Bad True SSO Template Causes Horizon Launches to Fail

Recently I ran into an issue where a misconfigured True SSO template caused Horizon launches to fail when launching through Workspace ONE Access. The error looked similar to this:

The desktop agent logs were not reporting any errors whatsoever, and SAML was succeeding just fine because we were able to authenticate into the Connection Server. The Connection Server logs, however, showed this:

 (SESSION:d409_***_b949) [DOMAIN\username, Desktop=<desktopPoolName>] (13ms): Application launch failed, exception was: The agent returned an error response [ERROR-CODE=AGENT_ERR_SSO_REQUIRED]

Launching directly from the Horizon Client/HTML worked just fine. The interesting part was that True SSO was showing all green in the Horizon Console – no template misconfigurations reported. Once we disabled True SSO via vdmUtil and in Workspace ONE Access, launches began succeeding. This pointed us toward the certificate template, despite what the Horizon Console was telling us.

Sure enough, under the Cryptography tab in the template, Legacy Cryptographic Service Provider was set in the Provider Category. Per the True SSO instructions, this MUST be set to Key Storage Provider. Note: do NOT click Apply at any point when configuring a certificate template. This locks down many fields, including this one, and you will not be able to change it. Delete it and start fresh if this happens.

Good template shown on left – Bad template shown on right

Once the certificate was correctly configured and True SSO was re-enabled, launches from WSO Access immediately began working. It was interesting that the Horizon Console was not detecting that this particular field on the template was misconfigured, as it will detect it on certain fields and show up as a warning in the console.

Hopefully someone running into this issue can benefit from this post, as I was not able to find any relevant KBs out there. Enjoy!