Symptoms
The below error is seen:"This Horizon server expects to get your logon credentials from another application or server, not directly through the client login screen. If you usually access Horizon from another application, please launch that application."General troubleshooting:Check Horizon connection server debug logs for more error details.Sometimes it may fail at workspace connector end during SAML resolution.Check on below:Timestamp of WorkspaceONE appliance and Horizon are in syncCheck for horizon.log in WorkspaceONE appliance for the string SAMLArtifactResolverController.If found, check the failure message and it can be one of the following:Note down the issuer. Check Horizon configuration. Ensure that you have configured the Horizon connection server in VMware Identity Manager with the same name as issuer printed in log. If different, please change it and save the Horizon config and re-try.If you see "Invalid artifact resolver signature" error,Please restart all Connection Server and Identity Manager nodes, and perform a Save and Sync of the Horizon Virtual Apps Collection configuration in VMware Identity Manager.If you see "SAMLArtifactResolverController - Invalid SAML artifact provided in the SAML artifact request parameter or artifact may be expired if received resolution request after long time. SAML Artifact received in request":It is possible that the SAML resolution request is received to IDM after 200 seconds. Please check for the delay. Notice the time taken by end user between click of the launch and getting the error msg. If it is ~3 minutes, failure is expected and check the reason for the delay.Check IDM Load balancer configuration. All the requests should come to the primary cluster and LB should not flip requests to primary and secondary cluster. Check the persistence on the LB.
Resolution
If following exception is seen in connection server logs:Caused by: org.apache.http.conn.HttpHostConnectException: Connect to workspace.mydomain.org:443 [workspace.mydomain.org/10.10.10.2] failed: Connection timed out: connect workspace.mydomain.org --> is an example. It changes based on WorkspaceONE config used in your environment.Check if WorkspaceONE appliance is responsive and Increase memory and vCPU based on load recommendations.
