Eric Monjoin
Staff Consulting Architect but also pilot, spending time in front of my computer or flying in the air...

Category: Horizon

App Volumes Apps On Demand – Certificate Issue

Horizon Suite 2212 is GA since last week and of course I already upgraded all my lab with this new release.

I was particularly interested by the Application on Demand so directly manage App Volumes application on RDS with all entitlement done within the Horizon Console.

The principle consist of adding App Volumes server in Horizon and then assign it to an “Automated” farm.

Now when you add you App Volumes Server into Horizon, you’ll certainly need to import App Volumes certificates into the “Trusted Root Certification Authorities” folder and then restart Horizon Services on all you Connection Servers.

Now even if doing that, you can encounter the following issue, with Enterprise signed certificate :

I had this issue on my lab, so to get it solved, I had to generate a new certificate for my App Volumes server using a new Template.

This is how to do it ….

Continue reading…

Horizon Cloud Connector 2.3.0 – Connection Server Monitoring Service – Failed

Some time it happens that Connection Server Monitoring Service appears to be failed (but it worked before) and we see a lot of restart attempts.

There’s many reason for this to happen (like proxy error etc..) but I personally first try this workaround and it worked all the times :

1 – SSH to Horizon Cloud Connector using ccadmin and then do a su – to login as root
2 – Go to /opt/container-data/data/csms/store/keep
3 – Do a copy of csms-config.json to csms-config.json.bak
4 – Edit csms-config.json

# su -
# cd /opt/container-data/data/csms/store/keep
# cp csms-config.json csms-config.json.bak
# vi csms-config.json

5 – change cmsTenantConfig to : null and set lifeCycle to : “PAIR”

  "baseConfig" : {
    "version" : "1",
    "csmsIdentity" : "038eeb6a-159c-4ee5-89d0-xxxxxxxxxxxx",
    "salt" : "df3e8624-2478-4d6f-bd94-xxxxxxxxxxxxx",
    "keyLength" : 128
  "cmsTenantConfig" : null,
  "applianceConfig" : {
    "podType" : "VIEW",
    "podCapacityType" : "GENERAL",
    "podId" : "4cfd1101-1f73-4691-aa39-xxxxxxxxxxxx",
    "podName" : "Cluster-HZN-01",
    "podLocationJson" : "{\"p\":[43.29695,5.38107],\"id\":\"b32f5cf4-7413-4877-92c4-xxxxxxxxxxxxx\",\"n\":\"Marseille, France\"}"
  "lifeCycleConfig" : {
    "lifeCycle" : "PAIR",
    "lastUpdateTimestamp" : 1668683604710

6 – restart csms :

# kubectl get pod -n cms-system
NAME                   READY   STATUS    RESTARTS   AGE
csms-79df9554f-jcprn   1/1     Running   0          27m
# kubectl delete pods -n cms-system csms-79df9554f-jcprn

After a few minutes, it should be green again… if not open a ticket 🙂

Change the Expiration Period for Service Provider Metadata on Connection Server

Well, this procedure is in the documentation, but I put it here so I can access it more quickly.

You need to do this when you have to use SmartCard or Certificate through UAG as an example.


  1. Start the ADSI Edit utility on your Connection Server host.
  2. In the console tree, select Connect to.
  3. In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name DC=vdi, DC=vmware, DC=int.
  4. In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the Connection Server host followed by port 389.For example: localhost:389 or
  5. Expand the ADSI Edit tree, expand OU=Properties, select OU=Global, and double-click CN=Common in the right pane.
  6. In the Properties dialog box, edit the pae-NameValuePair attribute to add the following values:.
  • cs-samlencryptionkeyvaliditydays=number-of-days
  • cs-samlsigningkeyvaliditydays=number-of-days

In this example, number-of-days is the number of days that can elapse before a remote Connection Server stops accepting SAML assertions. After this period of time, the process of exchanging SAML metadata must be repeated

Awaited feature now available on Horizon 2103… Join VM in untrusted Domains

One year ago I posted a feature request for one of my customer who require to deploy Instant Clone VM on many Active Directory domain without Trust Relationship within each other and with the domain used by the Horizon Connection Server, so what was my surprise when I received the Announcing General Availability of Horizon Enterprise 2103 and saw this feature is now available 🙂

New Release of Horizon Enterprise 2103 and Unified Access Gateway 2103

What’s New?

  • Horizon Server
    • Added support for “Global Access Group”
    • Added support for open source database — “PostgresSQL”
    • Added support for untrusted domain
    • Pegged unabated growth of event database
    • Ability to pre-assign computer names to instant clone desktops
    • Delivered View API parity REST APIs
  • Horizon Agents & Clients
    • Teams offload Mac client
    • USB redirection for HTML Access & Chrome client
    • Pen redirection iOS & Android
    • HEVC 444 Intel GPU Linux client
    • Bandwidth control for integrated printing
    • Serial port improvements, auto mapping, ID passing
    • Agent hot patch via MSP
    • Expose HCA, H.264/H.265 enablement and networking client settings to registry and GPO template
    • Drop 32-bit support Windows agent, Linux agent and client
  • App Volumes
    • Support for Windows 10 Enterprise multi-session on Horizon Cloud on Azure
    • App Volumes Command-Line Capture Program for working with App Volumes and MSIX formatted VMDK and VHD packages
    • Global option to allow the same packages to work across both VDI/RDSH regardless of the packaging OS used
  • Dynamic Environment Manager
    • Replication of the Script folder in SyncTool
    • Simplification of computer environment configuration
    • Support for late arrival of system environment variables in agent configuration for computer environment settings
    • Improvements in default printer logic to roam default printer settings for redirected printers

VMware Horizon on Windows Server Core 2019

I recently have a customer requesting to install VMware Horizon on a Windows 2019 Core server. Most of customers prefer to have the “Desktop Experience” but for security reason some other prefer to limit to shell only interface.

Before installing VMware Horizon, ensure that all updates are applied to Windows 2019 Core (I had some strange behavior before doing that, like impossible to have the Flex Admin console or get “Login failed” on the new HTML 5 consoles)

The first main concern is getting signed certificate ready so Horizon will use it instead of its self signed certificate.

After copying the certificate in a local folder :

1 ) From the Administrator command prompt, type “powershell” to execute PowerShell command

Composer Firewall Port

Ok by default Composer must be in the same domain or at list have Trust Relationship with domains where Linked Clone will be deployed….

But with Composer you can also deploy on other domains, the caveat however is that you can’t browse the OU on Horizon Admin console so you need to Copy/Past or write the full path for the correct OU.

That said, if you look at the firewall port required by Composer, unless 18433 between Horizon Connection Server (brokers) and Composer plus 1433 to join the Ms SQL Server, nothing is really explained and a doubt can exist about which port is required (and also who create account in the domain). So here the answer 🙂 :

First I confirm, Composer server is responsible to reach the AD domains and create Computer accounts. So the required port are :

Source                  Destination        Ports                 Service

Composer           AD Controllers   88/TCP                  Kerberos

Composer           AD Controllers   135/TCP               RPC

Composer           AD Controllers   389/TCP               LDAP

Internal View Composer error – another reason..

Ok, I know that View Composer is depreciated but sometime we don’t have other choice to use it, eg. when you need to deploy VMs is a more cost effective way than Full Clone on domain with no Trust Relationship with the one on which the brokers is joined to.

So I have a customer who have 3 domains with trust relationship:

  • dom-adm for all admin account
  • dom-res for all computers account (composer and brokers are on this domain)
  • dom-usr for all users accounts

We created a service account in dom-adm for Composer and added it to “Administrator” local group in Composer server.

When I tried to add Composer server on Horizon admin console, it failed with the “Internal View Composer error. Contact your administrator.” message and absolutely nothing into the log, both on Composer and Horizon logs (sic.)

I first suspected an issue with the certificate but even after putting a signed certificate the issue was the same.

Finally I created a service account for Composer in the dom-res domain and used it to add Composer on my vCenter… and it worked !!