On the UAG under Horizon Settings do you have "Enable Windows SSO" enabled?
You mention the UAG has the certificate of the connection servers loaded. The UAG and connection server(s) should have different certificates.
Double authentication is normal with 2FA.
- 1st prompt is for radius
- 2nd is for AD
Assuming you don't have 2FA configured and are getting a double authentication prompt:
The issue can be with Load Balancer configuration.
I have seen this issue with F5 and NetScaler. After enabling "Session Persistence" in the LB, the issue was fixed.
To isolate, you can bypass the Load Balancer and check if you are prompted twice. If not, then you may need to check the Load Balancer configuration.
NOTE: If you off-load SSL connections to an intermediate server, you must import the intermediate server's certificate onto the View Connection Server instances or UAG that it is off-loading. The same SSL server certificate must reside on both the off-loading intermediate server and the off-loaded View servers.
I am using NSX for load balancing, configured SSL Session Passthrough and SSID for persistence, so I think that maybe that isn't the issue?
Just to isolate the issue, could you bypass the Load Balancer and check if you are being prompted twice?
I will try that and tell you about the results. Thanks!
We have the same issue, how did you solve it?
This problem is usually caused by a misconfigured load balancer. If the load balancer routes Horizon client requests to the wrong UAG appliance, that UAG will know nothing about the session and will request authentication again from the user. Check the affinity timeout setting. It should usually be set to the session lifetime (e.g. 10 hours).
We've got the same problem with an "A10" load balancer. After enabling persistence and a cookie-based persistence rule, the problem was solved for us.
When a user connects to the environment, there are two phases.

PRIMARY HORIZON PROTOCOL (PHASE 1)

The user enters a hostname at the Horizon Client and this starts the primary Horizon protocol. This is a control protocol for authentication, authorization and session management. It uses XML structured messages over HTTPS. This protocol is sometimes known as the Horizon XML-API control protocol. In a load balanced environment, the load balancer distributes client connections across the available set of

SECONDARY HORIZON PROTOCOLS (PHASE 2)

After the Horizon Client has established secure communication to one of the UAG appliances, the user authenticates. If this authentication attempt is successful, then one or more secondary connections are made from the Horizon client. These secondary connections can include:
- HTTPS Tunnel used for encapsulating TCP protocols such as RDP, MMR/CDR and the client framework channel (TCP 443)
- Blast display protocol (TCP/UDP 443 & TCP/UDP 8443)
- PCoIP display protocol (TCP/UDP 4172)

These secondary Horizon protocols must be routed to the same UAG appliance to which the primary Horizon protocol was routed. The reason for this is so that UAG can authorize the secondary protocols based on the authenticated user session. If the secondary protocols were to be misrouted to a different UAG appliance to the primary protocol one, they would not be authorized and would therefore be dropped in the DMZ and the connection would fail.
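The two-phase description above, together with the earlier advice that the load balancer's affinity timeout should match the session lifetime, can be checked with a small model. The following Python is an added example written for this thread; it is not VMware, NSX or any load balancer vendor's code. It simulates two UAG appliances behind a load balancer and replays a constructed client timeline (authenticate, connect to a desktop, reconnect two hours later) under three persistence settings: none, a 30-minute affinity timeout, and an affinity timeout equal to the session lifetime. Appliance names, addresses, the 10-hour session lifetime and the assumption that the persistence entry is refreshed on every hit are all made up for illustration.

```python
"""Toy model of Horizon Phase 1 / Phase 2 routing through a load balancer.

Constructed example: appliance names, client address, session lifetime and the
idle-refresh behaviour of the persistence table are assumptions, not the
behaviour of any particular product.
"""
from dataclasses import dataclass, field
from itertools import cycle

SESSION_LIFETIME_S = 10 * 3600  # example session lifetime from the thread (10 h)


@dataclass
class UAG:
    """One Unified Access Gateway appliance with its own, local session table."""
    name: str
    sessions: dict = field(default_factory=dict)  # client -> session expiry

    def primary_auth(self, client, now):
        # Phase 1: the user authenticates; the session exists on THIS appliance only.
        self.sessions[client] = now + SESSION_LIFETIME_S
        return "auth-prompt"

    def secondary(self, client, now):
        # Phase 2: Blast/PCoIP/tunnel is authorized against the local session table.
        expiry = self.sessions.get(client)
        if expiry is None or expiry < now:
            return "dropped"  # no session here: connection fails, client re-prompts
        return "ok"


class LoadBalancer:
    """Round-robin balancer with optional client persistence (affinity)."""

    def __init__(self, members, affinity_timeout_s=None):
        self.members = members
        self.rr = cycle(members)
        self.affinity_timeout_s = affinity_timeout_s  # None = no persistence
        self.table = {}  # client -> (member, persistence entry expiry)

    def pick(self, client, now):
        if self.affinity_timeout_s is not None:
            entry = self.table.get(client)
            if entry is not None and entry[1] >= now:
                member = entry[0]
                # Assumption: the entry is refreshed on every hit (idle timeout).
                self.table[client] = (member, now + self.affinity_timeout_s)
                return member
        member = next(self.rr)
        if self.affinity_timeout_s is not None:
            self.table[client] = (member, now + self.affinity_timeout_s)
        return member


# Constructed client timeline: (time in seconds, client address, connection kind)
CLIENT_ACTIONS = [
    (0, "10.0.0.5", "primary"),            # Phase 1: user authenticates
    (5, "10.0.0.5", "secondary"),          # Phase 2: Blast connection to the desktop
    (2 * 3600, "10.0.0.5", "secondary"),   # Phase 2 again: reconnect two hours later
]


def simulate(affinity_timeout_s, actions=CLIENT_ACTIONS):
    """Replay the actions; return a list of (time, kind, uag, result)."""
    uags = [UAG("uag-1"), UAG("uag-2")]
    lb = LoadBalancer(uags, affinity_timeout_s)
    results = []
    for t, client, kind in actions:
        uag = lb.pick(client, t)
        if kind == "primary":
            outcome = uag.primary_auth(client, t)
        else:
            outcome = uag.secondary(client, t)
        results.append((t, kind, uag.name, outcome))
    return results


def prompts_twice(results):
    """True if any secondary connection was dropped, i.e. the user is re-prompted."""
    return any(r[1] == "secondary" and r[3] == "dropped" for r in results)


if __name__ == "__main__":
    for label, timeout in (("no persistence", None),
                           ("30 min affinity", 1800),
                           ("affinity = session lifetime", SESSION_LIFETIME_S)):
        res = simulate(timeout)
        print(f"{label}: {[r[2] + '/' + r[3] for r in res]}; "
              f"double prompt = {prompts_twice(res)}")
```

With no persistence the very first secondary connection lands on the other appliance and is dropped, which is the double prompt the thread describes. With a 30-minute affinity timeout the initial desktop launch works, but the reconnect two hours later has outlived the persistence entry and is misrouted. Only when the affinity timeout is at least the session lifetime does every Phase 2 connection reach the appliance that holds the session.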