Top 5 ways to mess up your Workspace ONE (Identity Manager) with Horizon Implementation

I ve lost count on how many times I messed up but turns out i am not alone. Just last couple of weeks, 3 other folks reached out to me for help on their vIDM and Horizon integration. Troubleshooting various elements was laborious and time-consuming but I did notice patterns.

Number#1 – Time synchronization

This is the number one cause of concern by a country mile. When vIDM SaaS, Horizon Connection Server, vIDM Connector and ESX hosts are out of time sync, bad things usually happen. The most common error is what the redirection from vIDM to Horizon errors out giving you this message.

idm-different sources

If you are using Horizon 7, Horizon debug logs mention few things like these.

2019-04-10T01:23:19.084+08:00 DEBUG (0B10-1318) <ajp-nio-8009-exec-3> [EventLogger] (SESSION:fa3c_***_de25) Error_Event:[BROKER_USER_AUTHFAILED_SAML_ACCESS_DENIED] “SAML access denied because of invalid assertion/artifact”: Node=hcs01.arunpc.co, Severity=AUDIT_FAIL, Time=Wed Apr 10 01:23:19 SGT 2019, Module=Broker, Source=com.vmware.vdi.broker.filters.SamlAuthFilter, Acknowledged=true

2019-04-10T01:23:19.084+08:00 ERROR (0B10-1318) <ajp-nio-8009-exec-3> [ProperoAuthFilter] (SESSION:fa3c_***_de25) Error performing authentication: Enabled SAML Authenticator’s Issuer/entityId not matched with SAML Artifact

2019-04-10T01:23:19.085+08:00 DEBUG (0B10-1318) <ajp-nio-8009-exec-3> [ProperoAuthFilter] (SESSION:fa3c_***_de25) Error performing authentication com.vmware.vdi.logger.Logger.debug(Logger.java:44)

com.vmware.vdi.broker.filters.FatalAuthException: Enabled SAML Authenticator’s Issuer/entityId not matched with SAML Artifact

The right way to do is:

  • Point our vSphere host to a public NTP provider.

time-sync-step1.jpg

Configure a public NTP hostname and an IP address(in case your host dns is faulty).

time-sync-step2.jpg

  • Configure your virtual machine to pick NTP from the vSphere host.

time-sync-step3.jpg

Number#2 – Custom ID Mapping

The following is the official documentation to integrate vIDM with Horizon Cloud on Azure. https://docs.vmware.com/en/VMware-Identity-Manager/services/com.vmware.wsair-resource/GUID-95645C43-8C84-45C9-87BE-755E9FA1F277.html

Notice the default value is ${user.userPrincipalName}

While it works in most cases, in some cases you may hit error message which says “Unable to complete login, single sign-on token is missing or invalid.”

However, if you using Azure AD Domain Services or configured with an Office 365 tenant, it could possibly be ${user.userName}@${user.domain}

https://kb.vmware.com/s/article/59265?lang=en_US

In the vIDM -> Catalog –> Virtual App Collection -> Select the Collection and you can find this option.

horizon tenant

Number#3 – Misconfigured Access Policy

This is 101, but I ve missed this a few times. Below is where you can find the access policy. If you don’t configure this correctly, you will get Logon Errors “Incorrect username/password”.

Access Policy.jpg

Once you select the Access Policy, configure the Network Range correctly with Authentication Method.

network range.jpg

Number#4 – Horizon Application Sync

There are many places to sync in vIDM. Firstly, you will need to sync user groups and users from Active Directory Connector into vIDM. The users will be required to have First name, Last name and Email address to be imported into vIDM.

vapps-sync-step1.jpgNext will be importing Horizon Applications into vIDM. If it says there is nothing to be synced, it may be worthwhile to change something and initiate a sync.

Number#5 – Permission for the Active Directory Service Account

During the setup of Horizon Cloud on Azure, there is a requirement to provide an AD account to bind to the domain. If the exact permissions for this account is not specified, you will end up getting the following error.

domain-bind-error

The right permissions for the account are:

Error: Unable to Perform Domain Join

List Contents [Under Applies to : This object and all descendant objects]

Read All Properties [Under Applies to : This object and all descendant objects]

Write All Properties [Under Applies to : This object and all descendant objects]

Read Permissions [Under Applies to : This object and all descendant objects]

Reset Password [Under Applies to : descendant Computer Object]

Create Computer Objects [Under Applies to : This object and all descendant objects]

Delete Computer Objects [Under Applies to : This object and all descendant objects]

 Hope it helps!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s