
True SSO logging


Weslleyy

Hello everyone,

We are trying to set up TrueSSO with Azure. The SAML configuration appears to be correct, but when we start the desktop, it asks for a username and password. I noticed that some people have logs similar to the one below, but I am unsure where to find these logs. I have searched both the enrollment server and the connection server without success.

Could someone please guide me on where to locate these logs?

Kind regards,


I followed the guide and put in the example, as this looked like it would use sAMAccountName, which in my case is the same 'frank'; however, this didn't make any difference.

Here is a sanitized bit of the log:

[samlAuthFilter] (SESSION:e694_***_2097) Processing Saml Type-A Assertion

[samlAuthFilter] (SESSION:e694_***_2097) SAML auth received a valid UPN: frank@mydomain.com

[WinAuthUtils] (SESSION:e694_***_2097) Sending UPN to winauth service: frank@mydomain.com

[ProperoAuthFilter] (SESSION:e694_***_2097) Error performing authentication: Error instantiating PAEContext for frank@mydomain.com: com.vmware.vdi.common.winauth.WinAuthException: Failed to retrieve user information for the users with given upns: Failed to obtain sid for user - sid not available - ErrorCode = 1

[ProperoAuthFilter] (SESSION:e694_***_2097) Error performing authentication com.vmware.vdi.logger.Logger.debug(Logger.java:44)

com.vmware.vdi.broker.filters.FatalAuthException: Error instantiating PAEContext for frank@mydomain.com: com.vmware.vdi.common.winauth.WinAuthException: Failed to retrieve user information for the users with given upns: Failed to obtain sid for user - sid not available - ErrorCode = 1


2 minutes ago, Carl Stalhood said:

Is there an account in your local Active Directory that has a UPN that matches the UPN provided by SAML?

Hello Carl,

I even used your guide 🙂. The log I mentioned is an example from this forum because I am unable to find these logs. Do you know where I can locate them?

Thank you!


Have you completed all the steps, like setting up a certificate authority if you don’t have it already, and installed the enrollment servers (on separate servers) and linked these to the connection servers?

I believe the SAML authentication is working fine, it’s just a matter of adding an Enterprise Application in Entra or any other identity provider and setting some settings on the connection servers. But this does not cover TrueSSO.

Both are completely independent of each other, but both are needed for the best Single Sign On experience.

I have done this a few months ago without any issue. We are using UPN.

Edited by Rico

On 8/8/2024 at 6:09 PM, Jack McMichael said:

To be clear, are you expecting TrueSSO to leverage SAML to login to Windows? If so, you may need to read up on how TrueSSO works and how it's exactly used.

What I expect is that when I log into the View client and complete my SAML login through Azure, my virtual machine will start automatically without requiring an additional login. Is this what true SSO is, or am I mistaken? Because now the machine opens and I have to log in again, so first in the Horizon client and again in the virtual machine.

 


On 8/8/2024 at 4:30 PM, Carl Stalhood said:

On Connection Servers, under C:\Programdata\VMware\VDM\logs

Unable to perform CertSso, CertSso enabled by Saml_And_CertssoOn, user: , domainName: , domainFqdn: , error details: Domain  has no CertSso connector configured.

This is what I see in the logs: the Enrollment Server/Connection Server are in one domain, while the users are in another. Could that be the issue?


  • Employee
7 hours ago, Weslleyy said:

What I expect is that when I log into the View client and complete my SAML login through Azure, my virtual machine will start automatically without requiring an additional login. Is this what true SSO is, or am I mistaken? Because now the machine opens and I have to log in again, so first in the Horizon client and again in the virtual machine.

 

TrueSSO leverages certificate authentication to login to Windows on the backend, authenticating the user via SAML but passing a certificate to Windows to perform the actual login. 

 

5 hours ago, Weslleyy said:

Added the second domain and now it's working!

 

Yes, you’ll need the certificate Enrollment server to understand the domain that the user is part of. Glad you got it working!


Yes, it's working great. I'm testing some things now. What I've noticed is that when the enrollment server is down, users are prompted to log in as an administrator. I was hoping it would just let the user type their login, but instead, they first have to click on 'Change User.' This seems to be why we need two enrollment servers, I guess. Also, I'm checking the CA for the certificates for the logged in user, but I can't find them anywhere?

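A triage script for the two log signatures quoted in this thread, added here as an example; it was not posted by any participant and is not VMware's own tooling. The signature names, hint texts and sample lines are constructed for illustration; the log directory and the matched message text are the ones given in the thread.

```powershell
# Added example (not from the thread). Matched text is copied from the log
# lines quoted above; names and hints are illustrative assumptions.
param([string]$LogDir = 'C:\ProgramData\VMware\VDM\logs')  # path given in the thread

$Signatures = @(
    [pscustomobject]@{
        Name    = 'NoCertSsoConnector'
        Pattern = 'Unable to perform CertSso.*has no CertSso connector configured'
        Hint    = "The user's domain is not known to the TrueSSO setup; add that domain."
    }
    [pscustomobject]@{
        Name    = 'SidNotAvailable'
        Pattern = 'Failed to obtain sid for user - sid not available'
        Hint    = 'Check that an AD account has a UPN matching the one sent by SAML.'
    }
)

# Constructed sample lines, modelled on the sanitized lines in the thread.
$Sample = @'
[samlAuthFilter] (SESSION:aaaa_***_0001) SAML auth received a valid UPN: user@example.test
[ProperoAuthFilter] (SESSION:aaaa_***_0001) Error performing authentication: Failed to obtain sid for user - sid not available - ErrorCode = 1
Unable to perform CertSso, CertSso enabled by Saml_And_CertssoOn, user: , domainName: , domainFqdn: , error details: Domain  has no CertSso connector configured.
'@

function Get-TrueSsoFinding {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        foreach ($sig in $Signatures) {
            if ($Line -notmatch $sig.Pattern) { continue }
            # Not every line carries a session id (the CertSso line above does not).
            $session = if ($Line -match '\(SESSION:([^)]+)\)') { $Matches[1] } else { '(none)' }
            [pscustomobject]@{ Signature = $sig.Name; Session = $session; Hint = $sig.Hint }
        }
    }
}

# Read the real logs when the directory exists; otherwise fall back to the sample.
$lines = if (Test-Path -LiteralPath $LogDir) {
    Get-ChildItem -LiteralPath $LogDir -File |
        Select-String -Pattern $Signatures.Pattern | ForEach-Object { $_.Line }
} else { $Sample -split "`r?`n" }

# The same failure is logged several times per attempt, so collapse repeats.
$lines | Get-TrueSsoFinding | Group-Object Signature, Session | ForEach-Object {
    [pscustomobject]@{ Signature = $_.Group[0].Signature; Session = $_.Group[0].Session
                       Hits = $_.Count; Hint = $_.Group[0].Hint }
} | Format-List
```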
