Barry Ling

Horizon SSO with Workspace One Access (TrueSSO)

Updated: Sep 16


True SSO adds a single sign-on capability to Horizon for users who authenticate with SAML (Security Assertion Markup Language) through Workspace ONE Access or a third-party IdP (Identity Provider).


True SSO provides a seamless logon by converting the SAML assertion into the certificate-based authentication that Active Directory already supports for smart cards. The Enrollment Server requests a user certificate from a Microsoft CA on behalf of the authenticated user, and that certificate is used to log the user on to the desktop or RDS host where the Horizon Agent is installed; Horizon never needs the user's AD password.


In this blog I use Workspace ONE Access as the portal and Identity Provider. The user logs in to Workspace ONE Access once and is signed on to Horizon without a second authentication.


First, integrate Horizon with Workspace ONE Access. The blog post linked below describes how to do so.




After the integration you can continue with the procedure below, which involves the following components:

  • Horizon Connection Server

  • Horizon Enrollment Server

  • Microsoft CA Server


To configure True SSO, follow the steps below.





1. Set up the Horizon Enrollment Server


  • Prepare a new Windows Server for this role.

  • Log in to the Windows Server.

  • Run the Horizon Connection Server installer as administrator (the Enrollment Server is a role of the same installer).


  • Click "Next".


  • Select "I accept the terms in the license agreement".

  • Click "Next".


  • Click "Next".


  • Select "Horizon Enrollment Server".

  • Click "Next".


  • Select "Configure Windows Firewall automatically".

  • Click "Next".


  • Click "Install".


  • Click "Finish".




2. Set up the CA


The first step is a Microsoft CA server. You can use an existing Enterprise CA if you have one; otherwise set one up with the following procedure.


  • Prepare a Windows server for the purpose.

  • Log in to the Windows Server and launch Server Manager.

  • Click "Manage" and select "Add Roles and Features".


  • Click "Next".


  • Select "Role-based or feature-based installation".

  • Click "Next".


  • Select "Select a server from the server pool".

  • Select this Windows Server.

  • Click "Next".


  • Check "Active Directory Certificate Services".

  • Click "Next".


  • Leave the defaults and click "Add Features".


  • Leave the defaults and click "Next".


  • Leave the defaults and click "Next".


  • Click "Next".


  • Select "Certification Authority".

  • Click "Next".


  • Check "Restart the destination server automatically if required".

  • Click "Install".


  • Click the Flag icon on the top right corner of Server Manager.

  • Click "Configure Active Directory Certificate Services on th...".


  • Enter an account with sufficient privileges (an Enterprise CA can only be configured by a member of Enterprise Admins).

  • Click "Next".


  • Check "Certification Authority".

  • Click "Next".


  • Select "Enterprise CA".

  • Click "Next".


  • Select "Root CA".

  • Click "Next".


  • Select "Create a new private key".

  • Click "Next".


  • Select "RSA#Microsoft Software Key Storage Provider".

  • Select "4096" for Key Length.

  • Select "SHA256".

  • Click "Next".


  • Provide a name for the CA.

  • Click "Next".


  • Define the validity period of the CA certificate and click "Next".


  • Click "Next".


  • Click "Configure".


  • Click "Close".
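The same CA installation as a script, added here as an example and not part of the original post. It is run in an elevated PowerShell session on the future CA server and assumes the CA common name "testdom-rootca" (the name that appears in the vdmUtil output in step 9) and a 10-year CA certificate; change both to suit your environment.

```powershell
# Added example: Enterprise Root CA with the same parameters chosen in the wizard above
# (RSA 4096 in the Microsoft Software Key Storage Provider, SHA-256). Assumed values: the
# CA common name and the 10-year validity.
$CaName = 'testdom-rootca'

# Role install; -IncludeManagementTools brings the Certification Authority console used in step 3.
if (-not (Get-WindowsFeature ADCS-Cert-Authority).Installed) {
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
}

# "Enterprise CA" + "Root CA" + "Create a new private key" from the wizard, in one call.
# -Force suppresses the confirmation prompt; drop it if you want to review the summary first.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# Sanity check: the CA service is up and the CA certificate uses the key size we asked for.
function Test-CaKeySize {
    param([int]$Expected = 4096)
    $caCert = Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CaName*" } | Select-Object -First 1
    if (-not $caCert) { return $false }
    return ($caCert.PublicKey.Key.KeySize -eq $Expected) -and ((Get-Service certsvc).Status -eq 'Running')
}
Test-CaKeySize
```

A root CA that issues end-entity certificates directly, as this lab does, is fine for testing. In production the root should be offline and the True SSO templates published on a subordinate Enterprise issuing CA; the rest of the procedure is the same.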





3. Create the Certificate Template


In this step I create a certificate template on the Microsoft CA for the logon certificates that the Enrollment Server will request on behalf of users.


  • Launch Active Directory Users and Computers on a Domain Controller.

  • Create a security group for True SSO; the Enrollment Server computer accounts will be its members.


  • In Active Directory Users and Computers, search for the computer object of the Horizon Enrollment Server.

  • Right-click it and select "Properties".

  • Click "Member Of" tab.

  • Add the newly created TrueSSO group.

  • Click "OK".


  • Log in to the CA server.

  • Launch the "Certification Authority" tool.


  • Select the CA server.

  • Select "Certificate Templates" folder.

  • Right-click it and select "Manage".


  • From the template list, look for "Smartcard Logon".

  • Right-click it and select "Duplicate Template".


  • Click the "Compatibility" tab.

  • Select "Windows Server 2016" for Certification Authority and "Windows 10 / Windows Server 2016" for Certificate recipient.


  • Click the "General" tab.

  • Configure the settings as shown. Give the template a display name (this post uses "TrueSsoTemplate", the name that appears in the vdmUtil output in step 9) and keep the validity period short: the certificate is only needed for the logon itself.


  • Click the "Request Handling" tab.

  • Configure the settings as shown.


  • Click the "Cryptography" tab.

  • Configure the settings as shown. The minimum key size of 2048 and the SHA256 request hash are the values the vdmUtil listing in step 9 reports for the template.


  • Click the "Subject Name" tab.

  • Configure the settings as shown.


  • Click the "Server" tab.

  • Configure the settings as shown. The "Do not store certificates and requests in the CA database" option on this tab only takes effect once the DBFLAGS_ENABLEVOLATILEREQUESTS flag is set on the CA at the end of this step.


  • Click the "Issuance Requirements" tab.

  • Configure the settings as shown. Requiring one authorized signature with the "Certificate Request Agent" application policy is what ties this template to the Enrollment Agent (Computer) certificate the Enrollment Server obtains in step 4: only a holder of that certificate can request logon certificates for other users.


  • Click the "Security" tab.

  • Add the TrueSSO group.

  • Grant it the "Read" and "Enroll" permissions. Do not grant "Enroll" to broader groups such as Domain Users; only the Enrollment Server should be able to request these certificates.

  • Click "OK".


  • Back in the Certification Authority tool, select the "Certificate Templates" folder.

  • Right-click and select "New".

  • Select "Certificate Template to Issue".


  • Select the newly created True SSO template.

  • Click "OK".


  • Back in the Certification Authority tool, select the "Certificate Templates" folder.

  • Right-click and select "Manage".


  • Look for "Enrollment Agent (Computer)".

  • Right-click it and select "Properties".


  • On the "Security" tab, add the newly created TrueSSO group.

  • Grant it the "Read" and "Enroll" permissions. This is the sensitive template: a certificate issued from it can sign requests for logon certificates of any user, so limit "Enroll" strictly to the TrueSSO group, and consider the "Enrollment Agents" tab in the CA's properties to restrict which templates, and which users, the agent may enroll for.


  • Back in the Certification Authority tool, select the "Certificate Templates" folder.

  • Right-click and select "New".

  • Select "Certificate Template to Issue".


  • Select the "Enrollment Agent (Computer)" template.

  • Click "OK".


  • Open an elevated command prompt on the CA server.

  • Run the command "certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS". This lets the CA issue from templates marked "Do not store certificates and requests in the CA database", so the short-lived True SSO certificates do not fill the CA database.


  • Run the command "certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE". This tells the CA to ignore "revocation server offline" errors when it validates the Enrollment Agent signature on incoming requests, so logons keep working if the CRL distribution point is unreachable. It is a deliberate weakening of revocation checking; keep the CRL distribution point available regardless.


  • Run the command "net stop certsvc".

  • Run the command "net start certsvc" so the registry changes take effect.
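The CA-side changes of this step as a PowerShell script with a verification function, added here as an example and not part of the original post. It assumes the template display name "TrueSsoTemplate" from the vdmUtil output in step 9 and the default internal name "MachineEnrollmentAgent" of the "Enrollment Agent (Computer)" template; the template itself is still created in the Certificate Templates console as described above.

```powershell
# Added example: apply the two CA flags, publish both templates, restart certsvc and verify.
# Assumed names: TrueSsoTemplate (template created above) and MachineEnrollmentAgent
# (internal name of the built-in "Enrollment Agent (Computer)" template).
$TrueSsoTpl = 'TrueSsoTemplate'
$AgentTpl   = 'MachineEnrollmentAgent'

# Same registry flags as the certutil commands above (quoted so PowerShell passes the '+' through).
certutil -setreg DBFlags '+DBFLAGS_ENABLEVOLATILEREQUESTS' | Out-Null
certutil -setreg 'ca\CRLFlags' '+CRLF_REVCHECK_IGNORE_OFFLINE' | Out-Null
Restart-Service certsvc

# Publish the templates on this CA (the TrueSSO group must already have Read + Enroll on both).
certutil -SetCATemplates "+$TrueSsoTpl" | Out-Null
certutil -SetCATemplates "+$AgentTpl"   | Out-Null

# Returns a list of problems; an empty list means the CA is ready for True SSO.
function Test-TrueSsoCaConfig {
    param([string[]]$Templates = @($TrueSsoTpl, $AgentTpl))
    $problems = @()
    # certutil -getreg decodes the flag bits by name, so a text match is enough here.
    if (-not ((certutil -getreg DBFlags) -match 'DBFLAGS_ENABLEVOLATILEREQUESTS')) {
        $problems += 'DBFLAGS_ENABLEVOLATILEREQUESTS is not set on the CA'
    }
    if (-not ((certutil -getreg 'ca\CRLFlags') -match 'CRLF_REVCHECK_IGNORE_OFFLINE')) {
        $problems += 'CRLF_REVCHECK_IGNORE_OFFLINE is not set on the CA'
    }
    # Each published template is listed by its internal name at the start of a line.
    $published = certutil -CATemplates
    foreach ($t in $Templates) {
        if (-not ($published -match "^$([regex]::Escape($t))\b")) {
            $problems += "template $t is not published on this CA"
        }
    }
    return $problems
}

$issues = Test-TrueSsoCaConfig
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'CA flags set and both templates published' }
```

Run it in an elevated session on the CA. If the check reports a template as not published although it appears in the console, the template may have been created under a different internal name; `certutil -CATemplates` shows the name to pass in.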





4. Request a Certificate on the Enrollment Server


  • Log in to the Horizon Enrollment Server and open MMC.

  • Click "File" and "Add/Remove snap-in".

  • Select "Certificates" and click "Add".


  • Select "Computer account".

  • Click "Next".


  • Click "Finish".


  • Click "OK".


  • In the MMC tool, select "Personal" folder.

  • Right-click it and select "All Tasks" -> "Request New Certificate".


  • Click "Next".


  • Select "Active Directory Enrollment Policy".

  • Click "Next".


  • Check "Enrollment Agent (Computer)".

  • Click "Enroll".


  • Click "Finish".



5. Export the Certificate from the Connection Server


  • Log in to the Horizon Connection Server and open MMC.

  • Click "File" and "Add/Remove snap-in".

  • Select "Certificates" and click "Add".


  • Select "Computer account".

  • Click "Next".


  • Click "Finish".


  • Click "OK".


  • Select folder "VMware Horizon View Certificates" -> "Certificates".

  • Look for certificate with the Friendly Name "vmd.ec".


  • Right-click the certificate and select "All Tasks" -> "Export".


  • Click "Next".


  • Select "No, do not export the private key". The Enrollment Server only needs the public certificate to trust requests from this Connection Server; the private key stays on the Connection Server.

  • Click "Next".


  • Select "DER encoded binary X.509 (.CER)".

  • Click "Next".


  • Choose a location for the exported file.

  • Click "Next".


  • Click "Finish".




6. Import the Certificate to the Enrollment Server


  • Log in to the Horizon Enrollment Server and open MMC.

  • Go to the Certificates snap-in.

  • Select the folder "VMware Horizon View Enrollment Server Trusted Roots".

  • Right-click it and select "All Tasks" -> "Import".


  • Click "Next".


  • Select the certificate file exported in the previous step.

  • Click "Next".


  • Click "Next".


  • Click "Finish".
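Steps 4 to 6 as PowerShell, with a check that the Enrollment Server ends up holding both certificates True SSO depends on. This is an added example, not code from the original post. It assumes the "Enrollment Agent (Computer)" template keeps its default internal name "MachineEnrollmentAgent" and that the exported file is copied between the two servers as C:\Temp\vdm.ec.cer; the Horizon store names are the ones shown in the MMC steps above.

```powershell
# Added example. Export-HorizonEnrollmentClientCert runs on the Connection Server (step 5);
# the other two functions run on the Enrollment Server (steps 4 and 6, then verification).
# Assumed: template internal name MachineEnrollmentAgent, transfer path C:\Temp\vdm.ec.cer.
$HorizonCertStore  = 'VMware Horizon View Certificates'
$EnrollTrustStore  = 'VMware Horizon View Enrollment Server Trusted Roots'
$RequestAgentEku   = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU OID

function Open-LocalMachineStore([string]$Name, [string]$Access) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($Name, 'LocalMachine')
    $store.Open($Access)
    return $store
}

# Step 5: write the public "vdm.ec" certificate as DER (.cer), never the private key.
function Export-HorizonEnrollmentClientCert {
    param([string]$Path = 'C:\Temp\vdm.ec.cer')
    $store = Open-LocalMachineStore $HorizonCertStore 'ReadOnly'
    try {
        $cert = $store.Certificates | Where-Object { $_.FriendlyName -eq 'vdm.ec' } | Select-Object -First 1
        if (-not $cert) { throw "No certificate with friendly name vdm.ec in '$HorizonCertStore'" }
        $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [IO.File]::WriteAllBytes($Path, $der)
        return $cert.Thumbprint    # hand this to Test-TrueSsoEnrollmentServer on the other side
    } finally { $store.Close() }
}

# Step 4 + step 6 on the Enrollment Server.
function Initialize-TrueSsoEnrollmentServer {
    param([string]$ConnectionServerCert = 'C:\Temp\vdm.ec.cer',
          [string]$AgentTemplate = 'MachineEnrollmentAgent')
    # Step 4: enroll the computer for the Enrollment Agent certificate via the AD enrollment policy.
    $res = Get-Certificate -Template $AgentTemplate -CertStoreLocation Cert:\LocalMachine\My
    if ($res.Status -ne 'Issued') { throw "Enrollment agent request status: $($res.Status)" }
    # Step 6: import the Connection Server's public certificate into the Horizon-specific trust store.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ConnectionServerCert)
    $store = Open-LocalMachineStore $EnrollTrustStore 'ReadWrite'
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

# Verification: a valid agent cert with private key and the right EKU, and the expected
# Connection Server certificate (by thumbprint, not just any certificate) in the trust store.
function Test-TrueSsoEnrollmentServer {
    param([Parameter(Mandatory)][string]$ConnectionServerThumbprint)
    $problems = @()
    $agent = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $RequestAgentEku })
    }
    if (-not $agent) { $problems += 'no valid Enrollment Agent (Computer) certificate with a private key' }
    $store = Open-LocalMachineStore $EnrollTrustStore 'ReadOnly'
    try { $trusted = $store.Certificates | Where-Object { $_.Thumbprint -eq $ConnectionServerThumbprint } }
    finally { $store.Close() }
    if (-not $trusted) { $problems += "Connection Server certificate $ConnectionServerThumbprint is not trusted" }
    return $problems
}
```

Initialize-TrueSsoEnrollmentServer only succeeds once the Enrollment Server's computer account is in the TrueSSO group and the server has been rebooted so its Kerberos ticket carries the new group membership; otherwise Get-Certificate is denied on the template. Pass the thumbprint returned by the export to Test-TrueSsoEnrollmentServer so the check is against the exact certificate you copied.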



7. Enable SAML on the Connection Server


  • Log in to the Horizon Connection Server admin console.

  • Click "Servers" on the left pane.

  • Click "Connection Servers" tab.

  • Select the Connection Server and click "Edit".


  • Select the "Authentication" tab.

  • Set "Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator)" to "Allowed".

  • Click "Manage SAML Authenticators".


  • Click "Add".


  • Select "Dynamic".

  • Give the configuration a name.

  • Enter the metadata URL of the Workspace ONE Access server. Use an HTTPS URL whose certificate the Connection Server trusts: the Connection Server downloads the IdP signing certificate from this metadata, so the URL is the trust anchor for every SAML assertion it will accept.

  • Click "OK".


  • Click "OK".


  • Click "OK".




8. Enable True SSO on Workspace ONE Access


  • Log in to the Workspace ONE Access admin console.

  • Click "Resources" -> "Virtual Apps Collections".

  • Select the Horizon collection.

  • Click "Edit".


  • Select the "Pod and Federation" tab.

  • Click the name of the Horizon Connection Server.


  • Enable the "TrueSSO" setting.

  • Click "Save".


  • Click "Next".


  • Click "Next".


  • Click "Save".



9. Enable True SSO on the Connection Server


  • Log in to the Horizon Connection Server admin console.

  • Select "Servers" from left pane.

  • Select "Connection Servers" tab.

  • Select the Connection Server name and click "Edit".


  • Select "Authentication" tab.


  • Scroll down to the "Current User Authentication" settings.

  • Select "Enabled" for True SSO integration.

  • Click "OK".


  • Log in to the Horizon Connection Server and open an elevated command prompt.

  • Change to the vdmUtil directory:

cd %PROGRAMFILES%\VMware\VMware View\Server\tools\bin



  • Run the following command to add the Enrollment Server to the environment. Every vdmUtil command below takes the administrator's password on the command line, so run them from an administrator-only session and do not keep them in scripts or shell history.


vdmUtil --authAs <username> --authDomain <netbios domain name> --authPassword <password> --truesso --environment --add --enrollmentServer <FQDN of Enrollment Server Machine>



  • Run the following command to list the Enrollment Server settings.


vdmUtil --authAs <username> --authDomain <netbios domain name> --authPassword <password> --truesso --environment --list --enrollmentServer <FQDN of Enrollment Server Machine> --domain <FQDN of Domain>



  • The output is similar to the following. "Enrollment CertState: VALID" confirms that the Enrollment Agent certificate from step 4 was found; the template and CA names listed are the values to pass to the next command.


Enrollment server: enrollServer.testinglab.local
  Domain: testinglab.local
    Forest:
      Name: testinglab.local
      Enrollment CertState: VALID
      Template(s):
        Name: TrueSsoTemplate
          Minimum key length: 2048
          Hash algorithm: SHA256
      Certificate Authority(s):
        Name: testdom-rootca


  • Run the following command to create the True SSO connector, using the template name and CA common name reported above.


vdmUtil --authAs <username> --authDomain <netbios domain name> --authPassword <password> --truesso --create --connector --domain <FQDN of domain> --template <name> --primaryEnrollmentServer <FQDN of Enrollment Server> --certificateServer <Common name of CA> --mode enabled



  • Run the following command to list the SAML authenticators.


vdmUtil --authAs <username> --authDomain <netbios domain name> --authPassword <password> --truesso --list --authenticator



  • The output is similar to the following.


Authenticator(s) found: 1
  Name: vidm.testinglab.local
    TrueSSO Mode: DISABLED



  • Run the following command to enable True SSO for the SAML authenticator.


vdmUtil --authAs <username> --authDomain <netbios domain name> --authPassword <password> --truesso --authenticator --edit --name <authenticator name> --truessoMode ENABLED



  • List the authenticators again. The mode should now be ENABLE_IF_NO_PASSWORD, which means True SSO is used only when the SAML login did not supply the user's password; if Workspace ONE Access passes a password through, that password is used for the Windows logon instead. (--truessoMode ALWAYS forces certificate logon even when a password is available.)


vdmUtil --authAs <username> --authDomain <netbios domain name> --authPassword <password> --truesso --list --authenticator


Authenticator(s) found: 1
  Name: vidm.testinglab.local
    TrueSSO Mode: ENABLE_IF_NO_PASSWORD
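A small wrapper around the vdmUtil commands of this step, added here as an example and not part of the original post. It reads the password interactively instead of leaving it in the shell history, and parses the "TrueSSO Mode:" lines of the authenticator listing so a script can assert on the final state. Assumed: the default Connection Server install path, the authenticator name from the sample output above, and the NetBIOS domain name "TESTINGLAB" for the lab domain testinglab.local.

```powershell
# Added example. Assumed: default vdmUtil path, NetBIOS domain TESTINGLAB, authenticator
# name vidm.testinglab.local (taken from the sample output above).
$VdmUtil = Join-Path $env:ProgramFiles 'VMware\VMware View\Server\tools\bin\vdmUtil.exe'

function Invoke-VdmUtil {
    param([string]$User, [string]$Domain,
          [System.Security.SecureString]$Password, [string[]]$Arguments)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # The password is still passed as an argument, so it is visible in this process's
        # command line while vdmUtil runs; it just never lands in the console history.
        & $VdmUtil --authAs $User --authDomain $Domain --authPassword $plain @Arguments
    } finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Parse "--truesso --list --authenticator" output into a name -> mode table. The format is
# the one printed in the post: a "Name:" line followed by its "TrueSSO Mode:" line.
function ConvertFrom-TrueSsoAuthenticatorList {
    param([string[]]$Lines)
    $modes = @{}; $name = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Name:\s*(\S+)') { $name = $Matches[1] }
        elseif ($name -and $line -match '^\s*TrueSSO Mode:\s*(\S+)') {
            $modes[$name] = $Matches[1]; $name = $null
        }
    }
    return $modes
}

# Offline check of the parser on a constructed copy of the sample output above.
$sample = @('Authenticator(s) found: 1', 'Name: vidm.testinglab.local', 'TrueSSO Mode: DISABLED')
if ((ConvertFrom-TrueSsoAuthenticatorList $sample)['vidm.testinglab.local'] -ne 'DISABLED') {
    throw 'parser self-check failed'
}

# Live use on the Connection Server: enable True SSO on the authenticator and confirm the change.
$Authenticator = 'vidm.testinglab.local'
$cred   = Get-Credential -Message 'Horizon administrator (user name without domain)'
$common = @{ User = $cred.UserName; Domain = 'TESTINGLAB'; Password = $cred.Password }
Invoke-VdmUtil @common -Arguments @('--truesso', '--authenticator', '--edit',
    '--name', $Authenticator, '--truessoMode', 'ENABLED') | Out-Null
$modes = ConvertFrom-TrueSsoAuthenticatorList (Invoke-VdmUtil @common -Arguments @('--truesso', '--list', '--authenticator'))
if ($modes[$Authenticator] -ne 'ENABLE_IF_NO_PASSWORD') {
    throw "Unexpected True SSO mode for ${Authenticator}: $($modes[$Authenticator])"
}
```

The same Invoke-VdmUtil function serves the --environment and --create --connector commands earlier in this step; only the -Arguments array changes.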





----- END -----

