VMware Horizon Community
Zaluudai
Contributor
Contributor
Jump to solution

Horizon 8.4 - Authenthication failed from Horizon client

Hello Everyone,

I deployed Horizon environment but faced a little issue. now can connect admin users via horizon client. but can't connect domain users via horizon client. attached error screenshot. Error messege: "Authentication Failed" on horizon client

Please help to resolve this. Thank you. 🙂

PS: domain users can log in to virtual machines. 

Thank you.

 

 

 

 

Reply
0 Kudos
1 Solution

Accepted Solutions
Zaluudai
Contributor
Contributor
Jump to solution

Hi,

This problem solved that we configured according to vmware kb.

https://kb.vmware.com/s/article/2021808

Thank you.

 

View solution in original post

10 Replies
mrkasius
Hot Shot
Hot Shot
Jump to solution

Hi @Zaluudai ,

Are the users entitled to the specific desktop pool?

Reply
0 Kudos
Zaluudai
Contributor
Contributor
Jump to solution

Hi Mrkasius.

Thanks for reply,

Desktop pool is entitled to all users.

Is there any configuration or permission for domain users to use horizon client? 

Thank you again.

Reply
0 Kudos
mrkasius
Hot Shot
Hot Shot
Jump to solution

Hi Zaluudai, 

Normally desktop pool entitlement is ok. Have you tried it from multiple different clients?

Reply
0 Kudos
Zaluudai
Contributor
Contributor
Jump to solution

Hi Mrkasius,

Yes, we tried different clients. Do we need to configure specific permission on AD? 

Reply
0 Kudos
Zaluudai
Contributor
Contributor
Jump to solution

Hi,

This problem solved that we configured according to vmware kb.

https://kb.vmware.com/s/article/2021808

Thank you.

 

ASchoenbeck
Contributor
Contributor
Jump to solution

Hello, wie faced the same error and the article is now offline.

Reply
0 Kudos
Anto1le
Contributor
Contributor
Jump to solution

Hello Guys,

We are also facing this problem. it begun last week with only horizon client and then now web client is also impacted. 

We are connecting to horizon from workspace one access

OS affected is win10 with Feb Updates, 

any kind of browser chromium based or Firefox.

we also try different client version.

It looks like the saml artifact and connection info cannot be forwarded anymore from Workspace One Access web page to the horizon client/web client despite updating site permission settings in the web browser.

I thought it was related to Computer Corporate security policies being pushed but connection from personal computer are also affected now.

We have a SR open with the support. I will let you know if we have a resolution
If any of you have idea to share or some info about the KB mentioned in the earlier post feel free to share
Many thanks,

Antoine

Reply
0 Kudos
ASchoenbeck
Contributor
Contributor
Jump to solution

Hi again,.

Maybe its another construction site but we use a loadbalancer (ssl bridge) and could connect with our Client 8.4 to our connectionserver but starting the virtual client results in the authentication failed error. With the 8.1 Client we can establish a connection to the server AND client. Whats the difference here? No hint in the logfiles.

The 2nd, but solved problem was, the connection to the html access also failed, but solved with creating the locked.properties and balancedHost entry.

https://docs.vmware.com/en/VMware-Horizon-7/7.13/horizon-installation/GUID-BFF2E726-A5EB-4105-A0EA-F...

@Anto1le maybe you could also try the 8.1 Version, just to be sure.

Thanks alot

Alex

Reply
0 Kudos
Anto1le
Contributor
Contributor
Jump to solution

Hi Alex,

The problem occurs on two pods on production for more than a year with the exact same "standard" design with LB, UAG, etc on which we haven't changed anything.

I confirm that the locked.properties is correctly set and we have tested different client version - actually the web client also facing the problem.

Are you using Workspace One Access for authentication ?

Because to us the problem come with Workspace One Access that we are using for MFA and SSO. Connection to horizon is working fine when we bypass WS1.
We expect a feedback on log analysis I will share the result as soon as I have it.

 

Reply
0 Kudos
Anto1le
Contributor
Contributor
Jump to solution

Hello,

VMware Support were able to find the root cause of the problem : time difference between the Connection Server / Domain and the Horizon Clients / Universal Clock were exceeding a 15s threshold and was causing the SAML authentication to failed

We had a NTP misconfiguration on our PDC that was causing domain members, including Horizon Connection Server to be 30s in advanced from the universal clock.

The related errors found on the Connection Server was :

2023-03-03T10:18:03.697Z ERROR (14AC-21D8) <ajp-nio-127.0.0.1-8009-exec-10> [SamlAuthFilter] (SESSION:3677_***_cee0) Problem determining assertion from SAML Auth: Assertion _afd5918839f75c001ea3a81819e330c8 is not valid before 2023-03-03T10:18:20.062Z. Too early by 1365 milliseconds (including 15000 ms leeway)

Fixing the NTP misconfiguration and synchronization with the Universal clock resolved the problem.

Reply
0 Kudos