EUC

8. Workspace ONE Integration with Horizon

Enabling Single Sign-ON for users Authenticating with an Identity Provider

Traditionally when authenticating to Workspace ONE Access using a 3rd party authentication method, the user we will by default, not have a Single-Sign On experience when trying to launch any VMware Horizon based resource through Workspace ONE Access.

Traditionally when using a password based authentication method Workspace ONE Access would cache the original authentication against Access and then pass this on when required to the Broker.

Traditionally Single-Sign On would only be an issue when using a 3rd Party authentication method. To solve this problem we would deploy what is known as the Horizon Enrollment services to facilitate a single-sign on experience. We integrate with Microsoft Certificate Services to provide a solution to this challenge and we refer to the solution as Horizon TRUE SSO

Since December 2019

When connecting to Horizon Resources via Workspace ONE Access. Caching of Passwords for Horizon has been disabled by default for SAAS, and a user will have to re-authenticate when they select their entitlement. Whilst the session is open we can choose to Cache the users credentials provided the Authentication method is password based.

https://docs.vmware.com/en/VMware-Workspace-ONE-Access/services/rn/VMware-Workspace-ONE-Access-Cloud-Release-Notes.html

To continue offering users a seamless single-sign On experience, Enrollment services has now become a critical service with the integration with Workspace ONE Access

In this lab scenario the 3rd party authentication method we use to login into Workspace ONE Access will be a certificate based method of authentication.

We will start off by doing the following:

Configure Certificate Based Authentication using Workspace ONE UEM and Access
Configure Workspace ONE Access for Certificate based Authentication
Log into a Windows 11 Desktop and demonstrate the limitation
Deploy and configure TRUE SSO
- Deploy and configure Horizon Enrollment services
- Integrate and configure Active Directory Certificate services with Horizon Enrollment services
Log into a Windows 11 Desktop and demonstrate the solution

Part 1: Workspace ONE UEM - Certificate Profile

In the Workspace ONE Cloud console
- below the Services area
  - below the UEM block
    - select LAUNCH

In Workspace ONE UEM Admin Console
- select GROUPS & SETTINGS
- In the Groups & Settings area
  - select All Settings

In the Workspace ONE UEM Admin Console
- navigate to
  - System > Enterprise Integration > Workspace ONE Access > Configuration

In the Workspace ONE Access > Configuration area
- scroll down and find the Certificate area
  - next to Certificate Provisioning
    - select ENABLE

In the Certificate area
- next to Issuer Certificate
  - select EXPORT
    - note this will download a .cer file called:
      - VidmAirWatchRootCertificate.cer
- to close the Settings window
  - in the top right corner
    - scroll up and select X

From the Workspace ONE UEM console
- navigate to RESOURCES > Profiles
  - select > ADD > Add Profile

In the Add Profile window
- select Windows > Windows Desktop > User Profile
  - next to Name*
    - enter: W11 - SCEP - SSO .

In the Add Profile window
- General tab, area
  - scroll down to Smart Groups
    - select All Devices(YOUR SAAS Tenant)

In the Add Profile window
- in the left menu
  - below the General tab,
    - select SCEP
- In the SCEP area
  - select CONFIGURE

In the SCEP area
- validate
  - Credential Source: AirWatch Certificate Authority (default)
  - Certificate Authority: AirWatch Certificate Authority (default
  - Certificate Template: Single Sign-On (default)
- configure
  - Key Location: Software
- to save the configuration
  - at the bottom right of the window
    - select SAVE AND PUBLISH

In the View Device Assignment page
- select PUBLISH

Part 2 : Configuring Workspace ONE Access for Certificate Authentication

Switch to your Workspace ONE Access tenant
- If necessary, go to your Workspace ONE, console
  - in the Access area
    - select LAUNCH

In the Access admin console
- navigate to the Integrations tab
  - Authentication Methods. is the default area
    - next to Certificate (Cloud Deployment)
      - select the radio button
        
        select CONFIGURE

In the Certificate (cloud deployment) page
- below Enable Certificate Adapter
  - move the Toggle from No to Yes
- below Root and Intermediate CA Certificates
  - click on SELECT FILE for the
    - In the Open window
      - in the Quick Access bar
        
        select Downloads
        
        select the VIDMAirWatchRootCertificate.cer certificate file
    - select Open
- in the Update Authentication Adapter window
  - select YES

In the Certificate (cloud deployment) page
- Keep the remaining settings as default
  - at the bottom of the page
    - select Save

In the Workspace ONE Access console
- under the Integrations tab
  - in the Menu pane
    - select Identity Providers
  - in the Identity Providers area
    - select Built-in

In the Identity Providers > Built-In window
- In the Users area
  - next to TechSEALS
    - select the checkbox
- scroll down
  - In the Network area
    - next to ALL RANGES
      - select the checkbox
    - at the bottom of the page.
      - select SAVE

In the Workspace ONE Access Admin console
- navigate to Resources
  - in the side menu
    - select Policies
- In the Policies area
  - next to default_access_policy_set
    - select the radio button

In the Policies area
- select EDIT

In the Edit Policy window,
- In side column
  - select Configuration
- next to Web Browser,
  - select All Ranges

In the Edit Policy Rule window
- next to then the user may authenticate using *
  - from the dropdown
    - select Certificate (Cloud Deployment)
- next to if preceding method fails or is not applicable, then *
  - from the dropdown
    - select Password (Cloud Deployment),
- select ADD FALLBACK METHOD
- next to if preceding method fails or is not applicable, then *
  - from the dropdown
    - select Password (Local Directory)
  - at the bottom of the window
    - select SAVE

In the Edit Policy Rule window
- select + ADD POLICY RULE

In the Edit Policy Rule window
- next to and user accessing content *
  - from the dropdown.
    - select Windows 10+
- next to then the user may authenticate using *
  - from the dropdown
    - select Certificate (Cloud Deployment) for the first authentication method
- select ADD FALLBACK METHOD twice
  - next to if preceding method fails or is not applicable, then
    - from the dropdown
      - select Password (cloud deployment)
  - next to if preceding method fails or is not applicable, then
    - from the dropdown
    - select Password (Local Directory)
- at the bottom right hand side of the page
  - select SAVE

In the Configuration window
- ensure the following Device Types
  - Windows 10+
    - and
  - Web Browser
    - are first and second in the authentication flow
- next to ALL RANGES for Windows 10 +
  - on the left select the 6 DOTS
    - drag to the top
- next to ALL RANGES for Web Browser
  - on the left select the 6 DOTS
    - drag below Windows 10+
- In the Configuration window
  - select NEXT

In the Edit Policy Page.
- Summary section
  - review the policy configurations
- select SAVE

Part 3: Configuring Workspace ONE Access as the Primary Auth solution for Enrollment

In the Workspace ONE UEM console
- select GROUPS & SETTINGS
- in the GROUPS & SETTINGS area
  - select All Settings

In the Enrollment window
- navigate to Devices & Users > General > Enrollment
  - in the Enrollment area
    - next to Override
      - select the radio button
  - scroll down

In the Enrollment window
- in line with Authentication Mode(s)
  - next to Directory
    - select the checkbox
- in line with Source of Authentication for Intelligent Hub
  - select WORKSPACE ONE ACCESS
    - scroll down
- at the bottom of the page.
  - select SAVE

NOTE: We are doing this as we want the user to authenticate during enrollment with Workspace ONE Access.

Part 4: User Provisioning to UEM

Organizations can leverage the provisioning adapter in WorkspaceONE Access to provision users into Workspace ONE UEM. This implementation does not require the AirWatch Cloud Connector and will leverage SAML JIT to create users in UEM during the enrollment process.

In the Workspace ONE Access admin console
- select the Resources tab
  - in the side menu
    - ensure Web Apps is selected (default)
    - in the Web Apps area
      - select NEW

In the New SaaS Application wizard
- select OR BROWSE FROM CATALOG

In the New SaaS Application wizard
- in the top right corner FILTER area
  - enter AirWatch
- in line with AirWatch Provisioning
  - select the the +
- In the New SaaS Application wizard
  - select NEXT

In the New SaaS Application wizard
- below Single Sign-On URL
  - replace www.airwatch.com
    - with your YOUR UEM Tenant URL
- below Recipient URL
  - replace www.airwatch.com
    - with your YOUR UEM Tenant URL
      - leave everything else default
  - select NEXT

In the New SaaS Application wizard
- Access Policies window
  - select NEXT

In the New SaaS Application wizard
- Summary window
  - select SAVE

In your Workspace ONE Access console
- Resources tab
  - Web Apps area
  - next to AirWatch Provisioning
    - select the Checkbox
      - select EDIT

In the Edit SaaS Application window
- In the side menu
  - select 4 Provisioning
- in the Provisioning Adapter Configuration area
  - below Enable Certificate Auth
    - move the Toggle from No to Yes
- under Workspace ONE UEM Group ID
  - enter YOUR UEM GroupID.
- select TEST CONNECTION
  - select NEXT

In the Edit SaaS Application window
- in the User Provisioning area
  - leave all values default
    - select NEXT

In the Edit SaaS Application window
- in the Group Provisioning area
- select ADD GROUP

In the Add Group to Provision window
- below Group Name*
  - enter developer
    - select [email protected]
- below Nickname*
  - type Developers.
- select SAVE.

In the Edit SaaS Application window
- in the Group Provisioning area
- select ADD GROUP

In the Add Group to Provision window
- below Group Name*
  - enter sales
    - select [email protected]
  - below Nickname*
    - type Sales.
  - select SAVE.

Repeat the process for Marketing and IT support

In the Edit SaaS Application window
- in the Group Provisioning area
  - select NEXT.

In the Edit SaaS Application window
- on the Summary area
  - select SAVE & ASSIGN

In the Assign window
- below Users / User Groups search area
  - enter All Users
    - select All Users
- next to Deployment Type
  - select Automatic
- In the bottom right-corner
  - select SAVE.

Part 1:Section 5: Workspace ONE UEM & Active Directory Integration

In the Workspace ONE UEM admin console
- Select Groups & Settings > All Settings > System > Enterprise Integration
- Under Enterprise Integration
  - Select Directory Services
- In the Directory Services window
  - Select the Overide radio button
- Select Skip wizard and configure manually

From the Directory Services Interface,
- Under the Server Tab , enable the following .
  - Directory Type*: LDAP-Active Directory
  - DNS SRV: Disabled (default)
  - Server : ControlCenter.euc-livefire.com
  - Bind User Name: administrator
  - Bind Password: Pa$$w0rd
  - Domain: euc-livefire.com

From the Directory Services Interface,
- Under the User Tab ,
  - Validate the following configuration is configured
    - Under Base DN,
      - ensure that DC=euc-livefire,DC=com has automatically populated.
      - If not, click on the + icon
        
        add DC=euc-livefire,DC=com
    - Next to User Object Class,
      - ensure person is the property
    - Next to User Search Filter,
      - ensure (&(objectCategory=person)(sAMAccountName={EnrollmentUser})) is the string

From the Directory Services Interface,
- Repeat these steps for the third tab Group
  - Under Base DN,
    - notice validate that DC=euc-livefire,DC=com, is entered.
  - Scroll to the bottom of the page
    - select Save
  - Scroll to the bottom of the page
    - Select TEST CONNECTION

You should have a Test Connection window launch saying Connection successful....
- Select CANCEL to close the window

Let's ensure users can enroll their devices using Active Directory credentials.
- Under Settings ,
  - select Devices & Users
    - Select > General
      - Select > Enrollment

Under the Enrollment area
- Select the Override radio button
- Scroll down.

Under the Enrollment area
- In line with Authentication Modes(s)
  - ensure the the Directory check box is selected
- In line with Source of Authentication for Intelligent Hub,
  - select Workspace ONE ACCESS
- Scroll down
  - Select SAVE
- Close the Settings window,
  - by selecting the X on the right of the window

Part 5: Workspace ONE Hub Services Integration with Workspace ONE Access

In the Workspace ONE Access admin console
- select the Integrations tab
  - from the left menu
    - select Hub Configuration
  - In the Hub Configuration area
    - select LAUNCH

In the Optimize the Intelligent Hub Experience window
- Select BEGIN

In the Welcome to Hub Services
- Review the associated options.

In Workspace ONE Hub Services
- Select the Branding section
  - Find Logos > Organization Logo , to the right select UPLOAD
  - In the left pane,
    - Under Quick access,
      - select Desktop
        
        select the Software shortcut
      - GO TO
        
        DesktopBackground > GEN-99 TechSEALs Wallpaper and Logo
        
        select TechSEALs Logo - Normal.png
        
        select Open
    - Scroll down
      - and select SAVE

In the Workspace ONE Hub Services page
- In the left pane, select People
- Under People area,
  - next to Enable People,
    - move the toggle to the right
- Select SAVE

In the Workspace ONE Hub Services page
- from the left menu,
  - select the Custom Tab.
    - next to Enable Custom Tab,
      - move the toggle right.
    - next to Web
      - move the toggle right.
    - next to Title
      - enter: EUC TZ
        
        Best practice is not use a label longer than 6 characters.
    - next to URL:
      - enter https://techzone.vmware.com
    - next to Position,
      - enable the First radio button.
    - select SAVE

To the top right of the Workspace ONE Hub Services page
- select LOG OUT OF HUB SERVICES

In the Workspace ONE Access Console
- under Integrations
  - select People Search

In the People Search area
- next to Directory,
  - from the dropdown
    - select the TechSEALs
  - select NEXT

In the People Search page
- Step 2 Select User attributes
  - note the attributes
- Scroll down
- In the bottom left
  - Select NEXT

In the People Search page `
- Step 3 Select users and sync to directory
  - review the User DNs
    - It should read
      - ou=corp,DC=techseals,dc=co
    - select SAVE & SYNC

Part 6: Enrolling Intelligent Hub on Microsoft Windows 11

Step 1 : Enrolling W11Client-01a on Site 1 with the Active Directory Domain User Mark

Steps 1 - 4 could all be done in parallel, So whilst waiting for enrollment to complete on one virtual machine, feel free to move on the next step

On your ControlCenter server
- On the Desktop open the Remote Desktop folder.
  - open the Site1 folder
- select the W11Client-01a RDP client and
  - sign-in with
    - username: [email protected]
    - password: Pa$$w0rd
- to the right of the Start button
  - in the search area,
    - start typing intel
- select the Workspace ONE Intelligent Hub
  - Please Note! If the Workspace ONE Intelligent Hub does not load,
    - From the RUN > Services.msc > Start the Airwatch service
    - Attempt to re-launch the hub

In the Workspace ONE Cloud Console
- under Services
  - below UEM
    - select LAUNCH

In the Workspace ONE UEM console
- in the address bar
  - copy YOUR UEM tenant address
    - eg. cn1784.awmdm.com
  - copy YOUR Group ID
    - eg. dwpg9677

On your W11Client-01a desktop
- on the native Intelligent Hub
  - under Email or Server Address,
    - enter https://YOUR.awmdm.com tenant address
      - select Next

On your W11Client-01a desktop
- on the native Intelligent Hub
  - under Group ID
    - enter your unique your Workspace ONE UEM tenant Group ID
- select NEXT

In the Workspace ONE Intelligent Hub under
- under Select Your Domain
  - select techseals.co
    - select Next
- under the Username area
  - enter craig
- under the Password area
  - enter Pa$$w0rd
- select Sign in

In the Workspace ONE Intelligent Hub
- Select I Agree

On the Congratulations window,
- Select Done
- Re-open the Intelligent Hub
- Select Get Started

Step 2 : Enrolling W11Ext-01a on Site 1 with the Active Directory Domain User Jackie

On your ControlCenter server
- on the Desktop open the Remote Desktop folder.
  - open the Site1 folder
- select the W11Ext-01a.RDP client
  - sign-in with
    - username : W11Ext-01a\Jackie (default)
    - password: Pa$$w0rd
- to the right of the Start button in the search area, start typing intel
- select the Workspace ONE Intelligent Hub

In Workspace ONE Intelligent Hub
- under Email or Server Address,
  - enter https://YOURUEM.awmdm.com
    - select Next

In Workspace ONE Intelligent Hub
- under Group ID unique
  - enter YOUR unique your Workspace ONE UEM tenant Group ID
- select NEXT

In the Workspace ONE Intelligent Hub under
- under Select Your Domain
  - select techseals.co
    - select Next
- under the Username area
  - enter Jackie
- under the Password area
  - enter Pa$$w0rd
    - select Sign in

In the Workspace ONE Intelligent Hub
- select I Agree

On the Congratulations window,
- select Done
  - Re-open the Intelligent Hub
    - select Get Started

Step 3 : Enrolling W11Client-02a on Site 2 with the Active Directory Domain User Malcolm

On your ControlCenter server
- On the Desktop open the Remote Desktop folder.
  - open the Site2 folder
- select the W10Client-02a RDP client and
  - sign-in with
    - username w11client-02a\malcolm
    - Password Pa$$w0rd
  - select OK
- to the right of the Start button in the search area,
  - start typing intel
  - select the Workspace ONE Intelligent Hub

In the Workspace ONE Intelligent Hub
- under Email or Server Address,
  - enter YOUR https://YOUR.awmdm.com tenant ID
    - select Next

In the Workspace ONE Intelligent Hub
- under Group ID
  - enter YOUR tenant Group ID
- select NEXT

In the Workspace ONE Intelligent Hub under
- under Select Your Domain
  - select techseals.co
    - select Next
- under the Username area
  - enter Malcolm
- under the Password area
  - enter Pa$$w0rd
- select Sign in

In the Workspace ONE Intelligent Hub
- select I Agree

On the Congratulations window,
- select Done
- select Get Started

Step 4: Enrolling W11Ext-02a on Site 2 with the Active Directory Domain User Nancy

On your ControlCenter server
- on the Desktop open the Remote Desktop folder.
  - Open the Site2 folder
- select the W11Ext-02a.RDP client
  - sign-in with
    - username w11Ext-02a\Nancy
    - Password Pa$$w0rd
- to the right of the Start button in the search area, start typing intel
- select the Workspace ONE Intelligent Hub

In the Workspace ONE Intelligent Hub
- under Email or Server Address,
  - enter YOUR https://YOUR.awmdm.com tenant ID
- select Next

In the Workspace ONE Intelligent Hub
- under Group ID
  - enter YOUR tenant Group ID
    - select NEXT

In the Workspace ONE Intelligent Hub under
- under Select Your Domain
  - select techseals.co
    - select Next
- under the Username area
  - enter Nancy
- under the Password area
  - enter Pa$$w0rd
- select Sign in

In the Workspace ONE Intelligent Hub
- Select I Agree

On the Congratulations window,
- select Done
- select Get Started

Part 7: Log into a Windows 11 Desktop and demonstrate the limitation

On the ControlCenter server Desktop,
- open the Remote Desktops folder,
  - select the W11Client-01a.RDP shortcut
- ensure the username is
  - w11client-01a\craig,
- enter the password
  - Pa$$w0rd
  - select OK

On W11Client-01a desktop
- select Start > Run,
  - next to Open,
    - type mmc,
      - select OK
- In the Console,
  - select Add/Remove Snap-in

In the Add or Remove Snap-ins window
- Select Certificates,
- Select Add

In the Certificates snap-in,
- accept the Defaults,
  - select Finish
  - select OK

Expand Certificates - Current User
- Expand Personal
- select Certificates

Note you have an enrolled certificate. If you dont have a certificate, reach out for support.

On your W11Client-01a Desktop
- on your windows 11 desktop
  - open the native Intelligent Hub
- in the native Intelligent Hub
  - select Apps
- under All Apps
  - select Enterprise Instant Clone Windows 11 Desktops
- on the Select a certificate window
  - select Craig
  - select OK

On your W11Client-01a Desktop
- in the Open VMware Horizon Client? window
  - select Open VMware Horizon Client

Select Calculator,
- Notice we are getting a Password request.
  - The 1st reason is, we used a 3rd party Auth method to login to Workspace ONE Access. (In our session a Certificate based Auth method was used) Workspace ONE Access did not have the UPN it would have received from a password Auth method, to pass on to the Horizon Agent.
  - Up to version 1903, Workspace ONE Access would CACHE the credential when a password method of Authentication was used to login to the Console. Prior to version 20.01 or up to version 1903, when a user logged into Workspace ONE Access with a password method of authentication, the user would enjoy a Single-Sign on experience. It was therefore only necessary to Deploy TRUESSO if the users were authenticating with an Auth method that was NOT password based.
  - From version 20.01 Saas onwards, the automatic CACHING of password credentials is no longer a feature in Workspace ONE Access. This is an enhancement of Workspace ONE Access security.
  - In June this year a feature was re-introduced to allow Automatic Caching of Passwords on the Saas Instance of Access
  - We however still need Enrollment services when authenticating with 3rd party auth methods
- In the next Part, we will proceed with the deployment of TRUESSO to solve this challenge.
- Select Cancel to close the Password Request window.
- Logout and close all windows on W11Client-01a

Part 8. Installing and Configuring the sub-ordinate CA and the Enrollment services

Section 1: Installing the Subordinate CA

On your ControlCenter server
- open the Remote Desktop Folder
  - open the Site1 folder
  - launch the TrueSSO-01a.RDP shortcut
    - login as techseals\administrator
    - enter the password Pa$$w0rd

On the TrueSSO-01a server
- select the Start button
  - from the menu
    - select Server Manager

On the Server Manager Interface
- select Manage > Add Roles and Features

On the Before you begin window
- select Next

On the Select installation type window,
- next to Role-based or feature-based installation
  - select the radio button
- select Next

On Select destination server window (accept the defaults)
- select Next

On the Select server roles window,
- in front of Active Directory Certificate Services,
  - select the check box
- when prompted for the Add Features window,
  - select the Add Features box,
- select Next

On the Select features window
- select Next

On the Active Directory Certificate Services window
- select Next

On the Select role services window
- select Next

On the Confirm Installation selections window,
- next to Restart the destination server automatically if required,
  - select the checkbox
- on the Add Roles and Features Wizard window
  - select Yes
- select Install

You will have to wait a short while before moving on to section 2

Section 2: Configuring Active Directory Certificate Services for a Sub-ordinate CA

On the Installation progress page,
- select the Configure Active Directory Certificate Services on the destination server hyper-link

On the Credentials window
- select Next

On the Role Services page,
- select the Certificate Authority checkbox
  - select Next

On the Specify the setup type of the CA window
- next to Enterprise CA
  - select the radio button
- select Next

On the CA type window
- next to Subordinate CA
  - select the radio button
- select Next

On the Private Key window,
- next to Create a new private key
  - ensure the radio button is selected
- select Next

On the Cryptography for CA window
- validate the following is selected
  - under Cryptographic Provider:
    - RSA#Microsoft Software Key Storage Provider
  - next to Key Length:
    - 2048
  - Hash Algorithm:
    - SHA256
  - select Next

On the Specify the Name of the CA window
- observe the CA naming convention
  - select Next

On the Request a certificate from parent CA ,
- next to Send a certificate request to a parent CA:
  - select the radio button
- to the right of the Parent CA box,
  - click the Select button
- In the Select Certificate Authority window
  - ensure that techseals-CONTROCENTER-CA is selected
    - select OK
- select Next

On the CA Database window,
- select Next

On the Confirmation window
- select Configure

On the Results window
- select Close
- on the Installation progress window,
  - select Close

Part 9: Certificate Template configuration for Horizon TRUE SSO

As a result of this being a multi-site setup. We have already deployed all the services for Site 2.

Both Site 1 and Site 2 share the same Active Directory Certificate Services. One of the requirements for TRUESSO is to setup a certificate Template. This has already been setup. In a future lab, which could be optional, that being Integrating with Untrusted Forests, you will have the opportunity to setup the Template in its entirety

In this section we will validate and perform configuration specific to Site 1

On your TRUESSO-01a server
- select Start > Run > type mmc
  - select File > Add/Remove Snap-in...
    - select the Certificate Authority services snap-in,
      - select Add
    - In the Certificate Authority window,
      - next to Another computer
        
        select the radio button
        
        In line with Another computer
        
        select Browse
        
        select Finish
    - to close the Add or Remove Snap-ins window
      - select OK

Expand the euc-livefire-TRUESSO-01a-CA inventory
- select Certificate Templates,
  - right-click
    - select Manage

In the Certificate Template Console
- find and select the TrueSSO template
  - right-click the TrueSSO template

In the TrueSSO Template Properties
- select the Security tab
  - in the Group or user names: area
    - select Add
      - to the right of the Select this object type: box
        
        select the Object types button
        
        next to Computers,
        
        select the checkbox
        
        select OK

In the Select Users, Computers, Service Accounts, or Groups window
- Enter the object names to select
  - type TRUESSO-01a
    - to the right select Check Names
      - select OK

In the TrueSSO Template Properties windows
- next to Enroll
  - select the checkbox
    - Read should be selected by default
  - to close the TrueSSO Template Properties,
    - select OK

Switch to the Certificate Authority Console
- select and right-click the Certificate Templates container,
  - select New > Certificate Template to Issue

In the Enable Certificate Templates window,
- select your TrueSSO Template
  - select OK

In the Certificate Authority Console
- select Certificate Templates,
  - right-click
    - select Manage

In the Certificate Templates Console
- select Enrollment Agent (computer) template
  - right-click
    - select Properties

In the Enrollment Agent Properties window
- select the Security tab

In the TrueSSO Template Properties
- select the Security tab
  - in the Group or user names: area
    - select Add
      - to the right of the Select this object type: box
        
        select the Object types button
        
        next to Computers,
        
        select the checkbox
        
        select OK

In the Enrollment agent properties window
- next to Enroll
  - select the checkbox
    - Read should be selected by default
- to close the Enrollment Agent (Computer) Properties
  - select OK
  - Switch back to the Certificate Authority Console

In the Certificate Authority Console select
- right-click the Certificate Templates container,
  - select New > Certificate Template to Issue

In the Enable Certificate Templates window
- Select the Enrollment Agent (Computer) template
- Select OK

In the Certificate Authority window
- Note the Templates you now have
  - TrueSSO Template
  - Enrollment Agent (Computer)

Part 10: Pre- Install Configuration and Install of Horizon Enrollment Services

We will now configure the CA for non-persistent certificate processing
- on the TrueSSO-01a server
  - select the Start button
    - right-click
      - select Command Prompt (Admin)

In the Administrator: Command Prompt
- enter the following command

certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS

In the Administrator: Command Prompt
- enter the following command
  - to Configure the CA to ignore offline CRL errors
- certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

In the Administrator: Command Prompt
- enter the following command
  - From the command prompt run:
    - Restart the CA service.
  - net stop certsvc
  - net start certsvc

On the TrueSSO-01a server desktop
- launch the software shortcut
  - In the Software folder,
    - open the Horizon\2312 folder.
      - select and launch the VMware-Horizon-Connection-Server-x86_64-8.12.0-23148203

On the Open File - Security Warning window
- Select Run

On the Welcome window
- Select Next

On the License agreement window
- next to I accept the terms in the license agreement,
  - select the radio button
    - select Next

On Destination Folder window
- select Next

On the Installation Options window
- select Horizon Enrollment Server
  - select Next

On Firewall configuration window
- select Next

On the Ready to Install Program window
- select Install

On the Installer Completed Window
- select Finish

Part 11: Certificate Configuration on the Enrollment Server

On the TrueSSO-01a server
- select the Start Button,
  - right-click
    - select Run,
      - type MMC,
        
        select OK

In the Console window
- select File > Add/Remove Snap-in..

In the Add or Remove Snap-ins window,
- select Certificates
  - select Add

In the Certificates snap-in
- next to Computer account
  - select the radio button
    - select Next
      - select Finish
        
        select OK

Expand the Certificates console inventory
- select the Personal > Certificates container.
  - and right-click
    - select All Tasks > Request New Certificate

On the Certificate Enrollment window
- select Next

On the Select Certificate Enrollment Policy window
- select Next

On the Request Certificates window
- in front of Enrollment Agent (Computer)
  - select the checkbox
- select Enroll

On the Certificate Installation Results window,
- ensure the enrollment was successful
  - select Finish

In the Certificates Console
- note you now a TrueSSO-01a template for enrollment

Part 12: Federating Enrollment services with Horizon

Switch to your ControlCenter server,
- Open up your Remote Desktop > Site 1 folder
  - launch the RDP shortcut for Horizon-01a
  - If necessary, authenticate, using the following credentials
    - username techseals\administrator
      - password Pa$$w0rd

On the Horizon Server desktop
- select and open your CACertSnapin.mmc

In the Certificates Console
- Expand the inventory
  - Browse down to:
    - VMware Horizon View Certificates > Certificates

In the VMware Horizon View Certificates > Certificates folder
- expand the console or scroll across the console
  - notice the guid based certificate has a friendly name of vdm.ec

In the Certificates console
- select your top GUID certificate with the friendly name of vdm.ec.
  - Right-Click select All Tasks
  - Select Export

Note there are two GUID based certificates with a vdm.enc Friendly name. Select the cert with vdm.ec

In your environment, the certificate order might differ to the screenshot

On the Welcome to the Certificate Export Wizard window
- Select Next

On the Export Private Key page
- next to No, do not export the private key
  - select the radio button
    - select Next

On the Export File Format window
- next to Base-64 encoded X.509
  - select the radio button
    - select Next

In the File to Export window
- under File name
  - type the following
    - \\horizon-01a\software\Horizon\enroll.cer
      - select Next

Software is a shared folder which we will use to copy from on the TrueSSO server

On the Completing the Certificate Export Wizard window
- when prompted that The export was successful,
  - select Finish.
    - select OK

On your ControlCenter server desktop
- on your TrueSSO-01a RDP session
  - switch from your Horizon-01a RDP session

On our TrueSSO-01a server
- select your Certificate services Snap-in,
  - select the VMware Horizon View Enrollment Server Trusted Roots, folder
    - and right-click
      - select All Tasks > Import

On the Welcome window
- select Next

In the File to import window
- Under File name,
  - enter the following
    - \\Horizon-01a.techseals.co\software\Horizon\enroll.cer
- select Next

In the Certificate Store window accept the defaults and
- select Next.
  - on the Summary page
    - select Finish.
    - when Prompted that The Import was successful
      - select OK

In the Certificates Folder
- select the imported certificate
  - and Right-click
    - select Properties.
- In the Friendly name: section
  - type vdm.ec
    - select OK

Part 13: Enabling TRUESSO support on the Unified Access Gateway servers

We will enable full SAML authentication on both our sites for all Unified Access Gateway servers

Section 1. Enabling SAML Federation on Site 1 , UAG-HZN-01a

On your Site 1 Browser profile
- In the Favourites bar
  - select the UAG-HZN-01a shortcut

In the VMware Unified Access Gateway login
- in the Username area
  - enter admin
- in the Password area
  - enter Pa$$w0rd
- select Login

In the VMware Unified Access Gateway admin console
- below Configure Manually
  - click Select

In the VMware Unified Access Gateway admin console
- In the General Settings area
  - next to Edge Service Settings
    - turn the TOGGLE from OFF to ON
  - to the right of Horizon Settings
    - select the GEAR icon

In the Horizon Settings window
- scroll down to the bottom
  - next to More
    - select the expand icon

In the Horizon Settings window
- next to Auth Methods
  - from the dropdown
    - select SAML

In the Horizon Settings window
- scroll down to the bottom of the window
  - select Save

Section 2. Enabling SAML Federation on Site 1 , UAG-HZN-01b

On your Site 1 Browser profile
- in the Favourites bar
  - select the UAG-HZN-01b shortcut

In the VMware Unified Access Gateway login
- in the Username area
  - enter admin
- in the Password area
  - enter Pa$$w0rd
- select Login

In the VMware Unified Access Gateway admin console
- below Configure Manually
  - click Select

In the VMware Unified Access Gateway admin console
- In the General Settings area
  - next to Edge Service Settings
    - turn the TOGGLE from OFF to ON
  - to the right of Horizon Settings
    - select the GEAR icon

In the Horizon Settings window
- scroll down to the bottom
  - next to More
    - select the expand icon

In the Horizon Settings window
- next to Auth Methods
  - from the dropdown
    - select SAML

In the Horizon Settings window
- scroll down to the bottom of the window
  - select Save

Section 3. Enabling SAML Federation on Site 2 , UAG-HZN-02a

On your Site 1 Browser profile
- In the Favourites bar
  - select the UAG-HZN-02a shortcut

In the VMware Unified Access Gateway login
- in the Username area
  - enter admin
- in the Password area
  - enter Pa$$w0rd
- select Login

In the VMware Unified Access Gateway admin console
- below Configure Manually
  - click Select

In the VMware Unified Access Gateway admin console
- In the General Settings area
  - next to Edge Service Settings
    - turn the TOGGLE from OFF to ON
  - to the right of Horizon Settings
    - select the GEAR icon

In the Horizon Settings window
- scroll down to the bottom
  - next to More
    - select the expand icon

In the Horizon Settings window
- next to Auth Methods
  - from the dropdown
    - select SAML

In the Horizon Settings window
- scroll down to the bottom of the window
  - select Save

Section 4. Enabling SAML Federation on Site 2 , UAG-HZN-02b

On your Site 1 Browser profile
- In the Favourites bar
  - select the UAG-HZN-02bshortcut

In the VMware Unified Access Gateway login
- in the Username area
  - enter admin
- in the Password area
  - enter Pa$$w0rd
- select Login

In the VMware Unified Access Gateway admin console
- below Configure Manually
  - click Select

In the VMware Unified Access Gateway admin console
- In the General Settings area
  - next to Edge Service Settings
    - turn the TOGGLE from OFF to ON
  - to the right of Horizon Settings
    - select the GEAR icon

In the Horizon Settings window
- scroll down to the bottom
  - next to More
    - select the expand icon

In the Horizon Settings window
- next to Auth Methods
  - from the dropdown
    - select SAML

In the Horizon Settings window
- scroll down to the bottom of the window
  - select Save

Part 14: Mapping the subordinate CA to a preferred Enrollment service

On the ControlCenter server,
- switch back to your TrueSSO.RDP session
- select the Start button > RUN
  - type regedit.exe
- In the regedit inventory,
  - browse to the following location:
    - HKLM\SOFTWARE\VMware, Inc.\VMware VDM\
  - What we should see is an Enrollment Service Key
    - HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service.
    - You will notice there is no Enrollment Service key, we need to create one. In our case we have to
- Create the Enrollment Service key
  - Right-click VMware VDM > New > Key
    - type Enrollment Service

We will add 3 String Values in the Registry Key

In the Registry Editor
- right-click the Enrollment Service key > New > String Value
  - type PreferLocalCa
- right-click the PreferLocalCa String value
  - select Modify
  - in the Value data: field
    - enter 1
- select OK to close the window

Add your second String Value
- right-click the Enrollment Service key > New > String Value
  - enter UseKerberosAuthenticationToCa
- right-click the UseKerberosAuthenticationToCa String value
  - select Modify
  - in the Value data: field
    - enter false
- select OK to close the window.

Add a third String Value
- right-click the Enrollment Service key > New > String Value
  - enter UseNTLMAuthenticationToCa
- right-click the UseNTLMAuthenticationToCa String value
  - select Modify
  - in the Value data: field
    - enter true
- Select OK to close the window.

On your TrueSSO-01a server
- From the Start button,
  - select Run
    - type services.msc
      - select OK
- in services menu, scroll down until you find
  - VMware Horizon View Enrollment Server service
- select and right-click the VMware Horizon View Enrollment Server service
  - select Restart
- Close the Services mmc

Part 15: Pairing Horizon with Enrollment and Certificate services

Section 1: Pairing Enrollment and Certificate Services for Site 1

On your ControlCenter server
- switch to your HORIZON-01a.RDP session

Select and right-click the Start button
- select Command Prompt (Admin)

In the Administrator: Command Prompt
- enter the following:-

cd "\Program Files\VMware\VMware View\Server\tools\bin"

In the Administrator: Command Prompt type the following:-

The enrollment server is added to the global list.

vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --environment --add --enrollmentServer TrueSSO-01a.techseals.co

Wait 2 min before doing the next command

In the Administrator: Command Prompt type the following:-

The output shows the forest name, whether the certificate for the enrollment server is valid, the name and details of the certificate template you can use, and the common name of the certificate authority.

vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --environment --list --enrollmentServer TrueSSO-01a.techseals.co --domain techseals.co

Enter the command to create a True SSO connector, which will hold the configuration information, and enable the connector.

vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --create --connector --domain techseals.co --template TrueSSOTemplate --primaryEnrollmentServer truesso-01a.techseals.co --certificateServer techseals-TRUESSO-01A-CA --mode enabled

Section 2: Configuring the SAML Authenticator for Site 1

On your Horizon-01a Server
- Enter the command to discover which SAML authenticators are available
  - Authenticators are created when you configure SAML authentication between Workspace ONE Access and a connection server, using Horizon Administrator.
  - The output shows the name of the authenticator and shows whether True SSO is enabled

vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --list --authenticator

On your ControlCenter server
- On your Site 1 Chrome browser
  - from the Favourites bar
    - launch your Horizon Site 1 shortcut
  - In the Horizon Login
    - in the Username area
      - enter Administrator
    - in the Password area
      - enter Pa$$w0rd
    - select Sign in

In the Horizon Admin console
- In the Inventory
  - expand Settings
    - select Servers

In the Servers area
- next to Horizon-01a
  - select the Radio Button
    - select Edit

In the Edit Connection Server Settings
- select the Authentication tab
  - below SAML Authenticator
    - select Manage SAML Authenticators

In the Manage SAML Authenticators window
- next to Workspace ONE
  - select the Radio button
    - select Edit

In the Edit SAML 2.0 Authenticator window
- below * TrueSSO Trigger Mode
  - from the dropdown
    - select Enabled
  - to close the Edit SAML 2.0 Authenticator window
    - select OK
  - to close the Manage SAML Authenticators window
    - select OK
  - to close the Edit Connection Server Settings window
    - select OK

On your TrueSSO-01a server
- Go back to the command prompt Admin

vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --list --authenticator

You will notice True SSO mode now Enabled

For --truessoMode, use ENABLED if you want True SSO to be used only if no password was supplied when the user logged in to VMware Identity Manager. In this case if a password was used and cached, the system will use the password. Set --truessoMode to ALWAYS if you want True SSO to be used even if a password was supplied when the user logged in to VMware Identity Manager

Part 16: Testing to see if TrueSSO works

On your ControlCenter server,
- switch your Remote Desktops session for W11Client-01a.RDP.

On your W11Client-01a desktop,
- shutdown all windows
- open the Intelligent Hub
  - in the side menu
    - select Apps
  - In the Apps area
    - select Enterprise Instant Clone Windows 11 Desktops

On the Select a Certificate window,
- select Craig
  - select OK

In the Open VMware Horizon Client? window
- select Open VMware Horizon Client

Acknowledgments

A Huge thank you to

Rahul Jha from Global Support Services in Bangalore India for his support in development of this content
Spas Kalarov from the Hybrid Cloud Team at Livefire for help in Troubleshooting Certificate Services
Graeme Gordon from Tech Marketing for their guidance on Tech Zone

References

https://docs.vmware.com/en/VMware-Horizon-7/7.12/horizon-administration/GUID-7314E2AF-2DA0-4BD0-939D-F5F352B3EEE0.html

https://techzone.vmware.com/resource/workspace-one-and-horizon-reference-architecture#Setting-truesso

About the Author: Reinhart Nel

https://www.livefire.solutions/meet-the-team/reinhartnel/

Any questions related to this session, email Reinhart at RACE-Livefire-EUC <[email protected]>

EUC

8. Workspace ONE Integration with Horizon

Enabling Single Sign-ON for users Authenticating with an Identity Provider

Acknowledgments

References

About the Author: Reinhart Nel

0 Comments

Add your comment

Topics

Last Updated