MiniKB: TrueSSO – Enrollment Server unable to connect to CA: The authentication service is unknown

In Horizon 2111 (or 8.4 if you prefer the old naming pattern) you can experience an issue with TrueSSO where the Enrollment Server (ES) is not able to connect to the Certificate Authority (CA). This happens when the ES and CA are co-hosted on a single Windows Server VM.

In the debug logs you might see these lines:

"2021-12-23T00:00:55.592+01:00 DEBUG (0670-0EEC) <CaConnectionThread> [wsnm_certenroll] CertSrvInterface::ConnectToCa(): Failed to CoSetProxyBlanket of the ClassFactory Object 0x800706D3
2021-12-23T00:00:55.592+01:00 DEBUG (0670-0EEC) <CaConnectionThread> [wsnm_certenroll] Failed to connect to ca: 'vdemo-HCES-CA' : 0x00000000800706D3 (The authentication service is unknown."

The Horizon Admin Console will also report an issue with TrueSSO.

This issue is related to changes in the service authentication mechanism implemented in the Enrollment Server code. To resolve it, force the Enrollment Server service to use NTLM when authenticating to the CA service by adding these registry values:

a. HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service\UseNTLMAuthenticationToCa => TRUE
b. HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service\UseKerberosAuthenticationToCa => FALSE
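
One way to apply the two values above idempotently from an elevated PowerShell session on the co-hosted ES/CA VM, reporting the previous value of each so the change can be reverted. This is an added example, not part of the original post or VMware's own tooling. The function name `Set-EsCaAuthValues` is hypothetical, and the REG_SZ (string) value type is an assumption because the post does not state the type.

```powershell
# Added example (not from the original post). Run elevated on the VM that
# hosts both the Enrollment Server and the CA.
$key = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service'

# Desired state, exactly as listed in the post.
$desired = [ordered]@{
    UseNTLMAuthenticationToCa     = 'TRUE'
    UseKerberosAuthenticationToCa = 'FALSE'
}

# Hypothetical helper name; supports -WhatIf so the change can be previewed.
function Set-EsCaAuthValues {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = $key,
        [System.Collections.IDictionary]$Values = $desired
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path (is the Enrollment Server installed on this host?)"
    }

    foreach ($name in $Values.Keys) {
        # $null when the value does not exist yet.
        $current = (Get-ItemProperty -LiteralPath $Path -Name $name -ErrorAction SilentlyContinue).$name
        $status  = 'unchanged'

        if ($current -ne $Values[$name]) {
            $status = 'skipped'
            if ($PSCmdlet.ShouldProcess("$Path\$name", "set to $($Values[$name])")) {
                # Assumption: REG_SZ value type; the post gives only TRUE/FALSE.
                New-ItemProperty -LiteralPath $Path -Name $name -Value $Values[$name] `
                    -PropertyType String -Force | Out-Null
                $status = 'changed'
            }
        }

        # One record per value: keep this output to restore the previous state.
        [pscustomobject]@{
            Name = $name; Previous = $current; Desired = $Values[$name]; Status = $status
        }
    }
}

Set-EsCaAuthValues -WhatIf    # preview only
# Set-EsCaAuthValues          # apply the change
```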

