4 Replies Latest reply on Jun 12, 2013 1:59 AM by iceman76

    Question regarding Kerberos/SSO

    iceman76 Enthusiast

      Hello,

      we are currently evaluating Horizon Workspace. We are trying to get SSO working for our AD users. What we did so far:

      * Joined connector VA to the Domain

      * Enabled Windows Authentication on the connector VA

      * Added Connector VA URL FQDN to Local Intranet Sites, checked security settings in IE


      When we browse to https://fqdn-of-connector-va the user is authenticated without problems, but when browsing to https://workspace-fqdn the login screen appears.

       

      Analyzing the Connector VA logs shows the following for the working scenario

       

      2013-06-04 15:02:23,317 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/, used/total/max(MB):56,487,2666

      2013-06-04 15:02:23,321 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):56,487,2666

      2013-06-04 15:02:23,324 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: null

      2013-06-04 15:02:23,324 INFO : com.vmware.horizon.connector.controller.AuthenticateController - Authorization header null. Initiating SPNEGO by responding 401 w/ header: WWW-Authenticate:NEGOTIATE

      2013-06-04 15:02:23,628 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):56,487,2666

      2013-06-04 15:02:23,631 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: null

      2013-06-04 15:02:23,631 INFO : com.vmware.horizon.connector.controller.AuthenticateController - AuthWithoutNego:YIIIFgYGKwYBBQUCoIIICjCCCAagMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYK


      2013-06-04 15:02:23,641 INFO : com.vmware.horizon.auth.ntlm.WindowsAuthServiceImpl - Authenticated username:9793

      2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.AuthenticateController - Authentication SUCCESS: 9793

      2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 2: null

      2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.IdPInitiatedSSOController - samlRequestInfo: null

      2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.IdPInitiatedSSOController - acsUrl is missing; using acsUrl from state: https://FQDN/SAAS/API/1.0/POST/federate?identityProvider=HorizonConnector__1

      2013-06-04 15:02:23,641 INFO : com.vmware.horizon.directory.ldap.LdapDirectoryService - Attribute lookup: 9793 - BEGIN

      2013-06-04 15:02:28,654 INFO : com.vmware.horizon.directory.ldap.LdapDirectoryService - Attribute lookup: 9793 - SUCCESS

      2013-06-04 15:02:28,654 INFO : com.vmware.horizon.connector.controller.IdPInitiatedSSOController - samlAttributeNames for 9793: [userPrincipalName, lastName, phone, email, userName, firstName, disabled, ExternalId]

       

      And here is what happens when surfing to the Workspace FQDN

       

      2013-06-04 14:59:41,382 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):54,487,2666

      2013-06-04 14:59:41,391 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: SamlRequestInfo[acsUrl=https://FQDN/SAAS/auth/saml/response,relayState={"idpId":1,"dest":"https://FQDN:443/web"},nameId=<null>]

      2013-06-04 14:59:41,391 INFO : com.vmware.horizon.connector.controller.AuthenticateController - Authorization header null. Initiating SPNEGO by responding 401 w/ header: WWW-Authenticate:NEGOTIATE

      2013-06-04 14:59:41,402 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):54,487,2666

      2013-06-04 14:59:41,410 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: SamlRequestInfo[acsUrl=https://FQDN/SAAS/auth/saml/response,relayState={"idpId":1,"dest":"https://FQDN:443/web"},nameId=<null>]

      2013-06-04 14:59:41,410 INFO : com.vmware.horizon.connector.controller.AuthenticateController - AuthWithoutNego:TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==

      2013-06-04 14:59:41,410 INFO : com.vmware.horizon.connector.controller.AuthenticateController - NTLM tokens cannot be used for authentication. Redirecting to login page.

      2013-06-04 14:59:41,457 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/login/, used/total/max(MB):55,487,2666

       

      In that case NTLM authentication is used, which is not working.

       

      Is that by design?

       

      Regards

       

      Carsten
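
An added example, not from the thread or from VMware: a Python script that decodes the AuthWithoutNego tokens from the connector log above and reports whether the browser sent a SPNEGO/Kerberos token or fell back to a raw NTLM NEGOTIATE message, which is exactly the difference between the two captures. The sample log lines are constructed from the two tokens in the post (the Kerberos one cut to the first 64 characters shown there); the OID table and the NTLM field offsets follow RFC 4178, RFC 4121 and MS-NLMP.

```python
import base64

# Constructed sample lines modelled on the post's connector log: the truncated SPNEGO token, then the NTLM one
LOG_LINES = [
    "2013-06-04 15:02:23,631 INFO : AuthenticateController - AuthWithoutNego:"
    "YIIIFgYGKwYBBQUCoIIICjCCCAagMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYK",
    "2013-06-04 14:59:41,410 INFO : AuthenticateController - AuthWithoutNego:"
    "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==",
]
KNOWN_OIDS = {  # GSS-API mechanism OIDs (RFC 4178, RFC 4121, MS-SPNG)
    "1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS-KRB5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}

def decode_oid(body):  # DER OID body -> dotted string (first byte encodes 40*a + b)
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def walk_oids(buf):  # flat DER walk: descends into constructed tags and survives a cut-off blob
    oids, pos = [], 0
    while pos + 2 <= len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        end = min(pos + length, len(buf))
        if tag == 0x06 and end > pos:
            oids.append(decode_oid(buf[pos:end]))
        if not tag & 0x20:  # primitive: skip its body; constructed (0x60/0xA0/0x30): descend
            pos = end
    return oids

def classify_token(b64):  # -> (mechanism, details) for the token logged after AuthWithoutNego
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):  # raw NTLM, not wrapped in SPNEGO: Kerberos was never attempted
        flags = int.from_bytes(tok[12:16], "little")
        ver = f"{tok[32]}.{tok[33]}.{int.from_bytes(tok[34:36], 'little')}" if flags & 0x02000000 else "n/a"  # NEGOTIATE_VERSION
        return "NTLM", {"message_type": int.from_bytes(tok[8:12], "little"), "client_os": ver}
    if tok[:1] == b"\x60":  # GSS-API InitialContextToken: the first OID names the mechanism
        mechs = [KNOWN_OIDS.get(o, o) for o in walk_oids(tok)]
        return (mechs[0] if mechs else "unknown"), {"mechs": mechs}
    return "unknown", {}

def sso_fallback_report(lines):  # (timestamp, mechanism, details) for each AuthWithoutNego line
    return [(l[:23], *classify_token(l.split("AuthWithoutNego:")[1].split()[0]))
            for l in lines if "AuthWithoutNego:" in l]
```

A raw NTLMSSP token (base64 starting `TlRM`) in place of a SPNEGO token (starting `YII`) means the browser never attempted Kerberos for that host name, so the fix belongs on the URL/zone/SPN side rather than in the connector's Kerberos setup; the truncated Kerberos sample only reveals the first mechanisms the browser offered (MS-KRB5, KRB5).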

        • 1. Re: Question regarding Kerberos/SSO
          sravuri Expert
          VMware Employees

          Do you have only one connector in your system? If this is the default connector, its IDP URL is set to the Horizon Workspace FQDN. Hence, if you go from Horizon Workspace FQDN, Kerberos Auth will not work.

          Can you try the following?

          In the connector admin UI, click on Identity Provider on left side navigation, change the URL to Connector's FQDN.

           

          If you want to support two forms of auth - Kerberos for internal users, username/password for external users etc. - you will then need to install an additional connector. Please see the installation guide for more information on adding a new connector.

          • 2. Re: Question regarding Kerberos/SSO
            iceman76 Enthusiast

            Yes, that was the cause. After changing the URL to the Connector's FQDN it was working. I added a second connector for 2 forms of authentication as described in the guide. It is working now, although there were some problems activating the new connector. We are using certificates from our Enterprise CA, and a newly deployed connector does not have it in its keystore. I guess that is because the snapshot is from BEFORE we added the CA certs ;-). I manually activated the connector VA and it works.

             

            I am seeing the following error in the connector log of our Kerberos-enabled connector:

             

            2013-06-05 08:43:08,950 ERROR: com.vmware.horizon.connector.mvc.C2ExceptionResolver - Exception caught in C2ExceptionResolver. (org.apache.catalina.connector.ClientAbortException )

            ClientAbortException:  java.net.SocketException: Connection reset

                    at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:330)

                    at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:296)

                    at org.apache.catalina.connector.CoyoteOutputStream.flush(CoyoteOutputStream.java:98)

                    at org.springframework.util.FileCopyUtils.copy(FileCopyUtils.java:116)

                    at org.springframework.web.servlet.resource.ResourceHttpRequestHandler.writeContent(ResourceHttpRequestHandler.java:210)

                    at org.springframework.web.servlet.resource.ResourceHttpRequestHandler.handleRequest(ResourceHttpRequestHandler.java:135)

                    at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:49)

                    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)

                    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)

                    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)

                    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)

                    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)

                    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)

                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

                    at com.vmware.horizon.connector.mvc.FlashScopeFilter.doFilterInternal(FlashScopeFilter.java:40)

                    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

                    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:163)

                    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)

                    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)

                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

                    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)

                    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

                    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

                    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

                    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)

                    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)

                    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

                    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

                    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

                    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)

                    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)

                    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)

                    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:409)

                    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

                    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

                    at java.lang.Thread.run(Unknown Source)

            Caused by: java.net.SocketException: Connection reset

                    at java.net.SocketOutputStream.socketWrite(Unknown Source)

                    at java.net.SocketOutputStream.write(Unknown Source)

                    at com.sun.net.ssl.internal.ssl.OutputRecord.writeBuffer(Unknown Source)

                    at com.sun.net.ssl.internal.ssl.OutputRecord.write(Unknown Source)

                    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecordInternal(Unknown Source)

                    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)

                    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)

                    at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:756)

                    at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:448)

                    at org.apache.coyote.http11.InternalOutputBuffer.flush(InternalOutputBuffer.java:318)

                    at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:985)

                    at org.apache.coyote.Response.action(Response.java:183)

                    at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:325)

                    ... 39 more

             

            Do you have any clues?

            • 3. Re: Question regarding Kerberos/SSO
              Hot Shot

              Would you be able to tail -f the log while operating the system, to figure out when exactly this error kicks in?

              • 4. Re: Question regarding Kerberos/SSO
                iceman76 Enthusiast

                Dear Sir or Madam,

                I am out of the office on 12.06.2013. I do receive your e-mail but cannot process it. In urgent cases please contact our technical hotline, which can be reached on 0611 26244303.

                Kind regards

                Carsten Buchberger