I actually can see the cert getting there from the client and the browser (it is the same cert - and the correct one at that). The iApp will set this value on your client ssl profile to 60 seconds but I mention it in case you selected a pre-configured ssl client profile or for some reason are taking longer than 60 seconds to send certificate.īoneyard, I was able to access the logs on the connection server today.
This means you have to enter smartcard pin and sent client certificate within 10 seconds of making your initial connection. You could also be hitting a time out issue regarding client side ssl handshake timeout, as the default is set to 10 seconds. Of course you will need to select a valid certificate (one that has been issued by a CA selected in question "Which CA certificate bundle do you want to use for your trusted certificate authorities?", and is valid). Doing so will make it so the client is able to view all client certificates rather then just certificates issued by the CA root certificate selected. Modify the question "Which CA certificate bundle do you want to use for your advertised certificate authorities?" to none.
This could mean you are not sending a certificate at all, or perhaps are not sending one that matches your allowed CA issued certs. With that said, do you see the Access policy completing successfully for both clients or only HTML? There is an option in the iApp that might help a little during certificate selection, I point this out as I noted you are not passing certificate authentication when using the horizon client. I would open a support case, as they will be able to review log files to determine at which point authentication is failing and more quickly get your environment working.
I could really use some guidance on this. SAML authentication is seen for the browser connection the cert inspection from the same smartcard passes where it fails on connections from the Horizon client. The main thing is the APM log looks great. If I attempt the same exact connection through a regular web browser via HTML 5, I can authenticate to the webtop where the authentication fails to the back end (the documentation says that's what should happen and that manual login has to occur from the webtop). The horizon client will prompt for a pin and then after a second or two display "Authentication Failure." APM logs consistently show the access policy failing at the cert inspection step. Both the View server and F5 have been configured according to the companion guide for the iapp. The feature we really want to implement is using smartcard authentication with SAML 2.0 through the horizon client. Currently attempting setup with the f5.vmware_view.v1.5.1 iapp template. I am running Big IP version 12.1.0 with APM and Horizon View 7.0.1.
0 kommentar(er)
