VMware Horizon Community
Lalegre
Virtuoso

Horizon View Client - Double authentication prompt

I am having this strange issue with Horizon View only behind a Load balancer. This is my scenario.

- 1 UAG with an IP of DMZ and a DNAT created to access from outside. This appliance is pointing to the Load Balancer and has the certificates from both Connection Servers loaded.

- 1 NSX Load Balancer with an IP of DMZ. It has 2 Connection Servers as members. Only redirecting port 443.

- 2 Connection Servers with an IP on LAN.

The issue here is that when I connect from outside, pointing to the UAG, I authenticate and the Connection Servers bring me the Desktop Pools back, but when I select the Desktop Pool the authentication prompts again and then I can connect into my VDI.

Does anybody know why I have this "Double authentication process"?

Thanks in advance

0 Kudos
9 Replies
BenFB
Virtuoso

On the UAG under Horizon Settings do you have "Enable Windows SSO" enabled?

You mention the UAG has the certificate of the connection servers loaded. The UAG and connection server(s) should have different certificates.

0 Kudos
nettech1
Expert

Double authentication is normal with 2FA.

- 1st prompt is for radius

- 2nd is for AD

Assuming you don't have 2FA configured and are getting a double authentication prompt?

0 Kudos
surajr04
VMware Employee

The issue can be with Load Balancer configuration.

I have seen this issue with F5 and NetScaler. After enabling "Session Persistence" in the LB, the issue was fixed.

To isolate, you can bypass the Load Balancer and check if you are prompted twice. If not, then you may need to check the Load balancer configuration.

NOTE: If you off-load SSL connections to an intermediate server, you must import the intermediate server's certificate onto the View Connection Server instances or UAG that it is off-loading. The same SSL server certificate must reside on both the off-loading intermediate server and the off-loaded View servers.

0 Kudos
Lalegre
Virtuoso

I am using NSX for load balancing, configured SSL Session Passthrough and SSID for persistence, so I think that maybe that isn't the issue?

0 Kudos
surajr04
VMware Employee

Just to isolate the issue, could you bypass the Load Balancer and check if you are being prompted twice?

0 Kudos
Lalegre
Virtuoso

I will try that and tell you about the results. Thanks!

0 Kudos
Alexa84
Contributor

Hi Lalegre,

We have the same issue, how did you solve it?

Thanks

0 Kudos
markbenson
VMware Employee

This problem is usually caused by a misconfigured load balancer. If the load balancer routes Horizon client requests to the wrong UAG appliance, that UAG will know nothing about the session and will request authentication again from the user. Check the affinity timeout setting. It should usually be set to the session lifetime (e.g. 10 hours).

Look at Load Balancing across VMware Unified Access Gateway Appliances

0 Kudos
kevinpower
Enthusiast

Hello,

We've got the same problem with an "A10" load balancer. After enabling persistence and a cookie-based persistence rule, the problem was solved for us.

When a user connects to the environment, there are two phases.

( Resource: https://pdfs.loadbalancer.org/Vmware_Horizon_Deployment_Guide.pdf )

PRIMARY HORIZON PROTOCOL (PHASE 1)

The user enters a hostname at the Horizon Client and this starts the primary Horizon protocol. This is a control protocol for authentication, authorization and session management. It uses XML structured messages over HTTPS. This protocol is sometimes known as the Horizon XML-API control protocol. In a load balanced environment, the load balancer distributes client connections across the available set of UAG's.

SECONDARY HORIZON PROTOCOLS (PHASE 2)

After the Horizon Client has established secure communication to one of the UAG appliances, the user authenticates. If this authentication attempt is successful, then one or more secondary connections are made from the Horizon client. These secondary connections can include:

• HTTPS Tunnel used for encapsulating TCP protocols such as RDP, MMR/CDR and the client framework channel (TCP 443)

• Blast display protocol (TCP/UDP 443 & TCP/UDP 8443)

• PCoIP display protocol (TCP/UDP 4172)

These secondary Horizon protocols must be routed to the same UAG appliance to which the primary Horizon protocol was routed. The reason for this is so that UAG can authorize the secondary protocols based on the authenticated user session. If the secondary protocols were to be misrouted to a different UAG appliance to the primary protocol one, they would not be authorized and would therefore be dropped in the DMZ and the connection would fail.

0 Kudos
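As an added illustration of the misrouting described in the replies above (this is not code from the thread, from VMware or from the loadbalancer.org guide), here is a small Python model of two UAG appliances behind a round-robin load balancer with a client-affinity timeout; the appliance names, user, client name and timings are constructed values. It shows why no persistence, or an affinity timeout shorter than the session, produces a second authentication prompt when the phase-2 connection lands on the other appliance.

```python
import itertools


class UAG:
    """One Unified Access Gateway; it only knows sessions it authenticated itself."""

    def __init__(self, name):
        self.name = name
        self.sessions = set()

    def authenticate(self, user):
        # Phase 1: primary XML-API control protocol, user supplies credentials
        token = f"{user}@{self.name}"
        self.sessions.add(token)
        return token

    def authorize_secondary(self, token):
        # Phase 2: tunnel / Blast / PCoIP is only authorized against a known session
        return token in self.sessions


class LoadBalancer:
    """Round-robin with optional client affinity; a timeout of 0 means no persistence."""

    def __init__(self, uags, affinity_timeout):
        self.pool = itertools.cycle(uags)
        self.affinity_timeout = affinity_timeout
        self.affinity = {}  # client -> (uag, time the affinity entry was created)

    def route(self, client, now):
        entry = self.affinity.get(client)
        if entry is None or now - entry[1] >= self.affinity_timeout:
            entry = (next(self.pool), now)  # new or expired entry: pick next member
            self.affinity[client] = entry
        return entry[0]


def simulate(affinity_timeout, secondary_delay):
    """Number of auth prompts one user sees: primary protocol at t=0,
    secondary connection `secondary_delay` seconds later (constructed timings)."""
    lb = LoadBalancer([UAG("uag-a"), UAG("uag-b")], affinity_timeout)
    primary = lb.route("client-1", 0)
    token = primary.authenticate("alice")
    prompts = 1
    secondary = lb.route("client-1", secondary_delay)
    if not secondary.authorize_secondary(token):
        # Misrouted: this UAG knows nothing about the session, so the client
        # is challenged again, which is the "double prompt" from the thread.
        secondary.authenticate("alice")
        prompts += 1
    return prompts
```

`simulate(0, 5)` (no persistence) and `simulate(300, 600)` (5-minute affinity, secondary connection after 10 minutes) both yield two prompts, while `simulate(36000, 5)` (10-hour affinity, as markbenson suggests) yields one.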