Symptoms
This issue can occur when the following features are implemented:
- Horizon 2006 or later is deployed
- Users connect externally via the Unified Access Gateway
- Multi-Factor Authentication is enabled, for example, RSA or other MFA types that use SAML
- The Horizon Connection Servers are configured with the "pre-login message" feature
End users observe the following behaviour (although it may vary):
- The first login attempt fails but succeeds on the second attempt.
- Users are presented with "Failed to connect to Connection Server" after accepting the presented disclaimer (pre-login message configured on the Connection Server).
- The following log entry may be observed on the Connection Server:
2021-05-01T01:45:32.965Z ERROR (01B4-14E0) <ajp-nio-0.0.0.0-8009-exec-4> [XmlAuthFilter] (SESSION:d5bb_***_b964) CSRF attempt from IP address 10.1.10.100 failed - missing token
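To pull this entry out of a Connection Server log and see which source addresses and sessions are affected, a small triage script can help. This is an added example, not part of the original article or any vendor tooling; the regular expression is derived only from the single log line above (other builds may format it differently), and every sample line except the first is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern built from the one log entry shown in this article (assumption:
# other Horizon builds may format the line differently).
CSRF_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})Z\s+ERROR\s+.*?"
    r"\[XmlAuthFilter\]\s+\(SESSION:(?P<session>[^)]+)\)\s+"
    r"CSRF attempt from IP address (?P<ip>\S+) failed - (?P<reason>.+?)\s*$"
)

def parse_csrf_line(line):
    """Return a dict for an XmlAuthFilter CSRF rejection, or None."""
    m = CSRF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%f")
    return rec

def summarize(lines):
    """Group 'missing token' rejections by source IP address."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None, "sessions": set()})
    for line in lines:
        rec = parse_csrf_line(line)
        if rec is None or rec["reason"] != "missing token":
            continue
        s = out[rec["ip"]]
        s["count"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        s["sessions"].add(rec["session"])
    return dict(out)

# Constructed sample input: line 1 is the entry from the article, the rest
# are made-up variations (line 4 is a deliberately non-matching line).
SAMPLE = [
    "2021-05-01T01:45:32.965Z ERROR (01B4-14E0) <ajp-nio-0.0.0.0-8009-exec-4> [XmlAuthFilter] (SESSION:d5bb_***_b964) CSRF attempt from IP address 10.1.10.100 failed - missing token",
    "2021-05-01T01:47:10.120Z ERROR (01B4-14E0) <ajp-nio-0.0.0.0-8009-exec-7> [XmlAuthFilter] (SESSION:a1c2_***_77f0) CSRF attempt from IP address 10.1.10.100 failed - missing token",
    "2021-05-01T01:50:02.004Z ERROR (01B4-14E0) <ajp-nio-0.0.0.0-8009-exec-2> [XmlAuthFilter] (SESSION:9e0f_***_31aa) CSRF attempt from IP address 10.1.10.101 failed - missing token",
    "2021-05-01T01:51:00.000Z INFO (01B4-14E0) <constructed-thread> [ConstructedLogger] constructed non-matching line",
]

if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE).items()):
        print(ip, s["count"], s["first"].isoformat(), s["last"].isoformat(), sorted(s["sessions"]))
```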
Cause
This issue occurs because presenting and accepting the pre-login message causes the HTTP session ID to change. The changed session is then rejected by the Cross-Site Request Forgery (CSRF) implementation in the latest releases of Horizon.
Resolution
This combination is not supported. From the 2303 Release Notes:
2686004, 2672069: The CSRF feature for Horizon HTML Access introduced in Horizon 2006 does not support the combination of a pre-login message configured on the Connection Server with SAML authentication through Unified Access Gateway.
Workaround: If you use this combination of features and the Horizon version, disable this pre-login message on Connection Server. A pre-login message should instead be configured on the SAML IdP so that it is presented to the user before the user enters their credentials.
Workaround
As noted in the release notes, configure a display banner on the Unified Access Gateway instead and remove the pre-login message on the Connection Server.