Omnissa Horizon and the case of the mistaken identity

Hello? Is this thing on?

I can’t believe it’s been two years since I last published something on my site. A lot has happened in the meantime, but that’s not the reason for dusting off my keyboard, something I won’t bother you with today.

Let’s go troubleshooting!

Recently, I was asked to troubleshoot an issue where a user gets an error message stating: "Authentication Failed – You are not entitled to use the system."

The message seems straightforward; under any other circumstances, it wouldn’t have been an error requiring escalation.

If only it was that simple

However, in this case, the user launched a virtual app (hosted on Horizon) via Workspace ONE Access. So, the user was definitely entitled to the application because otherwise, it wouldn’t have been visible in the first place.

Checking the events in the Horizon Console showed that the user was trying to authenticate with an old account in an old domain, which was unexpected as the user authenticated to Workspace ONE Access with their new account.

Further digging in the logs and cross-checking with Active Directory, I found several users with the same issue who had two accounts, one in the old domain and one in the new domain.

Now, the Horizon setup is part of an Active Directory domain that has several trusts. Our customer was working on a domain migration and thus migrated the user accounts from Domain A to Domain B. Part of this process was to retain the User Principal Name (UPN).

To the logs!

Checking the Horizon logs on the Connection Server showed that even though the correct UPN was provided via the SAML artifact, the LDAP query returned the wrong account due to the duplicate UPN.

Changing the domain trust configuration wasn't an option at that point, so the remaining option was to ensure there were no duplicate UPNs across the trusted domains. Once the duplicates were gone, the issue was resolved.
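A quick way to catch this condition before the next migrated user hits it is to audit all trusted domains for UPN collisions. The script below is an added example, not from the original post or from Omnissa; it assumes the ActiveDirectory RSAT module is installed, that the account running it can read users in each domain over the trusts, and the two domain FQDNs are placeholders to replace.

```powershell
# Added example (not from the original post): find UPNs that exist in more than one
# trusted domain, the condition that made the Horizon Connection Server's LDAP
# lookup by UPN return the wrong account.
# Assumes the ActiveDirectory RSAT module; domain names are placeholders.
Import-Module ActiveDirectory

$domains = @('olddomain.example', 'newdomain.example')   # placeholder FQDNs

# Collect every user that actually has a UPN set, tagged with the domain it came from.
$users = foreach ($d in $domains) {
    Get-ADUser -Server $d -LDAPFilter '(userPrincipalName=*)' -Properties UserPrincipalName, Enabled |
        Select-Object @{Name = 'Domain'; Expression = { $d } },
                      SamAccountName, UserPrincipalName, Enabled, DistinguishedName
}

# Group-Object is case-insensitive by default, which matches how UPNs are compared.
# Any group with more than one member is a UPN that an LDAP query alone cannot disambiguate.
$duplicates = $users |
    Group-Object -Property UserPrincipalName |
    Where-Object { $_.Count -gt 1 }

if (-not $duplicates) {
    Write-Output 'No duplicate UPNs found across the listed domains.'
}
else {
    foreach ($g in $duplicates) {
        Write-Output ("Duplicate UPN: {0} ({1} accounts)" -f $g.Name, $g.Count)
        # Showing Enabled and the DN makes it obvious which copy is the stale pre-migration account.
        $g.Group | Format-Table Domain, SamAccountName, Enabled, DistinguishedName -AutoSize
    }
}
```

Run it as part of the migration checklist so a retained UPN on a not-yet-cleaned-up source account is caught before SAML logins start failing.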
