Workspace ONE Access Horizon integration: group-entitled apps are not launched from Unified App Catalog


Issue: Workspace ONE Access Horizon integration: group-entitled apps are not launched from the unified app catalog

Description: Post integration, we noticed the app launch error only if the applications are entitled against the AD groups in the Horizon console. If we assign the Horizon app/desktop against the individual user account, we are able to launch the application successfully from the unified catalog without any issues.

 

Connection server log snippet attached:

2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ServletRequestHandler] (SESSION:b102_***_d6d4) Processing request HorizonConnectionServer/Request27357

2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ProperoAuthFilter] (SESSION:b102_***_d6d4) Attempting to authenticate against saml

2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ProperoAuthFilter] (SESSION:b102_***_d6d4) Not authenticated, requesting login page for saml

2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [AuthorizationFilter] (SESSION:b102_***_d6d4) paeCtx == null, forwarding to login page: /broker/xml

2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [AuthorizationFilter] (SESSION:b102_***_d6d4) HTTP session ID old value: FF83-***-818D, new value: CB62-***-83D8 for b102_***_d6d4

2020-07-31T10:24:08.446+02:00 DEBUG (1F00-23FC) <AJP-96> [SimpleAJPService] (ajp:broker:Request27357) Response 403 Forbidden

2020-07-31T10:24:12.164+02:00 DEBUG (1F00-21DC) <HTTPS Connection Processor> [Processor] Accepted connection on port 443 from /10.127.176.10, port:42212

2020-07-31T10:24:12.166+02:00 DEBUG (1F00-1D24) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=getCertificateChain, ok=1, msecs=0

2020-07-31T10:24:12.166+02:00 DEBUG (1F00-0E78) <pool-3-thread-2> [KeyVaultBinaryUtils] (NetHandler) Removing root certificate from chain

2020-07-31T10:24:12.168+02:00 DEBUG (1F00-0F74) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=getCertificateKey, ok=1, msecs=0

2020-07-31T10:24:12.169+02:00 DEBUG (1F00-2648) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=getCertificateChain, ok=1, msecs=0

2020-07-31T10:24:12.170+02:00 DEBUG (1F00-0E78) <pool-3-thread-2> [KeyVaultBinaryUtils] (NetHandler) Removing root certificate from chain

2020-07-31T10:24:12.171+02:00 DEBUG (1F00-1FF4) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault service got operation=getCertificateKey, ok=1, msecs=16

2020-07-31T10:24:12.196+02:00 DEBUG (1F00-1ED0) <HandshakeCompletedNotify-Thread> [PooledProcessor] Using secure protocol TLSv1.2 and cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

2020-07-31T10:24:12.213+02:00 DEBUG (1F00-08D8) <SimpleDeamonThread> [SimpleAJPService] (ajp:broker:Request27358) Request from /10.127.176.10: GET /broker/xml

2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ServletRequestHandler] (SESSION:9509_***_a3d8) Processing request HorizonConnectionServe/Request27358

2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ProperoAuthFilter] (SESSION:9509_***_a3d8) Attempting to authenticate against saml

2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ProperoAuthFilter] (SESSION:9509_***_a3d8) Not authenticated, requesting login page for saml

2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [AuthorizationFilter] (SESSION:9509_***_a3d8) paeCtx == null, forwarding to login page: /broker/xml

2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [AuthorizationFilter] (SESSION:9509_***_a3d8) HTTP session ID old value: F091-***-5152, new value: 8C98-***-159B for 9509_***_a3d8

2020-07-31T10:24:12.214+02:00 DEBUG (1F00-0434) <AJP-66> [SimpleAJPService] (ajp:broker:Request27358) Response 403 Forbidden

 

Captured SAML tracer – it reports HTTP 200 OK and all SAML parameters are the same in the working (user entitlement) and non-working (group entitlement) scenarios

VMware Horizon – 7.12 (15770369)

VMware UAG – 3.8

Workspace ONE Access – 20.01.0.0 (15509389)

 

Thanks
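A triage helper for the log snippet above, added here as an example and not part of the original post or of any VMware tooling: it groups Connection Server debug lines by broker request ID and lists the requests where the SAML filter reported no authenticated session and the broker answered 403. The function names and the line regex are assumptions derived only from the line shapes quoted above; `SAMPLE_LOG` is a constructed subset of those lines.

```python
import re

# Constructed sample: a subset of the log lines quoted in the post (IDs redacted as there).
SAMPLE_LOG = """\
2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ServletRequestHandler] (SESSION:b102_***_d6d4) Processing request HorizonConnectionServer/Request27357
2020-07-31T10:24:08.446+02:00 DEBUG (1D5C-1234) <ajp-nio-0.0.0.0-8009-exec-7> [ProperoAuthFilter] (SESSION:b102_***_d6d4) Not authenticated, requesting login page for saml
2020-07-31T10:24:08.446+02:00 DEBUG (1F00-23FC) <AJP-96> [SimpleAJPService] (ajp:broker:Request27357) Response 403 Forbidden
2020-07-31T10:24:12.213+02:00 DEBUG (1F00-08D8) <SimpleDeamonThread> [SimpleAJPService] (ajp:broker:Request27358) Request from /10.127.176.10: GET /broker/xml
2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ServletRequestHandler] (SESSION:9509_***_a3d8) Processing request HorizonConnectionServe/Request27358
2020-07-31T10:24:12.213+02:00 DEBUG (1D5C-2408) <ajp-nio-0.0.0.0-8009-exec-6> [ProperoAuthFilter] (SESSION:9509_***_a3d8) Not authenticated, requesting login page for saml
2020-07-31T10:24:12.214+02:00 DEBUG (1F00-0434) <AJP-66> [SimpleAJPService] (ajp:broker:Request27358) Response 403 Forbidden
"""

# Assumed line shape: timestamp LEVEL (pid-tid) <thread> [component] (optional context) message
LINE = re.compile(r"^\S+ \w+ +\([^)]+\) <[^>]+> \[(?P<comp>[^\]]+)\] "
                  r"(?:\((?P<ctx>[^)]*)\) )?(?P<msg>.*)$")

def correlate(log_text):
    """Group log lines by broker request ID, joining AJP lines and servlet filter lines."""
    requests, session_to_req = {}, {}
    def entry(req_id):
        return requests.setdefault(req_id, dict.fromkeys(("session", "client", "path", "auth", "authenticated", "status")))
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        comp, ctx, msg = m["comp"], m["ctx"] or "", m["msg"]
        if comp == "SimpleAJPService" and ctx.startswith("ajp:broker:Request"):
            e = entry(ctx.rsplit("Request", 1)[1])
            if (r := re.match(r"Request from /([\d.]+): \w+ (\S+)", msg)):
                e["client"], e["path"] = r[1], r[2]
            elif (r := re.match(r"Response (\d{3})", msg)):
                e["status"] = int(r[1])
        elif ctx.startswith("SESSION:"):
            if (r := re.search(r"Processing request \S+/Request(\d+)$", msg)):
                session_to_req[ctx] = r[1]  # filter lines carry only the session, not the request ID
                entry(r[1])["session"] = ctx[len("SESSION:"):]
            elif ctx in session_to_req and (r := re.match(r"Not authenticated, requesting login page for (\w+)", msg)):
                e = requests[session_to_req[ctx]]
                e["auth"], e["authenticated"] = r[1], False
    return requests

def rejected_saml(requests):
    """Request IDs where the SAML filter saw no authenticated session and the broker returned 403."""
    return sorted(k for k, e in requests.items()
                  if e["auth"] == "saml" and e["authenticated"] is False and e["status"] == 403)

if __name__ == "__main__":
    print(rejected_saml(correlate(SAMPLE_LOG)))
```

Run against a full debug log from both the working (user entitlement) and non-working (group entitlement) launch, the per-request records give a side-by-side view of where the two flows diverge.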
