Hello,
we are currently evaluating Horizon Workspace. We are trying to get SSO working for our AD users. What we did so far:
* Joined connector VA to the domain
* Enabled Windows Authentication on the connector VA
* Added connector VA URL FQDN to Local Intranet Sites, checked security settings in IE
When we browse to https://fqdn-of-connector-va the user is authenticated without problems, but when browsing to https://workspace-fqdn the login screen appears.
Analyzing the Connector VA logs shows the following for the working scenario:
2013-06-04 15:02:23,317 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/, used/total/max(MB):56,487,2666
2013-06-04 15:02:23,321 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):56,487,2666
2013-06-04 15:02:23,324 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: null
2013-06-04 15:02:23,324 INFO : com.vmware.horizon.connector.controller.AuthenticateController - Authorization header null. Initiating SPNEGO by responding 401 w/ header: WWW-Authenticate:NEGOTIATE
2013-06-04 15:02:23,628 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):56,487,2666
2013-06-04 15:02:23,631 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: null
2013-06-04 15:02:23,631 INFO : com.vmware.horizon.connector.controller.AuthenticateController - AuthWithoutNego:YIIIFgYGKwYBBQUCoIIICjCCCAagMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYK
2013-06-04 15:02:23,641 INFO : com.vmware.horizon.auth.ntlm.WindowsAuthServiceImpl - Authenticated username:9793
2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.AuthenticateController - Authentication SUCCESS: 9793
2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 2: null
2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.IdPInitiatedSSOController - samlRequestInfo: null
2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.IdPInitiatedSSOController - acsUrl is missing; using acsUrl from state: https://FQDN/SAAS/API/1.0/POST/federate?identityProvider=HorizonConnector__1
2013-06-04 15:02:23,641 INFO : com.vmware.horizon.directory.ldap.LdapDirectoryService - Attribute lookup: 9793 - BEGIN
2013-06-04 15:02:28,654 INFO : com.vmware.horizon.directory.ldap.LdapDirectoryService - Attribute lookup: 9793 - SUCCESS
2013-06-04 15:02:28,654 INFO : com.vmware.horizon.connector.controller.IdPInitiatedSSOController - samlAttributeNames for 9793: [userPrincipalName, lastName, phone, email, userName, firstName, disabled, ExternalId]
And here is what happens when surfing to the Workspace FQDN:
2013-06-04 14:59:41,382 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):54,487,2666
2013-06-04 14:59:41,391 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: SamlRequestInfo[acsUrl=https://FQDN/SAAS/auth/saml/response,relayState={"idpId":1,"dest":"https://FQDN:443/web"},nameId=<null>]
2013-06-04 14:59:41,391 INFO : com.vmware.horizon.connector.controller.AuthenticateController - Authorization header null. Initiating SPNEGO by responding 401 w/ header: WWW-Authenticate:NEGOTIATE
2013-06-04 14:59:41,402 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):54,487,2666
2013-06-04 14:59:41,410 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: SamlRequestInfo[acsUrl=https://FQDN/SAAS/auth/saml/response,relayState={"idpId":1,"dest":"https://FQDN:443/web"},nameId=<null>]
2013-06-04 14:59:41,410 INFO : com.vmware.horizon.connector.controller.AuthenticateController - AuthWithoutNego:TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==
2013-06-04 14:59:41,410 INFO : com.vmware.horizon.connector.controller.AuthenticateController - NTLM tokens cannot be used for authentication. Redirecting to login page.
2013-06-04 14:59:41,457 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/login/, used/total/max(MB):55,487,2666
In that case NTLM authentication is used, which is not working.
Is that by design?
Regards
Carsten
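The two AuthWithoutNego values quoted above already tell you which mechanism the browser sent: a token beginning with "YII" is a GSS-API/SPNEGO blob (DER tag 0x60 followed by the SPNEGO OID 1.3.6.1.5.5.2), while "TlRMTVNT" is "NTLMSSP" in base64, a raw NTLM message the connector rejects. The script below is an added example, not part of this thread or of Horizon Workspace; it classifies the tokens from constructed sample log lines (the SPNEGO token is cut to the first 64 characters shown in the post) and lists the timestamps at which the browser fell back to NTLM.

```python
import base64
import re
import struct

# Constructed sample: the two AuthWithoutNego lines from the connector log in this
# thread (the SPNEGO token is cut to its first 64 base64 characters; the NTLM one is whole).
SAMPLE_LOG = """\
2013-06-04 15:02:23,631 INFO : com.vmware.horizon.connector.controller.AuthenticateController - AuthWithoutNego:YIIIFgYGKwYBBQUCoIIICjCCCAagMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYK
2013-06-04 14:59:41,410 INFO : com.vmware.horizon.connector.controller.AuthenticateController - AuthWithoutNego:TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==
"""

SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2 (Kerberos V5)
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
TOKEN_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) .*AuthWithoutNego:(\S+)$")


def classify_token(b64):
    """Name the mechanism a base64 Negotiate token carries, from its leading bytes only."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate truncated tokens
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]    # NTLM MessageType, little-endian
        return "NTLM " + NTLM_TYPES.get(msg_type, "type %d" % msg_type)
    if raw[:1] == b"\x60":                                # GSS-API InitialContextToken
        # step over the DER length (short or long form) to reach the mechanism OID
        i = 2 if raw[1] < 0x80 else 2 + (raw[1] & 0x7F)
        if raw[i:i + 2] == b"\x06\x06" and raw[i + 2:i + 8] == SPNEGO_OID:
            return "SPNEGO"
        if raw[i:i + 2] == b"\x06\x09" and raw[i + 2:i + 11] == KRB5_OID:
            return "Kerberos"
    return "unknown"


def scan_log(text):
    """Return (timestamp, mechanism) for every AuthWithoutNego line in the log text."""
    found = []
    for line in text.splitlines():
        m = TOKEN_RE.match(line)
        if m:
            found.append((m.group(1), classify_token(m.group(2))))
    return found


def ntlm_fallbacks(text):
    """Timestamps at which the browser sent NTLM instead of SPNEGO/Kerberos; each one is a
    request the connector bounces to the login page, as the second log excerpt shows."""
    return [ts for ts, mech in scan_log(text) if mech.startswith("NTLM")]


if __name__ == "__main__":
    for ts, mech in scan_log(SAMPLE_LOG):
        print(ts, mech)
    print("NTLM fallbacks:", ntlm_fallbacks(SAMPLE_LOG))
```

Run it against a full connector log (or a tail -f feed piped through it) to see whether NTLM fallbacks line up with requests that arrived via the Workspace FQDN rather than the connector FQDN.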
Do you have only one connector in your system? If this is the default connector, its IDP URL is set to the Horizon Workspace FQDN. Hence, if you go from Horizon Workspace FQDN, Kerberos Auth will not work.
Can you try the following?
In the connector admin UI, click on Identity Provider on left side navigation, change the URL to Connector's FQDN.
If you want to support two forms of auth - kerberos for internal users, Username/password for external users etc, you will then need to install an additional connector. Please see the installation guide for more information on adding a new connector.
Yes, that was the cause. After changing the URL to the connector's FQDN it was working. I added a second connector for two forms of authentication as described in the guide. It is working now, although there were some problems activating the new connector. We are using certificates from our Enterprise CA, and a newly deployed connector does not have it in its keystore. I guess that is because the snapshot is from BEFORE we added the CA certs ;-). I manually activated the connector VA and it works.
I am seeing the following error in the connector log of our Kerberos-enabled connector:
2013-06-05 08:43:08,950 ERROR: com.vmware.horizon.connector.mvc.C2ExceptionResolver - Exception caught in C2ExceptionResolver. (org.apache.catalina.connector.ClientAbortException )
ClientAbortException: java.net.SocketException: Connection reset
at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:330)
at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:296)
at org.apache.catalina.connector.CoyoteOutputStream.flush(CoyoteOutputStream.java:98)
at org.springframework.util.FileCopyUtils.copy(FileCopyUtils.java:116)
at org.springframework.web.servlet.resource.ResourceHttpRequestHandler.writeContent(ResourceHttpRequestHandler.java:210)
at org.springframework.web.servlet.resource.ResourceHttpRequestHandler.handleRequest(ResourceHttpRequestHandler.java:135)
at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:49)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.vmware.horizon.connector.mvc.FlashScopeFilter.doFilterInternal(FlashScopeFilter.java:40)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:163)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:409)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.net.SocketException: Connection reset
at java.net.SocketOutputStream.socketWrite(Unknown Source)
at java.net.SocketOutputStream.write(Unknown Source)
at com.sun.net.ssl.internal.ssl.OutputRecord.writeBuffer(Unknown Source)
at com.sun.net.ssl.internal.ssl.OutputRecord.write(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecordInternal(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:756)
at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:448)
at org.apache.coyote.http11.InternalOutputBuffer.flush(InternalOutputBuffer.java:318)
at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:985)
at org.apache.coyote.Response.action(Response.java:183)
at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:325)
... 39 more
Do you have any clues?
Would you be able to tail -f the log while operating the system, to figure out when exactly this error kicks in?
Dear Sir or Madam,
I am out of the office on 12.06.2013. I do receive your e-mail but cannot process it. In urgent cases please contact our technical hotline, which can be reached at 0611 26244303.
Kind regards
Carsten Buchberger