Issue: Workspace ONE Access Horizon integration: group-entitled apps are not launched from the unified app catalog
Description: Post integration, we noticed the app launch error occurs only if the applications are entitled against the AD groups in the Horizon console. If we assign the Horizon app/desktop against the individual user account, we were able to launch the application successfully from the unified catalog without any issues.
Connection server log snippet attached:
2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ServletRequestHandler] (SESSION:b102_***_d6d4) Processing request HorizonConnectionServer/Request27357
2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ProperoAuthFilter] (SESSION:b102_***_d6d4) Attempting to authenticate against saml
2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ProperoAuthFilter] (SESSION:b102_***_d6d4) Not authenticated, requesting login page for saml
2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [AuthorizationFilter] (SESSION:b102_***_d6d4) paeCtx == null, forwarding to login page: /broker/xml
2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [AuthorizationFilter] (SESSION:b102_***_d6d4) HTTP session ID old value: FF83-***-818D, new value: CB62-***-83D8 for b102_***_d6d4
2020-07-31T10:24:08.446+02:00 DEBUG (1F00-23FC) <AJP-96> [SimpleAJPService] (ajp:broker:Request27357) Response 403 Forbidden
2020-07-31T10:24:12.164+02:00 DEBUG (1F00-21DC) <HTTPS Connection Processor> [Processor] Accepted connection on port 443 from /10.127.176.10, port:42212
2020-07-31T10:24:12.166+02:00 DEBUG (1F00-1D24) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=getCertificateChain, ok=1, msecs=0
2020-07-31T10:24:12.166+02:00 DEBUG (1F00-0E78) <pool-3-thread-2> [KeyVaultBinaryUtils] (NetHandler) Removing root certificate from chain
2020-07-31T10:24:12.168+02:00 DEBUG (1F00-0F74) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=getCertificateKey, ok=1, msecs=0
2020-07-31T10:24:12.169+02:00 DEBUG (1F00-2648) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=getCertificateChain, ok=1, msecs=0
2020-07-31T10:24:12.170+02:00 DEBUG (1F00-0E78) <pool-3-thread-2> [KeyVaultBinaryUtils] (NetHandler) Removing root certificate from chain
2020-07-31T10:24:12.171+02:00 DEBUG (1F00-1FF4) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=getCertificateKey, ok=1, msecs=16
2020-07-31T10:24:12.196+02:00 DEBUG (1F00-1ED0) <HandshakeCompletedNotify-Thread> [PooledProcessor] Using secure protocol TLSv1.2 and cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
2020-07-31T10:24:12.213+02:00 DEBUG (1F00-08D8) <SimpleDeamonThread> [SimpleAJPService] (ajp:broker:Request27358) Request from /10.127.176.10: GET /broker/xml
2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ServletRequestHandler] (SESSION:9509_***_a3d8) Processing request HorizonConnectionServe/Request27358
2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ProperoAuthFilter] (SESSION:9509_***_a3d8) Attempting to authenticate against saml
2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ProperoAuthFilter] (SESSION:9509_***_a3d8) Not authenticated, requesting login page for saml
2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [AuthorizationFilter] (SESSION:9509_***_a3d8) paeCtx == null, forwarding to login page: /broker/xml
2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [AuthorizationFilter] (SESSION:9509_***_a3d8) HTTP session ID old value: F091-***-5152, new value: 8C98-***-159B for 9509_***_a3d8
2020-07-31T10:24:12.214+02:00 DEBUG (1F00-0434) <AJP-66> [SimpleAJPService] (ajp:broker:Request27358) Response 403 Forbidden
Captured SAML tracer: it reports HTTP 200 OK, and all SAML parameters are the same in the working (user entitlement) and non-working (group entitlement) scenarios.
VMware Horizon - 7.12 (15770369)
VMware UAG - 3.8
Workspace ONE Access - 20.01.0.0 (15509389)
Thanks
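An added triage script (not from this thread or from VMware) that correlates the connection server lines above by session and AJP request number, so each broker request is reported with its session, whether AuthorizationFilter bounced it to the login page, and the HTTP status it finally received. The log line shapes it matches are assumed from the snippet, and the sample input is copied (abbreviated) from it.

```python
import re
from collections import defaultdict

# Patterns for the line shapes in the snippet above (assumed stable): servlet lines carry
# "(SESSION:<id>)", the first also "Request<N>"; SimpleAJPService lines carry "(ajp:broker:Request<N>)".
PROCESSING_RE = re.compile(r"\(SESSION:(?P<sid>[^)]+)\) Processing request \S*Request(?P<num>\d+)")
SESSION_RE = re.compile(r"\(SESSION:(?P<sid>[^)]+)\) (?P<msg>.*)$")
AJP_REQ_RE = re.compile(r"\(ajp:broker:Request(?P<num>\d+)\) Request from (?P<src>\S+): (?P<method>\w+) (?P<path>\S+)")
AJP_RESP_RE = re.compile(r"\(ajp:broker:Request(?P<num>\d+)\) Response (?P<code>\d{3})")

def triage(lines):
    """Correlate each broker request with its session, the AuthorizationFilter
    outcome and the HTTP status. Returns {request_number: summary}."""
    reqs = defaultdict(lambda: {"session": None, "source": None, "path": None,
                                "forwarded_to_login": None, "status": None})
    session_to_req = {}  # filter lines name only the session, so map it back to the request
    for line in lines:
        if m := AJP_REQ_RE.search(line):
            reqs[m["num"]].update(source=m["src"], path=m["path"])
        elif m := AJP_RESP_RE.search(line):
            reqs[m["num"]]["status"] = int(m["code"])
        elif m := PROCESSING_RE.search(line):
            session_to_req[m["sid"]] = m["num"]
            reqs[m["num"]]["session"] = m["sid"]
        elif m := SESSION_RE.search(line):
            num = session_to_req.get(m["sid"])
            if num and "forwarding to login page:" in m["msg"]:
                reqs[num]["forwarded_to_login"] = m["msg"].rsplit(": ", 1)[1]
    return dict(reqs)

def unauthenticated_403s(lines):
    """Requests bounced to the login page and then answered 403: the signature
    the group-entitlement launches in this thread show."""
    return sorted(n for n, r in triage(lines).items()
                  if r["forwarded_to_login"] and r["status"] == 403)

# Lines copied from the snippet in the post above (session ids already masked there), abbreviated.
SAMPLE = """\
2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ServletRequestHandler] (SESSION:b102_***_d6d4) Processing request HorizonConnectionServer/Request27357
2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [AuthorizationFilter] (SESSION:b102_***_d6d4) paeCtx == null, forwarding to login page: /broker/xml
2020-07-31T10:24:08.446+02:00 DEBUG (1F00-23FC) <AJP-96> [SimpleAJPService] (ajp:broker:Request27357) Response 403 Forbidden
2020-07-31T10:24:12.213+02:00 DEBUG (1F00-08D8) <SimpleDeamonThread> [SimpleAJPService] (ajp:broker:Request27358) Request from /10.127.176.10: GET /broker/xml
2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ServletRequestHandler] (SESSION:9509_***_a3d8) Processing request HorizonConnectionServe/Request27358
2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [AuthorizationFilter] (SESSION:9509_***_a3d8) paeCtx == null, forwarding to login page: /broker/xml
2020-07-31T10:24:12.214+02:00 DEBUG (1F00-0434) <AJP-66> [SimpleAJPService] (ajp:broker:Request27358) Response 403 Forbidden
""".splitlines()

if __name__ == "__main__":
    print(unauthenticated_403s(SAMPLE), triage(SAMPLE))
```

A request that authenticates normally never produces the "forwarding to login page" line and ends with a non-403 status, so it is left out of the list.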
Have you tried synchronising the groups used for Horizon entitlement into your Access environment? If not, it would be interesting to see if having the same groups in Access would solve your problem.
Hi pbjork,
Yes, we have synchronized the groups and the users are showing up correctly. The current issue right now is when we add entitlements on the Horizon side to an AD group, when the user tries to access their resource they receive the following error message:
Error:
'cn=rdsh-002-test-sitexxx-pod1,ou=applications,dc=vdi,dc=vmware,dc=int' is not in the entitled list.
We are still looking at a potential attribute issue.
Thanks.
Just to make sure: before you try to launch a new entitlement, Access has synced both with AD and Horizon, right?
Yes, we have.
This issue turned out to be related to the test accounts having restricted permissions.
Hey Phildone, could you please tell what changes you have made to the group/account regarding the permission issues?