At first, when you upgrade VMware Horizon to 2306 while using VMware Workspace ONE Access as the broker everything works fine. However, after a while, after a reboot of the Access Connectors, Horizon will stop syncing with Workspace ONE Access.
In Workspace ONE Access you will see an error when trying to sync Horizon. Also when removing the Horizon config in Workspace ONE Access you will not be able to add it again stating that your password is incorrect.
In the Workspace ONE Access Connector logs it will show an Unexpected status code 421.
2023-09-13 15:05:41,146 GMT WARN ****01:eis (Adapter-Task-23) [VDRONE;da7416b4-5b08-4219-8625-e754dbb97aed;127.0.0.1;60f35812-79fd-4ed5-9185-bddebe2f7016;-] com.vmware.vidm.eis.view.ViewApiClient – Login failed for broker server **********, failover to replication brokers will be attempted com.vmware.vim.vmomi.client.common.UnexpectedStatusCodeException: Unexpected status code: 421
Why is this happening?
Well with the release of Horizon 2306, allowUnexpectedHost is by default false. See changelog.
Normally you would add balancedHost=view.example.com to the locked.properties file and such however my guess is that the route from the Access Connector is now untrusted and you cannot add that as an option in the locked.properties.
Horizon 2111.2, 2209.1, 2212.1, and 2306:
- Cross-Origin Resource Sharing (CORS) is enabled by default. See Cross-Origin Resource Sharing.
- Security configuration setting balancedHost can now accept a list for those with more than one load balancer. The syntax is exactly the same as portalHost. (Release Notes )
|Security configuration setting allowUnexpectedHost has changed from true to false.|
|This means that connections using the name or IP address of a proxy, gateway or load balancer that is not defined in locked.properties will fail, even if checkOrigin and enableCORS are both set to false.|
- Please see Error 421 while connecting to Horizon via HTML Web Console after an upgrade to 2306,2111.1 or Later (93915) for additional details.
- For a step-by-step walkthrough of configuring Locked.properties, please see Horizon Server: Troubleshooting Configuration Issues with Locked.properties(94578)
This Article’s purpose is to outline some common questions seen as a result of these changes.
Potential Symptoms seen as a result of the change:
- HTML access is stuck in the “Waiting” screen due to the lack of configuration in “locked.properties”
- An alert appears on an HTML5 access attempt “Failed to connect to the Horizon Connection Server”
- Create a file named locked.properties
- Open with a text editor and add allowUnexpectedHost=true
- Add file to C:\Program Files\VMware\VMware View\Server\sslgateway\conf
- Reboot the connection server or restart services.
Now the synchronisation between Workspace ONE Access and Horizon will work again. Worked on this with Dennis Sigmond, and eventually we found the fix but this is something that will be addressed internally too.