Hi

We've been struggling with this error message for weeks, and need to restart the Horizon Connection server on a daily basis to allow users to open their desktops.

The full error the user sees is: 

This horizon server expects to get your login credentials from another server. Not directly through the client's login screen. If you are using horizon from another application please use that application.

The connection server logs show errors relating to global catalog and SAML:

2022-10-28T08:11:29.404+01:00 ERROR (1524-12A8) <MessageFrameWorkDispatch> [ws_winauth] Failed to bind to GC: (SUCCEEDED)

2022-10-28T08:33:46.621+01:00 DEBUG (1524-183C) <ajp-nio-127.0.0.1-8009-exec-3> [ProperoAuthFilter] (SESSION:feea_***_8ba6) UPN optimization flow. Failed to find user using WinAuthAdAdapter. CsUpns = [user@domain.com], Exception = Failed to retrieve user information for the users with given upns: Failed to obtain sid for user - sid not available - ErrorCode = 1

All the users reside in our 'parent' domain, however we have several subdomains that we don't have Horizon users in, and don't want to have any network connectivity to for security reasons, and so have added those to the exclusion list and search exclusion list using the vdmadmin command. We also implemented a registry entry to prevent recursive queries.

It seems as though Horizon is trying to communicate with those subdomains still. I can see traffic on our firewall on port 3268 from the Horizon connection server to the DCs of the subdomains around the same time of the above error.

I already have a case open with VMware support but it's taking a while to resolve, so I'm hoping the community may have some ideas.

We're using Horizon 8.6.0 build 20099816 version 2206, Workspace One Access 21.08.0.1, and Identity Manager Connector 19.3.0.0

Cheers