O="VMware, Inc."' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: nameMismatch, cantCheckRevoked, ChainReasons: partialChain']
2016-01-26T14:17:50.477-06:00 DEBUG (1198-23C4) <VcCache poller 573f884e-f4e7-4a7c-b04f-184cd0c3c7be> [TrackerObject] Sync complete: VcCacheTrackedVCs:573f884e-f4e7-4a7c-b04f-184cd0c3c7be to version: 18725
2016-01-26T14:17:50.477-06:00 DEBUG (1198-23C4) <VcCache poller 573f884e-f4e7-4a7c-b04f-184cd0c3c7be> [TrackerManager] Sending message: (TrackerMessage SYNC {}: {nn=VDI-IPPSA-View, u=[{"type":"SET","item":{"name":"lastSeen","type":"LONG","longValue":1453839470477}}], v=18725, tn=VcCacheTrackedVCs, oi=573f884e-f4e7-4a7c-b04f-184cd0c3c7...
2016-01-26T14:17:53.347-06:00 DEBUG (1B28-207C) <ABSGC29:C> [az] getCoManagerStatus: CoController.queryHealth: request failed:
mid=ABSGC29-2451
reason=Timeout
2016-01-26T14:17:54.307-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [SGHealth] Processing health info from secure gateway BA-VMSEC
2016-01-26T14:17:54.308-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [SGHealth] IPsec status NOT_IN_USE for BA-VMSEC
2016-01-26T14:17:54.309-06:00 DEBUG (1198-18E0) <MessageFrameWorkDispatch> [MessageFrameWork] ValidateCertificateChain ok=1, msecs=0
2016-01-26T14:17:54.310-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [TrackerObject] Sync complete: SGHealth:BA-VMSEC to version: 1273
2016-01-26T14:17:54.310-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [TrackerManager] Sending message: (TrackerMessage SYNC {}: {nn=VDI-IPPSA-View, u=[{"type":"SET","item":{"name":"HEALTH_LAST_UPDATE_TIME","type":"LONG","longValue":1453839474309}},{"type":"SET","item":{"name":"ATTR_SG_VERSION","type":"...
2016-01-26T14:17:54.311-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [SGHealth] Processing health info from secure gateway VDI-IPPSA-VIEW
2016-01-26T14:17:54.312-06:00 DEBUG (1198-29D4) <MessageFrameWorkDispatch> [MessageFrameWork] ValidateCertificateChain ok=1, msecs=0
2016-01-26T14:17:54.312-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [TrackerObject] Sync complete: SGHealth:VDI-IPPSA-VIEW to version: 9297
2016-01-26T14:17:54.312-06:00 DEBUG (1198-214C) <SGHealth-federatedtask-1453235100843> [TrackerManager] Sending message: (TrackerMessage SYNC {}: {nn=VDI-IPPSA-View, u=[{"type":"SET","item":{"name":"HEALTH_LAST_UPDATE_TIME","type":"LONG","longValue":1453839474312}},{"type":"SET","item":{"name":"ATTR_SG_VERSION","type":"...
2016-01-26T14:17:54.554-06:00 DEBUG (1198-187C) <EnhancedSecurityManager$EnhancedSecurityTask-1453235101061> [EnhancedSecurityManager$EnhancedSecurityTask] Current mode: ENHANCED current level: ENHANCED
2016-01-26T14:17:57.583-06:00 DEBUG (1198-11EC) <CBHealthUpdate> [CBHealth] IPsec status NOT_IN_USE for BA-VMSEC
2016-01-26T14:17:57.583-06:00 DEBUG (1198-11EC) <CBHealthUpdate> [TrackerObject] Sync complete: BrokerHealth:VDI-IPPSA-VIEW to version: 15109
2016-01-26T14:17:57.584-06:00 DEBUG (1198-11EC) <CBHealthUpdate> [TrackerManager] Sending message: (TrackerMessage SYNC {}: {nn=VDI-IPPSA-View, u=[{"type":"SET","item":{"name":"HEALTH_LAST_UPDATE_TIME","type":"LONG","longValue":1453839477583}},{"type":"SET","item":{"name":"ATTR_BROKER_VERSION","typ...
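A triage helper for the log format shown in the post, as an added example that is not part of the original post: it pulls out TLS handshake alerts and, for each broker session, the authentication-filter trail and error codes, so the few relevant lines stand out from the health and tracker noise. The function name `triage` and the set of components treated as auth filters are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample lines copied from the log excerpts in the post (a small subset).
SAMPLE = """\
2016-01-26T14:17:23.180-06:00 DEBUG (0B20-1340) <pool-1-thread-13> [PooledProcessor] SSL handshake exception for /10.0.211.180:4708, error was: Received fatal alert: certificate_unknown
2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [ProperoAuthFilter] (SESSION:9cca_***_bdab) Attempting to authenticate against cert-auth
2016-01-26T14:17:24.616-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [CertificateAuthFilter] (SESSION:9cca_***_bdab) Client did not use Certificate Authentication, skipping or failing
2016-01-26T14:17:24.618-06:00 DEBUG (1198-1DB8) <ajp-nio-8009-exec-9> [XmlServlet] (SESSION:9cca_***_bdab) Finished processing: configuration, Result: error, Error Code: AUTHENTICATION_FAILED, Error Message: Authentication failure, User Message: Smart Card or Certificate authentication is required.
2016-01-26T14:17:37.261-06:00 DEBUG (1198-0ED0) <DesktopControlSessions> [DesktopTracker] start session reader broadcast
"""

# timestamp LEVEL (pid-tid) <thread> [component] (SESSION:id) message
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<level>[A-Z]+) +\([0-9A-F]+-[0-9A-F]+\) "
    r"<(?P<thread>[^>]*)> \[(?P<component>[^\]]+)\] "
    r"(?:\(SESSION:(?P<session>[^)]+)\) )?(?P<msg>.*)$")
TLS_ALERT = re.compile(r"SSL handshake exception for /(?P<peer>[\d.]+):\d+, error was: Received fatal alert: (?P<alert>\w+)")
ERROR_CODE = re.compile(r"Error Code: (?P<code>\w+)")
# Assumption: these component names, seen in the post's logs, form the auth chain.
AUTH_FILTERS = {"XmlAuthFilter", "ProperoAuthFilter", "CertificateAuthFilter", "AuthorizationFilter"}


def triage(text):
    """Return (tls_alerts, sessions): alerts as (ts, peer, alert) and, per session id, the auth-filter trail and error codes."""
    tls_alerts = []
    sessions = defaultdict(lambda: {"auth_trail": [], "error_codes": []})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines such as "mid=..." or "reason=..."
        alert = TLS_ALERT.search(m["msg"])
        if alert:
            tls_alerts.append((m["ts"], alert["peer"], alert["alert"]))
        sid = m["session"]
        if sid is None:
            continue  # health, tracker and vCenter lines carry no session id
        if m["component"] in AUTH_FILTERS:
            sessions[sid]["auth_trail"].append((m["ts"], m["component"], m["msg"]))
        code = ERROR_CODE.search(m["msg"])
        if code:
            sessions[sid]["error_codes"].append(code["code"])
    return tls_alerts, dict(sessions)


if __name__ == "__main__":
    alerts, sessions = triage(SAMPLE)
    print(alerts)
    for sid, info in sessions.items():
        print(sid, info["error_codes"], [c for _, c, _ in info["auth_trail"]])
```

Feeding it the security server and connection server logs for the same time window puts the handshake alert and the session's cert-auth trail side by side by timestamp.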