Weslleyy Posted August 8
Hello everyone,
We are trying to set up TrueSSO with Azure. The SAML configuration appears to be correct, but when we start the desktop, it asks for a username and password. I noticed that some people have logs similar to the one below, but I am unsure where to find these logs. I have searched both the enrollment server and the connection server without success. Could someone please guide me on where to locate these logs?
Kind regards,

I followed the guide and put in the example, as this looked like it would use sAMAccountName, which in my case is the same ('frank'); however, this didn't make any difference. Here is a sanitized bit of the log:

[samlAuthFilter] (SESSION:e694_***_2097) Processing Saml Type-A Assertion
[samlAuthFilter] (SESSION:e694_***_2097) SAML auth received a valid UPN: frank@mydomain.com
[WinAuthUtils] (SESSION:e694_***_2097) Sending UPN to winauth service: frank@mydomain.com
[ProperoAuthFilter] (SESSION:e694_***_2097) Error performing authentication: Error instantiating PAEContext for frank@mydomain.com: com.vmware.vdi.common.winauth.WinAuthException: Failed to retrieve user information for the users with given upns: Failed to obtain sid for user - sid not available - ErrorCode = 1
[ProperoAuthFilter] (SESSION:e694_***_2097) Error performing authentication com.vmware.vdi.logger.Logger.debug(Logger.java:44) com.vmware.vdi.broker.filters.FatalAuthException: Error instantiating PAEContext for frank@mydomain.com: com.vmware.vdi.common.winauth.WinAuthException: Failed to retrieve user information for the users with given upns: Failed to obtain sid for user - sid not available - ErrorCode = 1
Carl Stalhood Posted August 8
Is there an account in your local Active Directory that has a UPN that matches the UPN provided by SAML?
Weslleyy (Author) Posted August 8
2 minutes ago, Carl Stalhood said: Is there an account in your local Active Directory that has a UPN that matches the UPN provided by SAML?
Hello Carl, I even used your guide 🙂. The log I mentioned is an example from this forum because I am unable to find these logs. Do you know where I can locate them? Thank you!
Carl Stalhood Posted August 8
On Connection Servers, under C:\Programdata\VMware\VDM\logs
Rico Posted August 8 (edited)
Have you completed all the steps, like setting up a certificate authority if you don't have one already, installing the enrollment servers (on separate servers) and linking these to the connection servers? I believe the SAML authentication is working fine; it's just a matter of adding an Enterprise Application in Entra or any other identity provider and setting some settings on the connection servers. But this does not cover TrueSSO. Both are completely independent of each other, but both are needed for the best Single Sign On experience. I did this a few months ago without any issue. We are using UPN.
Edited August 8 by Rico
Jack McMichael (Employee) Posted August 8
To be clear, are you expecting TrueSSO to leverage SAML to log in to Windows? If so, you may need to read up on how TrueSSO works and how exactly it's used.
Weslleyy (Author) Posted August 13
On 8/8/2024 at 6:09 PM, Jack McMichael said: To be clear, are you expecting TrueSSO to leverage SAML to log in to Windows? If so, you may need to read up on how TrueSSO works and how exactly it's used.
What I expect is that when I log into the View client and complete my SAML login through Azure, my virtual machine will start automatically without requiring an additional login. Is this what TrueSSO is, or am I mistaken? Because right now the machine opens and I have to log in again: first in the Horizon client and again in the virtual machine.
Weslleyy (Author) Posted August 13
On 8/8/2024 at 4:30 PM, Carl Stalhood said: On Connection Servers, under C:\Programdata\VMware\VDM\logs
This is what I see in the logs:

Unable to perform CertSso, CertSso enabled by Saml_And_CertssoOn, user: , domainName: , domainFqdn: , error details: Domain has no CertSso connector configured.

The Enrollment Server/Connection Server are in one domain, while the users are in another. Could that be the issue?
Weslleyy (Author) Posted August 13 (Solution)
Added the second domain and now it's working!
Jack McMichael (Employee) Posted August 13
7 hours ago, Weslleyy said: What I expect is that when I log into the View client and complete my SAML login through Azure, my virtual machine will start automatically without requiring an additional login. Is this what TrueSSO is, or am I mistaken? Because right now the machine opens and I have to log in again: first in the Horizon client and again in the virtual machine.
TrueSSO leverages certificate authentication to log in to Windows on the backend, authenticating the user via SAML but passing a certificate to Windows to perform the actual login.
5 hours ago, Weslleyy said: Added the second domain and now it's working!
Yes, you'll need the certificate Enrollment Server to understand the domain that the user is part of. Glad you got it working!
Weslleyy (Author) Posted August 14
Yes, it's working great. I'm testing some things now. What I've noticed is that when the enrollment server is down, users are prompted to log in as an administrator. I was hoping it would just let the user type their login, but instead they first have to click on 'Change User.' This seems to be why we need two enrollment servers, I guess. Also, I'm checking the CA for the certificates for the logged-in user, but I can't find them anywhere?
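As an added illustration (not code from any poster in this thread or from the Horizon product), here is a small Python triage script that scans Connection Server debug-log text for the two failure signatures quoted above and maps each to the cause the thread identified. The sample lines are constructed from the excerpts quoted in the thread, and the `Finding` dataclass, the cause codes and the hint text are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the log excerpts quoted in this thread
# (not real output from any system). The Connection Server debug logs live
# under C:\ProgramData\VMware\VDM\logs, per Carl's reply above.
SAMPLE_LOG = """\
[samlAuthFilter] (SESSION:e694_***_2097) Processing Saml Type-A Assertion
[samlAuthFilter] (SESSION:e694_***_2097) SAML auth received a valid UPN: frank@mydomain.com
[ProperoAuthFilter] (SESSION:e694_***_2097) Error performing authentication: Error instantiating PAEContext for frank@mydomain.com: com.vmware.vdi.common.winauth.WinAuthException: Failed to retrieve user information for the users with given upns: Failed to obtain sid for user - sid not available - ErrorCode = 1
Unable to perform CertSso, CertSso enabled by Saml_And_CertssoOn, user: , domainName: , domainFqdn: , error details: Domain has no CertSso connector configured.
"""

# Failure signature (substring from the thread) -> (my own cause code, hint from the thread's diagnosis).
SIGNATURES = {
    "sid not available": (
        "UPN_NOT_IN_LOCAL_AD",
        "The UPN asserted by SAML has no matching account in local AD; compare the AD user's UPN with the SAML NameID.",
    ),
    "Domain has no CertSso connector configured": (
        "ENROLLMENT_SERVER_MISSING_DOMAIN",
        "The Enrollment Server is not configured for the user's domain; add that domain to the Enrollment Server (this thread's fix).",
    ),
}

SESSION_RE = re.compile(r"\(SESSION:([^)]+)\)")
UPN_RE = re.compile(r"received a valid UPN: (\S+@\S+)")


@dataclass
class Finding:
    session: Optional[str]  # broker session id, if the line carried one
    upn: Optional[str]      # last UPN seen for that session before the failure
    code: str
    hint: str


def triage(log_text: str) -> List[Finding]:
    """Single pass: remember the latest UPN per session, emit a Finding per known failure line."""
    last_upn: Dict[Optional[str], str] = {}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        session = m.group(1) if m else None
        u = UPN_RE.search(line)
        if u:
            last_upn[session] = u.group(1)  # a UPN line is never itself a failure
            continue
        for needle, (code, hint) in SIGNATURES.items():
            if needle in line:
                findings.append(Finding(session, last_upn.get(session), code, hint))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: session={f.session} upn={f.upn}\n  -> {f.hint}")
```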