Installing and Configuring Horizon TRUESSO

Overview

Traditionally, when a user authenticates to Workspace ONE Access with a 3rd party authentication method, that user will by default not get a Single Sign-On experience when launching a VMware Horizon based resource through Workspace ONE Access.

Traditionally, Single Sign-On was only an issue when a 3rd party authentication method was used. To solve this problem we deploy what is known as Horizon Enrollment Services to facilitate a Single Sign-On experience. Horizon Enrollment Services integrates with Microsoft Certificate Services to provide a solution to this challenge, and we refer to that solution as Horizon TRUE SSO.

Since December 2019, caching of passwords for Horizon has been disabled, and a user always has to re-authenticate when selecting their entitlement. See the release notes: https://docs.vmware.com/en/VMware-Workspace-ONE-Access/services/rn/VMware-Workspace-ONE-Access-Cloud-Release-Notes.html

In this lab scenario the 3rd party authentication method we use to login into Workspace ONE Access will be a certificate based method of authentication.

In June 2020, caching of passwords was re-introduced as an option that can be re-enabled, to allow password based Single Sign-On. Caching of passwords is disabled by default.

When using Horizon with Workspace ONE Access and a 3rd party authentication method, the only way to get a good user experience with Single Sign-On is to deploy Enrollment Services, also known as TRUE SSO.

We will start off by doing the following:

  1. Log into a Windows 10 Desktop and demonstrate the limitation
  2. Deploy and configure TRUE SSO
    • Deploy and configure Horizon Enrollment services
    • Integrate and configure Active Directory Certificate services with Horizon Enrollment services
  3. Log into a Windows 10 Desktop and demonstrate the solution

Please note: this lab is not for the faint-hearted. You will go through the implementation process of deploying and configuring Enrollment Services in Horizon and integrating it with Microsoft Active Directory Certificate Services.

You will also experience first hand how reliant Enrollment Services is on Microsoft Active Directory Certificate Services, and you will be required to clean out the Certificate Services.

Part 1: Log into a Windows 10 Desktop and demonstrate the limitation

  1. On the ControlCenter2 server desktop, switch back to your W10EXT01a.RDP session
  1. Open a browser on your Windows 10 desktop
    • Enter Access.euc-livefire.com
    • On the Select a certificate window, note the account of the certificate and select OK
  1. On the Workspace ONE console, select Apps
  1. In the Virtual area, select the Calculator icon
    • Notice we are getting a Password request.
      • We used a 3rd party auth method to log in to Workspace ONE Access (in our session a certificate based auth method was used). Workspace ONE Access therefore did not have the UPN it would have received from a password auth method to pass on to the Horizon Agent.
      • Up to version 1903, Workspace ONE Access would CACHE the credential when a password method of authentication was used to log in to the console, so a user who logged in with a password enjoyed a Single Sign-On experience. It was therefore only necessary to deploy TRUESSO if the users were authenticating with an auth method that was NOT password based.
      • From version 20.01 onwards, the automatic CACHING of credentials is no longer a feature in Workspace ONE Access. This is an enhancement of Workspace ONE Access security. From version 20.01 onwards, to be able to offer a user a Single Sign-On experience we have to use TRUESSO irrespective of the authentication method used.
      • In June 2020 the option to authenticate and offer Single Sign-On with a password was re-introduced. This is an optional feature and is disabled by default.
    • Click Cancel to close the Password Request window
    • In the top right-hand corner, right-click UP and select Sign Out
    • Close your browser
    • Minimize your W10EXT01a.RDP session
  1. On your ControlCenter2 server
    • Select the existing New incognito window session, or open a new session with your Chrome browser
    • Select Go back to login page
      • Or, in the address bar, type access.euc-livefire.com
      • In the Select Your Domain window, ensure euc-livefire.com is selected from the drop-down, select Next
      • Log in as username User1 with the password VMware1!
      • Select Sign in
  1. In the Workspace ONE Access console
    • Next to Favorites, select Apps
    • Under All Apps, select Calculator
      • Notice that we used a password method of auth and the user had a Single Sign-On experience
        • The reason for this is that we are using the on-premises 20.01 version of Workspace ONE Access.
        • Our SaaS version of Access does not cache user passwords by default. Go to Identity & Access Management > Setup > Preferences and scroll right to the bottom of the SaaS version of Access; you will notice a setting Password Caching.
        • In the SaaS version, password caching is disabled by default and will not provide a Single Sign-On experience until we enable Password Caching.
      • On the Horizon session tab, select Logout and Log Off, select OK
      • On the Workspace ONE Intelligent Hub tab, in the top right-hand corner, right-click UP and select Sign out
      • Close all browser sessions


We will now configure Horizon Enrollment Services to facilitate a Single Sign-On experience for 3rd party authentication methods.

Part 2. Installing a sub-ordinate CA and the Enrollment services

  1. On your ControlCenter2 server
    • Open the Remote Desktop folder
    • Launch the TrueSSO.RDP shortcut
      • Log in as [email protected]
      • Use the password VMware1!
      • Server Manager should launch automatically on the TRUESSO server desktop
      • On the Server Manager interface select Manage > Add Roles and Features
  1. On the Before you begin window select Next
  1. On the Select installation type window, ensure the radio button in front of Role-based or feature-based installation is selected, select Next
  1. On the Select destination server window (accept the defaults) select Next
  1. On the Select server roles window, select the check box in front of Active Directory Certificate Services; when prompted with the Add Features window, select Add Features, then select Next
  1. On the Select features window select Next
  1. On the Active Directory Certificate Services window select Next
  1. On the Select role services window select Next
  1. On the Confirm installation selections window,
    • Select the checkbox next to Restart the destination server automatically if required
    • On the Add Roles and Features Wizard window select Yes
    • Select Install
    • You will have to wait a short while before moving on to step 10
  1. On the Installation progress page,
    • Select the Configure Active Directory Certificate Services on the destination server hyper-link
  1. On the Credentials window
    • Select Next
  1. On the Role Services page,
    • Select the Certificate Authority checkbox
  1. On the Specify the setup type of the CA window,
    • Select the radio button next to Enterprise CA
    • Select Next
  1. On the CA type window
    • Ensure the Subordinate CA radio button is selected,
    • Select Next
  1. On the Private Key window,
    • Ensure the radio button next to Create a new private key is selected
    • Select Next
  1. On the Cryptography for CA window select the following
    • Under Cryptographic Provider: RSA#Microsoft Software Key Storage Provider
    • Next to Key Length: 2048
    • Hash Algorithm: SHA256
    • Select Next
  1. On the CA Name window
    • Observe the CA naming convention
    • Select Next


  1. On the Request a certificate from parent CA window,
    • Select the radio button next to Send a certificate request to a parent CA:
    • In the Select box, select the radio button next to CA name
    • To the right of the Parent CA box click the Select button
      • In the Search box, enter Controlcenter2 and select Check Names
    • Select OK to accept the defaults
    • Select Next
  1. On the CA Database window,
    • Select Next
  1. On the Confirmation window
    • Select Configure
  1. On the Results window
    • Select Close on the Installation progress window,
    • Select Close, again
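The Part 2 wizard can also be driven from PowerShell. The following is an added example, not part of the lab or of VMware's own material: it installs the AD CS role and configures the same Enterprise Subordinate CA (KSP provider, 2048-bit RSA, SHA256, request sent online to the parent CA) from an elevated PowerShell session on the TRUESSO server. The parent CA's name on ControlCenter2 is not given in the lab, so `<ROOT-CA-NAME>` is a placeholder you must replace.

```powershell
# Added example (not from the lab): PowerShell equivalent of the Part 2 wizard.
# Run in an elevated PowerShell session on the TRUESSO server, logged in with the
# same euc-livefire.com administrative account the lab uses for the wizard.
# ASSUMPTION: the parent CA name on ControlCenter2 is not stated in the lab;
# replace <ROOT-CA-NAME> with the real CA name (format is ComputerName\CAName).

# Wizard steps 5-9: install the AD CS role (Certification Authority) and its tools.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Wizard steps 12-18: Enterprise CA, Subordinate CA, new private key, and the
# Cryptography for CA settings chosen in the lab. -ParentCA makes the wizard's
# "Send a certificate request to a parent CA" choice; the default CA common name
# the wizard proposes for this host is euc-livefire-TRUESSO-CA.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCa `
    -CACommonName 'euc-livefire-TRUESSO-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ParentCA 'ControlCenter2.euc-livefire.com\<ROOT-CA-NAME>' `
    -Force

# What the Results window tells you, checked from the shell: the CA service is up
# and answers a local ping, meaning the issued subordinate CA certificate was installed.
Get-Service certsvc | Select-Object Name, Status
certutil -ping
```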

Part 3: Deploying and Configuring Horizon TRUE SSO

  1. In this section we will create a certificate template for Horizon TRUE SSO
    • On your TRUESSO server select Start > Run > type mmc
    • Select File > Add/Remove Snap-in...
    • Select the Certificate Authority services snap-in, select Add
    • Ensure the Local computer radio button is selected. Select Finish
    • Select OK to close the Snap-ins window
  1. Expand the euc-livefire-TRUESSO-CA inventory
    • Select Certificate Templates, right-click and select Manage
  1. In the Certificate Template Console
    • Select the Smartcard Logon template
  1. Right-click the Smartcard Logon template
    • Select Duplicate Template
  1. In the Properties of New Template window, on the Compatibility tab under Certificate Authority
    • Change from Windows 2003 to Windows 2012 R2
      • When prompted for the Resulting changes window select OK.
    • Under Certificate recipient change Windows XP / Server 2003 to Windows 8.1 / Server 2012 R2
      • When prompted for the Resulting changes window select OK.
  1. Select the General tab,
    • Under Template display name: type TrueSSO Template, you will notice Template name gets filled in automatically.
    • Under Validity period change the period from 1 years to 1 hours
      • When prompted by the Certificate Templates Box select OK
    • The Renewal period will automatically change from 6 weeks to 0 hours
  1. Select the Request Handling tab and change the following:
    • Purpose: change Signature and encryption to Signature and smartcard logon.
    • Select the checkbox in front of Allow private key to be exported
    • Select the checkbox in front of For automatic renewal of smartcard certificates, use the existing key if a new key cannot be created
    • Select the radio button in front of Prompt the user during enrollment
  1. Select the Cryptography tab and change the following:
    • Provider Category: Key Storage Provider
    • Minimum key size: 2048
    • Request hash: SHA256
  1. Select the Server tab,
    • Select the checkbox in front of Do not store certificates and requests in the CA database
      • You will notice that Do not include revocation information in issued certificates is selected automatically.
    • Uncheck the check box next to Do not include revocation information in issued certificates
  1. Select the Issuance Requirements tab, configure the following:
    • Select the checkbox This number of authorized signatures and change the value in the box to 1
    • Under Policy type required in signature
      • Ensure the Application policy is selected (default config)
    • Under Application Policy
      • Select Certificate Request Agent from the dropdown
    • Under the Require the following for reenrollment
      • Select the Valid existing certificate radio button
  1. On the Security tab, in the Group or user names: area, select Add
    • To the right of the Select this object type: box select the Object Types button
      • Select the checkbox next to Computers, select OK
  1. In the Enter the object names to select box type Truesso, to the right select Check Names, and select OK
  1. For the Permissions for TRUESSO
    • Select the Security tab
    • Select the Read and Enroll checkboxes
    • Select OK to close the TrueSSO Template Properties
  1. Switch to the Certificate Authority Console
    • Select and right-click the Certificate Templates container,
    • Select New > Certificate Template to Issue
  1. In the Enable Certificate Templates window,
    • Select your TrueSSO Template
    • Select OK
  1. Switch back to the Certificate Templates Console
    • Select and right-click the Enrollment Agent (computer) template
    • Select Properties
  1. In the Enrollment Agent Properties window
    • Select the Security tab
  1. Select Add and add the TRUESSO computer account with Read and Enroll permissions. Select OK to close the Enrollment Agent properties


  1. Switch back to the Certificate Authority Console select and right-click the Certificate Templates container, select New > Certificate Template to Issue
  1. In the Enable Certificate Templates window
    • Select the Enrollment Agent (Computer) template
    • Select OK
  1. We will now configure the CA for non-persistent certificate processing
    • On your existing TrueSSO server
      • Select and right-click the Start button
      • Select Command Prompt (Admin)
  1. In the Administrator: Command Prompt enter the following command
    • certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
  1. Configure the CA to ignore offline CRL errors
    • certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
  1. Restart the CA service. From the command prompt run:
    • net stop certsvc
    • net start certsvc
  1. On the TrueSSO server desktop
    • Launch the Software shortcut and open the Horizon\2006 folder.
    • Select and launch the VMware-Horizon-Connection-Server-x86_64-8.0.0-16592062.exe
  1. On the Open File - Security Warning window select Run
  1. On the Welcome window select Next
  1. On the License agreement window select the radio button next I accept the terms in the license agreement, select Next
  1. On Destination Folder window select Next
  1. On the Installation Options window
    • Select Horizon 7 Enrollment Server
    • Select Next
  1. On Firewall configuration window select Next
  1. Select Install
  1. On the Installer Completed Window select Finish
  1. On the TrueSSO server
    • Select and right-click the Start Button,
    • Select Run, type MMC,
    • Select OK
  1. In the Console window,
    • Select File > Add/Remove Snap-in...
  1. In the Add or Remove Snap-ins window, select Certificates and select Add
  1. Select the Computer account radio button, select Next, select Finish, then select OK
  1. Expand the Certificates console inventory
    • Select and right-click the Personal container.
    • Select All Tasks > Request New Certificate
  1. On the Certificate Enrollment > Before you Begin window select Next
  1. On the Select Certificate Enrollment Policy window select Next
  1. On the Request Certificates window
    • Select the checkbox in front of Enrollment Agent (Computer)
    • Select Enroll
  1. On the Certificate Installation Results window, ensure the enrollment was successful and select Finish.
  1. On your ControlCenter2 server,
    • From the taskbar, switch to your CS1-PD1.RDP session
  1. On the CS1-PD1 desktop
    • Select and open your Cert Console.mmc
  1. In the Certificates Console
    • Expand the inventory and browse down to VMware Horizon View Certificates > Certificates
  1. Expand the console or scroll across the console and notice that the GUID based certificate has a friendly name of vdm.ec
  1. Select your GUID certificate with the friendly name of vdm.ec.
    • Select and Right-Click the GUID certificate, select All Tasks and select Export
  1. On the Welcome window select Next
  1. On the Export Private Key page select the radio button next to No, do not export the private key, select Next
  1. On the Export File Format window
    • Select the radio button next to Base-64 encoded X.509 select Next
  1. In the File to Export window
    • In the File name area type the following C:\software\Horizon\enroll.cer
    • Select Next

(Software is a shared folder which we will use to copy from on the TrueSSO server)

  1. On the Completing the Certificate Export Wizard window select Finish.
    • When prompted that The export was successful, select OK
  1. On your ControlCenter2 server desktop
    • Switch from your CS1-PD1 RDP session to your TrueSSO RDP session


  1. On your TRUESSO server
    • Open your Certificate services Snap-in,
    • Select and right-click the last container in the inventory, VMware Horizon View Enrollment Server Trusted Roots
    • Select All Tasks > Import
  1. On the Welcome window select Next
  1. In the File to import window
    • Type the following \\cs1-pd1.euc-livefire.com\software\Horizon7\enroll.cer
    • Select Next
  1. In the Certificate Store window accept the defaults and select Next.
    • On the Summary page select Finish.
    • When prompted that The import was successful, select OK
  1. Right-click the imported certificate and select Properties.
    • In the Friendly name: section type vdm.ec
    • Select OK
  1. On your ControlCenter2 server,
    • Switch to your Chrome browser,
    • Open a new tab, select the WSONE Access shortcut from the Favourites bar,
      • Due to cached credentials, you might be logged in automatically
        • If not, ensure you log in as SysAdmin with the password VMware1!
    • Select the Catalog tab > Virtual Apps Collection


  1. Select the radio button next to Horizon and select EDIT next to NEW
  1. In the Edit Horizon Collection window,
    • Select 2 Pod and Federation, under Horizon Connection Server
    • Select cs1-pd1.euc-livefire.com
  1. In the Edit Pod window
    • Under True SSO, change the toggle from Disabled to Enabled
    • Select SAVE, select NEXT, select NEXT, select SAVE
  1. From the ControlCenter2 server, switch back to your TrueSSO.RDP session
    1. Select the Start button > Run and type regedit.exe
    2. In the regedit inventory, browse to the following location
      • HKLM\SOFTWARE\VMware, Inc.\VMware VDM\
      • What we should see is an Enrollment Service key
        • HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service
        • You will notice there is no Enrollment Service key, so we need to create one. In our case we have to
    3. Create the Enrollment Service key
      • Right-click VMware VDM > New > Key and type Enrollment Service as the name
  1. Configure the enrollment service to give preference to the local certificate authority when they are co-located:
    • Add a new String Value
      • Right-click the Enrollment Service key > New > String Value and type the name PreferLocalCaValue
      • Right-click the PreferLocalCaValue string value, select Modify, and in the Value data: field enter 1
      • Select OK to close the window
      • Close RegEdit
  1. On your ControlCenter2 server switch to your CS1-PD1.RDP session
    • NOTE: at this point, to get the maximum benefit from the following steps, it is advisable to go full screen with your RDP session.
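Before leaving the TrueSSO server, the server-side settings made in Part 3 (the certutil flags, the CA service restart, the two issued templates, the Enrollment Agent (Computer) certificate, the imported vdm.ec certificate and the PreferLocalCaValue registry value) can be confirmed in one pass. This is an added, read-only check written for this lab, not a VMware tool; it assumes the trusted-roots store's internal name contains the words shown in the MMC, and that the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1) identifies the enrollment agent certificate.

```powershell
# Added example (not part of the lab): read-only health check of the TRUESSO server.
# Run in an elevated PowerShell session on the TRUESSO server; it changes nothing.
$results = [ordered]@{}

# 1. CA flags set earlier with certutil -setreg. certutil -getreg prints the
#    symbolic flag names, so a text match is enough to confirm each one.
$dbFlags  = certutil -getreg DBFlags 2>&1 | Out-String
$crlFlags = certutil -getreg ca\CRLFlags 2>&1 | Out-String
$results['DBFLAGS_ENABLEVOLATILEREQUESTS'] = [bool]($dbFlags  -match 'DBFLAGS_ENABLEVOLATILEREQUESTS')
$results['CRLF_REVCHECK_IGNORE_OFFLINE']   = [bool]($crlFlags -match 'CRLF_REVCHECK_IGNORE_OFFLINE')

# 2. The CA service is running again after net stop / net start certsvc.
$results['certsvc running'] = (Get-Service certsvc).Status -eq 'Running'

# 3. The CA issues both templates enabled under Certificate Templates to Issue.
#    certutil -CATemplates lists "<TemplateName>: <Display name> -- ..." per template.
$caTemplates = certutil -CATemplates 2>&1 | Out-String
$results['TrueSSOTemplate issued']         = [bool]($caTemplates -match 'TrueSSOTemplate')
$results['Enrollment Agent (Computer) issued'] = [bool]($caTemplates -match 'Enrollment Agent \(Computer\)')

# 4. The computer enrolled an Enrollment Agent (Computer) certificate into
#    Local Computer > Personal. It carries the Certificate Request Agent EKU.
#    ASSUMPTION: OID 1.3.6.1.4.1.311.20.2.1 is the EKU to look for.
$agentCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.1' -and $_.NotAfter -gt (Get-Date)
}
$results['Enrollment Agent cert in Personal'] = ($agentCerts | Measure-Object).Count -gt 0

# 5. The connection server's vdm.ec certificate was imported into the
#    VMware Horizon View Enrollment Server Trusted Roots store and given that friendly name.
#    ASSUMPTION: the store is found by a wildcard on its name rather than a hard-coded name.
$trustStore = Get-ChildItem Cert:\LocalMachine | Where-Object { $_.Name -like '*Enrollment Server Trusted Roots*' }
$vdmCert = $null
if ($trustStore) {
    $vdmCert = Get-ChildItem "Cert:\LocalMachine\$($trustStore.Name)" | Where-Object { $_.FriendlyName -eq 'vdm.ec' }
}
$results['vdm.ec in Trusted Roots'] = [bool]$vdmCert

# 6. The registry value that makes the enrollment server prefer the co-located CA.
$regPath = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service'
$pref = (Get-ItemProperty -Path $regPath -Name PreferLocalCaValue -ErrorAction SilentlyContinue).PreferLocalCaValue
$results['PreferLocalCaValue = 1'] = ($pref -eq '1')

# Report: anything MISSING points at the Part 3 step to revisit.
$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```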


  1. Select and right-click the Start button and select Command Prompt (Admin)
    • Maximise your Command Prompt window
  1. In the Administrator: Command Prompt type the following:
    • cd\
    • cd Program Files\VMware\VMware View\Server\tools\bin
  1. In the Administrator: Command Prompt type the following. The enrollment server is added to the global list.

vdmUtil --authAs administrator --authDomain euc-livefire --authPassword VMware1! --truesso --environment --add --enrollmentServer TrueSSO.euc-livefire.com

  1. Wait 1 minute before running the next command. If it is executed too quickly, an error message is returned.
    • In the Administrator: Command Prompt type the following. The output shows the forest name, whether the certificate for the enrollment server is valid, the name and details of the certificate template you can use, and the common name of the certificate authority.

vdmUtil --authAs administrator --authDomain euc-livefire --authPassword VMware1! --truesso --environment --list --enrollmentServer TrueSSO.euc-livefire.com --domain euc-livefire.com

  1. Enter the command to create a True SSO connector, which will hold the configuration information, and enable the connector.

vdmUtil --authAs administrator --authDomain euc-livefire --authPassword VMware1! --truesso --create --connector --domain euc-livefire.com --template TrueSSOTemplate --primaryEnrollmentServer truesso.euc-livefire.com --certificateServer euc-livefire-TRUESSO-CA --mode enabled

  1. Enter the command to discover which SAML authenticators are available. Authenticators are created when you configure SAML authentication between Workspace ONE Access and a connection server, using Horizon Administrator. The output shows the name of the authenticator and whether True SSO is enabled.

vdmUtil --authAs administrator --authDomain euc-livefire --authPassword VMware1! --truesso --list --authenticator

  1. You will notice True SSO mode is Disabled. Enter the command to enable the authenticator to use True SSO mode.

vdmUtil --authAs administrator --authDomain euc-livefire --authPassword VMware1! --truesso --authenticator --edit --name "Workspace ONE Access" --truessoMode ENABLED

For --truessoMode, use ENABLED if you want True SSO to be used only if no password was supplied when the user logged in to Workspace ONE Access. In this case, if a password was used and cached, the system will use the password. Set --truessoMode to ALWAYS if you want True SSO to be used even if a password was supplied when the user logged in to Workspace ONE Access.
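The vdmUtil sequence above, with the one-minute wait between the --add and --list calls, can be run as one script from an elevated PowerShell session on CS1-PD1. This is an added example, not from the lab or from VMware: it uses only the vdmUtil switches shown above, prompts for the administrator password instead of storing VMware1! in a script file, and assumes a non-zero exit code from vdmUtil means the call failed.

```powershell
# Added example (not from the lab): runs the lab's vdmUtil commands in order.
# Run in an elevated PowerShell session on CS1-PD1 (the connection server).
# ASSUMPTION: a non-zero exit code from vdmUtil indicates failure.
$vdmUtil          = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmUtil.exe'
$enrollmentServer = 'TrueSSO.euc-livefire.com'
$domain           = 'euc-livefire.com'

# The password is typed at a prompt rather than kept in the script. vdmUtil still
# receives it as --authPassword on its command line, exactly as in the lab.
$secure   = Read-Host -Prompt 'Horizon administrator password' -AsSecureString
$plain    = [System.Net.NetworkCredential]::new('', $secure).Password
$authArgs = @('--authAs', 'administrator', '--authDomain', 'euc-livefire', '--authPassword', $plain)

function Invoke-VdmUtil {
    param([string[]]$Arguments)
    $output = & $vdmUtil @authArgs @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "vdmUtil failed (exit $LASTEXITCODE): $output" }
    $output
}

# 1. Add the enrollment server to the global list, then wait the minute the lab
#    calls for; a --list issued too quickly returns an error.
Invoke-VdmUtil @('--truesso', '--environment', '--add', '--enrollmentServer', $enrollmentServer)
Start-Sleep -Seconds 60

# 2. List the environment: forest name, enrollment server certificate validity,
#    usable templates and the CA common name. Read it before creating the connector.
$envInfo = Invoke-VdmUtil @('--truesso', '--environment', '--list',
                            '--enrollmentServer', $enrollmentServer, '--domain', $domain)
$envInfo

# 3. Create the True SSO connector in enabled mode.
Invoke-VdmUtil @('--truesso', '--create', '--connector', '--domain', $domain,
                 '--template', 'TrueSSOTemplate',
                 '--primaryEnrollmentServer', $enrollmentServer.ToLower(),
                 '--certificateServer', 'euc-livefire-TRUESSO-CA', '--mode', 'enabled')

# 4. Show the SAML authenticators (True SSO mode starts Disabled), switch the
#    Workspace ONE Access one to ENABLED, and list again to confirm.
#    Use ALWAYS instead of ENABLED to apply True SSO even when a password was supplied.
Invoke-VdmUtil @('--truesso', '--list', '--authenticator')
Invoke-VdmUtil @('--truesso', '--authenticator', '--edit', '--name', 'Workspace ONE Access',
                 '--truessoMode', 'ENABLED')
Invoke-VdmUtil @('--truesso', '--list', '--authenticator')

# Drop the clear-text password from the session once the calls are done.
$plain = $null; $authArgs = $null
```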

  1. On your ControlCenter2 server
    • Minimise your CS1-PD1.RDP Session

Part 4: Testing to see if TrueSSO works

  1. On your ControlCenter2 server,
    • Switch your Remote Desktops session to  W10EXT01a.RDP.
  1. On your W10EXT01a desktop,
    • Open your browser and type access.euc-livefire.com
  1. On the Select a certificate window, select OK
  1. Select Apps tab in the Console
  1. In the All Apps area, select W10INST
  1. At this point the launch will most likely fail. Move on to Part 5
    • As we mentioned earlier, for VMware Horizon Enrollment Services to work, it is critical that we have a healthy Certificate Services environment.
    • For VMware Horizon Enrollment Services to work, our entire environment needs to be aware of our updated CA hierarchy

Part 5: Cleaning out the Certificate Services Database

  • When authoring this content, it became very clear how dependent Enrollment Services is on Active Directory Certificate Services.
  • A well maintained Active Directory Certificate Services environment is critical to functional Enrollment Services and a good user experience.
  • As we have just deployed a new enrollment server and a new subordinate CA, we need to make sure our entire environment is updated with the updated CA hierarchy.
  • To summarize: all stakeholders need to have the updated information, those being
    • Our Domain Controller: - Controlcenter2.euc-livefire.com
    • Our Connection Server - CS1-PD1.EUC-Livefire.com
    • Our Enrollment Server - TrueSSO.EUC-Livefire.com
    • Our RDS Host Server - RDSH-01a
    • Our Virtual desktops - Master Parent-01a.euc-livefire.com
  1. On any of the above mentioned stakeholders you might observe the following:
    • If you open the mmc > Certificate Services Snap-in > Local Computer
    • Under Intermediate Certificate Authorities > Certificates
      • Notice, there is only the Root CA. There is no TRUESSO server.
      • This could be the situation on one or more of the above mentioned servers in our environment.
      • To remediate this problem, move on to step 2
  1. Perform the following steps on each of the stakeholder platforms:
    • Open the Command Prompt (Admin) and type gpupdate /force; if prompted, log off and log back in
      • This will force an update of all certificate information
  1. Revert back to your Certificates (Local Computer) snap-in
    • Select Certificates, select Refresh  
    • Note that you now have both a ControlCenter2 CA and a TRUESSO CA certificate
  1. Revert back to the W10EXT01a.RDP session
    • Open your browser and type https://access.euc-livefire.com and select enter
    • In the Select a certificate window, select OK
    • In the Intelligent Hub console, select Apps
  1. On the W10EXT01a desktop, in your Browser.
    • Revert back to the Intelligent Hub tab
    • Select Calculator
    • Continue to test the functionality of the rest of the entitlements
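Steps 1 to 3 of Part 5 are the same check repeated by hand on each stakeholder: does the Intermediate Certification Authorities store hold the euc-livefire-TRUESSO-CA certificate? The following is an added example written for this lab, not a VMware tool, that runs that check from ControlCenter2 over PowerShell remoting against all five stakeholders and runs gpupdate /force only where the subordinate CA is missing. It assumes remoting is enabled on the targets, that the account running it is a local administrator on them, and that the RDS host and master image answer to the FQDNs written in the list.

```powershell
# Added example (not from the lab): check every Part 5 stakeholder for the new
# subordinate CA certificate in Cert:\LocalMachine\CA (Intermediate Certification
# Authorities) and remediate only the machines that lack it.
# ASSUMPTION: PowerShell remoting works to these hosts and the FQDNs for the RDS host
# and master image are as written below (the lab gives them without a domain suffix).
$subCaName    = 'euc-livefire-TRUESSO-CA'
$stakeholders = @(
    'Controlcenter2.euc-livefire.com',   # domain controller / root CA
    'CS1-PD1.euc-livefire.com',          # connection server
    'TrueSSO.euc-livefire.com',          # enrollment server / subordinate CA
    'RDSH-01a.euc-livefire.com',         # RDS host
    'Parent-01a.euc-livefire.com'        # master parent image for the virtual desktops
)

# Each target reports whether a certificate whose subject starts with the subordinate
# CA's common name is in its Intermediate Certification Authorities store.
$report = Invoke-Command -ComputerName $stakeholders -ArgumentList $subCaName -ScriptBlock {
    param($caName)
    $found = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -like "CN=$caName*" }
    $first = $found | Select-Object -First 1
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        SubCaPresent = [bool]$found
        Thumbprint   = $first.Thumbprint
        NotAfter     = $first.NotAfter
    }
} -ErrorAction SilentlyContinue

$report | Sort-Object SubCaPresent, Computer |
    Format-Table Computer, SubCaPresent, Thumbprint, NotAfter -AutoSize

# Hosts that never answered are just as much a problem as hosts missing the CA.
$unreached = $stakeholders | Where-Object { ($_ -split '\.')[0] -notin $report.Computer }
if ($unreached) { Write-Warning "No result from: $($unreached -join ', ')" }

# Step 2 of Part 5, applied only where needed: refresh the certificate information
# published in AD, then re-run this script to confirm the CA now shows up.
$missing = $report | Where-Object { -not $_.SubCaPresent } | ForEach-Object { $_.PSComputerName }
if ($missing) {
    Write-Warning "Subordinate CA not trusted on: $($missing -join ', ')"
    Invoke-Command -ComputerName $missing -ScriptBlock { gpupdate /force | Out-Null }
}
```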

This concludes our Installing and configuring of TRUESSO session

Acknowledgments

A Huge thank you to

  • Rahul Jha from Global Support Services in Bangalore India for his support in development of this content
  • Spas Kalarov from the Hybrid Cloud Team at Livefire for help in Troubleshooting Certificate Services
  • Graeme Gordon from Tech Marketing for their guidance on Tech Zone

