...
Using SmartCard Authentication with certain users in an Active Directory Group fails.

You receive a message: 'You are not entitled to use this system'

Connection Server Debug Log files contain entries similar to:

[ws_admin] GetColumn failed, error 80005010 {SESSION:aec1_***_5f7f}
The Active Directory LDAP tokenGroups search on entry CN=USERNAME,OU=GROUP,OU=ORGANISATIONALUNIT,OU=ORGANISATIONALUNIT,DC=DOMAIN,DC=local failed to return any values. This occurs when access to tokenGroups is denied in Active Directory {SESSION:aec1_***_5f7f}
[ws_admin] The user's tokenGroups attribute needs to be obtained so that their group membership based entitlements can be determined {SESSION:aec1_***_5f7f}
Please ensure in Active Directory that the computer account for this Connection Server has access to this user's tokenGroups attribute {SESSION:aec1_***_5f7f}

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Notes:
You have verified that the same user can access the connection server using their Active Directory Credentials (Username and Password).
The user affected is part of a group that is entitled to the desktop pool that you wish to access.
If you entitle this user and the group to the desktop pool manually, the user is now able to authenticate to the desktop pool using Smart Card Authentication.
Other users in the same Active Directory group can also access the pool without any issue.

For more information on connection server log locations, see Location of VMware View log files (1027744).
This issue occurs because of a lack of permissions on the Active Directory User Account.
To resolve this issue, provide the required permission to the user in Active Directory.

To provide the required permission to the user in Active Directory:

1. Compare the Active Directory user permissions of a user who can access the system using SmartCard Authentication with those of the users who are denied access.
2. In the user properties dialog box, in the security tab, select the Read permission in the Authenticated Users group.

Notes:
The connection server must have access to this user's tokenGroups attribute.
Some users in the group may already have this permission, which allows them to access the pools through SmartCard Authentication, while others are denied access because this permission is not set.
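
The comparison in step 1 can be scripted instead of clicking through each user's security tab. The following PowerShell is an added example, not part of the VMware article; it assumes the RSAT ActiveDirectory module, uses two placeholder account names, and checks only the Read permission for Authenticated Users (well-known SID S-1-5-11) that the article names.

```powershell
# Added example. Requires the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

$AuthenticatedUsersSid = 'S-1-5-11'   # well-known SID for Authenticated Users
$GenericRead = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead

function Get-AuthenticatedUsersReadAce {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    # Resolve trustees as SIDs so the match does not depend on the OS language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $isAuthUsers = $ace.IdentityReference.Value -eq $AuthenticatedUsersSid
        $hasRead = (([int]$ace.ActiveDirectoryRights) -band $GenericRead) -eq $GenericRead
        if ($isAuthUsers -and $hasRead) {
            [pscustomobject]@{
                User      = $SamAccountName
                Type      = $ace.AccessControlType   # Allow or Deny
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder account names: one user for whom smart card logon works, one who is denied.
$accounts = 'working.user', 'denied.user'

foreach ($name in $accounts) {
    $aces = @(Get-AuthenticatedUsersReadAce -SamAccountName $name)
    if ($aces.Count -eq 0) {
        Write-Warning "${name}: no Read ACE for Authenticated Users on the user object"
    } else {
        $aces | Format-Table -AutoSize
    }
    # A Deny ACE overrides an Allow, so report it explicitly.
    if ($aces | Where-Object { $_.Type -eq 'Deny' }) {
        Write-Warning "${name}: a Deny ACE for Authenticated Users Read is present"
    }
}
```

A user who shows no Allow entry, or a Deny entry, while the working user shows an Allow entry is a candidate for the permission change in step 2.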
Location of VMware View log files

Token Group Access Articles:
Logs contain "Failed to obtain UPN for user" error when the Cloud Pod Architecture feature is enabled (2111547)
Logging in to a Horizon View Connection Server using Smartcard Authentication fails (2103964)
A CPA desktop launch on remote pod fails when global entitlements are assigned using user groups with WinAuthException: Error while obtaining token groups: Failed to get login token for domain (52849)