edennyvm Posted July 8 Posted July 8 Overnight, and without making changes, TFA for Horizon stopped working. It goes through the authentication process (Duo) but when the browser tries to redirect to https://<oururl>/portal/samlsso it says page cannot be reached. This is happening with the Horizon client, web client as well as with our folks using thin clients. Horizon client logs indicate a SAML error (Your client was not launched with valid SAML2 credentials. Please contact your Administrator). If I disable SAML auth on the UAG everything works. Anyone seen this issue before?
vRickE Posted July 8 Posted July 8 Export a log bundle from the UAG and look at the log called esmanager.log look for entries related to samlsso. It might give you the UAG side of the story. I am too dealing with some issues with Dell Thin OS, but mine started after upgrading to UAG 2312 and using the ThinOS 2405 with client 2312 SDK version which is what they say to use now. If I roll back to the client non-SDK version, it works fine. But checking the thin OS logs I see the same event you are seeing, and the users get an error You are not Entitled to use the system!
Sean Massey-1 Posted July 9 Posted July 9 Have you opened a ticket with support? Sean Massey Independent Consultant/Analyst/Blogger | VCDX-EUC 247 Vice Chairman of the Board - World of EUC Blog: thevirtualhorizon.com Mastodon: @seanpmassey@vmst.io Instagram/Thread: @seanpmassey LI: https://www.linkedin.com/in/seanpmassey/
edennyvm Posted July 10 Author Posted July 10 A support ticket has been opened. Did find something interesting.... The IP assigned to the UAG and the IP showing in the admin console are different. I can access the console with the assigned IP. When I try and change the IP it says saving and does nothing.
edennyvm Posted July 10 Author Posted July 10 Got it working. It was a combo of setting the correct time zone on the UAG and I had to re-import the TLS cert and Identity Provider metadata . We did not make any changes on our end so Duo must had did something to mess with our UAG.
edennyvm Posted July 15 Author Posted July 15 (edited) Well the issue came back. VMware support is saying that it is a clock skew issue between the UAG and Duo. 07/07 15:52:39,585+0000[nioEventLoopGroup-10-2]ERROR interceptor.ViewPortalProxyRequestInterceptor[doSamlSso: 255][107.77.208.216][][][f87b-***-67fe-***-7920-***-47ea]: UAGE00265: Error on performing SAML validation: SAML Assertion is valid between NotBefore: 2024-07-07T15:53:37Z[UTC] and NotOnOrAfter: 2024-07-07T15:59:07Z[UTC]. Please check following 1. UAG and Identity Provider time is in sync 2. SAML assertion validity set in Identity Provider is enough to account for clock skew. I changed the time zone on the UAG and everything worked for a few days then started acting up again. I have a ticket open with Duo. And now 2 hours later it is randomly working again. What a weird issue. Edited July 15 by edennyvm
Daniel Keer Posted July 16 Posted July 16 (edited) For the SAML what IdP are you using? I have a UAG setup with Entra ID SAML and Entra is setup to use Duo and I've had no issues. Edited July 16 by Daniel Keer vExpert ⭐⭐ | Omnissa Tech Insider Blog theDXT.ca
hermanc@imsweb.com Posted July 16 Posted July 16 I ran into the exact same clock skew issue when integrating with ADFS; even though the UAGs, Horizon, ADFS are all synced with our NTP servers. I ended up changing the 'NotBeforeSkew' value to '1' on the relying party in ADFS and I never had the issue since.
edennyvm Posted July 17 Author Posted July 17 (edited) I ended up building a new UAG from scratch. The UAG that was having issues magically started working again, on its own, but I didn't trust it. Built a new UAG, needed to upgrade anyways, without importing the settings from the old one. So far everything seems to be working as it should. Chad Herman - Thanks for the info. If this issues creeps up again, I will have to look at those values you mentioned. Edited July 17 by edennyvm
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now