Use this information to troubleshoot the Workspace ONE Access integration with VMware Horizon, Horizon Cloud Service on Microsoft Azure with Single-Pod Broker, or Horizon Cloud Service on IBM Cloud.

Users Unable to Launch Horizon Applications or Desktops

Users are unable to launch Horizon applications or desktops from the Workspace ONE Access Intelligent Hub app or portal and the following error appears in the user interface:.

Error launching resource. Please contact your IT Administrator.

This error might occur if the SAML metadata on the Horizon Connection Server instances expired after the last sync. This error might also occur if you added or updated network ranges or policies.

Solution

  1. In the Workspace ONE Access console, select Resources > Virtual Apps Collections.
  2. Select the Horizon virtual apps collection and click Sync > Sync with safeguards or Sync > Sync without safeguards to sync Horizon resources to Workspace ONE Access again.
  3. Click Edit to edit the virtual apps collection, click Next in the wizard until the last page appears, then click Save.
    Important: This step is important if you added or updated network ranges or policies. You must save the virtual apps collection again for the changes to take effect.

Horizon or Horizon Cloud Virtual Apps Collection Certificate Error

With Workspace ONE Access connector 21.08 or later, when you try to add or sync a Horizon or Horizon Cloud (Horizon Cloud Service on Microsoft Azure with Single-Pod Broker or Horizon Cloud Service on IBM Cloud) virtual apps collection in the Workspace ONE Access console, you might get the following error:

Enterprise service connectorFQDN(EIS) response: Unable to get certificate from the URL: https://FQDN/SAML/metadata/sp.xml

The log file contains an SSLHandshakeException error, such as:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

or

javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching Server found.

Solution: This error occurs because the Virtual App service does not trust the certificate presented by Horizon or Horizon Cloud. Ensure that the Horizon Connection Servers, or the Horizon Cloud tenant's underlying Horizon servers, have valid certificates signed by a trusted Certificate Authority (CA).

If the Horizon servers have self-signed certificates, you must upload the certificate chain to the Workspace ONE Access connector instances on which the Virtual App service is installed to establish trust between the connectors and the Horizon servers. This is a new requirement beginning with Workspace ONE Access connector 21.08. You upload the certificates using the connector installer. See Installing VMware Workspace ONE Access Connector for more information.

If you still get an error after adding the certificates using the connector installer, the certificates might not have uploaded correctly. You can upload the certificates manually.

Follow these steps to upload the certificates manually.

  1. Log in to the Workspace ONE Access connector server.
  2. Copy the Horizon server's certificate to the connector server.
  3. Open a Command Prompt window.
  4. Run the following command to go to the Workspace ONE Access folder.

    cd C:\Program Files\Workspace ONE Access

  5. Run the following command to install the certificate.

    .\Support\scripts\installRootCa.bat -ca "root-ca-file" -trustStore ".\Virtual App Service\conf\certs\cacerts" -trustStorePwdFile ".\Virtual App Service\conf\certs\cakeystore.pass"

  6. Restart the service VMware Virtual App Service.