Horizon DaaS – Horizon view client – password change not working

When you start the Horizon Client and get a popup to change your password, or the admin requires you to change the password, you may receive a message asking you to input a valid username and password…

If you enable debug mode on your tenant appliance:

  • Log in to your tenant appliance.
  • vi /usr/local/desktone/release/active/conf/desktone-log4j.xml
    Change the row: <logger name="com.desktone" level="info" /> to <logger name="com.desktone" level="debug" />

When you retry the password reset you will see messages like:
2019-03-22 12:39:32,340 DEBUG [com.desktone.view.broker.util.ViewClientSAXHandler]-[https-openssl-apr-4443-exec-9] brokerVersion=14.0
2019-03-22 12:39:32,340 DEBUG [com.desktone.view.broker.util.ViewClientSAXHandler]-[https-openssl-apr-4443-exec-9] request=do-submit-authentication
2019-03-22 12:39:32,340 DEBUG [com.desktone.view.broker.util.ViewClientSAXHandler]-[https-openssl-apr-4443-exec-9] character data: windows-password-expired
2019-03-22 12:39:32,340 DEBUG [com.desktone.view.broker.util.ViewClientSAXHandler]-[https-openssl-apr-4443-exec-9] character data: oldPassword
2019-03-22 12:39:32,340 DEBUG [com.desktone.view.broker.util.ViewClientSAXHandler]-[https-openssl-apr-4443-exec-9] character data: Abc123!!
2019-03-22 12:39:32,340 DEBUG [com.desktone.view.broker.util.ViewClientSAXHandler]-[https-openssl-apr-4443-exec-9] character data: newPassword1
2019-03-22 12:39:32,340 DEBUG [com.desktone.view.broker.util.ViewClientSAXHandler]-[https-openssl-apr-4443-exec-9] character data: D3sktop!
2019-03-22 12:39:32,340 DEBUG [com.desktone.view.broker.util.ViewClientSAXHandler]-[https-openssl-apr-4443-exec-9] character data: newPassword2
2019-03-22 12:39:32,340 DEBUG [com.desktone.view.broker.util.ViewClientSAXHandler]-[https-openssl-apr-4443-exec-9] character data: D3sktop!
2019-03-22 12:39:32,340 DEBUG [com.desktone.view.broker.util.ViewClientSAXHandler]-[https-openssl-apr-4443-exec-9] Finished parsing request ‘do-submit-authentication’
2019-03-22 12:39:32,340 DEBUG [com.desktone.view.broker.util.ViewClientSAXHandler]-[https-openssl-apr-4443-exec-9] Finished processing all requests: [do-submit-authentication]

2019-03-22 12:39:32,472 WARN [org.apache.directory.kerberos.client.KdcConnection]-[https-openssl-apr-4443-exec-9] failed to change the password
org.apache.directory.shared.kerberos.exceptions.KerberosException: error response
at org.apache.directory.kerberos.client.KdcConnection._getTgt(KdcConnection.java:301) ~[dt-kerberos-client-2.0.0-M22.jar:2.0.0-M22]
at org.apache.directory.kerberos.client.KdcConnection.getTgt(KdcConnection.java:181) ~[dt-kerberos-client-2.0.0-M22.jar:2.0.0-M22]
at org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:535) [dt-kerberos-client-2.0.0-M22.jar:2.0.0-M22]
at com.desktone.directory.activedirectory.ActiveDirectoryAccessManager.doChangePasswordKerberos(ActiveDirectoryAccessManager.java:3903) [dt-directory-server-impl-8.0.0.jar:?]

2019-03-22 12:39:32,477 DEBUG [com.desktone.directory.activedirectory.ActiveDirectoryAccessManager]-[https-openssl-apr-4443-exec-9] doChangePasswordKerberos, caught ChangePasswordException for user: t.test_test, domain: NETBIOSDOMAIN, error: 2, kerberosError: 24
org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswordException: Request failed due to a hard error in processing the request.
at org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:619) ~[dt-kerberos-client-2.0.0-M22.jar:2.0.0-M22]
at com.desktone.directory.activedirectory.ActiveDirectoryAccessManager.doChangePasswordKerberos(ActiveDirectoryAccessManager.java:3903) [dt-directory-server-impl-8.0.0.jar:?]
at com.desktone.directory.activedirectory.ActiveDirectoryAccessManager.changePasswordKerberos(ActiveDirectoryAccessManager.java:3871) [dt-directory-server-impl-8.0.0.jar:?]
Caused by: org.apache.directory.shared.kerberos.exceptions.KerberosException: error response
at org.apache.directory.kerberos.client.KdcConnection._getTgt(KdcConnection.java:301) ~[dt-kerberos-client-2.0.0-M22.jar:2.0.0-M22]
at org.apache.directory.kerberos.client.KdcConnection.getTgt(KdcConnection.java:181) ~[dt-kerberos-client-2.0.0-M22.jar:2.0.0-M22]
at org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:535) ~[dt-kerberos-client-2.0.0-M22.jar:2.0.0-M22]
… 34 more
2019-03-22 12:39:32,483 WARN [com.desktone.view.broker.ViewClientServlet]-[https-openssl-apr-4443-exec-9] Please input valid username and password.
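
The debug excerpt above records the old and new passwords in cleartext. The following Python filter is an added example (not from the original post or from VMware) that masks those values before a log is shared with support and extracts the ChangePasswordException record. The names `scrub`, `PREFIX` and `SAMPLE`, the `[REDACTED]` marker, the constructed sample lines, and the reading of kerberosError as an RFC 4120 error number (24 = KDC_ERR_PREAUTH_FAILED) are assumptions.

```python
import re

# Constructed sample in the layout of the excerpt above (thread name and passwords made up).
PREFIX = "2019-03-22 12:39:32,340 DEBUG [com.desktone.view.broker.util.ViewClientSAXHandler]-[exec-9] "
SAMPLE = [PREFIX + s for s in (
    "request=do-submit-authentication", "character data: windows-password-expired",
    "character data: oldPassword", "character data: Old-Example1",
    "character data: newPassword1", "character data: New-Example2",
    "character data: newPassword2", "character data: New-Example2",
    "Finished parsing request 'do-submit-authentication'",
)] + ["2019-03-22 12:39:32,477 DEBUG [com.desktone.directory.activedirectory."
      "ActiveDirectoryAccessManager]-[exec-9] doChangePasswordKerberos, caught ChangePasswordException "
      "for user: t.test_test, domain: NETBIOSDOMAIN, error: 2, kerberosError: 24"]

SAX = re.compile(r"^(?P<head>.*?ViewClientSAXHandler\]-\[(?P<thread>[^\]]+)\] )(?P<msg>.*)$")
FAIL = re.compile(r"ChangePasswordException for user: (?P<user>[^,]+), domain: (?P<domain>[^,]+), "
                  r"error: (?P<error>\d+), kerberosError: (?P<krb>\d+)")
LABELS = {"oldPassword", "newPassword1", "newPassword2"}
CD = "character data: "
KRB = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 24: "KDC_ERR_PREAUTH_FAILED"}  # assumption: RFC 4120 numbers

def scrub(lines):
    """Return (lines with password values masked, parsed change-password failures)."""
    out, failures, state = [], [], {}  # state: thread -> [label seen, previous line was a label]
    for line in lines:
        m = SAX.match(line)
        if m:
            thread, msg = m.group("thread"), m.group("msg")
            if msg == "request=do-submit-authentication":
                state[thread] = [False, False]
            elif msg.startswith("Finished parsing request"):
                state.pop(thread, None)
            elif msg.startswith(CD) and thread in state:
                st = state[thread]
                if msg[len(CD):] in LABELS and not st[1]:
                    st[0] = st[1] = True  # field label: keep it, its value is on the next line
                else:
                    if st[0]:  # fail closed: after the first label, mask every non-label payload
                        line = m.group("head") + CD + "[REDACTED]"
                    st[1] = False
        f = FAIL.search(line)
        if f:
            failures.append({"user": f.group("user"), "domain": f.group("domain"), "error": int(f.group("error")),
                             "kerberos": KRB.get(int(f.group("krb")), f.group("krb"))})
        out.append(line)
    return out, failures

if __name__ == "__main__":
    masked, failed = scrub(SAMPLE)
    print("\n".join(masked), failed, sep="\n")
```

Every password change submitted while the logger is at debug is written to the log in the same way, so set the level back to info once the capture is done.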

Somehow it does not tell you the real issue… After contacting VMware Support, they asked me to check the users in AD (afterwards this was too easy :-)). I saw that the users were not equal: the pre-Windows 2000 name was like “t.test_test” and the UPN was like t.test.

So I made them both t.test_test, and tried to reset the password again. Now I was able to change the password like it should be.

 
