MiniKB: TrueSSO – Enrollment Server unable to connect to CA: The authentication service is unknown

In Horizon 2111 (or 8.4 if you prefer the old naming pattern) you can experience an issue with TrueSSO and Enrollment Server not beeing able to connect to Certificate Authority. This happens when ES and CA are co-hosted on a single Windows Server VM.

In the debug logs you might see those lines:

"2021-12-23T00:00:55.592+01:00 DEBUG (0670-0EEC) <CaConnectionThread> [wsnm_certenroll] CertSrvInterface::ConnectToCa(): Failed to CoSetProxyBlanket of the ClassFactory Object 0x800706D3
2021-12-23T00:00:55.592+01:00 DEBUG (0670-0EEC) <CaConnectionThread> [wsnm_certenroll] Failed to connect to ca: 'vdemo-HCES-CA' : 0x00000000800706D3 (The authentication service is unknown."

And in the Horizon Admin Console there will be an issue reported with TrueSSO:

This issue is related to some changes in the service authentication mechanism implemented in Enrollment Server code. To resolve it, force the Enrollment Server service to use NTLM when authenticating to the CA service by adding those registry values:

a. HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc.\\VMware VDM\\Enrollment Service\\UseNTLMAuthenticationToCa => TRUE
b. HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc.\\VMware VDM\\Enrollment Service\\UseKerberosAuthenticationToCa => FALSE

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s