VMware Workspace ONE Community
phildone
Contributor

Workspace ONE Access Horizon integration: Group entitled apps are not launched from Unified App Catalog

Issue: Workspace ONE Access Horizon integration: Group entitled apps are not launched from the unified app catalog

Description: Post integration, we noticed the app launch error only if the applications are entitled against the AD groups in the Horizon console. If we assign the Horizon app/desktop against the individual user account, we are able to launch the application successfully from the unified catalog without any issues.

Connection server log snippet attached:

2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ServletRequestHandler] (SESSION:b102_***_d6d4) Processing request HorizonConnectionServer/Request27357

2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ProperoAuthFilter] (SESSION:b102_***_d6d4) Attempting to authenticate against saml

2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ProperoAuthFilter] (SESSION:b102_***_d6d4) Not authenticated, requesting login page for saml

2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [AuthorizationFilter] (SESSION:b102_***_d6d4) paeCtx == null, forwarding to login page: /broker/xml

2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [AuthorizationFilter] (SESSION:b102_***_d6d4) HTTP session ID old value: FF83-***-818D, new value: CB62-***-83D8 for b102_***_d6d4

2020-07-31T10:24:08.446+02:00 DEBUG (1F00-23FC) <AJP-96> [SimpleAJPService] (ajp:broker:Request27357) Response 403 Forbidden

2020-07-31T10:24:12.164+02:00 DEBUG (1F00-21DC) <HTTPS Connection Processor> [Processor] Accepted connection on port 443 from /10.127.176.10, port:42212

2020-07-31T10:24:12.166+02:00 DEBUG (1F00-1D24) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=getCertificateChain, ok=1, msecs=0

2020-07-31T10:24:12.166+02:00 DEBUG (1F00-0E78) <pool-3-thread-2> [KeyVaultBinaryUtils] (NetHandler) Removing root certificate from chain

2020-07-31T10:24:12.168+02:00 DEBUG (1F00-0F74) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=getCertificateKey, ok=1, msecs=0

2020-07-31T10:24:12.169+02:00 DEBUG (1F00-2648) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=getCertificateChain, ok=1, msecs=0

2020-07-31T10:24:12.170+02:00 DEBUG (1F00-0E78) <pool-3-thread-2> [KeyVaultBinaryUtils] (NetHandler) Removing root certificate from chain

2020-07-31T10:24:12.171+02:00 DEBUG (1F00-1FF4) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=getCertificateKey, ok=1, msecs=16

2020-07-31T10:24:12.196+02:00 DEBUG (1F00-1ED0) <HandshakeCompletedNotify-Thread> [PooledProcessor] Using secure protocol TLSv1.2 and cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

2020-07-31T10:24:12.213+02:00 DEBUG (1F00-08D8) <SimpleDeamonThread> [SimpleAJPService] (ajp:broker:Request27358) Request from /10.127.176.10: GET /broker/xml

2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ServletRequestHandler] (SESSION:9509_***_a3d8) Processing request HorizonConnectionServe/Request27358

2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ProperoAuthFilter] (SESSION:9509_***_a3d8) Attempting to authenticate against saml

2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ProperoAuthFilter] (SESSION:9509_***_a3d8) Not authenticated, requesting login page for saml

2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [AuthorizationFilter] (SESSION:9509_***_a3d8) paeCtx == null, forwarding to login page: /broker/xml

2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [AuthorizationFilter] (SESSION:9509_***_a3d8) HTTP session ID old value: F091-***-5152, new value: 8C98-***-159B for 9509_***_a3d8

2020-07-31T10:24:12.214+02:00 DEBUG (1F00-0434) <AJP-66> [SimpleAJPService] (ajp:broker:Request27358) Response 403 Forbidden

Captured SAML tracer – it reports HTTP 200 OK and all SAML parameters are the same in the working (user entitlement) and non-working (group entitlement) scenarios.

VMware Horizon - 7.12 (15770369)

VMware UAG - 3.8

Workspace ONE Access - 20.01.0.0 (15509389)

Thanks
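
Added example, not part of the original post or of any VMware tooling: a small Python script that correlates the Connection Server debug lines above by session and request ID and lists the requests that the SAML filter left unauthenticated and the broker answered with 403. The function names and the line-format regexes are assumptions derived only from the excerpt in this post.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (abridged; session IDs were redacted by the poster).
SAMPLE = """\
2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ServletRequestHandler] (SESSION:b102_***_d6d4) Processing request HorizonConnectionServer/Request27357
2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ProperoAuthFilter] (SESSION:b102_***_d6d4) Not authenticated, requesting login page for saml
2020-07-31T10:24:08.446+02:00 DEBUG (1F00-23FC) <AJP-96> [SimpleAJPService] (ajp:broker:Request27357) Response 403 Forbidden
2020-07-31T10:24:12.213+02:00 DEBUG (1F00-08D8) <SimpleDeamonThread> [SimpleAJPService] (ajp:broker:Request27358) Request from /10.127.176.10: GET /broker/xml
2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ServletRequestHandler] (SESSION:9509_***_a3d8) Processing request HorizonConnectionServe/Request27358
2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ProperoAuthFilter] (SESSION:9509_***_a3d8) Not authenticated, requesting login page for saml
2020-07-31T10:24:12.214+02:00 DEBUG (1F00-0434) <AJP-66> [SimpleAJPService] (ajp:broker:Request27358) Response 403 Forbidden
"""

LINE = re.compile(r"^\S+ +\w+ +\([^)]*\) +<[^>]*> +\[([^\]]+)\] +(.*)$", re.M)
SESSION = re.compile(r"\(SESSION:([^)]+)\)")
PROCESSING = re.compile(r"Processing request \S+/(Request\d+)")
AJP = re.compile(r"\(ajp:broker:(Request\d+)\) (?:Request from /(\S+): |Response (\d{3}))")

def correlate(log_text):
    """Join filter lines (keyed by SESSION) to AJP lines (keyed by request ID)."""
    by_session = {}
    reqs = defaultdict(lambda: {"session": None, "client": None,
                                "saml_unauthenticated": False, "status": None})
    for component, msg in LINE.findall(log_text):
        ajp = AJP.search(msg)
        if ajp:  # AJP front-end line: carries the client address or the final HTTP status
            rid, client, status = ajp.groups()
            reqs[rid]["client"] = client or reqs[rid]["client"]
            reqs[rid]["status"] = int(status) if status else reqs[rid]["status"]
            continue
        s = SESSION.search(msg)
        if not s:
            continue
        p = PROCESSING.search(msg)
        if p:  # the only line that names both the session and the request
            by_session[s.group(1)] = p.group(1)
            reqs[p.group(1)]["session"] = s.group(1)
        rid = by_session.get(s.group(1))
        if rid and component == "ProperoAuthFilter" and "Not authenticated" in msg:
            reqs[rid]["saml_unauthenticated"] = True
    return dict(reqs)

def rejected_saml_requests(log_text):
    """Request IDs where the SAML filter saw no authenticated user and the broker returned 403."""
    return sorted(rid for rid, r in correlate(log_text).items()
                  if r["saml_unauthenticated"] and r["status"] == 403)

if __name__ == "__main__":
    print(rejected_saml_requests(SAMPLE))
```

Running the same correlation over a log captured during a working (user-entitled) launch gives a side-by-side view of where the two request paths differ.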

pbjork
VMware Employee

Have you tried synchronising the groups used for Horizon entitlement into your Access environment? If not, it would be interesting to see if having the same groups in Access would solve your problem.

phildone
Contributor

Hi pbjork,

Yes, we have synchronized the groups and the users are showing up correctly. The current issue right now is that when we add entitlements on the Horizon side to an AD group and the user tries to access their resource, they receive the following error message:

Error:

'cn=rdsh-002-test-sitexxx-pod1,ou=applications,dc=vdi,dc=vmware,dc=int' is not in the entitled list.

We are still looking at a potential attribute issue.

Thanks.

pbjork
VMware Employee

Just to make sure: before you try to launch a new entitlement, Access has synced with both AD and Horizon, right?

phildone
Contributor

Yes, we have.

phildone
Contributor

This issue turned out to be related to the test accounts having restricted permissions.

vishuchandol
VMware Employee

Hey Phildone, could you please tell us what changes you have made to the group/account regarding the permission issues?
