Recently I got my connection server (and agent) updated to 7.13.2 from 7.13, and the UAG for this VDI has also been updated to 21.11.2 together.
Note that only one UAG is utilized in my VDI environment.
Not sure which part goes wrong... I discovered that if I create new AD domain users to access virtual desktops, they will be kicked while signing in. However, the old/existing AD user accounts can still access virtual desktops.
The clues I find in the UAG logs are listed below:
"Tunnel connection closed (if any). Invalidating the session"
"Session bab3-***-0c66-***-72f6-***-7a66 marked unauthenticated"
"backend channel is closed"
"Sending not authenticated response for set-user-global-preferences request."
"Sending not authenticated response for do-logout request."
Just checked that the HTTP secure tunnel, PCoIP secure gateway and Blast secure gateway are all disabled on the connection server.
It's quite confusing. Would it be issues between AD & UAG or AD & connection server?
Can anyone provide some hints please?
I use only the Horizon Client to access virtual desktops. Do you mean the diagnostic log files (support bundle) from Horizon Client?
My VDI environment is under an AD domain and only the "user name" (before the "@") is keyed in to log in.
However, I tried to log in to Horizon Client using UPN but the issues (that I mentioned) are still there: the AD account is able to log in and see the pool, but launching desktops would fail during the "welcome" screen of Windows.
Can you access the virtual desktops directly from the connection server?
Yes, only the existing (old) AD accounts can access desktops, via both the UAG and the connection server.
However, the newly created AD accounts just can't. They'll be logged out while launching the desktop.
It's not a UAG issue, which is why I asked; really the only authentication done via a UAG is RADIUS, if you have that enabled, for the most part. Can you try and create a user that you can log directly into the connection server with and see if that works? Horizon uses integrated authentication for the logins, meaning it logs people in through the underlying OS, which is why you don't need to set up any authentication sources. So we should see if you can even log on to the OS. The other thing I'm wondering is if there is a trust issue with the desktops, or maybe some sort of time issue causing an out-of-sync issue.
Guys, thanks for helping me.
Eventually I solved this problem by using a new golden image of Windows 10.
So I concluded that the issue was caused by misconfigured settings within Windows 10; it was not due to Active Directory.