Symptoms
  • Recently restored a Horizon 7 7.2 or later Connection Server to a new server from an LDAP backup.
  • After the server is restored, Horizon is unable to communicate with the vCenter Server.
  • Errors similar to the following are seen in the Horizon Connection Server logs:
2018-04-28T14:26:32.000-07:00 ERROR (0F1C-144C) <MessageFrameWorkDispatch> [MessageFrameWork] BCryptDecrypt FAILED, status={Data Error}
An error in reading or writing data occurred. (0xC000003E)
2018-04-28T14:26:32.000-07:00 DEBUG (0F1C-144C) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=decipherWithDerivedKey, ok=0, msecs=15
2018-04-28T14:26:32.000-07:00 ERROR (0F1C-144C) <MessageFrameWorkDispatch> [ws_java_bridgeDLL] BCryptDecrypt FAILED, status={Data Error}
An error in reading or writing data occurred. (0xC000003E)
2018-04-28T14:26:32.001-07:00 DEBUG (0F1C-1934) <VCC-2bea4481-f3cc-4029-a116-03d127b4b4d3-1524950206086> [ServiceConnection25] Problem connecting to VirtualCenter at <vCenter-FQDN> com.vmware.vdi.logger.Logger.debug(Logger.java:44)
com.vmware.vdi.crypto.SecurityManagerException: decrypt: Cannot decrypt: Cipher scheme decryption failed.
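The log signature above can be triaged automatically when checking a restored Connection Server. The following Python script is an added example, not part of this article or of VMware's tooling. It parses the entry format shown in the excerpt (timestamp, level, thread id, context, module, message, with untimestamped continuation lines folded into the preceding entry), counts decryption failures per module, extracts the vCenter host named in the connection error, and flags the combination this article describes: a KeyVault decipherWithDerivedKey result of ok=0 together with a BCryptDecrypt failure. The sample log is the excerpt from this article embedded as constructed input (the <vCenter-FQDN> placeholder is kept as-is); the entry regex and the marker strings are assumptions derived from that excerpt, not a documented log format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the log excerpt from this article, with the article's own
# <vCenter-FQDN> placeholder left in place (no real host name is assumed).
SAMPLE_LOG = """\
2018-04-28T14:26:32.000-07:00 ERROR (0F1C-144C) <MessageFrameWorkDispatch> [MessageFrameWork] BCryptDecrypt FAILED, status={Data Error}
An error in reading or writing data occurred. (0xC000003E)
2018-04-28T14:26:32.000-07:00 DEBUG (0F1C-144C) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=decipherWithDerivedKey, ok=0, msecs=15
2018-04-28T14:26:32.000-07:00 ERROR (0F1C-144C) <MessageFrameWorkDispatch> [ws_java_bridgeDLL] BCryptDecrypt FAILED, status={Data Error}
An error in reading or writing data occurred. (0xC000003E)
2018-04-28T14:26:32.001-07:00 DEBUG (0F1C-1934) <VCC-2bea4481-f3cc-4029-a116-03d127b4b4d3-1524950206086> [ServiceConnection25] Problem connecting to VirtualCenter at <vCenter-FQDN> com.vmware.vdi.logger.Logger.debug(Logger.java:44)
com.vmware.vdi.crypto.SecurityManagerException: decrypt: Cannot decrypt: Cipher scheme decryption failed.
"""

# Assumed entry layout, inferred from the excerpt above:
#   <timestamp> <LEVEL> (<thread>) <context> [module] message
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>[A-Z]+) \((?P<thread>[0-9A-F]+-[0-9A-F]+)\) "
    r"<(?P<ctx>[^>]+)> \[(?P<module>[^\]]+)\] (?P<msg>.*)$"
)

# Substrings that identify a failed decryption of LDAP-stored secrets (assumed markers).
DECRYPT_FAILURE_MARKERS = (
    "BCryptDecrypt FAILED",
    "Cipher scheme decryption failed",
    "decipherWithDerivedKey, ok=0",
)
VC_CONNECT_RE = re.compile(r"Problem connecting to VirtualCenter at (\S+)")


@dataclass
class LogEntry:
    timestamp: str
    level: str
    thread: str
    context: str
    module: str
    message: str


def parse_entries(text):
    """Split raw log text into entries, folding continuation lines into the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(LogEntry(m["ts"], m["level"], m["thread"],
                                    m["ctx"], m["module"], m["msg"]))
        elif entries and raw.strip():
            # No timestamp prefix: Windows status text or a Java exception line
            # belonging to the entry that precedes it.
            entries[-1].message += "\n" + raw.strip()
    return entries


def triage(text):
    """Summarise decryption failures and the vCenter hosts that became unreachable."""
    entries = parse_entries(text)
    failures = [e for e in entries
                if any(marker in e.message for marker in DECRYPT_FAILURE_MARKERS)]
    modules = Counter(e.module for e in failures)
    vcenters = set()
    for e in entries:
        hit = VC_CONNECT_RE.search(e.message)
        if hit:
            vcenters.add(hit.group(1))
    keyvault_failed = any("decipherWithDerivedKey, ok=0" in e.message for e in entries)
    bcrypt_failed = any("BCryptDecrypt FAILED" in e.message for e in entries)
    return {
        "entries": len(entries),
        "decrypt_failures": len(failures),
        "failing_modules": dict(modules),
        "unreachable_vcenters": sorted(vcenters),
        # Both signals together are the fingerprint of a server restored without its KeyVault.
        "keyvault_key_mismatch": keyvault_failed and bcrypt_failed,
    }


def main():
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["keyvault_key_mismatch"]:
        print("Fingerprint matches a Connection Server restored without its original KeyVault;"
              " re-enter the stored credentials and license key so they are re-encrypted.")


if __name__ == "__main__":
    main()
```

Run it against a saved copy of the Connection Server log instead of SAMPLE_LOG to confirm the fingerprint before working through the Resolution steps; a log in which the KeyVault reports ok=1 and no BCryptDecrypt failures appear points to a different cause.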
Cause
Sensitive information, such as passwords and licensing information, is stored in the LDAP database in encrypted form. The decryption key for this data is stored in the Horizon Connection Server KeyVault, which is located locally on each Connection Server.
If a Connection Server is completely lost and must be restored from an LDAP backup onto a newly installed guest OS, the original KeyVault is not present, and the newly installed Connection Server is unable to decrypt this sensitive information.
Resolution
Re-entering and confirming the various usernames and passwords, as well as the license keys, allows the newly installed Connection Server to encrypt this information using the encryption key contained in its new KeyVault.

To re-enter the vCenter Server user and Composer user passwords:
  1. In the Horizon admin UI, expand the View Configuration section of the Inventory.
  2. Click the Servers option.
  3. Under the vCenter Servers tab, select the vCenter Server entry you want to update and click Edit.
  4. In the Edit vCenter Server window, click Edit again under the vCenter Server Settings section.
  5. Confirm the username is correct, then clear and re-enter the password for this user. Click OK to confirm the password.
    1. If you have a standalone Composer configured, at this point click Edit under the View Composer Server Settings section.
    2. Again, confirm the username is correct, then clear and re-enter the password for this user. Do not click OK yet.
    3. Click Verify Server Information; this confirms the password entered in Step 2.
    4. Once the domain information has loaded, select the Composer domain user you want to update and click Edit...
    5. Once again, confirm the username is correct, then clear and re-enter the password for this user. Click OK.
    6. Click OK to confirm all of the Composer information.
  6. Finally, click OK to confirm all of the vCenter and Composer information.
To re-enter the Instant Clone Domain Admin user password:
  1. In the Horizon admin UI, expand the View Configuration section of the Inventory.
  2. Click the Instant Clone Domain Admins option.
  3. Select the Instant Clone Domain Admin you want to update and click Edit...
  4. Confirm the username is correct, then clear and re-enter the password for this user. Click OK to confirm the password.
To re-enter the license key information:
  1. In the Horizon admin UI, expand the View Configuration section of the Inventory.
  2. Click the Product Licensing and Usage option.
  3. Under the Licensing section, click Edit License...
  4. Enter your license key and click OK to confirm it.
Workaround
If you need to fully restore a Connection Server that was part of an existing, still-operational cluster, the better option is to install the new Connection Server as a replica of one of the existing Connection Servers. The replication process shares the cluster master key with the newly installed Connection Server, allowing it to decrypt the sensitive LDAP information.