VMware Horizon Community
rickardlovet
Contributor

UAG smart card authentication UAGW00108

Hi 

I’m stuck with an issue regarding smart card integration. I have read all the threads about smart card integration and UAG, but I still cannot get it to work with versions of Horizon newer than 7.13.

I have an old environment where it works flawlessly. Laptop > UAG > CS > VDI. The goal is to authenticate the user in the UAG step. Currently I have two Horizon instances in the same domain for testing purposes with different versions. I have set up SAML between UAG and CS successfully, in my opinion. Passthrough works perfectly in both setups, but when switching to X.509 Certificate it won’t work in the newer version.

Setup with old versions:

  • Horizon Client 2312 > UAG 7.13 > CS 7.13 > Horizon Agent 8.12.0

Setup with new versions:

  • Horizon Client 2312 > UAG 23.12 > CS 8.12.0 > Horizon Agent 8.12.0

I have tried multiple versions between 7.13 and 8.12.0, but I still get the same error message in the Horizon Client:

This Horizon server expects to get your logon credentials from another application or server, not directly through the client login screen. If you usually access Horizon from another application, please launch that application.

Looking into the logs, I can see the successful authentication with smart card in certauth-service.log:

2024-02-21 18:25:53,736 GMT INFO certauth (ForkJoinPool-1-worker-4237) [-;127.0.0.1;13f9532b-a8b0-4a26-afbe-2f0564e7f68c;c2ad-***-83bb] com.vmware.vidm.auth.certificate.adapter.CertificateAuthAdapterBase – CertificateService authentication successful for user@domain.com retrieved from: upn

Looking into the esmanager.log, I always see the same messages:

02/21 18:25:53,759+0000[jersey-client-async-executor-0]INFO request.BaseAuthentication[logMessage: 274][10.129.0.10][][Horizon][c2ad-***-83bb-***-d3f2-***-1ff2]: Authentication successful for user user@domain.com. Auth type: CERTIFICATE-AUTH

02/21 18:25:53,942+0000[nioEventLoopGroup-73-1]INFO response.SubmitAuthenticationResponseProcessor[processDocument: 133][10.129.0.10][][Horizon][c2ad-***-83bb-***-a107-***-bb55]: Authentication attempt response – error, user-sid:

02/21 18:25:53,942+0000[nioEventLoopGroup-73-1]WARN processor.XmlApiMessageProcessorUtil[persistFailedLoginAttempt: 546][10.129.0.10][][Horizon][c2ad-***-83bb-***-a107-***-bb55]: UAGW00108: Authentication attempt – FAILED, error code – AUTHENTICATION_FAILED, error message – Authentication failure, user message – This Horizon server expects to get your logon credentials from another application or server, not directly through the client login screen. If you usually access Horizon from another application, please launch that application.

02/21 18:25:53,942+0000[nioEventLoopGroup-73-1]INFO response.SubmitAuthenticationResponseProcessor[processDocument: 312][10.129.0.10][][Horizon][c2ad-***-83bb-***-a107-***-bb55]: Got error response for auth. Invalidating UAG session.

I have tried googling the error UAGW00108 with little to no success; I found only this thread on Reddit: UAG to Horizon Connection server SAML Smartcard failure : r/vmware (reddit.com). The PKI itself is fine; I can use it for domain login in the same Windows domain. The PKI works with the old versions of Horizon. When I try to use anything newer than 7.13, I cannot manage to get it working.

I was hoping to check with you if you have come across a similar situation.

Best Regards,
Rickard

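The log sequence quoted in the post (a successful CERTIFICATE-AUTH entry followed within milliseconds by UAGW00108) can be picked out of a long esmanager.log with a small triage script. This is an added example, not code from the original post or from VMware. The field layout is inferred from the quoted lines, pairing entries by client IP and a time window is an assumption, and `triage`, `window_s` and `year` are hypothetical names.

```python
import re
from datetime import datetime, timedelta

# Layout inferred from the esmanager.log lines quoted in the post:
# time[thread]LEVEL class[method: line][client-ip][][edge-service][session]: msg
LINE = re.compile(
    r"^(\d\d/\d\d \d\d:\d\d:\d\d,\d{3})[+-]\d{4}\[[^\]]+\]\w+ \S+?\[[^\]]*\]"
    r"\[([^\]]*)\]\[[^\]]*\]\[[^\]]*\]\[[^\]]*\]: (.*)$")
OK = re.compile(r"Authentication successful for user (\S+?)\. Auth type: (\S+)")
# "." matches either the en dash shown on the page or a plain hyphen
FAIL = re.compile(r"(UAGW\d+): Authentication attempt . FAILED, error code . (\w+)")

def triage(lines, window_s=5, year=2024):
    """One finding per failed attempt; the log has no year, so one is assumed."""
    last_ok, findings = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m[1]}", "%Y/%m/%d %H:%M:%S,%f")
        ip, msg = m[2], m[3]
        if ok := OK.search(msg):
            last_ok[ip] = (ts, ok[1], ok[2])   # UAG-side auth method passed
        elif fail := FAIL.search(msg):
            prior = last_ok.pop(ip, None)
            if prior and ts - prior[0] > timedelta(seconds=window_s):
                prior = None                   # too old to be the same attempt
            findings.append({
                "code": fail[1], "error": fail[2], "client": ip,
                "stage": "after-uag-auth" if prior else "no-prior-uag-success",
                "user": prior[1] if prior else None,
                "auth_type": prior[2] if prior else None,
                "gap_ms": (ts - prior[0]) // timedelta(milliseconds=1) if prior else None,
            })
    return findings

# Constructed sample lines, modelled on the format of the lines in the post.
SAMPLE = [
    "02/21 18:25:53,759+0000[jersey-client-async-executor-0]INFO request.BaseAuthentication[logMessage: 274][192.0.2.10][][Horizon][aaaa-***-bbbb]: Authentication successful for user user@example.com. Auth type: CERTIFICATE-AUTH",
    "02/21 18:25:53,942+0000[nioEventLoopGroup-73-1]WARN processor.XmlApiMessageProcessorUtil[persistFailedLoginAttempt: 546][192.0.2.10][][Horizon][aaaa-***-cccc]: UAGW00108: Authentication attempt – FAILED, error code – AUTHENTICATION_FAILED, error message – Authentication failure",
    "02/21 18:31:07,120+0000[nioEventLoopGroup-73-2]WARN processor.XmlApiMessageProcessorUtil[persistFailedLoginAttempt: 546][192.0.2.77][][Horizon][dddd-***-eeee]: UAGW00108: Authentication attempt – FAILED, error code – AUTHENTICATION_FAILED, error message – Authentication failure",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with stage `after-uag-auth` marks an attempt that was rejected only after the UAG's own X.509 check had already logged success, which is the pattern the post shows.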