Symptoms
This problem can occur in environments where multiple App Volumes Managers are configured to use per TCP connection load balancing. The writable volume will fail to mount for the user during login. The following error message is displayed to the user:
Connection Error (Manager "xxx.yyy"):
Unable to contact App Volumes Manager.
Virtualization is disabled
Note: "xxx.yyy" means the App Volumes Manager hostname or IP address.
You see NTLM authentication errors in the App Volumes Manager logs similar to:
"The LDAP authentication thread was removed by something else"
"INFO NTLM: NTLM authentication result: Invalid"
Cause
In response to the March 2020 advisory ADV190023 (Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing), App Volumes Manager and Agent have been upgraded to use channel binding from version 2.18.6 and App Volumes 4 (2006). To accommodate the channel binding change, the App Volumes Agent uses NTLM with 2 TCP connections. With per TCP connection load balancing, those two connections can be sent to different App Volumes Managers.
Resolution
Customers who experience this problem with VMware App Volumes 2.18.6 or App Volumes 4 (2006) or later should ensure that per TCP connection load balancing is not used in front of multiple App Volumes Managers. VMware recommends configuring the load balancer persistence to "Source address affinity persistence" (or source IP persistence). For detailed configuration instructions, please contact your load balancer vendor. For F5 LTM configuration with App Volumes, please refer to Load Balancing VMware App Volumes.
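The following simulation is an added example, not VMware code. It models why a two-connection NTLM login fails behind per TCP connection balancing and succeeds with source address affinity. It assumes that the challenge is issued on the first connection and answered on the second, and that each Manager keeps pending challenges only in its own memory; the manager names and client addresses are constructed.

```python
import itertools
import secrets
import zlib

class Manager:
    """Simplified manager (assumption): pending NTLM challenges live in local memory only."""
    def __init__(self, name):
        self.name = name
        self.pending = {}  # client_ip -> challenge issued by THIS manager

    def negotiate(self, client_ip):
        challenge = secrets.token_hex(8)
        self.pending[client_ip] = challenge
        return challenge

    def authenticate(self, client_ip, challenge):
        # Valid only if this same manager issued the challenge being answered.
        ok = self.pending.pop(client_ip, None) == challenge
        return "Valid" if ok else "Invalid"

def round_robin(managers):
    """Per TCP connection balancing: every new connection goes to the next manager."""
    cycle = itertools.cycle(managers)
    return lambda client_ip: next(cycle)

def source_affinity(managers):
    """Source address affinity: the client IP alone selects the manager."""
    return lambda client_ip: managers[zlib.crc32(client_ip.encode()) % len(managers)]

def login(pick_manager, client_ip):
    """One agent login over two TCP connections; returns (result, manager1, manager2)."""
    first = pick_manager(client_ip)            # connection 1: receive challenge
    challenge = first.negotiate(client_ip)
    second = pick_manager(client_ip)           # connection 2: send response
    return second.authenticate(client_ip, challenge), first.name, second.name

def simulate(policy, clients):
    """Run one login per client against two fresh managers under the given policy."""
    managers = [Manager("avm-1"), Manager("avm-2")]  # hypothetical names
    pick = policy(managers)
    return [login(pick, ip)[0] for ip in clients]

CLIENTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]  # constructed sample addresses

if __name__ == "__main__":
    print("per-connection :", simulate(round_robin, CLIENTS))
    print("source affinity:", simulate(source_affinity, CLIENTS))
```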
Related Information
ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
Impact of March 2020 LDAP Channel Binding & Signing Requirement for Microsoft Windows (ADV190023) on App Volumes Environments
Impact of 2020 LDAP channel binding and LDAP signing requirement for Microsoft Windows in Horizon Enterprise environments
VMware vSphere & Microsoft LDAP Channel Binding & Signing (ADV190023)
Load Balancing VMware App Volumes