This blog post serves as an update to the following I wrote back in April 2018:
"Your user account is disabled" error is thrown after upgrading VMware Horizon View to 6.2.0 or 6.2.1
http://terenceluk.blogspot.com/2016/04/your-user-account-is-disabled-error-is.html
I finally got the go-ahead to upgrade the environment and did not want to move from 6.0.1 to the latest 7.4.0 in one shot so I decided to upgrade to 6.2.0, then upgrade the agents to 6.2.1, upgrade servers to 7.4.0 and finally upgrade the agents to the latest version. Knowing that I was going to run into the error as described in the post above, I allocated extra time for troubleshooting because I wasn’t convinced that this was a bug due to the limited information available and the comments people left on the post. What I ended up discovering through troubleshooting was that this wasn’t a bug but rather an Active Directory domain issue so I hope to provide this update in case someone runs into the same issue.
Problem
You’ve completed an upgrade of VMware Horizon View and noticed all functions operate as expected aside from users trying to connect from external via the Security Server, who are from another domain in the same Active Directory forest. The error below is what they receive when they attempt to connect:
Your user account is disabled.
These users from another domain but in the same Active Directory forest have no issues connecting from the internal network.
Solution
Before I begin, let me provide information as to how the domains are configured.
Active Directory Forest Root Domain: contoso.com
Domain in the same forest but separate tree: fabrikam.com
The domain in which the Horizon View environment is deployed in is contoso.com but fabrikam.com users use this environment as well. Users from contoso.com can authenticate without any issues but fabrikam.com users cannot authenticate via the View Security server.
Seeing that users were able to connect from the internal network but not external, I logged onto the View Connection server that is paired with the View Security server handling external connections, reviewed the event logs and found the following error:
Log Name: System
Source: NETLOGON
Event ID: 5516
Level: Error
The computer or domain BMVV01 trusts domain fabrikam.com. (This may be an indirect trust.) However, BMVV01 and fabrikam.com have the same machine security identifier (SID). NT should be re-installed on either BMVV01 or fabrikam.com.
The above error log led me to believe that we may have a duplicate SID issue between the View Connection server paired with the View Security server and the fabrikam.com domain controllers (all domain controllers share the same SID) so I went ahead to PsGetsid64.exe from the SysInternals tools to compare the SIDs and confirmed that they were all identical:
There are several ways address this but the way I resolved the issue was deploy a new View Connection server with a unique SID, and then swap out the server with the duplicate SID.
My understanding as to why the desktop fails to launch for the user is because authentication takes place between the View Connection server and the domain controller but because both servers have the same SID, the process fails and View falsely believes the user’s account is disabled.
Hope this helps anyone who may encounter this problem.
1 comment:
Great blog post Terence, well written and the way you explain the issue and solution is easy to understand.
Post a Comment