We are currently running into a vexing problem:
We have a Horizon 7 environment, brand new. Two Windows security servers paired with their respective Connection servers. These handle external VDI logins/proxying/HTML access/whatever.
We also have a pair of internal Connection Servers purely to handle internal access, no 2-factor auth set up on those. Those are working just fine.
When we turn off 2-factor auth on the outside world (simple AD authentication) everyone can log in and select their desktops, connect through just fine.
As soon as we turn on RADIUS 2-factor auth, outside users can log in via AD, are presented with their token challenge, and authenticate fine - they're presented with their desktop to launch.
They cannot launch those desktops, getting the "All available desktop sources for this desktop are currently busy" message.
- We specifically do NOT have SSO enabled globally - users need to log in via AD then log into their Linux desktops separately on a different LDAP domain. This is very much by design.
From the VCS logs, as I try to log in with my Active Directory credentials and find my Linux desktop, which is probably still logged in with my LDAP credentials:
2016-04-14T09:26:20.622-06:00 DEBUG (093C-10F4) <ajp-nio-8009-exec-7> [DesktopsHandler] (SESSION:4022_***_de50) SSO has expired for USER:ENT\mm003908;USERSID:S-1-5-21-1037617167-3997139302-1244395442-25058;USERDN:CN=S-1-5-21-1037617167-3997139302-1244395442-25058,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int; for DESKTOP launch.
.
.
2016-04-14T09:26:20.630-06:00 DEBUG (093C-10F4) <ajp-nio-8009-exec-7> [FarmImp] (SESSION:4022_***_de50) User's domain not matched for SSO: ENT
2016-04-14T09:26:20.631-06:00 TRACE (093C-10F4) <ajp-nio-8009-exec-7> [FarmImp] (SESSION:4022_***_de50) fallbackSSPItoUnencrypted: true
2016-04-14T09:26:20.631-06:00 DEBUG (093C-10F4) <ajp-nio-8009-exec-7> [FarmImp] (SESSION:4022_***_de50) Not using SSO, user's domain: ENT, session's domain: null
2016-04-14T09:26:20.632-06:00 DEBUG (093C-10F4) <ajp-nio-8009-exec-7> [EventLogger] (SESSION:4022_***_de50) Info_Event:[BROKER_MACHINE_ALLOCATED] "User ENT\mm003908 requested Pool ubuntu14, allocated machine null": ProtocolId=[BLAST], MachineId=12124395-0192-4c1d-b3c7-fd37a5113613, SessionType=DESKTOP, PoolId=ubuntu14, Node=pw00vdimgt001.ent.ad.dg.local, DesktopId=ubuntu14, Severity=INFO, Time=Thu Apr 14 09:26:20 MDT 2016, Source=com.vmware.vdi.sessionclientapi.FarmImp, UserSID=S-1-5-21-1037617167-3997139302-1244395442-25058, Module=Broker, UserDisplayName=ENT\mm003908, Acknowledged=true
Later on, it looks like it polls that desktop and tries to match up my AD credentials with my LDAP username for some reason?
2016-04-14T09:26:34.803-06:00 TRACE (093C-10F0) <ajp-nio-8009-exec-5> [DesktopTracker] (SESSION:4022_***_de50) Checking session: {LOCATIONID=891b3b621e36cec614caf6c0a523b8ceef9e90b7afffd52d728d43fb587b3cd5, CLIENTADDRESS=127.0.1.1, SESSIONID=21, USERSID=s-1-5-21-1037617167-3997139302-1244395442-25058, CONNECTIONID=60C6_***_123D, LBPREFERENCE=MED, STATE=Disconnected, DYNAMICIPADDRESS=10.92.80.207, LASTCONNECTTICK=1460646335000, REMOTABLECONTENT=true, SERVERDN=cn=12124395-0192-4c1d-b3c7-fd37a5113613,ou=servers,dc=vdi,dc=vmware,dc=int, BROKERUSERSID=s-1-5-21-1037617167-3997139302-1244395442-25058, USERNAME=mbantz, SERVERPOOLDN=cn=ubuntu14,ou=server groups,dc=vdi,dc=vmware,dc=int, DOMAINS=[ent.ad.dg.local, pu00infwks015], DOMAINNAME=ENT, STARTTICK=1460067544000, PROTOCOLS=[{STATUS=negotiate, PORT=22443, NAME=BLAST}], SERVERDNSNAME=pu00infwks015, PROTOCOL=BLAST, USERDN=CN=S-1-5-21-1037617167-3997139302-1244395442-25058,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int, LISTENERS=[], FIRSTCONNECTTICK=1460067546000, BROKERINGENDPOINTID=, LASTDISCONNECTTICK=1460646824000, STARTTIME=1460067544, LEGACYMESSAGING=false, SESSIONGUID=3978-***-9788, SESSIONTYPE=DESKTOP, MESSAGETIMESTAMPLONG=1460647592502, CLIENTNAME=pu00infwks015, APPIDHISTORY=, SECURITYGATEWAYID=}
2016-04-14T09:26:34.803-06:00 TRACE (093C-10F0) <ajp-nio-8009-exec-5> [DesktopTracker] (SESSION:4022_***_de50) For user: S-1-5-21-1037617167-3997139302-1244395442-25058 matched the session: {LOCATIONID=891b3b621e36cec614caf6c0a523b8ceef9e90b7afffd52d728d43fb587b3cd5, CLIENTADDRESS=127.0.1.1, SESSIONID=21, USERSID=s-1-5-21-1037617167-3997139302-1244395442-25058, CONNECTIONID=60C6_***_123D, LBPREFERENCE=MED, STATE=Disconnected, DYNAMICIPADDRESS=10.92.80.207, LASTCONNECTTICK=1460646335000, REMOTABLECONTENT=true, SERVERDN=cn=12124395-0192-4c1d-b3c7-fd37a5113613,ou=servers,dc=vdi,dc=vmware,dc=int, BROKERUSERSID=s-1-5-21-1037617167-3997139302-1244395442-25058, USERNAME=mbantz, SERVERPOOLDN=cn=ubuntu14,ou=server groups,dc=vdi,dc=vmware,dc=int, DOMAINS=[ent.ad.dg.local, pu00infwks015], DOMAINNAME=ENT, STARTTICK=1460067544000, PROTOCOLS=[{STATUS=negotiate, PORT=22443, NAME=BLAST}], SERVERDNSNAME=pu00infwks015, PROTOCOL=BLAST, USERDN=CN=S-1-5-21-1037617167-3997139302-1244395442-25058,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int, LISTENERS=[], FIRSTCONNECTTICK=1460067546000, BROKERINGENDPOINTID=, LASTDISCONNECTTICK=1460646824000, STARTTIME=1460067544, LEGACYMESSAGING=false, SESSIONGUID=3978-***-9788, SESSIONTYPE=DESKTOP, MESSAGETIMESTAMPLONG=1460647592502, CLIENTNAME=pu00infwks015, APPIDHISTORY=, SECURITYGATEWAYID=}
2016-04-14T09:26:34.803-06:00 DEBUG (093C-10F0) <ajp-nio-8009-exec-5> [DesktopTracker] (SESSION:4022_***_de50) {getMachineStatesForPoolAndUser} Found no non-matching sessions.
2016-04-14T09:26:34.804-06:00 TRACE (093C-10F0) <ajp-nio-8009-exec-5> [FarmImp] (SESSION:4022_***_de50) Using port: 22443 for BLAST
2016-04-14T09:26:34.804-06:00 DEBUG (093C-10F0) <ajp-nio-8009-exec-5> [SessionUtil] (SESSION:4022_***_de50) Not disconnecting session: ENT\mbantz(CN=S-1-5-21-1037617167-3997139302-1244395442-25058,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int)/21@cn=12124395-0192-4c1d-b3c7-fd37a5113613,ou=servers,dc=vdi,dc=vmware,dc=int.cn=ubuntu14,ou=server groups,dc=vdi,dc=vmware,dc=int:BLAST:22443:DESKTOP with CAP ID: 60C6_***_123D
It looks like Horizon is mismatching my AD credentials (ENT\mbantz is definitely not my AD account/username) and won't disconnect the logged-in user or allow me to even just see the damn desktop to log into my Linux machine.
TL;DR - I specifically don't want to use SSO (I have to have AD auth for Horizon access, but the desktops are on an LDAP domain). When using 2-factor auth in Horizon 7 I cannot reconnect to a logged-in Linux desktop. If I reboot the desktop or log out of it when done, I can reconnect just fine. Dammit.
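A small log-triage helper, added here as an example and not part of the original post or of Horizon itself. It parses the two kinds of lines quoted above (the `BROKER_MACHINE_ALLOCATED` event and the `DesktopTracker` "Checking session" dump), correlates them by user SID, and reports any session the broker matched whose `USERNAME` is a different account from the one that authenticated, which is the symptom described (SID `...-25058` resolving to both `mm003908` and `mbantz`). The sample lines are constructed, abridged copies of the post's own log lines; the regexes and field names are assumptions based only on that format and should be checked against a real `debug-*.txt` before relying on them.

```python
"""Triage helper for Horizon Connection Server debug logs (example code).

Flags desktop sessions that the broker matched to an authenticated user's
SID but that carry a different USERNAME, so a "busy" / "not disconnecting"
result can be traced to a SID-to-account mismatch instead of a pool issue.
"""
import re
from typing import Dict, List

# Constructed sample, abridged from the post's log lines (session dump trimmed
# to the fields this check uses).
SAMPLE_LOG = r"""
2016-04-14T09:26:20.632-06:00 DEBUG (093C-10F4) <ajp-nio-8009-exec-7> [EventLogger] (SESSION:4022_***_de50) Info_Event:[BROKER_MACHINE_ALLOCATED] "User ENT\mm003908 requested Pool ubuntu14, allocated machine null": ProtocolId=[BLAST], MachineId=12124395-0192-4c1d-b3c7-fd37a5113613, SessionType=DESKTOP, PoolId=ubuntu14, UserSID=S-1-5-21-1037617167-3997139302-1244395442-25058, Module=Broker, UserDisplayName=ENT\mm003908, Acknowledged=true
2016-04-14T09:26:34.803-06:00 TRACE (093C-10F0) <ajp-nio-8009-exec-5> [DesktopTracker] (SESSION:4022_***_de50) Checking session: {SESSIONID=21, USERSID=s-1-5-21-1037617167-3997139302-1244395442-25058, STATE=Disconnected, USERNAME=mbantz, DOMAINS=[ent.ad.dg.local, pu00infwks015], DOMAINNAME=ENT, PROTOCOLS=[{STATUS=negotiate, PORT=22443, NAME=BLAST}], SERVERDNSNAME=pu00infwks015, SESSIONTYPE=DESKTOP}
2016-04-14T09:26:34.804-06:00 DEBUG (093C-10F0) <ajp-nio-8009-exec-5> [SessionUtil] (SESSION:4022_***_de50) Not disconnecting session: ENT\mbantz(...)/21@cn=12124395-0192-4c1d-b3c7-fd37a5113613,ou=servers,dc=vdi,dc=vmware,dc=int
"""

# Assumed line shapes, derived only from the lines quoted in the post.
BROKER_RE = re.compile(
    r'Info_Event:\[BROKER_MACHINE_ALLOCATED\] "User (?P<user>[^ ]+) requested Pool '
    r'(?P<pool>[^,]+), allocated machine (?P<machine>[^"]+)"'
)
SESSION_RE = re.compile(r"\[DesktopTracker\] .*?Checking session: (\{.*\})\s*$")
SID_RE = re.compile(r"UserSID=([^,\s]+)")


def split_top_level(text: str) -> List[str]:
    """Split on commas that are not nested inside [] or {} (DOMAINS, PROTOCOLS)."""
    parts, depth, buf = [], 0, []
    for ch in text:
        if ch in "[{":
            depth += 1
        elif ch in "]}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf).strip())
    return parts


def parse_session(dump: str) -> Dict[str, str]:
    """Turn '{K=V, K2=[a, b], ...}' into a dict; nested values are kept as raw text."""
    body = dump.strip()[1:-1]  # drop the outer braces
    fields: Dict[str, str] = {}
    for item in split_top_level(body):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def find_sid_user_mismatches(log_text: str) -> List[Dict[str, str]]:
    """Correlate broker allocations with tracked sessions by SID.

    A finding means the broker resolved the authenticated user's SID to a
    desktop session whose USERNAME is a different account; Horizon will then
    treat that session as the user's own and neither disconnect it nor
    allocate a fresh machine.
    """
    allocations: Dict[str, Dict[str, str]] = {}  # lower-cased SID -> broker details
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = BROKER_RE.search(line)
        if m:
            sid_m = SID_RE.search(line)
            if sid_m:
                allocations[sid_m.group(1).lower()] = {
                    "broker_user": m.group("user").split("\\")[-1],
                    "pool": m.group("pool"),
                    "allocated_machine": m.group("machine"),
                }
            continue
        m = SESSION_RE.search(line)
        if not m:
            continue
        sess = parse_session(m.group(1))
        sid = sess.get("USERSID", "").lower()
        alloc = allocations.get(sid)
        if alloc is None:
            continue
        if sess.get("USERNAME", "").lower() != alloc["broker_user"].lower():
            findings.append({
                "sid": sid,
                "session_id": sess.get("SESSIONID", ""),
                "state": sess.get("STATE", ""),
                "session_user": sess.get("USERNAME", ""),
                **alloc,
            })
    return findings


if __name__ == "__main__":
    for f in find_sid_user_mismatches(SAMPLE_LOG):
        print(f"SID {f['sid']}: broker user {f['broker_user']} matched session "
              f"{f['session_id']} owned by {f['session_user']} ({f['state']}), "
              f"pool {f['pool']}, allocated machine {f['allocated_machine']}")
```

Run it against a Connection Server `debug-*.txt` by reading the file into `find_sid_user_mismatches`; each finding names the SID, the two usernames, the session state and the `allocated machine` value (`null` in the post), which is the evidence to hand to support rather than a pool-capacity guess.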