Seeing this error pop up on one of my UAGs that is behind a load balancer in my DMZ. The other seems to work fine.
A reboot of the UAGs does not resolve it. Some of the posts from a Google search say a CS reboot will fix it, and it seemed to work a couple of days ago when I tried.
I guess it is starting to pop up every couple of days now.
Does anyone know what causes this?
Hi GTO455
Are you using vIDM in the environment? Or is the client connecting directly through the UAG?
Hello,
The client is connecting directly through the UAG.
Do you have SAML enabled on the connection servers, or are you using TrueSSO in the environment? Go to View admin page > Servers > Connection Servers > Edit > Authentication.
If it is enabled and set to Required or Workspace mode, users have to log in through the Workspace portal only; otherwise you will get this error. Other than that, make sure there are no certificate issues on any of the servers in the environment and that they are all in time sync.
Yes, we have SAML enabled, not TrueSSO. This is only happening on 1 UAG appliance; the other authenticates just fine. I checked the time earlier, and they are all on point, and pointing to the same NTP server.
This occurred last week too, but a reboot of the Connection servers fixed the issue.
I believe it is Connection Server related because the UAG denotes AUTH SUCCESS when a connection attempt is made. I found the following in the Connection Server log during the same login attempt.
2020-04-17T12:20:26.336-04:00 ERROR (1898-20B4) <ajp-nio-8009-exec-4> [Decrypter] (SESSION:9805_***_ab1d) Failed to decrypt EncryptedKey, valid decryption key could not be resolved
2020-04-17T12:20:26.378-04:00 ERROR (1898-20B4) <ajp-nio-8009-exec-4> [Decrypter] (SESSION:9805_***_ab1d) Error decrypting encrypted key org.opensaml.xmlsec.encryption.support.Decrypter.decryptKey(Decrypter.java:717)
Original Exception was java.security.InvalidKeyException: Unwrapping failed
If you have selected SAML authentication as Required, you may change it to "Allowed" as per: Configure a SAML Authenticator in Horizon Console
Both are set to Allowed.
Were you ever able to get this resolved?
Yes. Sorry for the late reply on this.
We have 2 UAGs and 2 Connection Servers in our environment. Both UAGs are behind a load balancer and use the same certificate for the external URL.
I was downloading the metadata from both UAGs and adding them to the Connection Servers. This was incorrect. Since it is the same certificate, the metadata was the same.
Instead, I downloaded the metadata from one UAG and gave it the name of the external URL, added it to one Connection Server, then enabled the same server metadata on the second Connection Server.
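A quick check for the situation described in this thread, added here as an example and not code from the original post or from VMware: it parses a set of exported UAG SAML metadata files and reports any X509 certificate that more than one metadata document presents, which is exactly the case when several UAGs behind a load balancer share the external certificate. The sample metadata, entity IDs and certificate bytes are constructed placeholders, not real appliance output.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# SAML 2.0 metadata and XML-DSig namespaces used by an EntityDescriptor.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def cert_fingerprints(metadata_xml: str):
    """Return (entityID, [SHA-256 fingerprints of every X509Certificate in a KeyDescriptor])."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for cert in root.iterfind(".//md:KeyDescriptor//ds:X509Certificate", NS):
        der = base64.b64decode("".join(cert.text.split()))  # strip PEM-style line wrapping
        fps.append(hashlib.sha256(der).hexdigest())
    return root.get("entityID"), fps

def find_shared_certs(metadata_docs):
    """Map fingerprint -> entityIDs (one entry per document, so identical
    metadata uploaded twice is still reported) and keep only shared certs."""
    owners = defaultdict(list)
    for doc in metadata_docs:
        entity_id, fps = cert_fingerprints(doc)
        for fp in fps:
            owners[fp].append(entity_id)
    return {fp: sorted(ids) for fp, ids in owners.items() if len(ids) > 1}

# Constructed sample: two UAGs behind the load balancer present the same
# (fake, constructed) certificate; a third appliance has its own.
SHARED_CERT = base64.b64encode(b"constructed-shared-cert-bytes").decode()
OTHER_CERT = base64.b64encode(b"constructed-other-cert-bytes").decode()

def _metadata(entity_id, cert_b64):
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        f'entityID="{entity_id}"><md:SPSSODescriptor><md:KeyDescriptor use="encryption">'
        f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>'
    )

SAMPLE_DOCS = [
    _metadata("https://uag1.example.internal", SHARED_CERT),
    _metadata("https://uag2.example.internal", SHARED_CERT),
    _metadata("https://uag3.example.internal", OTHER_CERT),
]

if __name__ == "__main__":
    for fp, ids in find_shared_certs(SAMPLE_DOCS).items():
        print(f"cert {fp[:16]}... presented by: {', '.join(ids)}")
```

Any fingerprint listed more than once is a candidate for the single shared metadata entry the final reply describes, rather than one entry per appliance.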
