VMware Horizon Community
jrhaakenson
Enthusiast

Horizon Smart Card Authentication through UAG not Prompting for Smart Card Credentials

I have smart card authentication enabled and set to Optional on my Horizon Connection Server (CS). When I use a client (i.e. Horizon Client or Zero Client) to connect directly to my Horizon CS, I properly receive the certificate and subsequent PIN prompts. However, when I use the Horizon Client to connect to my VMware Unified Access Gateway (UAG), I receive the initial UAG certificate and PIN prompt (X.509 Certificate authentication), but then during the Horizon CS user authentication stage I am defaulted to username/password. How can I get the Horizon CS user authentication to prompt for smart card credentials when going through the UAG? I have been reading a lot on configuring SAML and TrueSSO between the UAG and Horizon CS, but is this the only solution? Is there a simpler solution? After all, the direct client connection to the Horizon CS prompts for smart card credentials properly, just not when the UAG is establishing the connection.


Accepted Solutions
yqowen
VMware Employee

Yes, SAML configuration is needed to make sure you do smartcard authentication with UAG and then SSO to Horizon CS.

Please follow docs https://docs.vmware.com/en/Unified-Access-Gateway/2309/uag-deploy-config/GUID-A311FD9F-29D2-4FB5-AEF... and https://docs.vmware.com/en/Unified-Access-Gateway/2309/uag-deploy-config/GUID-2A689F41-0A6A-4F41-A89... to configure the SAML between UAG and CS.

How can I get the Horizon CS user authentication to prompt for smart card credentials when going through the UAG?

No - we can't support that because with TLS mutual auth, there can't be any intermediate TLS termination between client and server. So when Smart Card is configured on CS, there can't be any TLS termination (UAG) between the client and CS.

jrhaakenson
Enthusiast

Thank you for the response. Understood: when using a UAG, smart card authentication with the Horizon Connection Server can only be configured by setting up SAML and TrueSSO to pass through the authenticated smart card credentials from the UAG logon to the Horizon Connection Server automatically. There is no option to receive a second smart card certificate prompt during the Horizon Connection Server user logon phase when going through a UAG, despite smart card authentication working with a direct connection from a client to the Horizon Connection Server (minus a UAG). Good information to know. Unfortunately, my environment is not fully configured for smart card logon, and users have multiple accounts that require a mixture of smart card and username/password authentication with our Horizon server. So when using the UAG, all will need to authenticate with the Horizon Connection Server via username/password.

yqowen
VMware Employee

@jrhaakenson wrote:

Unfortunately my environment is not fully configured for smart card logon and users have multiple accounts that require a mixture of smart card and username/password authentication with our Horizon server. So when using the UAG all will need to authenticate with the Horizon Connection server via username/password.


I understand that you've configured the connection server to allow optional smart card authentication because some users have smart cards, while others prefer using their AD username and password. With UAG, you can configure this by setting the Auth Methods to "X.509 Certificate or Passthrough" and implementing SAML for smart card SSO. This configuration means that if a user has a smart card, they will be prompted for their smart card PIN when connecting to UAG; upon acceptance, they'll proceed with smart card SSO to the connection server. If a user doesn't have a smart card, authentication will pass through directly to the connection server, where they'll be prompted for their AD username and password.

Which means UAG also supports optional smart card authentication. Hope this will help.
