True SSO enables a single sign-on feature in Horizon using SAML (Security Assertion Markup Language) authentication via Workspace ONE Access or third-party IdPs (Identity Providers).
True SSO provides a seamless login experience by converting SAML assertions into the certificate-based authentication that traditional Active Directory supports. The Enrollment Server requests short-lived client certificates on behalf of the user, and this certificate is used to log the user in to the desktop or RDS host where the Horizon Agent is installed, so no Active Directory password is needed.
In this blog I will use Workspace ONE Access as the portal and Identity Provider. The user logs in to Workspace ONE Access only once and is signed on to Horizon without a second authentication.
First of all, you need to integrate Horizon with Workspace ONE Access. You may refer to the blog below on how to do so.
After the integration, you can continue the setup with the following procedures. The setup involves the following components:
Horizon Connection Server
Horizon Enrollment Server
Microsoft CA Server
To configure True SSO, follow the steps below.
1. Setup Horizon Enrollment Server
Prepare a new Windows Server for this purpose.
Log in to the Windows Server.
Run the Horizon Connection Server installation file as administrator.
Click "Next".
Select "I accept the terms in the license agreement".
Click "Next".
Click "Next".
Select "Horizon Enrollment Server".
Click "Next".
Select "Configure Windows Firewall automatically".
Click "Next".
Click "Install".
Click "Finish".
2. Setup CA
The next step is to set up a Microsoft CA server. You may use an existing CA server if you have one, or set up a new one with the following procedure.
Prepare a Windows Server for this purpose.
Log in to the Windows Server and launch Server Manager.
Click "Manage" and select "Add Roles and Features".
Click "Next".
Select "Role-based or feature-based installation".
Click "Next".
Select "Select a server from the server pool".
Select this windows Server.
Click "Next".
Check "Active Directory Certificate Services".
Click "Next".
Leave the defaults and click "Add Features".
Leave default and click "Next".
Leave default and click "Next".
Click "Next".
Select "Certification Authority".
Click "Next".
Check "Restart the destination server automatically if required".
Click "Install".
Click the Flag icon on the top right corner of Server Manager.
Click "Configure Active Directory Certificate Services on th...".
Enter a user account with sufficient privileges to configure the CA.
Click "Next".
Check "Certification Authority".
Click "Next".
Select "Enterprise CA".
Click "Next".
Select "Root CA".
Click "Next".
Select "Create a new private key".
Click "Next".
Select "RSA#Microsoft Software Key Storage Provider".
Select "4096" for Key Length.
Select "SHA256".
Click "Next".
Provide a name for the CA.
Click "Next".
Define the validity period and click "Next".
Click "Next".
Click "Configure".
Click "Close".
3. Create Certificate Template
In this step I will create a certificate template on the Microsoft CA server that the Enrollment Server will use to request the True SSO user certificates.
Launch the Active Directory Users and Computers tool on a Domain Controller.
Create a group for the True SSO purpose.
In Active Directory Users and Computers, search for the computer object of the Horizon Enrollment Server.
Right-click it and select "Properties".
Click "Member Of" tab.
Add the newly created TrueSSO group.
Click "OK".
Login to the CA server.
Launch the "Certification Authority" tool.
Select the CA server.
Select "Certificate Templates" folder.
Right click and select "Manage".
From the template list, look for "Smartcard Logon".
Right click and select "Duplicate Template".
Click the "Compatibility" tab.
Set "Certification Authority" to "Windows Server 2016" and "Certificate recipient" to "Windows 10 / Windows Server 2016", as shown below.
Click the "General" tab.
Configure the settings as shown below.
Click the "Request Handling" tab.
Configure the settings as shown below.
Click the "Cryptography" tab.
Configure the settings as shown below.
Click the "Subject Name" tab.
Configure the settings as shown below.
Click the "Server" tab.
Configure the settings as shown below.
Click the "Issuance Requirements" tab.
Configure the settings as shown below.
Click "Security" tab.
Add the TrueSSO group.
Grant the "Read" and "Enroll" permissions.
Click "OK".
Back to the Certification Authority tool.
Select the "Certificate Templates" folder.
Right-click and select "New".
Select "Certificate Template to Issue".
Select the newly created True SSO template.
Click "OK".
Back to the Certification Authority tool.
Select the "Certificate Templates" folder.
Right-click and select "Manage".
Look for "Enrollment Agent (Computer)".
Right click and select "Properties".
In "Security" tab.
Add the newly created TrueSSO group.
Grant the "Read" and "Enroll" permissions.
Back to the Certification Authority tool.
Select the "Certificate Templates" folder.
Right click and select "New".
Select "Certificate Template to Issue".
Select the "Enrollment Agent (Computer)" template.
Click "OK".
Open an elevated command prompt on the CA server.
Run the command "certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS". This lets the CA honor templates that do not store certificates and requests in the CA database, which keeps the short-lived True SSO certificates out of the CA database.
Run the command "certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE". This lets the CA ignore CRL-offline errors during revocation checking.
Run the command "net stop certsvc".
Run the command "net start certsvc" so that the new registry settings take effect.
4. Request Certificate on Enrollment Server
Log in to the Horizon Enrollment Server and open the MMC.
Click "File" and "Add/Remove snap-in".
Select "Certificates" and click "Add".
Select "Computer account".
Click "Next".
Click "Finish".
Click "OK".
In the MMC tool, select "Personal" folder.
Right click and select "All Tasks" and "Request New Certificate".
Click "Next".
Select "Active Directory Enrollment Policy".
Click "Next".
Check "Enrollment Agent (Computer)".
Click "Enroll".
Click "Finish".
5. Export Certificate from Connection Server
Log in to the Horizon Connection Server and open the MMC.
Click "File" and "Add/Remove snap-in".
Select "Certificates" and click "Add".
Select "Computer account".
Click "Next".
Click "Finish".
Click "OK".
Select folder "VMware Horizon View Certificates" -> "Certificates".
Look for the certificate with the Friendly Name "vdm.ec".
Right click the certificate and select "All Tasks" -> "Export".
Click "Next".
Select "No, do not export the private key".
Click "Next".
Select "DER encoded binary X.509 (.CER)".
Click "Next".
Find a location to store the export file.
Click "Next".
Click "Finish".
6. Import Certificate to Enrollment Server
Log in to the Horizon Enrollment Server and open the MMC.
Go to the Certificates snap-in for the computer account.
Select folder "VMware Horizon View Enrollment Server Trusted Roots".
Right click and select "All Tasks" -> "Import".
Click "Next".
Select the certificate file exported in the previous step.
Click "Next".
Click "Next".
Click "Finish".
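Before moving on to the SAML and vdmUtil configuration, it is worth confirming that steps 4 and 6 left the Enrollment Server in the expected state. The following PowerShell script is an added example (not part of the original post or of VMware's tooling) that checks for an Enrollment Agent (Computer) certificate with a private key in the computer's Personal store, confirms the Connection Server certificate is present in the Enrollment Server trusted roots store, and checks that the Enrollment Server service is running. It assumes the certificate store names in PowerShell match the MMC display names used above and that the service display name contains "Enrollment Server".

```powershell
# Added example: verify True SSO prerequisites on the Horizon Enrollment Server.
# Assumption: store names match the MMC display names; service name matches "*Enrollment Server*".
param(
    # Optional: thumbprint of the Connection Server "vdm.ec" certificate exported in step 5
    [string]$ConnectionServerThumbprint
)
$ErrorActionPreference = 'Stop'
$enrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'   # EKU "Certificate Request Agent"
$problems = @()

# 1. Enrollment Agent (Computer) certificate with a private key in LocalMachine\My (step 4)
$agentCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ekus = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
    ($ekus -contains $enrollmentAgentEku) -and $_.HasPrivateKey
}
if (-not $agentCerts) {
    $problems += 'No Enrollment Agent (Computer) certificate with a private key in LocalMachine\My (step 4).'
} else {
    foreach ($c in $agentCerts) {
        if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
            $problems += "Enrollment agent certificate $($c.Thumbprint) expires on $($c.NotAfter); renew it."
        }
    }
}

# 2. Connection Server certificate in the Enrollment Server trusted roots store (step 6)
$trustStore = 'Cert:\LocalMachine\VMware Horizon View Enrollment Server Trusted Roots'
if (-not (Test-Path $trustStore)) {
    $problems += "Store '$trustStore' not found; is the Horizon Enrollment Server installed?"
} else {
    $trusted = @(Get-ChildItem $trustStore)
    if ($trusted.Count -eq 0) {
        $problems += 'Enrollment Server Trusted Roots store is empty; import the Connection Server certificate (step 6).'
    } elseif ($ConnectionServerThumbprint -and
              -not ($trusted.Thumbprint -contains $ConnectionServerThumbprint.ToUpper())) {
        $problems += "Trusted Roots store does not contain certificate $ConnectionServerThumbprint."
    }
}

# 3. Enrollment Server service must be running for vdmUtil to report CertState VALID
$svc = Get-Service -DisplayName '*Enrollment Server*' -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $svc) { $problems += 'No Enrollment Server service found.' }
elseif ($svc.Status -ne 'Running') { $problems += "Service '$($svc.DisplayName)' is $($svc.Status)." }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'True SSO Enrollment Server prerequisites look good.'
```

Run it from an elevated PowerShell prompt on the Enrollment Server; a non-zero exit code with warnings points at the step to revisit.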
7. Enable SAML on Connection Server
Login to the Horizon Connection Server admin interface.
Click "Servers" on the left pane.
Click "Connection Servers" tab.
Select the Connection Server and click "Edit".
Select the "Authentication" tab.
Select "Allowed" for delegation of authentication to the SAML 2.0 authenticator.
Click "Manage SAML Authentications".
Click "Add".
Select "Dynamic".
Give a name to the configuration.
Input the URL of the WSO Access Server.
Click "OK".
Click "OK".
Click "OK".
8. Enable TrueSSO on WSO Access
Log in to the WSO Access admin interface.
Click "Resources" -> "Virtual Apps Collections".
Select the Horizon integration setting.
Click "Edit".
Select "Pod and Federation".
Click the name of the Horizon Connection Server.
Enable the setting of "TrueSSO".
Click "Save".
Click "Next".
Click "Next".
Click "Save".
9. Enable TrueSSO on Connection Server
Log in to the Horizon Connection Server admin interface.
Select "Servers" from left pane.
Select "Connection Servers" tab.
Select the Connection Server name and click "Edit".
Select "Authentication" tab.
Scroll down the page to the "Current User Authentication" setting.
Select "Enabled" for the True SSO integration.
Click "OK".
Log in to the Horizon Connection Server.
Open the command prompt.
Run the following command to change to the directory of vdmUtil.
cd %PROGRAMFILES%\VMware\VMware View\Server\tools\bin
Run the following command to add the Enrollment Server to the environment.
vdmUtil --authAs <username> --authDomain <netbios domain name> --authPassword <password> --truesso --environment --add --enrollmentServer <FQDN of Enrollment Server Machine>
Run the following command to list the Enrollment Server settings.
vdmUtil --authAs <username> --authDomain <netbios domain name> --authPassword <password> --truesso --environment --list --enrollmentServer <FQDN of Enrollment Server Machine> --domain <FQDN of Domain>
The output will be similar to the following.
Enrollment server: enrollServer.testinglab.local
  Domain: testinglab.local
    Forest:
      Name: testinglab.local
    Enrollment CertState: VALID
    Template(s):
      Name: TrueSsoTemplate
        Minimum key length: 2048
        Hash algorithm: SHA256
    Certificate Authority(s):
      Name: testdom-rootca
Run the following command to create a connector for True SSO.
vdmUtil --authAs <username> --authDomain <netbios domain name> --authPassword <password> --truesso --create --connector --domain <FQDN of domain> --template <name> --primaryEnrollmentServer <FQDN of Enrollment Server> --certificateServer <Common name of CA> --mode enabled
Run the following command to list the available SAML authenticators.
vdmUtil --authAs <username> --authDomain <FQDN of domain> --authPassword <password> --truesso --list --authenticator
The output will be similar to the following.
Authenticator(s) found: 1
  Name: vidm.testinglab.local
    TrueSSO Mode: DISABLED
Run the following command to enable True SSO for the SAML authenticator.
vdmUtil --authAs <username> --authDomain <netbios domain name> --authPassword <password> --truesso --authenticator --edit --name <authenticator name> --truessoMode ENABLED
Run the following command again to list the available SAML authenticators. The TrueSSO Mode should now show "ENABLE_IF_NO_PASSWORD".
vdmUtil --authAs <username> --authDomain <FQDN of domain> --authPassword <password> --truesso --list --authenticator
Authenticator(s) found: 1
  Name: vidm.testinglab.local
    TrueSSO Mode: ENABLE_IF_NO_PASSWORD
----- END -----