Horizon Client authentication failure
Got it working last week! Just want to post this to help anyone else that may be having issues with the iApp or the configuration in general for smart card, SAML, etc. My ticket with F5 helped to point out one issue in the client SSL profile that I documented above. They believe this to be a limitation of the Horizon client. I agree since I have never had to set profiles like that for any other VIP in any other environment. The thing that F5 folks can't explain is why the cert still fails initially in the APM logs only to be accepted as valid later in the access policy.
The next part is the SAML piece. The iApp doesn't name the SAML IdP correctly (at least not in a way that the Connection servers will accept it). I had to set the IdP Entity ID to the full URL that it requires on the Connection server side in the SAML setup (). I also found that the auto-generated iRule that sends assertions to the external SAML SP was inconsistent at times in posting the entire x509 cert. Sometimes the cert was truncated under the "encryption" heading while it was correct under the "signing" heading. I use the same cert for both.
At this point, after these changes, the client would show no errors. APM logs showed sessions starting and holding. But the client would never connect to the resource VM. Just constant spinning with no resource connection but no timeout either. Finally, on the Connection servers, I had to uncheck all three tunnel boxes for the connection to the resource to happen even though the deployment guide specifies leaving the External URL box checked for version 12.1.x implementations. I already had the other two boxes unchecked per the guide. I would also like to point out that I am not having to use the iRule in sol84958121 for connections to succeed. Wireshark captures confirm the client connecting directly to the F5 VIPs over 443/tcp and 4172/udp (same IP address). The proxy is working as it should and load balancing is performing nicely between the two Connection servers.
For the record, this is all running with F5 APM, LTM version 12.1.1, VMware Horizon version 7.0.2 and Horizon client 4.2. Hope this helps someone out there.
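An added example, not part of the original post and not F5 or VMware code: one way to spot the truncated "encryption" certificate described above before handing metadata to the SP. It assumes the certificate is published in SAML metadata `KeyDescriptor` elements with `use="signing"` and `use="encryption"`; the function names, the placeholder entityID and the sample blob are constructed for illustration.

```python
import base64, binascii
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def der_declared_len(der):
    """Total size (header + body) a DER SEQUENCE claims, or None if unparseable."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_metadata(xml_text):
    """Map each KeyDescriptor 'use' to a status; add 'same_cert' when both uses decode."""
    certs, report = {}, {}
    for kd in ET.fromstring(xml_text).iter(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use", "unspecified")
        node = kd.find(f".//{{{DS}}}X509Certificate")
        b64 = "".join((node.text or "").split()) if node is not None else ""
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:             # cut mid-quantum, so padding is wrong
            report[use] = "invalid-base64"
            continue
        certs[use] = der
        want = der_declared_len(der)
        if want is None:
            report[use] = "not-der"
        else:
            report[use] = "ok" if len(der) == want else (
                "truncated" if len(der) < want else "trailing-data")
    if "signing" in certs and "encryption" in certs:
        report["same_cert"] = certs["signing"] == certs["encryption"]
    return report

def build_metadata(signing_b64, encryption_b64):
    """Constructed sample metadata; the entityID is a placeholder, not a real IdP."""
    kd = "".join(
        f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        f"{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for use, b64 in (("signing", signing_b64), ("encryption", encryption_b64)))
    return (f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="urn:example:idp">'
            f"<md:IDPSSODescriptor>{kd}</md:IDPSSODescriptor></md:EntityDescriptor>")

# Constructed stand-in for a certificate: a DER SEQUENCE header plus 300 filler bytes.
SAMPLE_B64 = base64.b64encode(b"\x30\x82" + (300).to_bytes(2, "big") + bytes(300)).decode()
```

The check only compares the length the DER header declares with the bytes actually present, so it catches truncation without validating the certificate itself.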