So I re-deployed the vApp (again!) paying close attention as I went. As per usual, the initial database setup failed because I entered my FQDN for the gateway, so it didn't match. Following the helpful posts already out there for this (Workspace install fails with Error Creating admin user) I used the connfigurator-va wizardssl.hzn to recreate a rootca for the environment based on my FQDN instead of gateway-va and then let it push it all out to the other vApps. I then logged into each and pulled down my private rootca and ran c_rehash, etc (another helpful post! - Adding MS signed Certs to Horizon Workspace « Carlos' Corner) I am actually using my UNIX background and openssl to be my own private CA and signing all my certs. I created the SAN cert and added it to the SSL setup on Configurator-va and Connector-va. Oddly, both of those server don't seem to be accepting the SAN cert that includes their FDQN, but that's for another day... My Horizon Workspace FQDN does show as trusted by by installed private RootCA (which does show the other DNS names for the service-va, configurator-va, data-va and connector-va, but like I said - a battle for another day) so that's a good thing. I joined my workspace to my domain - so far so good! Activated the View Pools in configurator-va - sync'd - good. Accepted my view connection server's crt and set up the SAML trust. Still good. Sync'd my AD View Users Group which already had a couple of linked clone pools entitled to them. Good. Logged into the FQDN of my Workspace and clicked on the Computers - saw my 3 pools. Clicked on one and after a few seconds launched into a new blast window. Success! I logged out and logged in on a different machine, and something I was seeing before but didn't pay much attention to was the connector-va setting of 'use windows authentication' I couldn't figure why whenever I browsed to my Horizon Workspace a non-vmware window pops up asking for access my FQDN:443 with a user and pass. It's that setting - duh. I'm not yet sure what that gives me, so it's off for now.
Thanks for all the input - it's good to know there are others with some of the same issues. This is still v1.0, so there is bound to be some of those gotchas. It's finicky with time drift even less than 10 seconds seems to have a negative impact. Had to ensure my ESXi servers were solid (never worried much in the past with MS AD being pretty tolerant with small drifts) I tired setting my vApps to a NTP, but they seemed to like being left to the default of syncing to the ESXi host. See how that pans out. Certs are a bit finicky depending on your deployment. Obviously the connector-va and configurator-va don't need to be signed by a CA as they are internal, but still be nice to have then internally signed...
Now I'm onto integrating ThinApps to Desktops as well as the web interface.
I banged my head against the wall with my first Citrix XA and XD setup (before there was VDI in a box!) and it was the best way to learn.
I'm sure I'll stumble along as I finish my PoC, but I'm very happy with the results from today. I'm still planning on comparing my successful logs with the logs I pulled from my old vApp deployment and seeing what it was that was broke. I think it was that I was missing a PTR record for my FQDN in MS DNS. I think I just had the forward lookup for both the original gateway-va and the FQDN, but only a reverse for gateway-va. Would explain why I was never able to connect BACK to the gateway when accessing a desktop. Oops.
A