I am running Big IP version 12.1.0 with APM and Horizon View 7.0.1. Currently attempting setup with the f5.vmware_view.v1.5.1 iapp template. The feature we really want to implement is using smartcard authentication with SAML 2.0 through the horizon client. Both the View server and F5 have been configured according to the companion guide for the iapp. The horizon client will prompt for a pin and then after a second or two display "Authentication Failure." APM logs consistently show the access policy failing at the cert inspection step. No SAML traffic appears to take place. If I attempt the same exact connection through a regular web browser via HTML 5, I can authenticate to the webtop where the authentication fails to the back end (the documentation says that's what should happen and that manual login has to occur from the webtop). The main thing is the APM log looks great. SAML authentication is seen for the browser connection the cert inspection from the same smartcard passes where it fails on connections from the Horizon client. I could really use some guidance on this.

Hi Bluzdoggy, I would open a support case, as they will be able to review log files to determine at which point authentication is failing and more quickly get your environment working. With that said, do you see the Access policy completing successfully for both clients or only HTML? There is an option in the iApp that might help a little during certificate selection, I point this out as I noted you are not passing certificate authentication when using the horizon client. This could mean you are not sending a certificate at all, or perhaps are not sending one that matches your allowed CA issued certs. Modify the question "Which CA certificate bundle do you want to use for your advertised certificate authorities?" to none. Doing so will make it so the client is able to view all client certificates rather then just certificates issued by the CA root certificate selected. Of course you will need to select a valid certificate (one that has been issued by a CA selected in question "Which CA certificate bundle do you want to use for your trusted certificate authorities?", and is valid). You could also be hitting a time out issue regarding client side ssl handshake timeout, as the default is set to 10 seconds. This means you have to enter smartcard pin and sent client certificate within 10 seconds of making your initial connection. The iApp will set this value on your client ssl profile to 60 seconds but I mention it in case you selected a pre-configured ssl client profile or for some reason are taking longer than 60 seconds to send certificate.

Want to thank you your insight into nixing the advertised certs. I now get the initial cert prompt and enter my pin, however, the failure happens at the same place. This is the same with altering the timeouts - I just set them all to indefinite for now. I will be opening a ticket, but first I am going try one other method that does not employ the iApp. It can be found here: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-third-party-integration-12-1-0/8.htmlconceptid and quite different as it comes at the problem with a true sso approach.

try to see if the correct certificate is send and if it matches the CA. if you go HTML 5 do you then the certificate part work fine?

Boneyard, I was able to access the logs on the connection server today. I actually can see the cert getting there from the client and the browser (it is the same cert - and the correct one at that). The UPN is extracted correctly as well. If I'm going there from the client, the next thing I see in the log is "Unverified CHANGEKEY message discarded, machine 'cn=ca70f223-b584-4cc4-a489-230b73bf92b6,ou=servers,dc=vdi,dc=vmware,dc=int' does not exist. All I see in the APM log at that point is "notice apmd[8946]: 01490005:5: /Common/horizon.app/horizon:Common:5f616461: Following rule 'fallback' from item 'View Client Cert Inspection' to ending 'Deny.'" The client's explanation is even more vague with "Authentication Failure." I understand that all the failures are reactionary to the Connection server not being able to find a machine that it wants to send me to. The part I don't understand is why the same connection from a web browser goes on to the SAML part of the connection (which I can see in APM but not sure where to find it on the Horizon side.

Following rule 'fallback' from item 'View Client Cert Inspection' to ending 'Deny.'" means Client cert inspection failed (there was not a valid client certificate received by the big-ip). I would verify the client certificate has not expired and was issued by the certificate authority you have selected (root ca certificate for CA should be attached to your client ssl profile as "Trusted Certificate Authorities"). I would set your logging level to debugging (check out the apm log profile you set in the iapp) and tail your apm (/var/log/apm) log while attempting to connect. Also set your ssl logging level to debug (modify /sys db log.ssl.level value Debug) and tail your ltm logs at the same time. Openssl s_client is a good way to test client certificates. Check out this solution article for a few additional client certificate trouble shooting tips: 14819

Horizon Client authentication failure

12 Replies

bluzdoggy_17129
Nimbostratus
Oct 24, 2016
Got it working last week! Just want to post this to help anyone else that may be having issues with the iApp or the configuration in general for smart card, SAML, etc. My ticket with F5 helped to point out one issue in the client ssl profile that I documented above. They believe this to be a limitation of the Horizon client. I agree since I have never had to set profiles like that for any other VIP in any other environment. The thing that F5 folks can't explain is why the cert still fails initially in the APM logs only to be accepted as valid later in the access policy.

The next part is the SAML piece. The iApp doesn't name the SAML IdP correctly (at least not in a way that the Connection servers will accept it). I had to set the IdP Entity ID to the full URL that it requires on the Connection server side in the SAML setup (). I also found that the auto-generated irule that sends assertions to the external SAML SP was inconsistent at times in posting the entire x509 cert. Sometimes the cert was truncated under the "encryption" heading while it was correct under the "signing" heading. I use the same cert for both.

At this point, after these changes, the client would show no errors. APM logs showed sessions starting and holding. But the client would never connect to the resource VM. Just constant spinning with no resource connection but no timeout either. Finally, on the connection servers, I had to uncheck all three tunnel boxes for the connection to the resource to happen even though the deployment guide specifies leaving the External URL box checked for version 12.1.x implementations. I already had the other two boxes unchecked per the guide. I would also like to point out that I am not having to use the iRule in sol84958121 for connections to succeed. Wireshark captures confirm the client connecting directly to the F5 VIPs over 443/tcp and 4172/udp (same IP address). The proxy is working as it should and load balancing is performing nicely between the two connection servers.

For the record, This is all running with F5 APM, LTM version 12.1.1, VMWare Horizon version 7.0.2 and Horizon client 4.2. Hope this helps someone out there.
Matt_A_184631
Nimbostratus
May 10, 2017
I appear to have the correct certificate bundler under "which CA certificate bundle do you want to use for your trusted certificate authoritie? but I still don't even get prompted for a 2pin auth. Any way someone could help?

Forum Discussion

Horizon Client authentication failure

12 Replies

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

Mitigating OWASP Web Application Risk: Identification and Authentication Failures using F5 XC

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Doing mTLS Authentication per URL

Monitoring Failure OAuth request

Distributed caching of authentication requests with NGINX Ingress Controller