After recently upgrading the VMware Horizon Connection Servers in a VDI environment I am new to managing, end users complained that they could no longer access their virtual desktops. They stated that when they connected via the VMware Horizon Client for Windows, they received an HTTP 421 error similar to the screenshot below.
Honestly, I had never heard of the HTTP 421 error code, so I had to look it up. My Google search results stated an HTTP 421 error is a “Misdirected Request” error.
This had me scratching my head, as no changes were made to the configuration of the VMware Horizon Connection Servers that the end users were using. To make things more interesting, I could not reproduce the error when connecting to the VMware Horizon Connection Servers myself using the Windows or web clients.
It appears that other users have encountered this error, as a quick search of the VMware KB site yielded the following result: "Error 421 while connecting to Horizon via HTML Web Console after an upgrade to 2306, 2111.1, or Later". This KB article discusses a change in a default setting within VMware Horizon that blocks connections to the Connection Server using the name or IP address of a proxy, gateway, or load balancer that is not defined in the locked.properties configuration file. In the case of this setting change, it doesn't matter if you initially set the checkOrigin or enableCORS settings to false.
However, after reading the KB article, it still did not make sense why some end users were receiving this error message, as I could not reproduce it. My coworker and I scratched our heads while trying to figure out what could be happening until we realized that these users were indeed connecting to the VMware Horizon Connection Servers using a CNAME record instead of the Connection Servers’ FQDNs. Aha! It now made complete sense what was happening. I tested this out by accessing the CNAME entry via my browser, and sure enough, a lovely HTTP 421 error.
So what is the fix for this situation? It is pretty easy! Per the KB, you must define a portalHost.# entry in your locked.properties for each DNS entry or IP address that a user might use to access your Connection Servers. The KB article "Cross-Origin Resource Sharing (CORS) with Horizon 8 and load balanced HTML5 access" (85801) goes into these settings in detail, but the general idea is that for each DNS entry or IP address, you create a numbered entry in the configuration file, such as these:
So, if you are preparing to upgrade an existing environment or deploy a new environment, make sure that all DNS entries and IP addresses used to access your VMware Horizon environment are defined in the locked.properties for every one of your VMware Horizon Connection Servers.
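One way to run that check before an upgrade, as an added example that is not from the original post or from VMware: the script compares the portalHost.# entries in a locked.properties file against an inventory of every name or IP address users connect with, and prints the numbered entries that are missing. The function names are hypothetical, the hostnames and addresses are constructed placeholders, and the `portalHost.N=value` line format is assumed from the numbered-entry description above.

```python
import re

# Constructed sample of a locked.properties file; hostnames are placeholders.
SAMPLE_LOCKED_PROPERTIES = """\
# Connection Server cs01
checkOrigin=false
enableCORS=false
portalHost.1=cs01.corp.example.com
portalHost.2=cs02.corp.example.com
"""

# Constructed sample: every name or IP address users might connect with.
SAMPLE_ACCESS_NAMES = [
    "cs01.corp.example.com",
    "CS02.corp.example.com",   # same host, different case
    "desktops.example.com",    # CNAME pointing at the Connection Servers
    "192.0.2.10",              # load balancer VIP
    "desktops.example.com",    # duplicate in the inventory
]

# Assumed line format: portalHost.<number>=<name or IP>. Commented lines do not match.
PORTAL_HOST = re.compile(r"^\s*portalHost\.(\d+)\s*=\s*(\S+)\s*$")


def parse_portal_hosts(text):
    """Return {index: host} for every active portalHost.N line in the file text."""
    found = {}
    for line in text.splitlines():
        match = PORTAL_HOST.match(line)
        if match:
            found[int(match.group(1))] = match.group(2)
    return found


def missing_entries(text, access_names):
    """Return the portalHost.N lines to append so every access name is covered."""
    existing = parse_portal_hosts(text)
    covered = {host.lower() for host in existing.values()}  # DNS names ignore case
    next_index = max(existing, default=0) + 1
    lines = []
    for name in access_names:
        key = name.strip().lower()
        if key and key not in covered:
            covered.add(key)  # also drops duplicates within the inventory
            lines.append(f"portalHost.{next_index}={key}")
            next_index += 1
    return lines


if __name__ == "__main__":
    for entry in missing_entries(SAMPLE_LOCKED_PROPERTIES, SAMPLE_ACCESS_NAMES):
        print(entry)
```

Run it against the file from each Connection Server in turn, since every server needs its own complete set of entries.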