Forum Discussion

bluzdoggy_17129 (Nimbostratus)
Sep 09, 2016

Horizon Client authentication failure

I am running BIG-IP version 12.1.0 with APM and Horizon View 7.0.1. Currently attempting setup with the f5.vmware_view.v1.5.1 iApp template. The feature we really want to implement is using smartcard authentication with SAML 2.0 through the Horizon client. Both the View server and F5 have been configured according to the companion guide for the iApp. The Horizon client will prompt for a PIN and then after a second or two display "Authentication Failure." APM logs consistently show the access policy failing at the cert inspection step. No SAML traffic appears to take place.


If I attempt the same exact connection through a regular web browser via HTML 5, I can authenticate to the webtop, where the authentication fails to the back end (the documentation says that's what should happen and that manual login has to occur from the webtop). The main thing is the APM log looks great. SAML authentication is seen for the browser connection, and the cert inspection from the same smartcard passes, where it fails on connections from the Horizon client. I could really use some guidance on this.


12 Replies

  • Got it working last week! Just want to post this to help anyone else that may be having issues with the iApp or the configuration in general for smart card, SAML, etc. My ticket with F5 helped to point out one issue in the client ssl profile that I documented above. They believe this to be a limitation of the Horizon client. I agree since I have never had to set profiles like that for any other VIP in any other environment. The thing that F5 folks can't explain is why the cert still fails initially in the APM logs only to be accepted as valid later in the access policy.


    The next part is the SAML piece. The iApp doesn't name the SAML IdP correctly (at least not in a way that the Connection servers will accept it). I had to set the IdP Entity ID to the full URL that it requires on the Connection server side in the SAML setup (). I also found that the auto-generated iRule that sends assertions to the external SAML SP was inconsistent at times in posting the entire x509 cert. Sometimes the cert was truncated under the "encryption" heading while it was correct under the "signing" heading. I use the same cert for both.


    At this point, after these changes, the client would show no errors. APM logs showed sessions starting and holding. But the client would never connect to the resource VM. Just constant spinning with no resource connection but no timeout either. Finally, on the connection servers, I had to uncheck all three tunnel boxes for the connection to the resource to happen even though the deployment guide specifies leaving the External URL box checked for version 12.1.x implementations. I already had the other two boxes unchecked per the guide. I would also like to point out that I am not having to use the iRule in sol84958121 for connections to succeed. Wireshark captures confirm the client connecting directly to the F5 VIPs over 443/tcp and 4172/udp (same IP address). The proxy is working as it should and load balancing is performing nicely between the two connection servers.


    For the record, this is all running with F5 APM, LTM version 12.1.1, VMware Horizon version 7.0.2 and Horizon client 4.2. Hope this helps someone out there.
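
The two SAML problems described in the reply above (an IdP entity ID the Connection servers will not accept, and a certificate truncated under "encryption" but intact under "signing") can be checked offline before the metadata is trusted. This is an added example, not part of the original post or of the F5 iApp; it assumes the IdP publishes standard SAML 2.0 metadata XML and that, as in the post, one certificate serves both uses. The entity ID URL and the certificate bytes are constructed placeholders.

```python
import base64, binascii
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed placeholders: a DER-shaped blob (not a real certificate), a made-up URL.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
EXPECTED_ID = "https://idp.example.test/placeholder-entity-id"

# Builds constructed IdP metadata with one KeyDescriptor per use (hypothetical helper).
def sample_metadata(entity_id, signing_b64, encryption_b64):
    kd = ('<md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
          '%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="%s">'
            '<md:IDPSSODescriptor>%s%s</md:IDPSSODescriptor></md:EntityDescriptor>'
            % (NS["md"], NS["ds"], entity_id,
               kd % ("signing", signing_b64), kd % ("encryption", encryption_b64)))

def der_complete(der):
    """True if the outer DER SEQUENCE length field matches the bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                          # short-form length
        return len(der) == 2 + der[1]
    k = der[1] & 0x7F                          # long form: k length bytes follow
    return k > 0 and len(der) == 2 + k + int.from_bytes(der[2:2 + k], "big")

def check_idp_metadata(xml_text, expected_entity_id):
    """Return a list of findings; an empty list means the metadata passed."""
    root = ET.fromstring(xml_text)
    findings, certs = [], {}
    if root.get("entityID") != expected_entity_id:
        findings.append("entityID mismatch: %r" % root.get("entityID"))
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "unspecified")
        b64 = "".join(kd.findtext(".//ds:X509Certificate", "", NS).split())
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            findings.append("%s: certificate is not valid base64" % use)
            continue
        if not der_complete(der):
            findings.append("%s: certificate DER is truncated or malformed" % use)
        certs[use] = der
    if certs.get("signing") != certs.get("encryption"):  # assumption: same cert for both
        findings.append("signing and encryption certificates are not identical")
    return findings

if __name__ == "__main__":
    bad = sample_metadata("idp_placeholder", FAKE_CERT_B64, FAKE_CERT_B64[:200])
    print("\n".join(check_idp_metadata(bad, EXPECTED_ID)))
```

Running the check against each fresh copy of the metadata matters here because the post reports the truncation as intermittent.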


  • I appear to have the correct certificate bundle under "which CA certificate bundle do you want to use for your trusted certificate authorities?" but I still don't even get prompted for a 2pin auth. Any way someone could help?