You can use the system health dashboard in View Administrator to quickly see problems that might affect the operation of the True SSO feature.

For end users, if True SSO stops working, when the system attempts to log the user in to the remote desktop or application, the user sees the following message: "The user name or password is incorrect." After the user clicks OK, the user is taken to the login screen. On the Windows login screen the user sees an extra tile labeled VMware SSO User. If the user has the Active Directory credentials for an entitled user, the user can log in with AD credentials.

The system health dashboard in the top-left portion of the View Administrator display contains a couple of items that pertain to True SSO.

Note:

The True SSO feature provides information to the dashboard only once per minute. Click the refresh icon in the upper-right corner to refresh the information immediately.

  • You can click to expand View Components > True SSO to see a list of the domains that are using True SSO.

    You can click a domain name to see the following information: a list of enrollment servers configured for that domain, a list of enterprise certificate authorities, the name of the certificate template being used, and the status. If there is a problem, the Status field explains what it is.

    To change any of the configuration settings shown in the True SSO Domain Details dialog box, use the vdmutil command-line interface to edit the True SSO connector. For more information, see Commands for Managing Connectors.

  • You can click to expand Other Components > SAML 2.0 Authenticators to see a list of the SAML authenticators that have been created for delegating authentication to VMware Identity Manager instances. You can click the authenticator name to examine the details and status.

Note:

In order for True SSO to be used, the global setting for SSO must be enabled. In View Administrator, select Configuration > Global Settings, and verify that Single sign-on (SSO) is set to Enabled.

Table 1. Broker to Enrollment Server Connection Status

Status Text

Description

Failed to fetch True SSO health information.

The dashboard is unable to retrieve the health information from the broker.

The <FQDN> enrollment server cannot be contacted by the True SSO configuration service.

In a POD, one of the brokers is elected to send the configuration information to all enrollment servers used by the POD. This broker will refresh the enrollment server configuration once every minute. This message is displayed if the configuration task has failed to updated the enrollment server. For additional information, see the table for Enrollment Server Connectivity.

The <FQDN> enrollment server cannot be contacted to manage sessions on this connection server.

The current broker is unable to connect to the enrollment server. This status is only displayed for the broker that your browser is pointing to. If there are multiple brokers in the pod, you need to change your browser to point to the other brokers in order to check their status. For additional information, see the table for Enrollment Server Connectivity.

Table 2. Enrollment Server Connectivity

Status Text

Description

This domain <Domain Name> does not exist on the <FQDN> enrollment server.

The True SSO connector has been configured to use this enrollment server for this domain, but the enrollment server has not yet been configured to connect to this domain. If the state remains for longer than one minute, you need to check the state of the broker currently responsible for refreshing the enrollment configuration.

The <FQDN> enrollment server's connection to the domain <Domain Name> is still being established.

The enrollment server has not been able to connect to a domain controller in this domain. If this state remains for longer than a minute, you might have to verify that name resolution from the enrollment server to the domain is correct, and that there is network connectivity between the enrollment server and the domain.

The <FQDN> enrollment server's connection to the domain <Domain Name> is stopping or in a problematic state.

The enrollment server has connected to a domain controller in the domain, but it has not been able to read the PKI information from the domain controller. If this happens, then there is likely a problem with the actual domain controller. This issue can also happen if DNS is not configured correctly. Check the log file on the enrollment server to see what domain controller the enrollment server is trying to use, and verify that the domain controller is fully operational.

The <FQDN> enrollment server has not yet read the enrollment properties from a domain controller.

This state is transitional, and is only displayed during startup of the enrollment server, or when a new domain has been added to the environment. This state usually lasts less than one minute. If this state lasts longer than a minute, either the network is extremely slow, or there is an issue causing difficulties accessing the domain controller.

The <FQDN> enrollment server has read the enrollment properties at least once, but has not been able to reach a domain controller for some time.

As long as the enrollment server reads the PKI configuration from a domain controller, it keeps polling for changes once every two minutes. This status will be set if the domain controller (DC) has been unreachable for a short period of time. Typically this inability to contact the DC might mean the enrollment server cannot detect any changes in PKI configuration. As long the certificate servers can still access a domain controller, certificates can still be issued.

The <FQDN> enrollment server has read the enrollment properties at least once but either has not been able to reach a domain controller for an extended time or another issue exists.

If the enrollment server has not been able to reach the domain controller for an extended period, then this state is displayed. The enrollment server will then try to discover an alternative domain controller for this domain. If a certificate server can still access a domain controller, then certificates can still be issued, but if this state remains for more than one minute, it means the enrollment server has lost access to all domain controllers for the domain, and it is likely that certificates can no longer be issued.

Table 3. Enrollment Certificate Status

Status Text

Description

A valid enrollment certificate for this domain's <domain name> forest is not installed on the <FQDN> enrollment server, or it may have expired

No enrollment certificate for this domain has been installed, or the certificate is invalid or has expired. The enrollment certificate must be issued by an enterprise CA that is trusted by the forest this domain is a member of. Verify that you have completed the steps in the View Administration document, which describes how to install the enrollment certificate on the enrollment server. You can also open the MMC, certificate management snap-in, opening the local computer store. Open the Personal certificate container and verify that the certificate is installed, and that it is valid. You can also open the enrollment server log file. The enrollment server will log additional information about the state of any certificate it located.

Table 4. Certificate Template Status

Status Text

Description

The template <name> does not exist on the <FQDN> enrollment server domain.

Check that you specified the correct template name.

Certificates generated by this template can NOT be used to log on to windows.

This template does not have the smart card usage enabled and data signing enabled. Check that you specified the correct template name. Verify that you have .completed the steps described in Create Certificate Templates Used with True SSO.

The template <name> is smartcard logon enabled, but cannot be used.

This template is enabled for smart card logon, but the template cannot be used with True SSO. Check that you specified the correct template name, verify that you have gone through the steps described in Create Certificate Templates Used with True SSO. You can also check the enrollment server log file, since it will log what setting in the template is preventing it from being used for True SSO.

Table 5. Certificate Server Configuration Status

Status Text

Description

The certificate server <CN of CA> does not exist in the domain.

Verify that you specified the correct name for the CA. You must specify the Common Name (CN).

The certificate is not in the NTAuth (Enterprise) store.

This CA is not an enterprise CA or its CA certificate has not been added to the NTAUTH store. If this CA is not a member of the forest, you must manually add the CA certificate to the NTAUTH store of this forest.

Table 6. Certificate Server Connection Status

Status Text

Description

The <FQDN> enrollment server is not connected to the certificate server <CN of CA>.

The enrollment server is not connected to the certificate server. This state might be a transitional state if the enrollment server just started, or if the CA was recently added to a True SSO connector. If the state remains for longer than one minute, it means that the enrollment server failed to connect to the CA. Validate that name resolution is working correctly, and that you have network connectivity to the CA, and that the system account for the enrollment server has permission to access the CA.

The <FQDN> enrollment server has connected to the certificate server <CN of CA>, but the certificate server is in a degraded state

This state is displayed if the CA is slow at issuing certificates. If the CA remains in this state, check the load of the CA or the domain controllers used by the CA.

Note:

If the CA has been marked as slow, it will retain this state until at least one certificate request has been completed successfully, and that certificate was issued within a normal time frame.

The <FQDN> enrollment server can connect to the certificate server <CN of CA>, but the service is unavailable.

This state is issued if the enrollment server has an active connection to the CA but it is unable to issue certificates. This state is typically a transitional state. If the CA does not become available quickly, the state will be changed to disconnected.