VMware Horizon Community
khaydin
Contributor

TrueSSO not working

I'm doing a POC of VMware Horizon 8 and we're trying to get TrueSSO set up with Okta as the IdP. When the UAG is set to SAML and Passthrough, the Okta SAML part works fine and it then prompts for credentials, so that part of the login process works fine. It's when I change the UAGs over to SAML authentication only that things stop working. When you try to go in through the Okta app or the Horizon Client, it successfully authenticates with Okta and, in the case of the Horizon Client, passes back to the Horizon Client, but then fails on the TrueSSO part.

I went through the TrueSSO setup guide and the TrueSSO + Okta SAML guides. I've also used the fling for troubleshooting TrueSSO, but the error that I get when performing an enrollment test does not help very much in diagnosing the issue. The issue seems to be something to do with my CA, but I don't even know where to start in diagnosing this. I've googled the error and someone on Reddit had the same issue, but no resolution was ever posted.

As this is a POC, it is a trial and VMware support isn't an option. I've attached some pictures. The Horizon Client error is after Okta sends me back to the Horizon Client. The other picture shows the output of the Enrollment Server fling running the enrollment test: it's failing to get a cert from my CA, but the reason is pretty generic.


Accepted Solutions
khaydin
Contributor

I did resolve this issue. Here is a line in a debug log from a Connection Server that led me in the right direction:

com.vmware.vdi.broker.filters.FatalAuthException: SAMLAuth: Error instantiating PAEContext for myuser@MYDOMAIN1.com: com.vmware.vdi.adamwrapper.ad.NoTrustAuthException: Failed to find user for SAML/Certificate authentication

Basically, my issue was that during our migration to Microsoft 365 we had to add a UPN suffix to all mail-enabled users and change them over to the new UPN suffix. This was because our internal domain and external domain didn't match. The external domain matched our email addresses.

I originally set up the Okta SAML app to use the OKTA username (as the documentation suggested), which would send the username in the format indicated in the log above. I changed the OKTA SAML app to send the EMAIL ADDRESS instead, which sends it in the format myuser@MYDOMAIN2.com, which matched what my UPN was actually set to.

After doing this my TrueSSO worked and I was able to get into my desktop. 

The biggest thing I can recommend to anyone troubleshooting a similar issue is to put all your Horizon servers into a higher logging level, then open each log in Notepad++ and try the login again. After it fails, examine the logs for any new lines.

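One way to confirm this kind of NameID/UPN mismatch from the log line before changing anything on the IdP, as an added example that is not code from the thread or from VMware: pull the identity out of the `PAEContext for ...` message, look it up in AD by UPN, and if nothing matches, report the user's real UPN and whether the suffix Okta sent is even registered in the forest. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the function name is hypothetical.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module
# and a session authenticated to the domain (assumption).
Import-Module ActiveDirectory

function Test-TrueSsoNameId {
    param(
        # The FatalAuthException line copied from the Connection Server debug log
        [Parameter(Mandatory)][string]$LogLine
    )
    # Extract the identity Horizon tried to resolve, e.g. myuser@MYDOMAIN1.com
    if (-not ($LogLine -match 'PAEContext for (?<id>[^:\s]+):')) {
        throw "No 'PAEContext for <identity>:' fragment found in the supplied log line"
    }
    $nameId = $Matches['id']
    $user, $suffix = $nameId -split '@', 2          # $suffix is $null if no '@' was sent
    $safeId = $nameId -replace "'", "''"             # quote for the AD filter string

    # Suffixes a UPN can legitimately carry: forest domain names plus registered alternates
    $forest = Get-ADForest
    $validSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)

    # Exact UPN match is what the SAML/certificate lookup needs
    $byUpn = Get-ADUser -Filter "UserPrincipalName -eq '$safeId'" -ErrorAction SilentlyContinue
    if ($byUpn) {
        return [pscustomobject]@{ NameId = $nameId; Result = 'OK'; ActualUPN = $byUpn.UserPrincipalName }
    }

    # No UPN match: check whether the left-hand part is a real account with a different suffix
    $safeUser = $user -replace "'", "''"
    $bySam = Get-ADUser -Filter "SamAccountName -eq '$safeUser'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NameId           = $nameId
        Result           = 'MISMATCH'
        SuffixRegistered = [bool]($validSuffixes -contains $suffix)
        ActualUPN        = if ($bySam) { $bySam.UserPrincipalName } else { '<no account with that sAMAccountName>' }
        Hint             = 'Send ActualUPN as the SAML NameID (e.g. the mail attribute when the UPN suffix is the mail domain)'
    }
}

# Paste the line from the Connection Server log (the one quoted in this thread)
Test-TrueSsoNameId -LogLine 'com.vmware.vdi.broker.filters.FatalAuthException: SAMLAuth: Error instantiating PAEContext for myuser@MYDOMAIN1.com: com.vmware.vdi.adamwrapper.ad.NoTrustAuthException: Failed to find user for SAML/Certificate authentication'
```

A `MISMATCH` with `SuffixRegistered = $false` means the IdP is sending a suffix the forest does not know at all; with `$true` it means the account exists but its UPN uses a different registered suffix, which is the situation in this thread.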
Mickeybyte
Hot Shot

@khaydin 

It looks like it fails on requesting the certificate for the user. Can you try the following command: 

es_diag.exe /ListEnvironment

This will show you the CA and the certificate templates you've configured and if they are valid or not.
Regards,
Mickeybyte (ITPro blog)
khaydin
Contributor

I figured that part out; the issue was how I was inputting my username into the command. I think I was doing domain.com\username, and when I changed it to domain\username it worked fine. Once that was sorted out, it did successfully request a certificate. That still wasn't the actual problem, but I also resolved that, so I will post that separately from this reply.
