Lab 6: Troubleshooting Certificates

Objective and Tasks


In this lab, you address problems related to the Horizon Connection Server certificate:

  1. Confirm the Certificate Status for Horizon-01d.
  2. Create a Certificate Template for Horizon-01d.
  3. Request a New CA Signed Certificate.
  4. Verify the New Certificate.
  5. Review the Horizon-01d Logs.
  6. Create a Corrected Certificate Template for Horizon-01d.
  7. Request a CA Signed Certificate from the Corrected Template.
Task 1: Confirm the Certificate Status for Horizon-01d.
  1. Log in to ControlCenter (Landing Desktop):
    • Username: administrator
    • Password: Pa$$w0rd
  2. From the ControlCenter desktop, launch the Firefox browser.
  3. Click the Horizon-01d bookmark on the Bookmarks toolbar.
  4. Log in to the Horizon Console:
    • Username: administrator
    • Password: Pa$$w0rd
    • Note: A warning triangle appears next to the FQDN of the Horizon Connection Server. This indicates that the certificate it presents is not trusted.
  5. From the ControlCenter desktop,
    • Open Remote Desktops > Site1 folder
    • Launch Horizon-01d.RDP.
    • You are automatically logged in as [email protected]
  6. Click Start, enter mmc in the Search text box, and press Enter.
  7. Add the Certificates snap-in:
    • From the File menu select Add/Remove Snap-in...
    • Select Certificates and click Add.
    • Select Computer account and click Next.
    • Click Finish.
    • Click OK.
  8. Review the Horizon Certificate.
    • Expand Certificates (Local Computer).
    • Expand Personal and click Certificates
    • Identify the hzn-01d.techseals.co certificate.
    • Notice the Issued To and Issued By columns for the hzn-01d.techseals.co certificate: both show hzn-01d.techseals.co.
    • Note: The certificate presented by hzn-01d.techseals.co is self-signed (issued to and by itself), which confirms that it is not issued by a trusted Certificate Authority (CA).
    • Minimize Horizon-01d RDP session
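The same inspection as the Certificates (Local Computer) snap-in, scripted so it can be repeated after every change in this lab. This is an added example, not part of the lab material; run it in an elevated PowerShell session on the Connection Server. The host name and the vdm friendly-name convention come from the lab, and the 2048-bit threshold is the value the corrected template uses later.

```powershell
# Added example (not from the lab): report, for every certificate that could be the
# Connection Server's, the properties Horizon depends on and the first problem found.
function Get-HorizonCertStatus {
    param(
        [string]$Fqdn  = 'hzn-01d.techseals.co',   # external URL host name used in the lab
        [string]$Store = 'Cert:\LocalMachine\My'   # Personal store of the computer account
    )
    Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -like "CN=$Fqdn*" -or $_.FriendlyName -like 'vdm*' } |
        ForEach-Object {
            $cert = $_
            # RSA key size of the public key (0 if the key is not RSA).
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            $keyBits    = if ($rsa) { $rsa.KeySize } else { 0 }
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            $trusted    = $cert.Verify()   # builds and validates the chain against this machine's stores

            $problem = if ($selfSigned)                      { 'self-signed: not issued by a trusted CA' }
                       elseif ($keyBits -lt 2048)            { "key size $keyBits is below 2048 bits" }
                       elseif (-not $cert.HasPrivateKey)     { 'no private key in this store' }
                       elseif (-not $trusted)                { 'chain does not validate on this host' }
                       elseif ($cert.FriendlyName -ne 'vdm') { 'friendly name is not vdm, so Horizon will not select it' }
                       else                                  { 'none' }

            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                FriendlyName  = $cert.FriendlyName
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                SelfSigned    = $selfSigned
                KeySizeBits   = $keyBits
                HasPrivateKey = $cert.HasPrivateKey
                ChainTrusted  = $trusted
                NotAfter      = $cert.NotAfter
                Problem       = $problem
            }
        }
}

Get-HorizonCertStatus | Format-List
```

At this point in the lab the only match is the self-signed certificate, so Problem reads "self-signed". Rerun it after Task 3 and after Task 7 to see the key-size finding appear and then clear.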
Task 2: Create a Certificate Template for Horizon-01d.
  1. From the ControlCenter desktop,
  2. Click Start
  3. In the Search text box enter mmc.exe
    • Press Enter
  4. Add the Certificate snap-in:
    • From the File menu select Add/Remove Snap-in...
    • Select Certificate Templates and click Add.
    • Click OK.
  5. Duplicate a certificate template
    • Click Certificate Templates (ControlCenter.techseals-CA).
    • Scroll to the bottom of the list and identify the Web Server template.
    • Right-click the Web Server template and select Duplicate Template.
  6. Configure the new certificate template
    • On the Compatibility page, change the Certification Authority to Windows Server 2008 R2 and click OK.
    • Change the Certificate Recipient to Windows 7 / Server 2008 R2 and click OK.
    • Click the General tab and change the Template display name to Hzn-01d.
    • Select the check box for Publish certificate in Active Directory.
    • Click the Request Handling tab and, select the check box for Allow private key to be exported.
    • Click the Cryptography tab and change the Minimum key size to 1024. (This deliberately weak value is the fault that Task 5 diagnoses; the corrected template in Task 6 uses 2048.)
    • Click the Security tab.
    • To allow authenticated users to enroll this template, select Authenticated Users and select the Enroll check box.
    • Select Apply and OK to confirm the Template changes
    • You see that the new template is now present in the template list.
  7. Click Start:
    • In the Search text box enter Certification Authority and press Enter
    • Expand TechSeals-ControlCenter-CA and select Certificate Templates
    • Right click Certificate Templates and select New > Certificate Template to Issue
    • Select Hzn-01d and click OK.
    • You see that the Hzn-01d Template is available for enrollment.
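The template settings changed through the snap-in are attributes on pKICertificateTemplate objects in the configuration partition, so they can be audited without clicking through each tab. The script below is an added example, not part of the lab; it assumes the ActiveDirectory module (RSAT) on ControlCenter and an account that can read the templates, and the display names are the two this lab creates. One caveat the audit surfaces: the lab grants Enroll to Authenticated Users on a server-authentication template whose subject is supplied in the request, which lets any domain account request a certificate for any name. That is fine in a lab; in production, grant Enroll only to the Connection Server computer accounts.

```powershell
# Added example (not from the lab): audit the lab's certificate templates for the settings
# this task toggles: minimum key size, exportable key, enrollee-supplied subject, enrollers.
Import-Module ActiveDirectory

# Certificate-Enrollment extended right, which the 'Enroll' permission on the Security tab maps to.
$CertEnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ConfigNC  = (Get-ADRootDSE).configurationNamingContext
$Container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

function Get-TemplateAudit {
    param([string[]]$DisplayName = @('Hzn-01d', 'New Hzn-01d'))   # template display names from this lab
    $templates = Get-ADObject -SearchBase $Container -Filter { objectClass -eq 'pKICertificateTemplate' } `
        -Properties displayName, 'msPKI-Minimal-Key-Size', 'msPKI-Private-Key-Flag', `
                    'msPKI-Certificate-Name-Flag', pKIExtendedKeyUsage
    foreach ($t in $templates) {
        if ($DisplayName -and $t.displayName -notin $DisplayName) { continue }

        # Principals allowed to enroll: GenericAll, or ExtendedRight for enrollment / all extended rights.
        $enrollers = (Get-Acl -Path "AD:\$($t.DistinguishedName)").Access |
            Where-Object {
                $r = $_.ActiveDirectoryRights
                $_.AccessControlType -eq 'Allow' -and (
                    $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                    ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                     ($_.ObjectType -eq $CertEnrollRight -or $_.ObjectType -eq [guid]::Empty)))
            } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        $minKey       = [int]$t.'msPKI-Minimal-Key-Size'
        $exportable   = [bool]($t.'msPKI-Private-Key-Flag' -band 0x10)       # CT_FLAG_EXPORTABLE_KEY
        $subjectInReq = [bool]($t.'msPKI-Certificate-Name-Flag' -band 0x1)   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        $serverAuth   = $t.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.1' # id-kp-serverAuth

        $findings = @()
        if ($minKey -lt 2048) { $findings += "minimum key size $minKey is below 2048" }
        if (-not $exportable) { $findings += 'private key not exportable; Horizon requires an exportable key' }
        if ($subjectInReq -and $serverAuth -and ($enrollers -contains 'NT AUTHORITY\Authenticated Users')) {
            $findings += 'any authenticated user can enroll a server-auth certificate for a subject of their choosing'
        }

        [pscustomobject]@{
            Template           = $t.displayName
            Name               = $t.Name      # template name (display name without spaces), used by certutil
            MinKeySize         = $minKey
            KeyExportable      = $exportable
            SubjectFromRequest = $subjectInReq
            ServerAuth         = $serverAuth
            Enrollers          = ($enrollers -join '; ')
            Findings           = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-TemplateAudit | Format-List
```

The CA-side step in item 7 (New > Certificate Template to Issue) has a command-line equivalent, `certutil -SetCATemplates +<Name>` run on the CA, where <Name> is the value in the Name column rather than the display name.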
Task 3: Request a New CA Signed Certificate.
  1. Return to the Hzn-01d remote connection.
  2. If necessary, open the MMC console and add the Certificates (Local Computer) snap-in.
  3. Request a new certificate for Hzn-01d
    • Under the Personal folder, right-click the Certificates folder
    • From the All Tasks menu, select Request New Certificate...
    • Select Next.
    • Select the Hzn-01d check box.
    • Click the More information is required to enroll for this certificate link.
  4. Configure the new certificate:
    • Click the Subject tab.
    • From the Type drop-down menu, change Full DN to Common Name.
    • In the text box, enter hzn-01d.techseals.co and click Add.
    • Click the General tab and, for the Friendly name, enter vdm. Horizon Connection Server uses the certificate in the Personal store whose friendly name is vdm.
    • Click the Private Key tab, expand Key options, and verify that the Make private key exportable check box is selected.
    • Click OK.
    • Click Enroll.
    • Click Finish.
Task 4: Verify a New Certificate.
  1. Two certificates now have the friendly name vdm. Rename the self-signed one so that only the CA-issued certificate keeps that name:
    • Right-click the certificate issued by hzn-01d.techseals.co (the self-signed certificate) and select Properties.
    • Change the Friendly name from vdm to vdm.old.
    • Click OK.
  2. Restart Hzn-01d.
  3. Wait for the restart to finish and return to the ControlCenter desktop.
  4. Wait a few minutes for all the services to start and refresh the Hzn-01d console.
    • Horizon services can take up to 10 minutes to start.
  5. Firefox shows a Secure Connection Failed error: the Connection Server is not serving the new certificate. The next task finds out why.
Task 5: Review the Hzn-01d Logs.
  1. Return to the Hzn-01d  remote connection.
  2. Open File Explorer and navigate to:
    • C:\ProgramData\Omnissa\Horizon\logs.
  3. Open the latest debug text file with Notepad++.
  4. Find the error message:
    • Click Search and then Find.
    • In the text box, enter any of these strings:
      • Failed to find key
      • BROKER_SECURE_GATEWAY_CERT_NOTVALID
      • Server's certificate subject name does not match the server's External URL. Server's certificate is not trusted
      • Certificate thumbprint verification failed, no matching thumbprint
    • Select Find All in Current Document.
    • Select the most recent occurrence of the entry.
    • Look for messages that say there is a problem with the private key for vdm.
    • Note: The private key was set to exportable when enrolling the certificate, so exportability is not the problem. The next thing to verify is the key size.

Note: You may not find these exact keywords, which is expected as logs can rotate or vary depending on the version. If that happens, proceed to the next step.

  5. Verify the private key size:
    • Open the MMC console and navigate to the Personal certificate store as described previously.
    • Double-click the hzn-01d.techseals.co certificate with the friendly name vdm (the CA-issued one).
    • Select Details.
    • Select Public Key.
    • The key size is 1024 bits, which is too small. The Minimum key size setting of 1024 in the Hzn-01d template is the reason the certificate is failing.
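The Notepad++ search in step 4 can be scripted so that the newest debug log is always the one examined and the most recent hit for each message is reported first. This is an added example, not part of the lab; the log directory is the one from step 2, the search strings are the four listed above, and the sample lines embedded as a fallback are constructed for illustration (their layout approximates Horizon debug output and is not a captured log).

```powershell
# Added example (not from the lab): find the latest occurrence of each certificate-related
# error in the newest Connection Server debug log.
$LogDir   = 'C:\ProgramData\Omnissa\Horizon\logs'
$Patterns = @(
    'Failed to find key',
    'BROKER_SECURE_GATEWAY_CERT_NOTVALID',
    "Server's certificate subject name does not match the server's External URL",
    'Certificate thumbprint verification failed, no matching thumbprint'
)

function Find-CertErrors {
    param([string[]]$Lines, [string[]]$Pattern = $Patterns)
    # Lines are expected to begin with an ISO-8601 timestamp; lines without one sort last.
    $stamp = '^(?<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\S*)'
    $hits = foreach ($p in $Pattern) {
        # Literal, case-insensitive match; the last line in file order is the most recent occurrence.
        $match = $Lines | Where-Object { $_.IndexOf($p, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
                 Select-Object -Last 1
        if ($match) {
            $ts = if ($match -match $stamp) { $Matches.ts } else { '' }
            [pscustomobject]@{ Time = $ts; Pattern = $p; Line = $match }
        }
    }
    $hits | Sort-Object Time -Descending
}

# Newest debug log if the directory is present, otherwise the constructed sample below.
$file = Get-ChildItem -Path $LogDir -Filter 'debug-*.txt' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime | Select-Object -Last 1
$lines = if ($file) { Get-Content -Path $file.FullName } else {
    @(
        '2025-01-10T09:12:01.120-08:00 INFO  (0A1C-2F10) <main> [Broker] Loading certificate with friendly name vdm',
        '2025-01-10T09:12:01.130-08:00 ERROR (0A1C-2F10) <main> [KeyVault] Failed to find key for certificate vdm',
        '2025-01-10T09:12:01.140-08:00 WARN  (0A1C-2F10) <main> [Broker] BROKER_SECURE_GATEWAY_CERT_NOTVALID'
    )
}
Find-CertErrors -Lines $lines | Format-Table -AutoSize
```

As the note above says, none of these strings may be present after a log rotation; an empty table from this script means the same thing, and the key-size check in step 5 is still the deciding test.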
Task 6: Create a Certificate Template for Hzn-01d.
  1. From the ControlCenter desktop
  2. If necessary, click Start, enter mmc.exe in the Search text box, and press Enter.
  3. Add the certificate template snap-in:
    • From the File menu select Add/Remove Snap-in...
    • Select Certificate Templates
    • Click Add.
    • Click OK
  4. Select Certificate Templates (ControlCenter.techseals.co).
  5. Scroll to the bottom of the list and identify the Web Server template.
  6. Right-click the Web Server template and select Duplicate Template.
  7. Configure the settings for the certificate template:
    • Click the Compatibility tab and change the Certification Authority to Windows Server 2008 R2.
    • When prompted, click OK.
    • Change the Certificate Recipient to Windows 7/Server 2008 R2.
    • When prompted, click OK.
    • Click the General tab and change the Template display name to New Hzn-01d.
    • Select the check box for Publish certificate in Active Directory.
    • Click the Cryptography tab and verify that the Minimum key size is 2048.
    • To allow authenticated users to enroll this template, click the Security tab, select Authenticated Users, and select the Enroll check box.
    • To confirm the template changes, select Apply and click OK.
    • A new template is created and listed in the template list.
  8. Click Start:
    • In the Search text box, enter Certification Authority and press Enter.
    • Expand TechSeals-ControlCenter-CA and select Certificate Templates.
    • Right-click Certificate Templates and navigate to New > Certificate Template to Issue.
    • Select New Hzn-01d and click OK.
    • You see that the New Hzn-01d template is available for enrollment.
    • To stop the CA from issuing the broken template, right-click Hzn-01d in the same list and select Delete.
Task 7: Request a CA Signed Certificate.
  Return to the MMC console in the Hzn-01d remote connection. If necessary, open the MMC console and add the Certificates (Local Computer) snap-in as in the previous steps.
  1. To remove the broken certificate from the certificate store, under Personal > Certificates right-click the hzn-01d.techseals.co certificate issued by TechSeals-ControlCenter-CA (friendly name vdm, 1024-bit key) and select Delete. Leave vdm.old in place.
  2. Request a new certificate:
    • Under Personal, right-click Certificates
    • From the All Tasks menu, select Request New Certificate...
    • Select Next.
    • Select Next.
    • Select the New Hzn-01d check box.
    • Click the More information is required to enroll for this certificate link.
  3. Configure the new certificate:
    • Click the Subject tab and, from the Type drop-down menu, change Full DN to Common Name.
    • In the text box, enter the value hzn-01d.techseals.co and click Add.
    • Click the General tab and, in the Friendly name text box, enter vdm.
    • Click the Private Key tab and expand the Key Options.
    • Verify that the Make private key exportable check box is selected.
    • Click OK.
    • Click Enroll.
    • Click Finish
  4. Restart the Hzn-01d VM.
    • Wait for the restart to finish.
  5. Return to the ControlCenter desktop.
  6. Wait a few minutes for all the services to start and refresh the Hzn-01d console.
  7. Verify that the Horizon Console loads without errors.

Note: A green lock appears next to the FQDN of the Horizon Connection Server. This indicates that the certificate is now trusted.
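The replacement sequence of Task 4 and Task 7 (demote the self-signed certificate, remove the 1024-bit one, enroll from the corrected template, tag the result vdm, check before restarting) as a script on the Connection Server. This is an added example, not part of the lab; it needs an elevated session with the PKI module (Get-Certificate). The host name, the vdm convention and the 2048-bit requirement are the lab's; the template name NewHzn-01d is an assumption based on AD CS deriving the template name from the display name by removing spaces.

```powershell
# Added example (not from the lab): replace the Connection Server certificate end to end.
function Get-RsaKeySize([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa) { $rsa.KeySize } else { 0 }
}

function Repair-HorizonCert {
    param(
        [string]$Fqdn     = 'hzn-01d.techseals.co',
        [string]$Template = 'NewHzn-01d',           # assumption: template name of 'New Hzn-01d'
        [string]$Store    = 'Cert:\LocalMachine\My'
    )
    $certs = @(Get-ChildItem -Path $Store | Where-Object { $_.Subject -like "CN=$Fqdn*" })

    # Task 4: keep the self-signed certificate but rename it so Horizon no longer selects it.
    foreach ($c in $certs | Where-Object { $_.Subject -eq $_.Issuer -and $_.FriendlyName -eq 'vdm' }) {
        $c.FriendlyName = 'vdm.old'   # persisted to the store by the certificate provider
        Write-Host "renamed self-signed $($c.Thumbprint) to vdm.old"
    }

    # Task 7 step 1: remove the CA-issued certificate whose key is below 2048 bits, key included.
    foreach ($c in $certs | Where-Object { $_.Subject -ne $_.Issuer -and (Get-RsaKeySize $_) -lt 2048 }) {
        Write-Host "removing $($c.Thumbprint) ($(Get-RsaKeySize $c)-bit) issued by $($c.Issuer)"
        Remove-Item -Path "$Store\$($c.Thumbprint)" -DeleteKey
    }

    # Task 7 steps 2-3: enroll from the corrected template; the subject and the SAN both carry the
    # external URL host name, and the exportable-key setting comes from the template.
    $result = Get-Certificate -Template $Template -SubjectName "CN=$Fqdn" -DnsName $Fqdn -CertStoreLocation $Store
    if ($result.Status -ne 'Issued') { throw "enrollment did not complete: status $($result.Status)" }
    $new = Get-Item -Path "$Store\$($result.Certificate.Thumbprint)"
    $new.FriendlyName = 'vdm'   # Horizon selects the Personal-store certificate named vdm

    # Checks before the restart: exactly one 'vdm', 2048-bit or larger, private key present, chain trusted.
    $vdm = @(Get-ChildItem -Path $Store | Where-Object { $_.FriendlyName -eq 'vdm' })
    if ($vdm.Count -ne 1) { throw "expected exactly one certificate named vdm, found $($vdm.Count)" }
    $bits = Get-RsaKeySize $new
    if ($bits -lt 2048 -or -not $new.HasPrivateKey -or -not $new.Verify()) {
        throw "new certificate not usable: $bits-bit, private key=$($new.HasPrivateKey), trusted=$($new.Verify())"
    }
    Write-Host "ready: $($new.Thumbprint) $bits-bit, issued by $($new.Issuer); restart the Connection Server"
    $new
}

Repair-HorizonCert
# Task 7 step 4: the lab restarts the VM afterwards (Restart-Computer).
```

Every check before the restart mirrors a symptom from earlier tasks: two vdm entries (Task 4), a key below 2048 bits (Task 5), and a chain that does not validate (Task 1). If any of them fails, the script stops before the Connection Server is restarted with a certificate it cannot use.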

 
