Question regarding Kerberos/SSO


Hello,

We are currently evaluating Horizon Workspace. We are trying to get SSO working for our AD users. What we did so far:

 

* Joined connector VA to the Domain

* Enabled Windows Authentication on the connector VA

* Added Connector VA URL FQDN to Local Intranet Sites, checked security settings in IE

 

When we browse to https://fqdn-of-connector-va the user is authenticated without problems, but when browsing to https://workspace-fqdn the login screen appears.

 

Analyzing the Connector VA logs shows the following for the working scenario

 

2013-06-04 15:02:23,317 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/, used/total/max(MB):56,487,2666

2013-06-04 15:02:23,321 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):56,487,2666

2013-06-04 15:02:23,324 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: null

2013-06-04 15:02:23,324 INFO : com.vmware.horizon.connector.controller.AuthenticateController - Authorization header null. Initiating SPNEGO by responding 401 w/ header: WWW-Authenticate:NEGOTIATE

2013-06-04 15:02:23,628 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):56,487,2666

2013-06-04 15:02:23,631 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: null

2013-06-04 15:02:23,631 INFO : com.vmware.horizon.connector.controller.AuthenticateController - AuthWithoutNego:[Base64 token omitted]

2013-06-04 15:02:23,641 INFO : com.vmware.horizon.auth.ntlm.WindowsAuthServiceImpl - Authenticated username:9793

2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.AuthenticateController - Authentication SUCCESS: 9793

2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 2: null

2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.IdPInitiatedSSOController - samlRequestInfo: null

2013-06-04 15:02:23,641 INFO : com.vmware.horizon.connector.controller.IdPInitiatedSSOController - acsUrl is missing; using acsUrl from state: https://FQDN/SAAS/API/1.0/POST/federate?identityProvider=HorizonConnector__1

2013-06-04 15:02:23,641 INFO : com.vmware.horizon.directory.ldap.LdapDirectoryService - Attribute lookup: 9793 - BEGIN

2013-06-04 15:02:28,654 INFO : com.vmware.horizon.directory.ldap.LdapDirectoryService - Attribute lookup: 9793 - SUCCESS

2013-06-04 15:02:28,654 INFO : com.vmware.horizon.connector.controller.IdPInitiatedSSOController - samlAttributeNames for 9793: [userPrincipalName, lastName, phone, email, userName, firstName, disabled, ExternalId]

 

And here is what happens when surfing to the Workspace FQDN

 

2013-06-04 14:59:41,382 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):54,487,2666

2013-06-04 14:59:41,391 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: SamlRequestInfo[acsUrl=https://FQDN/SAAS/auth/saml/response,relayState={"idpId":1,"dest":"https://FQDN:443/web"},nameId=<null>]

2013-06-04 14:59:41,391 INFO : com.vmware.horizon.connector.controller.AuthenticateController - Authorization header null. Initiating SPNEGO by responding 401 w/ header: WWW-Authenticate:NEGOTIATE

2013-06-04 14:59:41,402 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/authenticate/, used/total/max(MB):54,487,2666

2013-06-04 14:59:41,410 INFO : com.vmware.horizon.connector.controller.AuthenticateController - samlRequestInfo 1: SamlRequestInfo[acsUrl=https://FQDN/SAAS/auth/saml/response,relayState={"idpId":1,"dest":"https://FQDN:443/web"},nameId=<null>]

2013-06-04 14:59:41,410 INFO : com.vmware.horizon.connector.controller.AuthenticateController - AuthWithoutNego:TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==

2013-06-04 14:59:41,410 INFO : com.vmware.horizon.connector.controller.AuthenticateController - NTLM tokens cannot be used for authentication. Redirecting to login page.

2013-06-04 14:59:41,457 INFO : com.vmware.horizon.connector.mvc.ControllerInterceptor - /hc/login/, used/total/max(MB):55,487,2666

 

In that case NTLM authentication is used, which is not working.

 

Is that by design?

 

Regards

 

Carsten
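
Added example, not part of the original post: the two log excerpts differ in the client token logged after `AuthWithoutNego:`, and this Python code decodes such a token to report whether the browser sent raw NTLM or a SPNEGO token and which mechanism it listed first. `classify`, `scan` and the shortened logger name `x` in the sample lines are illustrative names; the second sample token is hand-built, and each token is assumed to sit on one log line.

```python
import base64, re

SPNEGO = bytes.fromhex("2b0601050502")                    # 1.3.6.1.5.5.2
MECHS = {bytes.fromhex("2a864886f712010202"): "Kerberos", # 1.2.840.113554.1.2.2
         bytes.fromhex("2a864882f712010202"): "Kerberos", # 1.2.840.48018.1.2.2
         bytes.fromhex("2b06010401823702020a"): "NTLM"}   # 1.3.6.1.4.1.311.2.2.10
TOKEN_RE = re.compile(r"^(\S+ \S+) .*AuthWithoutNego:(\S+)")

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify(token_b64):
    """Name the mechanism offered in an HTTP Negotiate token."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:                                    # covers binascii.Error
        return "invalid base64"
    if raw.startswith(b"NTLMSSP\x00"):                    # bare NTLM, no SPNEGO
        return "raw NTLM type %d" % int.from_bytes(raw[8:12], "little")
    try:
        tag, pos, _ = _tlv(raw, 0)                        # GSS-API wrapper
        oid_tag, pos, end = _tlv(raw, pos)                # outer mechanism OID
        if tag != 0x60 or oid_tag != 0x06:
            return "unknown"
        if raw[pos:end] != SPNEGO:
            return MECHS.get(raw[pos:end], "unknown")
        pos = end
        for want in (0xA0, 0x30, 0xA0, 0x30, 0x06):       # to first mechType
            tag, pos, end = _tlv(raw, pos)
            if tag != want:
                return "SPNEGO, unparsed"
    except IndexError:
        return "truncated"
    return "SPNEGO, first mech " + MECHS.get(raw[pos:end], "other")

def scan(log_text):  # -> [(timestamp, classification), ...]
    hits = map(TOKEN_RE.search, log_text.splitlines())
    return [(m.group(1), classify(m.group(2))) for m in hits if m]

# Constructed sample: line 1 carries the short token logged on this page,
# line 2 a minimal hand-built SPNEGO NegTokenInit listing Kerberos first.
_built = base64.b64encode(bytes.fromhex(
    "601b06062b0601050502a011300fa00d300b06092a864886f712010202")).decode()
SAMPLE_LOG = ("2013-06-04 14:59:41,410 INFO : x - AuthWithoutNego:"
              "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==\n"
              "2013-06-04 15:02:23,631 INFO : x - AuthWithoutNego:" + _built)
```

Calling `scan(SAMPLE_LOG)` returns one `(timestamp, classification)` pair per logged token.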

