Microsoft Patch causing SSO Handshake Timeouts with Horizon View 5.2

Every second Tuesday of the month Microsoft releases patches for the different operating systems and running applications of the vendor.  Before applying those patches to the operating systems and applications, an extensive testing process is needed. When all patches are behaving correctly the can be applied to the environment. When the extensive testing isn’t fulfilled completely, this can cause some strange behavior. At a customer site which is running a VMware Horizon View 5.2 environment this causes problems within their vCenter deployment.

One of the patches wasn’t tested enough and causes after patching and restarting the server an non functional vCenter Services. Within the log files different message directing to problems with connecting to the vCenter SSO services.

2014-02-20T06:43:08.260+01:00 [04512 error ‘Default’] SSLStreamImpl::BIORead from SSL(TCPClientSocket(this=00000000080f42d0, state=CONNECTED, _connectSocket=TCP(fd=-1), error=(null)) TCPStreamWin32(socket=TCP(fd=500) local=<IP vCenter Service>:56161,  peer=<IP SSO Service>:7444)) timed out
2014-02-20T06:43:08.260+01:00 [04512 error ‘Default’] SSLStreamImpl::DoClientHandshake for SSL(no stream): SSL_connect failed with BIO Error
2014-02-20T06:43:08.260+01:00 [04512 error ‘HttpConnectionPool-000001’] [ConnectComplete] Connect failed to <cs p:000000000abf25c0, TCP:grnap756.duo.local:7444>; cnx: (null), error: class Vmacore::Ssl::SSLHandshakeTimeoutException(SSL Exception: The SSL handshake timed out local: <IP vCenter Service>:56161 peer: <IP SSO Service>:7444.)
2014-02-20T06:43:08.260+01:00 [04440 error ‘[SSO][SsoCertificateManagerImpl]’] [CreateAdminSsoServiceContent] SSLHandshakeTimeoutException while trying to connect to SSO Admin server: SSL Exception: The SSL handshake timed out local: <IP vCenter Service>:56161 peer: <IP SSO Service>:7444.).

The VMware knowledge base article 2036170 wrote about patches which could be the source of the problem. With this customer new patches were placed on those systems the same morning. After some digging around in the patches one of them popped out. Patch 2862973 made changes to the MD5 hashing algorithm for Microsoft root certificates. And especially for server authentication which was used on this particular environment. After removing the patch on the systems, we we’re able again to start the vCenter Services.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s