we've set up our workspace environment to support internal logins with Kerberos SSO, and external Logins with Username/Password. That means we have 2 connectors, one with Windows Authentication enabled (the internal one) and one without Windows Authentication.
We did set up the identity providers as described in the documentation (IdP Discovery) The internal conector is the first one, and we defined the IP-Adress ranges from our corporate network. The external connector matches all possible IPs and is the second in the list.
As long as we connect from internal clients everything is fine. When we connect to the Workspace FQDN by browser from an external client, the user gets a Login-Page, can login and access WebApplications and/or View Desktops without entering the password again. External client means that this client is a corporate notebook which is not connected to the corporate network.
Problems occur if the Workspace client on that notebook is connected to the Worskpace FQDN. Then it is not possible to open the Workspace FQDN with Internet Explorer. We get a "page cannot be displayed". When looking at the logfiles it seems as those request are getting redirected to the INTERNAL connector which tries to to Kerberos Authentication. We are able to login if we use the URL https://WORKSPACE-FQDN/hc/login . It is possible to access files that way, but SSO with either Webapps or View Desktops are not working.
After closing Workspace Client and restarting the browser, everything is working as expected.
Any ideas ?
It probably has nothing to do with the client. Tonight i did connect from a pc at home (no Connection to Enterprise network, Not Connected to domain, etc) when browsing to the workspace fqdn, a Login Box appears in Internet explorer, if i cancel it, i get directed to the Login Screen . Seems like Routing to the connector va is not working correctly