
Got it working last week! Just want to post this to help anyone else that may be having issues with the iApp or the configuration in general for smart card, SAML, etc. The part I don't understand is why the same connection from a web browser goes on to the SAML part of the connection (which I can see in APM but not sure where to find it on the Horizon side). I understand that all the failures are reactionary to the Connection server not being able to find a machine that it wants to send me to. All I see in the APM log at that point is "notice apmd: 01490005:5: /Common/horizon.app/horizon:Common:5f616461: Following rule 'fallback' from item 'View Client Cert Inspection' to ending 'Deny.'" The client's explanation is even more vague with "Authentication Failure." If I'm going there from the client, the next thing I see in the log is "Unverified CHANGEKEY message discarded, machine 'cn=ca70f223-b584-4cc4-a489-230b73bf92b6,ou=servers,dc=vdi,dc=vmware,dc=int' does not exist." I actually can see the cert getting there from the client and the browser (it is the same cert - and the correct one at that). The iApp will set this value on your client ssl profile to 60 seconds but I mention it in case you selected a pre-configured ssl client profile or for some reason are taking longer than 60 seconds to send certificate. Boneyard, I was able to access the logs on the connection server today. This means you have to enter smartcard pin and send client certificate within 10 seconds of making your initial connection. You could also be hitting a time out issue regarding client side ssl handshake timeout, as the default is set to 10 seconds. Of course you will need to select a valid certificate (one that has been issued by a CA selected in question "Which CA certificate bundle do you want to use for your trusted certificate authorities?", and is valid).
Doing so will make it so the client is able to view all client certificates rather than just certificates issued by the CA root certificate selected. Modify the question "Which CA certificate bundle do you want to use for your advertised certificate authorities?" to none. This could mean you are not sending a certificate at all, or perhaps are not sending one that matches your allowed CA issued certs. With that said, do you see the Access policy completing successfully for both clients or only HTML? There is an option in the iApp that might help a little during certificate selection; I point this out as I noted you are not passing certificate authentication when using the horizon client. I would open a support case, as they will be able to review log files to determine at which point authentication is failing and more quickly get your environment working. I could really use some guidance on this.

SAML authentication is seen for the browser connection; the cert inspection from the same smartcard passes, where it fails on connections from the Horizon client. The main thing is the APM log looks great.
If I attempt the same exact connection through a regular web browser via HTML 5, I can authenticate to the webtop where the authentication fails to the back end (the documentation says that's what should happen and that manual login has to occur from the webtop). The horizon client will prompt for a pin and then after a second or two display "Authentication Failure." APM logs consistently show the access policy failing at the cert inspection step. Both the View server and F5 have been configured according to the companion guide for the iapp. The feature we really want to implement is using smartcard authentication with SAML 2.0 through the horizon client. Currently attempting setup with the f5.vmware_view.v1.5.1 iapp template.

I am running Big IP version 12.1.0 with APM and Horizon View 7.0.1.
