ec_bryant
Contributor

Azure and Horizon (UAG)

Hi, we have just set up a brand new Horizon environment with the latest version. We have an A10 LB that goes to 2 UAGs that point to 2 Connection Servers. We are trying to set up Microsoft Azure and have gone through the guides to get it set up. We open the VMware client, double click on the server and it goes to an MS login page. We log in and get the 2FA prompt, and then it just sits at a URL ending in https://lb-vip-fqdn/portal/samlsso and spins and spins but nothing. Anyone have any suggestions as to what I might have missed or how to fix this issue?

fabio1975
Commander

Ciao

The link that does not respond to you is the one that is configured in the Enterprise Application on Azure.

Can you confirm that you have imported the XML metadata of the Azure enterprise application on the UAG?

(If you have not done so, check this link where I explain the whole procedure: https://vmvirtual.blog/2021/02/28/azure-mfa-uag-horizon-and-true-sso-step-4/)

Otherwise, there may be something in the configurations of the LB.


Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

ec_bryant
Contributor

Hi, thank you for this. I am pretty sure this is all set up and I have uploaded the metadata file into the UAGs. A couple of questions. In your guide you have this - https://<public-FQDN-UAG>/portal/samlsso for the URL. If our UAGs are load balanced, can I get away with putting the LB VIP so it's just https://lb-vip-fqdn.test.com/portal/samlsso? Or in Azure would I need two entries, one for each UAG we have?

Also what needs to be done or what can I look for on the LB that might show the issue is there? Thanks.

fabio1975
Commander

If you use an LB appliance (as in your case) you must use the public FQDN assigned to the VIP IP of the LB configured for UAGs.

If, on the other hand, you use the integrated load balancing solution present in the UAGs, you must also publish the individual IPs of the UAGs (in addition to the VIP) on the internet, but that does not seem to be your situation.

Do you have any errors in the UAG logs?

Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

ec_bryant
Contributor

Not sure where to check the UAG logs. But after letting this go for a while the page finally responds with the attached message.

fabio1975
Commander

Ciao

Can you post the Basic SAML Configuration applied on the Azure Enterprise Application used?

Does your LB replace or inspect the SSL certificate of the UAG?

Is the SSL certificate used in the UAG issued by a public CA?

Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

ec_bryant
Contributor

We are using a wildcard cert on the LB/UAG. Everything works fine without adding this Azure authentication piece. Here is my config:

Basic SAML Configuration

Identifier (Entity ID) - https://horizon.test.com/portal
Reply URL (Assertion Consumer Service URL) - https://horizon.test.com/portal/samlsso
Relay State - Optional
Logout Url - Optional
fabio1975
Commander
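An added diagnostic (example code, not from this thread, VMware or Microsoft) that decodes the SAMLRequest a UAG sends to Azure in the HTTP-Redirect binding and checks its Issuer and AssertionConsumerServiceURL against the Identifier and Reply URL from the Basic SAML Configuration posted above, so a request that carries an individual UAG hostname instead of the LB VIP FQDN is flagged before Azure answers with an error. The Azure endpoint URL is a placeholder and the AuthnRequests are constructed samples, not captures from a real UAG.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

# Values from the Basic SAML Configuration in the thread (test.com is the poster's example domain).
EXPECTED_ENTITY_ID = "https://horizon.test.com/portal"
EXPECTED_ACS_URL = "https://horizon.test.com/portal/samlsso"
# Placeholder for the Azure AD SAML endpoint; the real one contains the tenant ID.
IDP_SSO_URL = "https://login.microsoftonline.com/<tenant-id>/saml2"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_redirect_request(redirect_url: str) -> ET.Element:
    """Pull the SAMLRequest out of an HTTP-Redirect binding URL and return the parsed AuthnRequest."""
    raw = base64.b64decode(parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0])
    # The Redirect binding uses raw DEFLATE without a zlib header, hence wbits=-15.
    return ET.fromstring(zlib.decompress(raw, -15))

def check_authn_request(root: ET.Element, entity_id: str, acs_url: str) -> list:
    """Return the mismatches between what the SP sent and what the IdP side was configured with."""
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != entity_id:
        problems.append(f"Issuer {issuer!r} != Identifier (Entity ID) {entity_id!r}")
    acs = root.get("AssertionConsumerServiceURL") or ""
    if urlparse(acs).hostname != urlparse(acs_url).hostname:
        # The request names an individual node instead of the published LB VIP FQDN:
        # Azure will reject it as an unknown Reply URL or post the response to the wrong host.
        problems.append(f"ACS host {urlparse(acs).hostname!r} is not the published FQDN")
    elif acs != acs_url:
        problems.append(f"ACS URL {acs!r} != Reply URL {acs_url!r}")
    return problems

def make_sample_request_url(sp_host: str) -> str:
    """Construct a sample AuthnRequest (not captured from a real UAG) for the given SP host."""
    xml_text = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample1" Version="2.0" '
        'IssueInstant="2021-07-04T12:00:00Z" '
        f'AssertionConsumerServiceURL="https://{sp_host}/portal/samlsso">'
        f'<saml:Issuer>https://{sp_host}/portal</saml:Issuer></samlp:AuthnRequest>'
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return IDP_SSO_URL + "?SAMLRequest=" + quote(base64.b64encode(deflated).decode())
```

Run `check_authn_request(decode_redirect_request(url), EXPECTED_ENTITY_ID, EXPECTED_ACS_URL)` on the redirect URL copied from the browser's address bar or HAR file; an empty list means the UAG is advertising the same FQDN that Azure was configured with.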

Ciao,

But do you have a public domain test.com? Or is it an example?

Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

ec_bryant
Contributor

That is just an example.

ec_bryant
Contributor

I am actually troubleshooting now with Microsoft and when doing a test via Azure portal to - https://horizon.test.com/portal/samlsso the page comes up with an HTTP 500 error.

ec_bryant
Contributor

It is very strange. We deleted all browsing history and closed all Chrome windows. Opened it back up and it works. But after the first time it works, it doesn't work again.

fabio1975
Commander

Ciao

Do you always have the same problem if you use Chrome in incognito mode?

Otherwise it could be a configuration problem of one of the two connection servers or of one of the two UAGs. Try testing with only one UAG and one Connection server active (alternating between one another).


Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

ec_bryant
Contributor

Tried testing with just one UAG and one Connection Server and still have the same behavior. It almost seems like after you connect the first time it leaves something in Chrome so that when you try to connect the second time it gets hung up. I have a ticket open with both VMware and Microsoft, but if no one else is experiencing this then I have to think it is something with my setup? Very frustrating as we want to deploy this by the end of the month.

fabio1975
Commander

I have deployed MFA, UAG and Horizon infrastructures with F5 or Kemp as balancers and have never had this kind of problem. Could it be something related to your LB, is session persistence configured?

I found the following guide but I don't know if it relates to your LB model.

Deploying VMware Horizon View 7 with A10 Thunder ADC (Application Delivery Controller) (a10networks....

Do you have the same problem with Edge or Firefox too?

Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos

ec_bryant
Contributor

We have the same problem with Firefox but not Edge. MS just let us know that it is the way the SAML2 AuthnRequest is being processed in Chrome. It is not being written in a way that Chrome can read it. Which doesn't make much sense, as it works once with Chrome and then stops working.

We used that guide you sent to set up our LB. I don't really think it's the LB, as it works all the time on MS Edge. But I don't get why our instance is different than anyone else's using this configuration and the Chrome browser? Very frustrating.

ec_bryant
Contributor

Ok, latest update - It is the Load Balancer. I just created a new Enterprise Application and went direct to one of the UAGs. Uploaded the new metadata file and then added a new server in the Horizon Client that pointed directly to that UAG. It works every time in Chrome. So the Load Balancer must be doing something??? Ugh.....