Tuesday, August 6, 2013

View Connection Server with SmartCard authentication enabled fails with error: Smart Card or Certificate authentication is required (2013044)

This issue occurs if all the required root or intermediate certificates have not been loaded into the keystore on the View Connection servers.
In the DoD space, this issue may also occur if newer CACs are signed by new root and intermediate certificates that were released after the keystore was created.

Resolution

To resolve this issue, add the required root or intermediate certificates to the keystore.
To add the required root or intermediate certificates to the keystore:
  1. Log in to the Connection Broker as an administrator.
  2. If the Connection Broker is running Windows 2003 Server or Windows 2008 Server (not R2), install the Microsoft Windows Management Framework Core package to get PowerShell.
  3. If you are a DoD customer using DoD issued CAC cards, perform the steps in the Additional Steps for DoD Customers section below and then go to Step 6.
  4. Using Windows Explorer, navigate to the root of your C drive and create a new folder named Certs.
  5. Copy all root and intermediate certificates required by your organization to validate SmartCards to the C:\Certs folder.
  6. Download the 2013044_make_keystore.zip file from VMware.
  7. Extract the make_keystore.ps1 PowerShell script from the attached .zip file to the C:\Program Files\VMware\VMware View\Server\sslgateway\conf folder.
  8. Click Start > All Programs > Accessories.
  9. Right-click Windows PowerShell and click Run as administrator.
  10. Run this command:

    cd "\Program Files\VMware\VMware View\Server\sslgateway\conf"
  11. Run this command:

    Set-ExecutionPolicy unrestricted 
  12. Answer Y when prompted.
  13. Run this command in a single line:

    .\make_keystore.ps1 -CertDir C:\Certs -Password storepass -KeyStore keystore -LockedProperties locked.properties

    Where storepass is a password that you want.

    Note: The password must be at least 6 characters and must be enclosed within quotes if it contains spaces or special characters.

  14. Click Start > Administrative Tools > Services.
  15. Right-click the VMware View Connection Server service and click Restart.
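
Because the error comes from a root or intermediate certificate missing from the keystore, it helps to check the contents of C:\Certs before running make_keystore.ps1. The following PowerShell script is an added example, not part of the VMware KB article or of make_keystore.ps1; it assumes the folder holds one DER or Base64 encoded certificate per file and matches issuers by name only.

```powershell
# Added example (not VMware's make_keystore.ps1): pre-flight check of the folder
# that the procedure above passes to -CertDir. Written to run on PowerShell 2.0.
param([string]$CertDir = 'C:\Certs')

$now   = Get-Date
$certs = @()
foreach ($f in Get-ChildItem -Path $CertDir | Where-Object { -not $_.PSIsContainer }) {
    try {
        # X509Certificate2 reads both DER and Base64 encoded certificate files.
        $certs += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $f.FullName
    } catch {
        Write-Warning "$($f.Name): not a readable certificate, skipped"
    }
}

# Subjects present in the folder, used to look up each certificate's issuer by name.
$subjects = @{}
foreach ($c in $certs) { $subjects[$c.Subject] = $true }

$report = foreach ($c in $certs) {
    $problems = @()
    if ($c.NotAfter  -lt $now) { $problems += 'expired' }
    if ($c.NotBefore -gt $now) { $problems += 'not yet valid' }

    # Basic Constraints (OID 2.5.29.19) marks a certificate as a CA.
    $bc = $c.Extensions['2.5.29.19']
    if (-not $bc -or -not $bc.CertificateAuthority) { $problems += 'no CA basic constraint' }

    # Name comparison only; this does not verify the issuer's signature.
    if ($c.Subject -ne $c.Issuer -and -not $subjects.ContainsKey($c.Issuer)) {
        $problems += 'issuer missing from folder'
    }

    New-Object PSObject -Property @{
        Subject  = $c.Subject
        Expires  = $c.NotAfter
        Problems = ($problems -join ', ')
    }
}

$report | Sort-Object Subject | Format-Table Subject, Expires, Problems -AutoSize
$bad = @($report | Where-Object { $_.Problems })
if ($bad.Count) {
    Write-Warning "$($bad.Count) certificate(s) need attention before building the keystore"
}
```

An "issuer missing from folder" entry points to an intermediate whose parent was not copied in, which is the condition this article describes.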


Additional Steps for DoD Customers

Note: A downloadable package of all the DoD root and intermediate certificates is already available. Repeat this procedure with the latest version every few months so that new CAC cards continue to authenticate in your environment as new CA certificates are released.
  1. Go to the URL https://www.dodpke.com/InstallRoot/ and download the latest version of the InstallRoot#.##wJRE-#u##.msi package.
  2. After the download completes, double-click the downloaded package. You may be prompted with a security warning.
  3. Click Run to continue with the installation.
  4. In the Setup Wizard welcome screen, click Next three times to accept the default settings.
  5. In the Ready to Install screen, click Install.
  6. Click Finish.

    The InstallRoot program should automatically open. If it does not open, start it using the Start menu.

  7. Click Advanced Mode.
  8. Click DoD NIPRNet Certificates and then click Select/Deselect All.
  9. Click Export Selected.
  10. Navigate to the root of your C drive and create a new folder called Certs.
  11. Open the Certs folder.
  12. Click OK.
