Workspace ONE Access Integration with Horizon Blast (optional)

In this section we are going to enhance the integration experience between VMware Identity Manager, our Horizon Infrastructure and the Horizon Blast Protocol.

The steps in this lab are outlined in VMware KB 2088354

  1. On your ControlCenter server open your Chrome browser and navigate to your WorkspaceOne Access custom url.
  2. Log in as User4 to domain
  3. Navigate to Apps / All apps and click on Open next to W10-PD1


  • Notice the browser gets stuck on an IP address redirection.  This affects the single sign-on user experience. The objective of this session is to enhance this.
  • Cancel the session by closing your Browser
  1. On your ControlCenter server, select and open the Remote Desktops folder and login to W10Parent01a as euc-livefire\administrator with the password VMware1!
  2. Select and right click the Start button and select Run
  3. In the Run box, in the Open: section type mmc and select OK
  • In the MMC Console window select File > Add / Remove Snap-in, select Certificates and select Add> . On the Certificates snap-in window, select the Computer account radio button select `Next accept the default on the select Computer window
  • Select Finish, select OK to close the Add or Remove Snap-ins page
  1. On the Certificates Snap-in, expand Certificates (Local Computer) > Personal > Certificates
  2. Notice there is a default Blast certificate on the local Computer. This as a result of the Horizon Agent being installed on this system. We will replace this default certificate with a CA signed certificate.
  3. Select the Blast certificate right click and select Delete . When prompted select Yes
  1. In the mmc under Personal, select the Certificates folder and  right-click and select  All Tasks > select Import
  2. On the Welcome to the Certificate Import Wizard select Next
  3. On the File to Import window Paste the following path in under File Name \\\software\certificates and select Browse
  4. In the file extension section above Open, select the drop down arrow , select Personal Information Exchange
  5. In the Name field select the wildcard.pfx certificate and select Open
  6. On the File to Import window select Next
  7. On the Private Key protection window under Password: type VMware1! Under Import options: select the Mark the key as exportable. This will allow you to back up or transport your keys at a later time check box and select Next
  8. On the Certificate Store window, accept the default and select Next
  9. On the Completing the Certificate Import Wizard page select Finish.
  10. When the import was succesful window appears select OK

Notice the entire certificate chain has been imported. We are now going to register this certificates' thumbprint in the registry

  1. Select and double click the * certificate.
  2. Select the Details tab, scroll down until you find Thumbprint. Select Thumbprint and then select the code behind the Thumbprint and copy by typing Ctrl + A and then Ctlr + C on your keyboard
  1. Right click the start menu and select Run. Type notepad.exe
  2. After Notepad has launched, using your keyboard, type Ctrl + V. You will notice the Thumbprint has no spaces
  3. For every 2 Characters of the Thumbprint, create a space except on the last 2 characters. Using the keyboard, copy the Thumbprint selecting typing Ctrl + A and Ctrl + C
  1. Select the Start button, right-click select Run and type regedit.exe and select Ok.
  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config registry key.
  1. Select the SslHash value
  2. Right click and select Modify
  3. In the Edit String window, under the Value data: field, paste the spaced Thumbprint
5a 78 89 3c 8a 2a e5 73 bd a3 d2 20 9a 51 79 fc f1 4f fd 36

4. Select OK, Close the registry editor

  1. On the W10Parent-01a virtual machine select the start menu and shut down the system.
  2. On the  ControlCenter Server desktop, open the Chrome browser to launch the vSphere client by using the vSphere bookmark
  3. to allow flash click on the "not secure" portion of your address bar (or padlock icon) and select Allow from the flash dropdown menu.
  4. Login with the username section type [email protected] in the password section type VMware1!
  5. In the vCenter inventory, select the w10Parent01a virtual machine, right click > Select Snapshots > Take Snapshot
  • In the Take VM Snapshot for w10Parent01a window. In the Name box type Blast Certificate and select OK
  1. On the ControlCenter Desktop, open the Chrome browser and on the favorites bar select the Horizon Shortcut
  2. In the User Name section type Administrator, In the password section type VMware1! and select Log in
  3. Under the Inventory, expand Catalog and select Desktop Pools, to the right select the W10-InstantClone Desktop Pool
  1. Double click the W10-InstantClone desktop pool, to the right of Status, select the drop down arrow next to Push Image and select Schedule.
  2. On the Schedule Push Image window, select the Blast Certificate snapshot and select Next
  1. On the Scheduling window select the Force users to log off radio button and select Next
  2. On the Ready to Complete window, select Finish

The update of the instant clones will take about 25 minutes.

VERY IMPORTANT! Do not move on to the Broker configuration using ADSIEDIT until this process updating the Instant Clone Machines is complete.

In the meantime : We will now repeat this process of replacing the Blast certificate for the RDS based Host so that we also have a seamless user experience when launching RDS based Applications that are Published, then synced and launched through VMware Identity Manager.


Replacing  the RDS Host Certificate

1. On your ControlCenter server open your Remote Desktops Folder and launch the RDSH01a.RDP client. Login as [email protected] with the password VMware1!

2.  Right-click the Start Button and select Run

3. In the Run Console type MMC

4. In the MMC window, select File > Add/ Remove Snap-in

5. In the Available Snap-ins window select Certificates and select Add

6. In the Certificates Snap-in windows select the Computer account radio button and select Next

7. On the Select Computer window, select Finish

8. Select Ok to close the Add / Remove Snap-ins Window


9. Expand Certificates (Local Computer) > Personal > Certificates

10. Select and right-click the Blast certificate and select Delete

11. When prompted in the Certificates window select Yes

12. In the Inventory pane select Certificates and right-click, select All Tasks, select Import

13 On the Certificate Import Wizard window select Next

14. In the Certificate to Import window select Browse

15. In the  Open window browse to \\\software\certificates

16. In the Open window ensure that Personal information exchange file type is selected and select the Wildcard.pfx certificate and select Open

17. In the File to Import window select Next

18. In the Private key Protection window, type the password vmware and select the Private key exportable... check box,

19. Ensure the Include All extended properties check box is selected

20. Select Next

21. On the Certificate Store window select Next

22. On the Completing the Certificate Import Wizard window select Finish

23. On the Import was succesful window select OK



Notice you have a Wildcard Certificate imported along with the Key Chain. This is a requirement for this to work.

24. Select the * certificate and double-click the certificate to open the Certificate window

25. Select the Details tab and scroll down to Thumbprint

26. Select Thumbprint and then select the code behind the Thumbprint and copy by typing Ctrl + A and then Ctlr + C on your keyboard

30. On your RDSH-01A Server. Select the Start button, right-click select Run and type regedit.exe and select Ok.

31. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config registry key.

32. Select the SslHash value

33. Right click and select Modify

34. In the Edit String window, under the Value data: field, paste the spaced Thumbprint 

‎5a 78 89 3c 8a 2a e5 73 bd a3 d2 20 9a 51 79 fc f1 4f fd 36

35. Select OKClose the registry editor

36. Close all Consoles and disconnect your RDP session on the RDSH-01a server

Broker Configuration Using ADSIEDIT

In the first stage we replaced the Blast self-signed Certificate with a CA signed Certificate. We will now proceed to the second Phase of this process, which requires us to make an edit in the LDS database on the Broker. A reboot is required.

NB! Do not perform the reboot until you are sure that your Instant Clone provisioning has been successful. On does this by check the summary tab on the Desktop Pool itself.

  1. On the ControlCenter server, select the Remote Desktops folder, select the cs1-pd1 RDP client and log in as\administrator with the password VMware1!
  2. On the cs1-pd1 desktop select the Start menu, right click and select Run. In the Run window, type adsiedit.msc, select OK
  1. Select and expand the object OU=Properties, expand and select OU=Global select CN = Common
  2. Select and right click CN = Common and select Properties
  3. Scroll down and select pae-PreferDNS and select Edit
  4. In the Integer Attribute Editor set the value to 1. Select OK. Select OK to close the CN = Common Properties window. Close the Adsiedit window.
  5. Shut down and restart CS-PD1
  1. On the ControlCenter server, open the Chrome browser in incognito mode, navigate to your custom workspace one access url ,  on the Select your Domain window. make sure is selected and click Next
  2. In the Username section Log in as user4 with the password VMware1! select Sign In
  3. In the CATALOG area, select Open to launch the W10-PD1 desktop pool
  4. Notice we now have a single sign-on experience that is seamless without hiccup



Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.