Solution: VMware View 5.1 Security Server – Server´s certificate cannot be checked


I think I'm not alone with certificate problems after upgrading to View 5.1.

Since View 5.1, VMware has moved all certificates from the Java keystore (JKS) into the Windows certificate store. Some customers may run into problems after upgrading if they are using an externally signed certificate (like me)…

In my case, all my Security Servers were shown red in the View Administrator Dashboard.

And I saw the following error message:

So what can we do to get the Security Servers “green” again?

A small workaround is to disable the certificate revocation check on the internal View Connection Servers that are paired with your Security Servers. You can do that in the Windows Registry:

 

If you set “CertificateRevocationCheckType” to “1”, the certificate revocation check is disabled.

If you set “CertificateRevocationCheckType” to “4”, the certificate revocation check is enabled.

 

But this is only a workaround. If you disable the revocation check, you can run into trouble when your certificate is no longer valid or has been revoked, because nothing will notice it. Your Security Servers will go back to “green”, though.

 

Correct Solution:

The Security Servers will stay “red” when your company uses a proxy server for internet access. The revocation check is executed by your paired Connection Servers (the servers behind the Security Servers). The main problem: by default, the VMware View Connection Server service runs under the “Local System” account. This account cannot use the proxy settings of IE (by default in Server 2008 R2).

So the simplest way to solve this is to set the correct proxy settings via “netsh”.

Do that on your internal Connection Servers which are paired with your Security Servers. Leave your Security Servers untouched.

First, set your proxy settings via Internet Explorer. Then open a command prompt as Administrator and enter the following:

netsh (press enter)

winhttp (press enter)

show proxy (press enter)

Now you can see that the proxy is set to a DIRECT connection. With this setting VMware View can't check the revocation list over the internet; the connection will be blocked!

Now set the correct proxy settings:

netsh winhttp> import proxy source=ie

With this command, all your IE proxy settings are imported. You can check the settings after importing with “show proxy”.

Now you can see: The proxy was set for the context!

 

Finally, you must restart the VMware View Connection Server service on your internal Connection Servers. Your servers will start checking the revocation list. This may take several minutes. After checking, it will look like this!
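To confirm that revocation checking really works through the proxy, rather than staying on the registry workaround, the following added example (not from the original post and not VMware code) builds the certificate chain with online revocation checking on a Connection Server. The function name Test-CertRevocation is hypothetical and the thumbprint is a placeholder for your own certificate in the machine store.

```powershell
# Added example. Test-CertRevocation is a hypothetical helper name.
# Works with the .NET classes available on Server 2008 R2 (PowerShell 2.0).
function Test-CertRevocation {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Normalise the thumbprint (the certificate dialog shows it with spaces).
    $tp = ($Thumbprint -replace '\s', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with thumbprint $tp in LocalMachine\My" }

    # Build the chain and require an online revocation check for every element.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-Object TimeSpan(0, 0, 30)
    $valid = $chain.Build($cert)

    # Collect the status flag names so the failure modes can be told apart.
    $names = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    if ($names -contains 'Revoked') {
        $result = 'Revoked'                 # the CA has revoked the certificate
    } elseif (($names -contains 'RevocationStatusUnknown') -or
              ($names -contains 'OfflineRevocation')) {
        $result = 'RevocationUnreachable'   # CRL/OCSP not fetched: check the proxy
    } elseif ($valid) {
        $result = 'OK'
    } else {
        $result = 'OtherChainError'         # expired, untrusted root, ...
    }

    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        Result       = $result
        ChainStatus  = ($names -join ', ')
        WinHttpProxy = (netsh winhttp show proxy | Out-String).Trim()
    }
}

# Usage (placeholder thumbprint, replace with your own):
# Test-CertRevocation -Thumbprint '<THUMBPRINT-OF-YOUR-CERTIFICATE>' | Format-List
```

An interactive session uses your own user's proxy settings, so to see what the service sees, run the check under the same account as the service (Local System), for example from a scheduled task. A previously cached CRL can also make the check pass while the distribution point is still unreachable.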

 

4 Replies to “Solution: VMware View 5.1 Security Server – Server´s certificate cannot be checked”

  1. Thanks for this explanation and solution.
    I was searching the web since the release of View 5.1
