Hello,
we are currently evaluating Horizon Workspace. We are trying to get SSO working for our AD-Users. What we did so far
* Joined connector VA to the Domain
* Enabled Windows Authentication on the connector VA
* Added Connector VA URL FQDN to Local Intranet Sites, checked securty settings in IE
When we browse to https://fqdn-of-connector-va the user is authenticated without problems, but when browsing to https://workspace-fqdn the login screen appears.
Analyzing the Connector VA logs shows the following for the working scenario
2013-06-04 15:02:23,317 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/, used/total/max(MB):56,487,2666
2013-06-04 15:02:23,321 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):56,487,2666
2013-06-04 15:02:23,324 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: null
2013-06-04 15:02:23,324 INFO : com.vmware.horizon.connector.controller.AuthenticateController - Authorization header null. Initiating SPNEGO by responding 401 w/ header: WWW-Au
thenticate:NEGOTIATE
2013-06-04 15:02:23,628 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):56,487,2666
2013-06-04 15:02:23,631 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: null
2013-06-04 15:02:23,631 INFO : com.vmware.horizon.connector.controller.AuthenticateController - AuthWithoutNego:YIIIFgYGKwYBBQUCoIIICjCCCAagMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYK
KwYBBAGCNwICHgYKKwYBBAGCNwICCqKCB9AEggfMYIIHyAYJKoZIhvcSAQICAQBugge3MIIHs6ADAgEFoQMCAQ6iBwMFACAAAACjggZBYYIGPTCCBjmgAwIBBaEMGwpXSVRDT00uTkVUoikwJ6ADAgECoSAwHhsESFRUUBsWaC1jb25u
LXZhMDEud2l0Y29tLm5ldKOCBfcwggXzoAMCARehAwIBAqKCBeUEggXh5ThMi+tcL78Rpd9ANLdVQs6VqffxDfsJM0JKUhsoEQC6ErttZxafWBmmy1znDE/CpY/rwwu/AlOObeJ+Ii9gWQVUk8ezAgdThCfcyqwFquqCXZ77/HhZogCR
CtIbaT1ZRonQ+mnPuq4leaXYi+HeHVYrY0gLTVR0nW57JySrDjbaRrqidgoB65sKsvZ2E4Qfqeor+NXFz8RVhG32ABNnVrorpNYtO+0cOm+ZXQ+wImIdFhcf7FcgSK/J8YKcQTIkydfS4s8u9JDIqn7huM+YPhdDHtChBUUaVTe9Blz/
1sNFSN4IA2OOoQ9nqqGXeNVzMaAYnmYuJD2Bao8QbhtBvdJNiTd7Tlnjg4HoYC1D3pdDGMSwiTRJFhGfu+4El+rZe+Yha6n7A4UiycAnar28NVb2y7O3lQmwUFfs3WvsK7i19axEJv+KhhFcZt3MJZV3QNlikWYRZJ7wwzfRDRc+BVzv
Ov5xQc9ujs7YEjbwNVVwgjZRRlOAd0i9RFabfBaao88wkOveHG365pFH1IAHOVzmXPedO/+cF/pRDC4ccoMudx6nGlAY4ua9xaqx9P5ijzWMxwx62wCoEkdfiMzTlfmdvlJT3hT9x5SeQu9ljt4bEWUbDnQo06IUxTiiRgMBkNYBL6VH
o829U13KzpV/Z0202vimKvYboU2tNohBx6IFzWDert3PhktvUBT5i21vKR81fvVNc55FmmZWTceyL8wGv6p7lI0ajd0TH712UWz7J20C6D6CcT2UODQAKNgSM9EAx9AbqmrNyhRfZPa/dOBBUNWTg7bHCQ/GPL5h3UQH5lo47v25qD+y
DwI0sMikL7da7+Sx+mg04wSM595OLMkt7dGdVusOr/yjkZG14Ta19DJ4VuWn2pR+JM+3fpxSzMFVva9XHgmZwt2CuYuMqq+fSc8MBI/uT6Y7maoqPvWAN3seZxe2Tp0+jny6NoC/7K/91jyHORJ6dDSO15QNZd4WNdvl/GHc70XZNPPR
VUsUsaVeJ7e80hgCeKQxyT10vhcad1tfcSvbieDbKEcRcoCreq30vNFWkDqHt8cKrC2pv62igkJuAvpsFwROfIo483dbfob3qR0c20i+ICLC0xQw5BGJ3YO8/18GARn/ucsUtb3rBgzOZzFISlfJqZgegtR4FAyjnT77PZvRqQju1T4P
EbaCW1nU0WsguCLldrpbAI69hXN2dzP+Nb+ln9d15BVqLBk70HQSmPc6SjcJSCr00D86MGgldI5pgZczEJSPrGwwagkiZQGbJBUBkjB81SfrY5HmllaU6D7MF37WlCBMTPufy1h1qy4X4f3phJi9ooofHtiu3QGmqz9Hd093XyDThvd6
5s6mag+4vD+tpF0t4kcJ0ZRsinZNWdc/jO0am9ttmMj7pkMcQVAHJ33Fl8A+vZKQHA5i+tImdUhFOFZTX+JYN8yMPIUA5HqkHLCDTxcytwO7v6kRm/QNSHhWV9Z++96DZCz7xOWKdEuD15/rCFGEZEUnl+caTbFQcRGo3Xdr6evGia3d
+iFiJAbTuCIres2ylFXCe/Yfis1IDfaswUDEsbOeeROInGmRCj5ZfcE+11k1LUfNa9xPh9HFd5Abjt8fiButeDV2Xk6HM7/xjuNuhEBSo04GAJ4MHaY4Id8D00XSS+UgQeteJDOQnvu3LNYc80V2SysmXWu8zerYr6mgEuabiieBU+RW
ShryTcCxnw9jps+ZyoP2eV8dhrPWVGTOvN8Llq+O4AWp+eO0e+Yk+zjjBSJ3ZW+sFmuJ+xNmStFWdZ97cAOKFPvvwN6HOdP+2iMrWdVzhJLQaonPtJM2vt780y80VcQWRlXl9ij0tLNkyFYKfapg/LQKRvm4/lVESWi/o4H7IyWCZMUh
iPM9svYgvwNb2Xbcv6ihmgH9OM7/stSOf16OGEsbB1XzXkLgVLOQofg+vkC+3r+lHG64cqxCmgeVcDkyQtMGS0KDGpOpocpcVyFykqr27tisUCNNSYW+johjBRGkgZSkggFXMIIBU6ADAgEXooIBSgSCAUYWvQcbeNFTNyc0czVIDoFr
90AJyIrsbEAlckWB7h33tl2R9OEXauESBVChMsXNcixxCOenYCcnQK0mQ31CodyUdnvrKHp6XUUrwpD47ljGorTXz7oKc+9f0I36bMQxGuDTzmRMPUiugwgDP1t4w6qmz9a7tvSFtyY5QDAZwRDrSNzQNtmzxxEJjNzpuTFf/qruYg5f
ZfJv4owzEHX5jJ2dxgltMsktJvuDEkkiyDZLeHcseW73hxyaXOzBssb22iwrr7t5isZZMys4H8T7u5ZHSbVyPhybrm+rwx36W30rgjYO45ynYfpvVMMCSgvRlsLNlJV/0qZsh6XJ+khxKZfF18mYHmKs8H9722XKI+SzAre4P1HofVok
NXv8WHh8KLnhKQFjFIsBOBHyoXVdeA+AZoK3oas7FGReC2V/YOymebq6HL49Hw==
2013-06-04 15:02:23,641 INFO : com.vmware.horizon.auth.ntlm.WindowsAuthServiceImpl - Authenticated username:9793
2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.AuthenticateController - Authentication SUCCESS: 9793
2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 2: null
2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.IdPInitiatedSSOController - samlRequestInfo: null
2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.IdPInitiatedSSOController - acsUrl is missing; using acsUrl from state: https://FQDN/SAAS/API/1.0/POST/federate?identityProvider=HorizonConnector__1
2013-06-04 15:02:23,641 INFO : com.vmware.horizon.directory.ldap.LdapDirectoryService - Attribute lookup: 9793 - BEGIN
2013-06-04 15:02:28,654 INFO : com.vmware.horizon.directory.ldap.LdapDirectoryService - Attribute lookup: 9793 - SUCCESS
2013-06-04 15:02:28,654 INFO : com.vmware.horizon.connector.controller.IdPInitiatedSSOController - samlAttributeNames for 9793: [userPrincipalName, lastName, phone, email, user
Name, firstName, disabled, ExternalId]
And here is what happens when surfing to the Workspace FQDN
2013-06-04 14:59:41,382 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):54,487,2666
2013-06-04 14:59:41,391 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: SamlRequestInfo[acsUrl=https://FQDN/SAA
S/auth/saml/response,relayState={"idpId":1,"dest":"https://FQDN:443/web"},nameId=<null>]
2013-06-04 14:59:41,391 INFO : com.vmware.horizon.connector.controller.AuthenticateController - Authorization header null. Initiating SPNEGO by responding 401 w/ header: WWW-Au
thenticate:NEGOTIATE
2013-06-04 14:59:41,402 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):54,487,2666
2013-06-04 14:59:41,410 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: SamlRequestInfo[acsUrl=https://FQDN/SAA
S/auth/saml/response,relayState={"idpId":1,"dest":"https://FQDN:443/web"},nameId=<null>]
2013-06-04 14:59:41,410 INFO : com.vmware.horizon.connector.controller.AuthenticateController - AuthWithoutNego:TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==
2013-06-04 14:59:41,410 INFO : com.vmware.horizon.connector.controller.AuthenticateController - NTLM tokens cannot be used for authentication. Redirecting to login page.
2013-06-04 14:59:41,457 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/login/, used/total/max(MB):55,487,2666
In that case NTLM authentication is used, which is not working.
Is that by Design ?
Regards
Carsten
