- This topic has 4 replies, 2 voices, and was last updated 8 years, 6 months ago by mystlawer.
October 8, 2015 at 2:03 am #42130
Seems to be very little information out there, both from the vendors involved and on the forums.
The environment in question is XenDesktop 7.5, Web Interface 5.4, and Active Directory.
Our current XEN.INI looks like this
————-< Start XEN.INI >—————
;************************************************************************
;* General 1 *
;************************************************************************
autoload=1
EnableCacheIni=no
;************************************************************************
;* General 3 *
;************************************************************************
Locale=English
;************************************************************************
;* Time *
;************************************************************************
Timeserver=ntp.ourcompany.org \
Timeformat="12-hour format" \
Dateformat=mm/dd/yyyy
TimeZone='GMT - 08:00' \
ManualOverride=yes \
Daylight=yes \
Start=030307 \
End=110107 \
TimeZoneName="Pacific Standard Time" \
DayLightName="Pacific Daylight Time"
;************************************************************************
;* Network *
;************************************************************************
WDMService=no
SysMode=vdi toolbardisablemouse=no toolbarclick=yes
SignOn=Yes DefaultINI=vdi.ini
DisableDomain=yes
DomainList="ourcompany.org"
BootpDisable=yes
;************************************************************************
;* Self Service Password *
;************************************************************************
AddCertificate=star.ourcompany.org.crt
AddCertificate=NetworkSolutions_CA.crt
PasswordServer=https://xdc01.ourcompany.org AccountSelfService=yes connect=ica
;************************************************************************
;* ScreenSaver *
;************************************************************************
ScreenSaver=10 \
Type=2 \
Image=ScreenSaver.jpg
;************************************************************************
;* Device Customization *
;************************************************************************
AutoSignoff=yes Reboot=yes
Shutdowncount=3
Inactive=10
Desktop=ThinTermBK.jpg
PnliteServer=http://192.168.150.7:8081 \
storefront=no
————–< End XEN.INI >—————-
The two certificates live on the FTP site in wnos\cacerts and are loading correctly, as indicated by the event log on the Xenith 2 devices.
1. star.ourcompany.org is a wildcard cert purchased from Network Solutions
2. NetworkSolutions_CA is the root certificate for Network Solutions
The end user experience differs depending on what you do, but none of it is working:
1. At the Wyse device logon screen there is a blue icon to the right of the password field. Rolling over this icon yields "Account locked or forgotten password? Please click for account self-service."
- Clicking the icon presents the user with the options of "unlock account" or "reset password if you have forgotten..."
- Selecting either and clicking next, you need to provide a username and the domain.
- Clicking OK there yields the following error window: "Connection failed, please be sure you can get to the server!"
- The event log shows two lines:
- SSL: error ERR_SSL_UNKNOWN_CERTIFICATE_AUTHORITY!
- SSL: unable to setup connection, (err=-7517)
2. If a user whose account password has expired attempts to log in:
- An error window comes up indicating your "Windows password has expired. A session is launched to change the password. You will be able to change password in this session but you will not be permitted to complete the logon process. Please click OK below and logon to change to a new password."
- Doing so you get a spinning wheel with "connecting to password server".
- After which another error window comes up with "ICA[Password Server]: name resolution failed".
- Event Log shows a DNS/WINS can't resolve [https://xdc01.ourcompany.org]
DNS does indeed work for said hostname.
I've imported the certs as .cer files, then after some forum results tried .crt files. No difference in end user experience.
Does anyone have this feature working? If so, any chance of getting some details about the configuration?
Thanks.
-<M>-
October 8, 2015 at 1:17 pm #42131
Can you tell me a bit more about the certificates?
Are they DER or Base64 encoded?
1024, 2048 or 4096 bit encryption?
CG
October 8, 2015 at 5:30 pm #42132
I have tried both DER and Base-64. They export as CER files, and I initially used them as such until I found a few references that they needed to be renamed to CRT for the Wyse units in question.
The cert for Network Solutions was provided by them, and I didn’t request it, so cannot verify what encoding format it is in.
The error seems to indicate the CA cert is not valid, or installed properly. But being in this business for quite some time I know that error messages are not necessarily all that accurate. I assume there is some sort of cert error though.
One thing I don’t understand is the Password Server. The minimal documentation says to point it to your XenDesktop Controller, which I have. But what needs to be running on said controller? Port 443 is open and hitting IIS, but I don’t see what is supposed to process incoming port 443 traffic in any fashion that will handle the password reset and self-service features.
-<M>-
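The DER-versus-Base-64 question in the exchange above is easy to settle from the file bytes rather than the extension, since renaming .cer to .crt changes nothing about the encoding. The script below is an added example, not code from this thread, from Dell/Wyse or from Citrix; it uses only the Python standard library (ssl.DER_cert_to_PEM_cert and ssl.PEM_cert_to_DER_cert) to report which encoding a certificate file actually contains, sanity-check the DER length header against the file size, and convert in either direction so both variants can be tried on the device. The sample bytes at the bottom are a constructed ASN.1 stub, not a real certificate, and describe_file takes whatever path you give it.

```python
"""Detect and convert certificate file encodings (PEM "Base-64" vs binary DER).

Added example using only the Python standard library. SAMPLE_DER at the bottom
is a constructed ASN.1 stub, not a real certificate.
"""
import ssl
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def detect_encoding(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for the raw contents of a certificate file.

    The extension (.cer, .crt, .pem) says nothing about the encoding; only the
    bytes do. Base-64 files carry the PEM header; DER files are raw ASN.1.
    """
    if PEM_HEADER in data:
        return "PEM"
    # Every DER-encoded X.509 certificate is an outer ASN.1 SEQUENCE (tag 0x30).
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def der_length_ok(der: bytes) -> bool:
    """Check that the outer SEQUENCE length covers exactly the whole file.

    A mismatch means a truncated download, trailing junk, or a file that is
    not DER at all even though it happens to start with 0x30.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        header, body = 2, first
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header = 2 + n
        body = int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)


def to_pem(data: bytes) -> str:
    """Return the certificate as a PEM (Base-64) string, converting DER if needed."""
    enc = detect_encoding(data)
    if enc == "PEM":
        return data.decode("ascii")
    if enc == "DER":
        if not der_length_ok(data):
            raise ValueError("DER length field does not match file size")
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a PEM or DER certificate")


def to_der(data: bytes) -> bytes:
    """Return the certificate as raw DER bytes, converting PEM if needed."""
    enc = detect_encoding(data)
    if enc == "DER":
        return data
    if enc == "PEM":
        # PEM_cert_to_DER_cert insists the header be the very first thing in the string.
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    raise ValueError("not a PEM or DER certificate")


def describe_file(path: str) -> str:
    """One-line report for a certificate file on disk (path supplied by the caller)."""
    data = Path(path).read_bytes()
    enc = detect_encoding(data)
    if enc == "DER":
        enc += " (length ok)" if der_length_ok(data) else " (length MISMATCH)"
    return f"{path}: {enc}, {len(data)} bytes"


# Constructed stand-in: ASN.1 SEQUENCE { INTEGER 5 }. It has the same outer
# shape as a DER certificate, which is all the checks above look at.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(describe_file(p))
    pem = to_pem(SAMPLE_DER)
    print(detect_encoding(SAMPLE_DER), detect_encoding(pem.encode()))
    print(to_der(pem.encode()) == SAMPLE_DER)
```

Run it as `python certenc.py wnos/cacerts/*.crt` to get one line per file. The DER length check is deliberately strict: a file that is one byte short or has a stray trailing byte is reported as a mismatch, which is the kind of defect that a "certificate not valid" message on a thin client can hide.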
October 9, 2015 at 3:46 pm #42138
I've never worked with Password Server, so I cannot comment on this.
Are both certificates listed in the ThinOS Certificate Manager?
Are they shown as dependent? One beneath the other?
CG
October 9, 2015 at 7:57 pm #42141
Yes, the certificates I installed on the Wyse Xenith 2 are nested. There are a total of four, and here is how they show up:
cacerts
  AddTrustExternalCARoot.crt
    UTNAddTrustServer_CA.crt
      NetworkSolution_CA.crt
        star.ourcompany.org.crt
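The nesting question above is about whether the verifier can walk from the server certificate up to a trusted root through every intermediate in between. The shell script below is an added example and not part of this thread; it builds a throwaway root, intermediate and server certificate with openssl (all names constructed, nothing touches the poster's real certificates) and then runs openssl verify three ways: root only, root plus intermediate, and the server certificate alone as the trust store. Only the second succeeds, which is the class of failure behind "unknown certificate authority" messages when a chain is installed incompletely. It assumes openssl 1.1.1 or later is on the PATH.

```shell
#!/bin/sh
# Added example: build a throwaway root -> intermediate -> leaf chain and show
# what a verifier does when the intermediate is missing from what it was given.
# All names are constructed; nothing here touches the poster's certificates.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_chain() (
    cd "$WORK"
    # Extension files: CA certificates must carry CA:TRUE to be allowed to sign.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:xdc01.example.test\n' > leaf.ext
    # 1. Self-signed root CA
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Constructed Test Root" >/dev/null 2>&1
    openssl x509 -req -days 1 -in root.csr -signkey root.key \
        -extfile ca.ext -out root.crt >/dev/null 2>&1
    # 2. Intermediate CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Constructed Test Intermediate" >/dev/null 2>&1
    openssl x509 -req -days 1 -in int.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out int.crt >/dev/null 2>&1
    # 3. Server (leaf) certificate, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=xdc01.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in leaf.csr -CA int.crt -CAkey int.key \
        -CAcreateserial -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
)

# verify_leaf TRUSTED [INTERMEDIATE]: verify leaf.crt against a trust store that
# holds only TRUSTED, optionally offering INTERMEDIATE as an untrusted helper
# (the way a server would send it during the TLS handshake). Prints OK or FAIL.
verify_leaf() {
    trusted="$WORK/$1"
    extra=""
    if [ $# -ge 2 ]; then
        extra="-untrusted $WORK/$2"
    fi
    if openssl verify -CAfile "$trusted" $extra "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# issuer_of FILE: print the issuer DN, to confirm each file in a chain was
# really issued by the one meant to sit above it.
issuer_of() {
    openssl x509 -in "$WORK/$1" -noout -issuer
}

build_chain
echo "root only, intermediate not offered:   $(verify_leaf root.crt)"
echo "root trusted, intermediate offered:    $(verify_leaf root.crt int.crt)"
echo "only the leaf itself in the store:     $(verify_leaf leaf.crt)"
issuer_of leaf.crt
```

The third case matters for setups where a server certificate and a root are installed but nothing links them: a leaf in the trust store is not a trust anchor for itself, so the verifier still reports an unknown issuer. Pointing issuer_of at each real file in turn, top to bottom, is a quick way to confirm that the four files really form one chain.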