VMware Horizon Community
sweater
Enthusiast

UAG v3.0 RADIUS auth working, but re-prompting for AD creds

Trying again to set up RADIUS auth on UAG 3.0 appliances (previously trying on 2.9 UAGs). We have working basic UAG ini files where we can enable RADIUS on the underlying Windows servers and everything works the way we'd like.

When we use the Windows servers to do RADIUS auth, we check this box and it's great - users enter their AD creds, are prompted for their token, and get right into their desktop(s).

[screenshot: pastedImage_0.png]

In deploying UAGs anew today and trying (again) to leverage the UAGs for RADIUS, I have the following settings in my .ini files:

[Horizon]
<snip the tunnel and blast stuff here>
authMethods=radius-auth && sp-auth
matchWindowsUserName=true
windowsSSOEnabled=true

[RADIUSAuth]
hostName=10.xx.xx.xx
authType=PAP
authPort=1812
radiusDisplayHint=ENT

Users are prompted for their AD creds, enter their token info, and then are re-prompted for their AD creds.

Should the UAGs pass the user's creds through to the Windows servers and not re-prompt for those creds before letting people in?

0 Kudos
3 Replies
gglynn
Contributor

I ran into the same issue, and I have a ticket open with VMware support for it right now.  However, I strongly suspect the answer to the question "can the UAG be configured to transparently pass the RADIUS credentials to the VCS for AD authentication?" is actually "no" and it will require a development enhancement to change it to "yes."  After a bunch of testing, as far as I can tell, the "windowsSSOEnabled" configuration setting in the UAG deployment INI file means "pass the user-entered AD credentials through to the virtual desktop on the PCoIP/RDP/Blast connection" and not "pass the RADIUS credentials to the VCS so we don't have to explicitly login to AD," even though the latter is what the UAG documentation seems to suggest at first glance.

0 Kudos
gglynn
Contributor

So, after some more testing, I've determined the following:

  • If you specify authMethod=radius-auth && sp-auth in the UAG configuration, the user will always be explicitly prompted for AD credentials after performing the RADIUS authentication. In retrospect, this makes perfect sense, given that "&&" is the logical AND operator.
  • If you just specify authMethod=radius-auth in the UAG configuration, the user will only be explicitly prompted for RADIUS credentials, and UAG will attempt to transparently pass the username and password through to the VCS for AD authentication, which is what we want. However, in my case, it's failing because we have multiple domains in our forest, and the VCS server always assumes the username it's being passed is for a user in the forest root domain, and that's not the case (the user is in a child domain). Unfortunately, there doesn't appear to be any way to specify the AD domain name in the RADIUS prompt--if I specify CHILDDOMAIN\username, the VCS server attempts to authenticate a user named "CHILDDOMAIN\username" in the root domain, i.e. ROOTDOMAIN\childdomain\username--or to specify a default domain in the UAG configuration (so it prepends the right domain name).

If you don't have multiple domains in your forest, just changing your authMethod to just radius-auth (rather than radius-auth && sp-auth) might do the trick for you.

0 Kudos
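To make the "&&" versus pass-through behaviour described above concrete, here is an added Python helper (not from this thread, and not VMware's code) that reads a constructed UAG .ini fragment and predicts the prompt sequence and the account the Connection Server (VCS) will try, following the behaviour gglynn reports. The `root_domain` argument, the placeholder RADIUS host and the sample usernames are assumptions.

```python
import configparser

# Constructed UAG .ini fragment modelled on the settings in the thread.
# The RADIUS host is a placeholder, not a real address.
DOUBLE_PROMPT_INI = """
[Horizon]
authMethods=radius-auth && sp-auth
matchWindowsUserName=true
windowsSSOEnabled=true

[RADIUSAuth]
hostName=RADIUS_HOST_PLACEHOLDER
authType=PAP
authPort=1812
radiusDisplayHint=ENT
"""

# Same fragment with the sp-auth AND term dropped (the pass-through case).
PASSTHROUGH_INI = DOUBLE_PROMPT_INI.replace("radius-auth && sp-auth", "radius-auth")


def auth_methods(ini_text):
    """Return the AND-ed method list from [Horizon] authMethods ('&&' only)."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # UAG keys are camelCase; keep their case
    cfg.read_string(ini_text)
    raw = cfg["Horizon"].get("authMethods", "sp-auth")
    return [m.strip() for m in raw.split("&&") if m.strip()]


def predict_login(ini_text, radius_username, root_domain):
    """Predict (prompts, account the VCS will try) for one login attempt.

    root_domain is an assumed forest root name used to show the behaviour
    reported in the thread: with radius-auth alone the VCS takes the RADIUS
    username verbatim and looks it up in the forest root domain."""
    methods = auth_methods(ini_text)
    prompts = []
    if "radius-auth" in methods:
        prompts.append("RADIUS username + passcode")
    if "sp-auth" in methods:
        # '&&' ANDs the methods, so a separate AD prompt always follows
        prompts.append("AD credentials (second prompt)")
        vcs_account = "as typed at the AD prompt"
    elif methods == ["radius-auth"]:
        # Pass-through: a 'DOMAIN\\user' string is not split into a domain
        vcs_account = f"{root_domain}\\{radius_username}"
    else:
        vcs_account = "n/a"
    return prompts, vcs_account
```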
markbenson
VMware Employee

There are some options for this in the reply to the other thread on this topic here - Specifying a default AD domain without filtering

0 Kudos