RDP to Horizon View 7 desktop fails with TLS 1.0

This week I was working on a great Horizon View 7 project. During the project I was asked why it wasn't possible to create a remote session (RDP) to a View Desktop. I was a bit surprised that this wasn't possible, but I parked the question so that I could dive into it later. A day later, when working on the AutoCAD desktop templates (with vGPU), I suddenly faced the same unexpected issue. Curious as always, I wanted to know what was preventing such a simple task. So the troubleshooting began…

Before we dive into the bits and bytes, a bit more background info on the project:

Customer Information:
The customer builds large offshore facilities for the oil and gas industry.
The facilities they have built are really off the scale and awesome to see.

Project Information:
Horizon View 7
Several use cases containing:

  • Windows 7 x64
  • RDSH Applications
  • vSGA and vGPU
  • Access Points
  • RSA two-factor authentication

Thin, zero and fat clients

Problem description:
So back to the problem: what exactly is happening?
I will first describe the two different situations which led to the problem.

Situation 1:
One of the requirements of the project was that the customer could connect to their physical desktop from the Horizon View Client and browser. To meet this requirement we installed the Horizon View Agent on the specific physical desktops, and created a manual pool within Horizon View. After this, the users could connect to their “own” physical desktops managed by Horizon View with a choice of three connection protocols, namely PCoIP, RDP and Blast (HTML5).

Now one of the admins tried to make a remote desktop connection (RDP) from within his Horizon View session to another physical desktop where the Horizon View Agent was installed. He instantly bumped into the following error:
[Screenshot: Error-01]

Situation 2:
In the second situation I was preparing the desktop template for the AutoCAD users. In this desktop vGPU was enabled, which causes a black console screen in the vSphere Client. This black screen is by design because the NVIDIA drivers take over the VGA functionality of the VMware Tools. Normally I connect to the desktop template through RDP and customize it, but since I now bumped into the same error as in situation 1, I had to find an alternative.

Because I didn't want to lose much time on this error, I installed the “Horizon View Direct Connect Agent Plugin”.
With this plugin you can connect directly to the desktop through the Horizon View Client. With this connection I customized the template so the “vGPU Pool” could be deployed.

Troubleshooting:
So in the first part of the troubleshooting I checked if RDP connections were allowed by the desktop.
RDP had to be enabled, because otherwise the Horizon View Administrator would give a “protocol error” on the desktop.
Nonetheless I started checking the remote desktop connection options and found out they were greyed out.
Some Group Policies restricted the ability to choose anything other than what the admins had configured.

In my case it was pretty easy to isolate the desktop from the Group Policies by using “block inheritance” on the organizational unit (OU) of the desktop. This gave me the ability to change the options in this section. Too bad, this made no difference and the error returned.

To be 100% sure this had something to do with the Horizon View Agent, I uninstalled the agent. After a quick reboot I tried again to make a connection to the desktop through RDP. This time it worked!!! So the problem had to be related to the Horizon View Agent…

After this result I started to dig into the log files. Not long after I started my search, everything began to point to the Transport Layer Security (TLS).

Solution:
After reading the letters TLS I instantly thought about the changes made to the supported TLS versions in Horizon View version 6.2 and higher. What exactly changed, you wonder? To improve the security of the connections, they disabled TLS 1.0 and enabled TLS 1.1 and 1.2 within Windows 7 (Release Notes 6.2).

The RDP connection from Windows 7 is configured to use TLS 1.0, but installing the Horizon Agent disabled TLS 1.0. As a result it wasn't possible to connect to the desktop through an RDP connection. Thank god Microsoft provided an OPTIONAL update (WHY optional?!) with the number KB3080079. This update enables TLS 1.1 and 1.2 in Windows 7. Caution: TLS 1.0 will not be disabled!

This patch is also suitable for Microsoft Server 2008 R2 SP1 servers. This can come in handy when you are working with RDS servers.
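To confirm which TLS versions a desktop's RDP listener accepts before and after the agent install or the KB3080079 update, you can pin a handshake to one version at a time. This is an added example, not code from the original post: it sends the X.224 Connection Request that precedes TLS on port 3389, and the function names and the host name are placeholders.

```python
import socket, ssl, struct

PROTOCOL_SSL, PROTOCOL_HYBRID = 0x1, 0x2      # requestedProtocols flags (MS-RDPBCGR)
NEG_RSP, NEG_FAILURE = 0x02, 0x03             # negotiation structure types
VERSIONS = {"TLS 1.0": ssl.TLSVersion.TLSv1,
            "TLS 1.1": ssl.TLSVersion.TLSv1_1,
            "TLS 1.2": ssl.TLSVersion.TLSv1_2}

def build_conn_request(protocols=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)
    x224 = bytes([6 + len(neg_req), 0xE0, 0, 0, 0, 0, 0]) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_conn_confirm(data):
    """Return ('selected', protocol) or ('failure', code) from the reply."""
    if len(data) < 19 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm with negotiation data")
    kind, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8 or kind not in (NEG_RSP, NEG_FAILURE):
        raise ValueError("unexpected negotiation structure")
    return ("selected" if kind == NEG_RSP else "failure", value)

def probe(host, version, port=3389, timeout=5.0):
    """True if the RDP listener completes a handshake pinned to one version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # RDP hosts often use self-signed certs
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")    # let OpenSSL 3 offer TLS 1.0/1.1
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_conn_request())
        if parse_conn_confirm(sock.recv(1024))[0] != "selected":
            return False                      # server refused TLS-based security
        try:
            with ctx.wrap_socket(sock):
                return True
        except (ssl.SSLError, OSError):
            return False

def audit(host):
    """Map each TLS version name to whether the listener accepted it."""
    return {name: probe(host, v) for name, v in VERSIONS.items()}

if __name__ == "__main__":
    # "desktop01.example.test" is a placeholder host name, not from the post.
    for name, ok in audit("desktop01.example.test").items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
```

A refusal only reflects what this client and the server could agree on; if the local OpenSSL build has TLS 1.0 removed, that row says nothing about the server.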
