Problem while Connecting Horizon 7.12 to vCenter
I was setting up a quick Horizon 7.12 PoC environment and ran into a bit of trouble getting Horizon to talk to vCenter. Every time I tried to add the vCenter server to the Horizon environment, I got an error, "Certificate validation failed", and it gave me no option to accept the certificate. This was more than a little confusing because the vCenter server had a proper certificate signed by the enterprise CA and we verified that our Connection Server, as a domain member, trusted that CA and could even browse to vCenter via the web browser with no certificate issues.
So, I did what we all do in this sort of situation; I started digging through the logs. Eventually, I found the line that I needed in the C:\programdata\vmware\vdm\logs\debug-<date>.txt log file on the Connection Server (after searching for my vCenter server's name to help narrow down the contents of the log): "Permission to perform this operation was denied."
Well, that struck me as interesting. Does Horizon keep its own trusted certificate authority list, I wondered. What more permissions could it possibly need to interact with this hypothetical CA list? But then I got to thinking that maybe that whole certificate validation error message was a false positive, and maybe something else went wrong and it just so happened to be near the phase when certificates are being checked...
So I took a look at the permissions on the vCenter server for our service account. Whoops, we'd forgotten to actually assign it a role in vCenter! Well, that was an embarrassing mistake. I went ahead and gave the account permissions to access vCenter, then wouldn't you know it, but the next time we went to add the vCenter Server to the Horizon configuration it all went perfectly!
So, there you have it. If you're getting that "Certificate validation failed" message when adding a vCenter server to Horizon, it might be worth double-checking that your service account has the access that you think it does!
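The log search described above, as an added example that is not part of the original post: a PowerShell function that scans the newest Connection Server debug logs for the vCenter name and the permission-denied message, so an authorization failure is not mistaken for a certificate problem. The function name, its parameters and the sample log lines are assumptions constructed for illustration.

```powershell
# Added example (not from the original post). Names are hypothetical.
function Find-VCenterAddFailure {
    param(
        [Parameter(Mandatory)] [string] $VCenterName,
        [string] $LogDir = 'C:\ProgramData\VMware\VDM\logs',
        [int] $Newest = 3
    )
    $denied = 'Permission to perform this operation was denied'
    $cert   = 'Certificate validation failed'

    # Debug logs can be large, so look only at the most recent ones.
    $logs = Get-ChildItem -Path $LogDir -Filter 'debug-*.txt' |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First $Newest
    if (-not $logs) { return }

    # Literal (non-regex) match on the server name and both messages.
    $hits = $logs | Select-String -SimpleMatch -Pattern $VCenterName, $denied, $cert
    foreach ($h in $hits) {
        $kind = if ($h.Line -like "*$denied*") { 'PermissionDenied' }
                elseif ($h.Line -like "*$cert*") { 'CertValidation' }
                else { 'MentionsVCenter' }
        [pscustomobject]@{
            File       = $h.Filename
            LineNumber = $h.LineNumber
            Kind       = $kind
            Text       = $h.Line.Trim()
        }
    }
}

# Constructed sample log so the example runs offline; real Horizon log lines differ.
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'horizon-log-demo'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
@(
    '2020-01-01T10:00:00 DEBUG Adding vCenter Server vcenter.example.test'
    '2020-01-01T10:00:01 DEBUG Permission to perform this operation was denied.'
    '2020-01-01T10:00:01 ERROR Certificate validation failed'
) | Set-Content -Path (Join-Path $tmp 'debug-sample.txt')

$result = Find-VCenterAddFailure -VCenterName 'vcenter.example.test' -LogDir $tmp
$result | Format-Table -AutoSize
if ($result.Kind -contains 'PermissionDenied') {
    Write-Warning 'Permission denial logged: check the service account role in vCenter first.'
}
```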