Horizon Client authentication failure

Boneyard, I was able to access the logs on the connection server today. I actually can see the cert getting there from the client and the browser (it is the same cert - and the correct one at that). The UPN is extracted correctly as well. If I'm going there from the client, the next thing I see in the log is "Unverified CHANGEKEY message discarded, machine 'cn=ca70f223-b584-4cc4-a489-230b73bf92b6,ou=servers,dc=vdi,dc=vmware,dc=int' does not exist. All I see in the APM log at that point is "notice apmd[8946]: 01490005:5: /Common/horizon.app/horizon:Common:5f616461: Following rule 'fallback' from item 'View Client Cert Inspection' to ending 'Deny.'" The client's explanation is even more vague with "Authentication Failure."

I understand that all the failures are reactionary to the Connection server not being able to find a machine that it wants to send me to. The part I don't understand is why the same connection from a web browser goes on to the SAML part of the connection (which I can see in APM but not sure where to find it on the Horizon side.