8. Workspace ONE Integration with Horizon
Enabling Single Sign-On for Users Authenticating with a Third-Party Identity Provider
Traditionally, when a user authenticates to Workspace ONE Access with a third-party authentication method, that user does not, by default, get a single sign-on experience when launching a VMware Horizon resource through Workspace ONE Access.
With a password-based authentication method, Workspace ONE Access would cache the password presented at login and pass it on to the Horizon Connection Server (the broker) when the user launched an entitlement.
Single sign-on was therefore only a problem for third-party authentication methods. To solve it, we deploy the Horizon Enrollment Server (Enrollment services), integrated with Microsoft Active Directory Certificate Services, which requests a short-lived certificate for the user so that the Horizon Agent can log the user on to Windows without a password. We refer to this solution as Horizon True SSO.
Since December 2019
When connecting to Horizon resources via Workspace ONE Access, caching of passwords for Horizon is disabled by default on the SaaS service, and a user has to re-authenticate when selecting a Horizon entitlement. Caching of the user's credentials for the open session can still be enabled, but only when the authentication method is password based.
https://docs.vmware.com/en/VMware-Workspace-ONE-Access/services/rn/VMware-Workspace-ONE-Access-Cloud-Release-Notes.html
To continue offering users a seamless single sign-on experience, the Enrollment Server has therefore become a critical component of the Workspace ONE Access integration with Horizon.
In this lab scenario, the third-party authentication method used to log in to Workspace ONE Access is certificate-based authentication.
We will start off by doing the following:
- Configure certificate provisioning in Workspace ONE UEM and certificate-based authentication in Workspace ONE Access
- Log in to a Windows 11 desktop and demonstrate the limitation (a password prompt when launching a Horizon resource)
- Deploy and configure True SSO
- Deploy and configure the Horizon Enrollment Server
- Integrate and configure Active Directory Certificate Services with the Horizon Enrollment Server
- Log in to a Windows 11 desktop and demonstrate the solution
- In the Workspace ONE Cloud console
  - below the Services area, in the UEM block, select LAUNCH
- In the Workspace ONE UEM Admin Console
  - select GROUPS & SETTINGS
  - in the Groups & Settings area, select All Settings
  - navigate to System > Enterprise Integration > Workspace ONE Access > Configuration
- In the Workspace ONE Access > Configuration area
  - scroll down to the Certificate area
  - next to Certificate Provisioning, select ENABLE
  - next to Issuer Certificate, select EXPORT
    - note this downloads a .cer file named VidmAirWatchRootCertificate.cer (the UEM certificate authority root that Access will trust for certificate authentication)
  - to close the Settings window, scroll up and select the X in the top right corner
- From the Workspace ONE UEM console
  - navigate to RESOURCES > Profiles
  - select ADD > Add Profile
- In the Add Profile window
  - select Windows > Windows Desktop > User Profile
  - next to Name*, enter: W11 - SCEP - SSO
  - on the General tab, scroll down to Smart Groups and select All Devices (YOUR SaaS Tenant)
  - in the left menu, below General, select SCEP
  - in the SCEP area, select CONFIGURE
- In the SCEP area, validate
  - Credential Source: AirWatch Certificate Authority (default)
  - Certificate Authority: AirWatch Certificate Authority (default)
  - Certificate Template: Single Sign-On (default)
- configure
  - Key Location: Software
  - NOTE: Software stores the user's private key in the Windows software key storage provider (protected by the user's DPAPI keys) rather than in the TPM. That is sufficient for this lab; in production, a TPM-backed Key Location binds the authentication certificate to the device hardware and prevents the key from being copied off the device.
- to save the configuration, at the bottom right of the window, select SAVE AND PUBLISH
- In the View Device Assignment page, select PUBLISH
- Switch to your Workspace ONE Access tenant
  - if necessary, go to your Workspace ONE console and, in the Access area, select LAUNCH
- In the Access admin console
  - navigate to the Integrations tab (Authentication Methods is the default area)
  - next to Certificate (Cloud Deployment), select the radio button
  - select CONFIGURE
- In the Certificate (Cloud Deployment) page
  - below Enable Certificate Adapter, move the toggle from No to Yes
  - below Root and Intermediate CA Certificates, click SELECT FILE
  - In the Open window
    - in the Quick Access bar, select Downloads
    - select the VidmAirWatchRootCertificate.cer file exported earlier
    - select Open
  - in the Update Authentication Adapter window, select YES
  - keep the remaining settings at their defaults
  - at the bottom of the page, select Save
NOTE: The uploaded root certificate is the trust anchor for this adapter: only client certificates that chain to it are accepted, so whoever can issue from the UEM certificate authority can authenticate to Access as any user it issues a certificate for. Treat that CA and its admin access accordingly.
- In the Workspace ONE Access console
  - under the Integrations tab, in the menu pane, select Identity Providers
  - in the Identity Providers area, select Built-in
- In the Identity Providers > Built-in window
  - in the Users area, next to TechSEALS, select the checkbox
  - scroll down
  - in the Network area, next to ALL RANGES, select the checkbox
  - at the bottom of the page, select SAVE
- In the Workspace ONE Access Admin console
  - navigate to Resources
  - in the side menu, select Policies
- In the Policies area
  - next to default_access_policy_set, select the radio button
  - select EDIT
- In the Edit Policy window
  - in the side column, select Configuration
  - next to Web Browser, select All Ranges
- In the Edit Policy Rule window
  - next to then the user may authenticate using *, from the dropdown select Certificate (Cloud Deployment)
  - next to if preceding method fails or is not applicable, then *, from the dropdown select Password (Cloud Deployment)
  - select ADD FALLBACK METHOD
  - next to the new if preceding method fails or is not applicable, then *, from the dropdown select Password (Local Directory)
  - at the bottom of the window, select SAVE
- Back in the Configuration window, select + ADD POLICY RULE
- In the Edit Policy Rule window
  - next to and user accessing content *, from the dropdown select Windows 10+
  - next to then the user may authenticate using *, from the dropdown select Certificate (Cloud Deployment) as the first authentication method
  - select ADD FALLBACK METHOD twice
  - next to the first if preceding method fails or is not applicable, then, from the dropdown select Password (Cloud Deployment)
  - next to the second if preceding method fails or is not applicable, then, from the dropdown select Password (Local Directory)
  - at the bottom right of the page, select SAVE
- In the Configuration window
  - ensure the Windows 10+ and Web Browser device types are first and second in the authentication flow:
    - next to ALL RANGES for Windows 10+, select the six dots on the left and drag the rule to the top
    - next to ALL RANGES for Web Browser, select the six dots on the left and drag the rule below Windows 10+
  - select NEXT
- In the Edit Policy page, Summary section
  - review the policy configuration
  - select SAVE
NOTE: Policy rules are evaluated top down and the first rule whose device type and network range match is the one applied, which is why Windows 10+ must sit above Web Browser. Also be aware that the password fallback means a user whose certificate is missing or rejected can still sign in with a password; in production, decide deliberately whether that fallback is acceptable or whether certificate authentication should be enforced without it.
- In the Workspace ONE UEM console
  - select GROUPS & SETTINGS
  - in the GROUPS & SETTINGS area, select All Settings
  - navigate to Devices & Users > General > Enrollment
- In the Enrollment window
  - next to Override, select the radio button
  - scroll down
  - in line with Authentication Mode(s), next to Directory, select the checkbox
  - in line with Source of Authentication for Intelligent Hub, select WORKSPACE ONE ACCESS
  - at the bottom of the page, select SAVE
NOTE: We do this because we want the user to authenticate against Workspace ONE Access during enrollment.
Organizations can leverage the provisioning adapter in Workspace ONE Access to provision users into Workspace ONE UEM. This implementation does not require the AirWatch Cloud Connector and uses SAML just-in-time (JIT) provisioning to create users in UEM during the enrollment process.
- In the Workspace ONE Access admin console
  - select the Resources tab
  - in the side menu, ensure Web Apps is selected (default)
  - in the Web Apps area, select NEW
- In the New SaaS Application wizard
  - select OR BROWSE FROM CATALOG
  - in the FILTER area in the top right corner, enter AirWatch
  - in line with AirWatch Provisioning, select the +
  - select NEXT
- In the New SaaS Application wizard
  - below Single Sign-On URL, replace www.airwatch.com with YOUR UEM tenant URL
  - below Recipient URL, replace www.airwatch.com with YOUR UEM tenant URL
  - leave everything else default
  - select NEXT
  - in the Access Policies window, select NEXT
  - in the Summary window, select SAVE
- In your Workspace ONE Access console
  - on the Resources tab, in the Web Apps area, next to AirWatch Provisioning, select the checkbox
  - select EDIT
- In the Edit SaaS Application window
  - in the side menu, select 4 Provisioning
  - in the Provisioning Adapter Configuration area, below Enable Certificate Auth, move the toggle from No to Yes
  - under Workspace ONE UEM Group ID, enter YOUR UEM Group ID
  - select TEST CONNECTION
  - select NEXT
  - in the User Provisioning area, leave all values default and select NEXT
- In the Edit SaaS Application window, in the Group Provisioning area
  - select ADD GROUP
  - In the Add Group to Provision window
    - below Group Name*, enter developer and select [email protected]
    - below Nickname*, type Developers
    - select SAVE
  - select ADD GROUP
  - In the Add Group to Provision window
    - below Group Name*, enter sales and select [email protected]
    - below Nickname*, type Sales
    - select SAVE
  - repeat the process for Marketing and IT Support
  - select NEXT
- In the Edit SaaS Application window, on the Summary area
  - select SAVE & ASSIGN
- In the Assign window
  - below the Users / User Groups search area, enter All Users and select All Users
  - next to Deployment Type, select Automatic
  - in the bottom right corner, select SAVE
- In the Workspace ONE UEM admin console
  - select Groups & Settings > All Settings > System > Enterprise Integration
  - under Enterprise Integration, select Directory Services
- In the Directory Services window
  - select the Override radio button
  - select Skip wizard and configure manually
- From the Directory Services interface, under the Server tab, configure the following:
  - Directory Type*: LDAP-Active Directory
  - DNS SRV: Disabled (default)
  - Server: ControlCenter.euc-livefire.com
  - Bind User Name: administrator
  - Bind Password: Pa$$w0rd
  - Domain: euc-livefire.com
  - NOTE: Binding as the domain Administrator is a lab shortcut. UEM stores this credential, so in production use a dedicated, least-privilege, read-only service account for the LDAP bind and protect the channel (LDAPS or StartTLS).
- From the Directory Services interface, under the User tab, validate the following:
  - under Base DN, ensure that DC=euc-livefire,DC=com has been populated automatically
    - if not, click the + icon and add DC=euc-livefire,DC=com
  - next to User Object Class, ensure the value is person
  - next to User Search Filter, ensure the string is (&(objectCategory=person)(sAMAccountName={EnrollmentUser}))
- Repeat these steps for the third tab, Group
  - under Base DN, validate that DC=euc-livefire,DC=com is entered
- Scroll to the bottom of the page
  - select Save
  - select TEST CONNECTION
  - a Test Connection window should appear saying Connection successful...
  - select CANCEL to close the window
- Let's ensure users can enroll their devices using Active Directory credentials.
- Under Settings, select Devices & Users > General > Enrollment
- Under the Enrollment area
  - select the Override radio button
  - scroll down
  - in line with Authentication Mode(s), ensure the Directory checkbox is selected
  - in line with Source of Authentication for Intelligent Hub, select WORKSPACE ONE ACCESS
  - scroll down and select SAVE
- Close the Settings window by selecting the X on the right of the window
- In the Workspace ONE Access admin console
  - select the Integrations tab
  - from the left menu, select Hub Configuration
  - in the Hub Configuration area, select LAUNCH
- In the Optimize the Intelligent Hub Experience window, select BEGIN
- In the Welcome to Hub Services window, review the associated options
- In Workspace ONE Hub Services
  - select the Branding section
  - find Logos > Organization Logo and, to the right, select UPLOAD
  - in the left pane, under Quick access, select Desktop
  - select the Software shortcut
  - go to DesktopBackground > GEN-99 TechSEALs Wallpaper and Logo
  - select TechSEALs Logo - Normal.png
  - select Open
  - scroll down and select SAVE
- In the Workspace ONE Hub Services page
  - in the left pane, select People
  - under the People area, next to Enable People, move the toggle to the right
  - select SAVE
- In the Workspace ONE Hub Services page
  - from the left menu, select the Custom Tab
  - next to Enable Custom Tab, move the toggle right
  - next to Web, move the toggle right
  - next to Title, enter: EUC TZ
    - best practice is to use a label no longer than 6 characters
  - next to URL, enter https://techzone.vmware.com
  - next to Position, enable the First radio button
  - select SAVE
- At the top right of the Workspace ONE Hub Services page, select LOG OUT OF HUB SERVICES
- In the Workspace ONE Access Console
  - under Integrations, select People Search
- In the People Search area
  - next to Directory, from the dropdown select TechSEALs
  - select NEXT
- In the People Search page, Step 2 Select User attributes
  - note the attributes
  - scroll down and, in the bottom left, select NEXT
- In the People Search page, Step 3 Select users and sync to directory
  - review the User DNs; it should read ou=corp,DC=techseals,dc=co
  - select SAVE & SYNC
Step 1 : Enrolling W11Client-01a on Site 1 with the Active Directory Domain User Mark
Steps 1 - 4 can all be done in parallel, so while waiting for enrollment to complete on one virtual machine, feel free to move on to the next step.
- On your ControlCenter server
  - on the Desktop, open the Remote Desktop folder
  - open the Site1 folder
  - select the W11Client-01a RDP client and sign in with
    - username: [email protected]
    - password: Pa$$w0rd
  - to the right of the Start button, in the search area, start typing intel
  - select the Workspace ONE Intelligent Hub
  - Please note! If the Workspace ONE Intelligent Hub does not load, go to RUN > Services.msc, start the AirWatch service and attempt to re-launch the Hub
- In the Workspace ONE Cloud Console
  - under Services, below UEM, select LAUNCH
- In the Workspace ONE UEM console
  - in the address bar, copy YOUR UEM tenant address (e.g. cn1784.awmdm.com)
  - copy YOUR Group ID (e.g. dwpg9677)
- On your W11Client-01a desktop, in the native Intelligent Hub
  - under Email or Server Address, enter https://YOUR.awmdm.com (your tenant address)
  - select Next
  - under Group ID, enter your unique Workspace ONE UEM tenant Group ID
  - select NEXT
- In the Workspace ONE Intelligent Hub
  - under Select Your Domain, select techseals.co
  - select Next
  - under the Username area, enter craig
  - under the Password area, enter Pa$$w0rd
  - select Sign in
- In the Workspace ONE Intelligent Hub
  - select I Agree
  - on the Congratulations window, select Done
  - re-open the Intelligent Hub and select Get Started
Step 2 : Enrolling W11Ext-01a on Site 1 with the Active Directory Domain User Jackie
- On your ControlCenter server
  - on the Desktop, open the Remote Desktop folder
  - open the Site1 folder
  - select the W11Ext-01a.RDP client and sign in with
    - username: W11Ext-01a\Jackie (default)
    - password: Pa$$w0rd
  - to the right of the Start button, in the search area, start typing intel
  - select the Workspace ONE Intelligent Hub
- In the Workspace ONE Intelligent Hub
  - under Email or Server Address, enter https://YOURUEM.awmdm.com
  - select Next
  - under Group ID, enter YOUR unique Workspace ONE UEM tenant Group ID
  - select NEXT
- In the Workspace ONE Intelligent Hub
  - under Select Your Domain, select techseals.co
  - select Next
  - under the Username area, enter Jackie
  - under the Password area, enter Pa$$w0rd
  - select Sign in
- In the Workspace ONE Intelligent Hub
  - select I Agree
  - on the Congratulations window, select Done
  - re-open the Intelligent Hub and select Get Started
  - select Done
Step 3 : Enrolling W11Client-02a on Site 2 with the Active Directory Domain User Malcolm
- On your ControlCenter server
  - on the Desktop, open the Remote Desktop folder
  - open the Site2 folder
  - select the W11Client-02a RDP client and sign in with
    - username: w11client-02a\malcolm
    - password: Pa$$w0rd
    - select OK
  - to the right of the Start button, in the search area, start typing intel
  - select the Workspace ONE Intelligent Hub
- In the Workspace ONE Intelligent Hub
  - under Email or Server Address, enter YOUR https://YOUR.awmdm.com tenant address
  - select Next
  - under Group ID, enter YOUR tenant Group ID
  - select NEXT
- In the Workspace ONE Intelligent Hub
  - under Select Your Domain, select techseals.co
  - select Next
  - under the Username area, enter Malcolm
  - under the Password area, enter Pa$$w0rd
  - select Sign in
- In the Workspace ONE Intelligent Hub
  - select I Agree
  - on the Congratulations window, select Done
  - select Get Started
Step 4: Enrolling W11Ext-02a on Site 2 with the Active Directory Domain User Nancy
- On your ControlCenter server
  - on the Desktop, open the Remote Desktop folder
  - open the Site2 folder
  - select the W11Ext-02a.RDP client and sign in with
    - username: w11Ext-02a\Nancy
    - password: Pa$$w0rd
  - to the right of the Start button, in the search area, start typing intel
  - select the Workspace ONE Intelligent Hub
- In the Workspace ONE Intelligent Hub
  - under Email or Server Address, enter YOUR https://YOUR.awmdm.com tenant address
  - select Next
  - under Group ID, enter YOUR tenant Group ID
  - select NEXT
- In the Workspace ONE Intelligent Hub
  - under Select Your Domain, select techseals.co
  - select Next
  - under the Username area, enter Nancy
  - under the Password area, enter Pa$$w0rd
  - select Sign in
- In the Workspace ONE Intelligent Hub
  - select I Agree
  - on the Congratulations window, select Done
  - select Get Started
- On the ControlCenter server Desktop
  - open the Remote Desktops folder
  - select the W11Client-01a.RDP shortcut
  - ensure the username is w11client-01a\craig
  - enter the password Pa$$w0rd
  - select OK
- On the W11Client-01a desktop
  - select Start > Run
  - next to Open, type mmc and select OK
- In the Console
  - select File > Add/Remove Snap-in
- In the Add or Remove Snap-ins window
  - select Certificates and select Add
  - in the Certificates snap-in, accept the defaults and select Finish
  - select OK
- Expand Certificates - Current User > Personal and select Certificates
  - note that you have an enrolled certificate (issued through the SCEP profile). If you do not have a certificate, reach out for support.
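The MMC view confirms a certificate exists; the following script, added here as an example and not part of the lab guide, does the same check from the enrolled user's PowerShell session on W11Client-01a and also shows the details that matter for certificate authentication: the Subject Alternative Name that Access uses to find the user, the validity window, and which key storage provider holds the private key (the profile asked for Software). It assumes the issuer name of the UEM certificate authority contains "AirWatch"; if the Issuer column in the MMC shows something else, pass that string as -IssuerMatch.

```powershell
# Added example, not part of the lab guide. Run as the enrolled user on W11Client-01a.
# Assumption: the UEM certificate authority's issuer name contains "AirWatch";
# change $IssuerMatch if the Issuer column in certmgr.msc shows something else.
param([string]$IssuerMatch = 'AirWatch')

$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" }

if (-not $certs) {
    Write-Warning "No certificate issued by '*$IssuerMatch*' in Cert:\CurrentUser\My. Check Hub enrollment and the W11 - SCEP - SSO profile assignment."
    return
}

foreach ($c in $certs) {
    # Subject Alternative Name: Access looks the user up from the UPN/email carried here
    $san = ($c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join '; '

    # Which key storage provider holds the private key (Software KSP vs TPM / Platform Crypto Provider)
    $provider = 'n/a'
    if ($c.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
            if ($rsa -is [System.Security.Cryptography.RSACng]) { $provider = $rsa.Key.Provider.Provider }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $provider = $rsa.CspKeyContainerInfo.ProviderName }
        } catch { $provider = "unreadable: $($_.Exception.Message)" }
    }

    [pscustomobject]@{
        Subject       = $c.Subject
        Issuer        = $c.Issuer
        SAN           = $san
        NotBefore     = $c.NotBefore
        NotAfter      = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey
        KeyProvider   = $provider
        EKU           = ($c.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
        Thumbprint    = $c.Thumbprint
    }
}
```

If HasPrivateKey is False, or KeyProvider is not a software or platform provider you expect, the certificate prompt in the next steps will either not offer the certificate at all or fail the TLS client authentication, which is a different problem from the Horizon password prompt this section is about.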
- On your W11Client-01a Desktop
  - open the native Intelligent Hub
  - select Apps
  - under All Apps, select Enterprise Instant Clone Windows 11 Desktops
  - on the Select a certificate window, select Craig and select OK
  - in the Open VMware Horizon Client? window, select Open VMware Horizon Client
  - select Calculator
- Notice we are getting a password request.
  - The first reason is that we used a third-party authentication method to log in to Workspace ONE Access (in our session, certificate-based authentication). Access therefore never received a password it could pass on to the Horizon Connection Server, and the Horizon Agent has nothing to log the user on to Windows with.
  - Up to version 19.03, Workspace ONE Access cached the credential when a password-based authentication method was used to log in, so such users enjoyed a single sign-on experience. It was therefore only necessary to deploy True SSO when users authenticated with a method that was NOT password based.
  - From version 20.01 of the SaaS service onwards, automatic caching of password credentials is no longer on by default in Workspace ONE Access. This is a security enhancement: Access no longer holds a reusable password for the duration of the session unless an administrator opts in.
  - In June this year the ability to cache passwords was re-introduced as an opt-in feature on the SaaS instance of Access.
  - Regardless of that setting, the Enrollment Server (True SSO) is still required when users authenticate with third-party methods, because there is no password to cache.
  - In the next part, we will deploy True SSO to solve this challenge.
- Select Cancel to close the password request window.
- Log out and close all windows on W11Client-01a.
- On your ControlCenter server
  - open the Remote Desktop folder
  - open the Site1 folder
  - launch the TrueSSO-01a.RDP shortcut
  - log in as techseals\administrator with the password Pa$$w0rd
- On the TrueSSO-01a server
  - select the Start button and, from the menu, select Server Manager
- On the Server Manager interface
  - select Manage > Add Roles and Features
  - on the Before you begin window, select Next
  - on the Select installation type window, next to Role-based or feature-based installation, select the radio button and select Next
  - on the Select destination server window, accept the defaults and select Next
  - on the Select server roles window, in front of Active Directory Certificate Services, select the checkbox
    - when prompted with the Add Features window, select Add Features
  - select Next
  - on the Select features window, select Next
  - on the Active Directory Certificate Services window, select Next
  - on the Select role services window, select Next
  - on the Confirm installation selections window, next to Restart the destination server automatically if required, select the checkbox
    - on the Add Roles and Features Wizard prompt, select Yes
  - select Install
You will have to wait a short while before moving on to section 2.
- On the Installation progress page
  - select the Configure Active Directory Certificate Services on the destination server hyperlink
- On the Credentials window, select Next
- On the Role Services page
  - select the Certification Authority checkbox
  - select Next
- On the Specify the setup type of the CA window
  - next to Enterprise CA, select the radio button
  - select Next
- On the CA type window
  - next to Subordinate CA, select the radio button
  - select Next
- On the Private Key window
  - next to Create a new private key, ensure the radio button is selected
  - select Next
- On the Cryptography for CA window, validate the following is selected
  - Cryptographic Provider: RSA#Microsoft Software Key Storage Provider
  - Key Length: 2048
  - Hash Algorithm: SHA256
  - select Next
  - NOTE: A software KSP key is fine for the lab. A production issuing CA key, which here signs the logon certificates for every True SSO user, belongs in an HSM or at least a hardware-backed provider.
- On the Specify the Name of the CA window
  - observe the CA naming convention
  - select Next
- On the Request a certificate from parent CA window
  - next to Send a certificate request to a parent CA:, select the radio button
  - to the right of the Parent CA box, click Select
  - in the Select Certification Authority window, ensure that techseals-CONTROCENTER-CA is selected and select OK
  - select Next
- On the CA Database window, select Next
- On the Confirmation window, select Configure
- On the Results window, select Close
- On the Installation progress window, select Close
Because this is a multi-site setup, all the services for Site 2 have already been deployed.
Both Site 1 and Site 2 share the same Active Directory Certificate Services. One of the requirements for True SSO is a certificate template; this has already been created. In a later, optional lab, Integrating with Untrusted Forests, you will have the opportunity to set up the template in its entirety.
In this section we will validate and perform the configuration specific to Site 1.
- On your TRUESSO-01a server
  - select Start > Run > type mmc
  - select File > Add/Remove Snap-in...
  - select the Certification Authority snap-in and select Add
  - In the Certification Authority window
    - next to Another computer, select the radio button
    - in line with Another computer, select Browse
    - select Finish
  - to close the Add or Remove Snap-ins window, select OK
- Expand the euc-livefire-TRUESSO-01a-CA inventory
  - right-click Certificate Templates and select Manage
- In the Certificate Templates Console
  - find the TrueSSO template, right-click it and select Properties
- In the TrueSSO Template Properties
  - select the Security tab
  - in the Group or user names: area, select Add
  - to the right of the Select this object type: box, select the Object Types button
    - next to Computers, select the checkbox
    - select OK
  - In the Select Users, Computers, Service Accounts, or Groups window
    - under Enter the object names to select, type TRUESSO-01a
    - to the right, select Check Names
    - select OK
  - with TRUESSO-01a selected, next to Enroll, select the checkbox (Read should be selected by default)
  - to close the TrueSSO Template Properties, select OK
- Switch to the Certification Authority console
  - right-click the Certificate Templates container and select New > Certificate Template to Issue
  - in the Enable Certificate Templates window, select your TrueSSO template and select OK
- In the Certification Authority console
  - right-click Certificate Templates and select Manage
- In the Certificate Templates Console
  - select the Enrollment Agent (Computer) template, right-click it and select Properties
- In the Enrollment Agent (Computer) Properties window
  - select the Security tab
  - in the Group or user names: area, select Add
  - to the right of the Select this object type: box, select the Object Types button
    - next to Computers, select the checkbox
    - select OK
  - as before, under Enter the object names to select, type TRUESSO-01a, select Check Names and select OK
  - with TRUESSO-01a selected, next to Enroll, select the checkbox (Read should be selected by default)
  - to close the Enrollment Agent (Computer) Properties, select OK
- Switch back to the Certification Authority console
  - right-click the Certificate Templates container and select New > Certificate Template to Issue
  - in the Enable Certificate Templates window, select the Enrollment Agent (Computer) template and select OK
- In the Certification Authority window, note the templates you now have:
  - TrueSSO
  - Enrollment Agent (Computer)
NOTE: An Enrollment Agent (Computer) certificate lets its holder request certificates on behalf of other users. That is exactly what the Enrollment Server needs for True SSO, and exactly why Enroll on this template should be granted to the Enrollment Server computer accounts and nothing else: any other identity that can enroll on it can obtain logon certificates for arbitrary users.
- We will now configure the CA for non-persistent certificate processing
- on the TrueSSO-01a server, select and right-click the Start button, then select Command Prompt (Admin)
- In the Administrator: Command Prompt, enter the following command
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
- Next, configure the CA to ignore offline CRL errors. In the Administrator: Command Prompt, enter the following command
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
- Restart the CA service so the new settings take effect. From the command prompt run:
net stop certsvc
net start certsvc
Two things to be aware of with these flags: with volatile requests enabled, the short-lived True SSO certificates are not written to the CA database, so they will not show up under Issued Certificates and any investigation has to rely on the Enrollment Server and Connection Server logs instead; and CRLF_REVCHECK_IGNORE_OFFLINE stops the CA from failing requests when it cannot reach a CRL, so keep the CRL distribution points healthy rather than relying on this flag.
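The same CA configuration as an added PowerShell example (this is not the lab's own code). It sets each flag only if it is not already present, reads the value back with certutil -getreg to confirm it took effect, and restarts certsvc only when both checks pass. It assumes it is run as administrator on the CA host (TrueSSO-01a here) and relies on certutil printing the symbolic flag names in its -getreg output, which it does for the known DBFlags and CRLFlags values.

```powershell
# Added example (not part of the original lab): apply and verify the two CA registry flags
# needed for True SSO, then restart certsvc. Run as administrator on the CA host itself.
# Assumption: certutil.exe is on the PATH (it is on every Windows CA).

function Get-CertutilRegValue {
    param([Parameter(Mandatory)][string]$Name)
    # certutil -getreg decodes the DWORD into flag names, e.g.
    #   DBFlags REG_DWORD = 40 (64)
    #     DBFLAGS_ENABLEVOLATILEREQUESTS -- 40 (64)
    # Return the whole output as one string so the caller can look for a flag name.
    & certutil.exe -getreg $Name 2>&1 | Out-String
}

function Set-CaFlag {
    param(
        [Parameter(Mandatory)][string]$RegName,   # DBFlags (Configuration key) or ca\CRLFlags (the CA's key)
        [Parameter(Mandatory)][string]$Flag       # symbolic flag name, e.g. DBFLAGS_ENABLEVOLATILEREQUESTS
    )
    $before = Get-CertutilRegValue -Name $RegName
    if ($before -match [regex]::Escape($Flag)) {
        Write-Host "$Flag already set on $RegName; nothing to do"
        return $true
    }
    # "+FLAG" ORs the flag into the existing value, exactly like the lab's certutil -setreg lines.
    & certutil.exe -setreg $RegName "+$Flag" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil -setreg $RegName +$Flag failed with exit code $LASTEXITCODE"
        return $false
    }
    # Verify by reading back rather than trusting the exit code.
    $after = Get-CertutilRegValue -Name $RegName
    return [bool]($after -match [regex]::Escape($Flag))
}

$ok = (Set-CaFlag -RegName 'DBFlags'     -Flag 'DBFLAGS_ENABLEVOLATILEREQUESTS') -and
      (Set-CaFlag -RegName 'ca\CRLFlags' -Flag 'CRLF_REVCHECK_IGNORE_OFFLINE')
if (-not $ok) { throw 'CA flags were not applied; fix this before restarting certsvc' }

# Equivalent of net stop certsvc / net start certsvc, with a wait so the script does not
# hand back control before the CA is actually accepting requests again.
Restart-Service -Name CertSvc
(Get-Service -Name CertSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "certsvc is $((Get-Service -Name CertSvc).Status)"
```

Because the script reads the flags back after setting them, it doubles as the check to run again later if True SSO stops issuing certificates after a CA change.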
- On the TrueSSO-01a server desktop, launch the Software shortcut
- In the Software folder, open the Horizon\2312 folder
- select and launch VMware-Horizon-Connection-Server-x86_64-8.12.0-23148203
- On the Open File - Security Warning window, select Run
- On the Welcome window, select Next
- On the License Agreement window, next to I accept the terms in the license agreement, select the radio button, then select Next
- On the Destination Folder window, select Next
- On the Installation Options window, select Horizon Enrollment Server, then select Next
- On the Firewall Configuration window, select Next
- On the Ready to Install the Program window, select Install
- On the Installer Completed window, select Finish
- On the TrueSSO-01a server, select and right-click the Start button, select Run, type MMC, then select OK
- In the Console window, select File > Add/Remove Snap-in...
- In the Add or Remove Snap-ins window, select Certificates, then select Add
- In the Certificates snap-in window, next to Computer account, select the radio button, select Next, then select Finish
- select OK to close the Add or Remove Snap-ins window
- Expand the Certificates console inventory
- select and right-click the Personal > Certificates container, then select All Tasks > Request New Certificate
- On the Certificate Enrollment window, select Next
- On the Select Certificate Enrollment Policy window, select Next
- On the Request Certificates window, in front of Enrollment Agent (Computer), select the checkbox, then select Enroll
- On the Certificate Installation Results window, ensure the enrollment was successful, then select Finish
- In the Certificates console, note that TrueSSO-01a now holds a certificate issued from the Enrollment Agent (Computer) template. This is the certificate the Enrollment Server uses when it requests short-lived logon certificates from the CA on behalf of users.
- Switch to your ControlCenter server
- Open up your Remote Desktop > Site 1 folder, then launch the RDP shortcut for Horizon-01a
- If necessary, authenticate using the following credentials
- username techseals\administrator
- password Pa$$w0rd
- On the Horizon server desktop, select and open your CACertSnapin.mmc
- In the Certificates console, expand the inventory and browse down to VMware Horizon View Certificates > Certificates
- In the VMware Horizon View Certificates > Certificates folder, expand the console or scroll across the console and notice the GUID-based certificate with a friendly name of vdm.ec
- select your top GUID certificate with the friendly name of vdm.ec, right-click, select All Tasks, then select Export
Note there are two GUID-based certificates with similar friendly names (vdm.enc and vdm.ec). Select the certificate whose friendly name is vdm.ec.
In your environment, the certificate order might differ from the screenshot.
- On the Welcome to the Certificate Export Wizard window, select Next
- On the Export Private Key page, next to No, do not export the private key, select the radio button, then select Next
- On the Export File Format window, next to Base-64 encoded X.509, select the radio button, then select Next
- In the File to Export window, under File name, type the following, then select Next
\\horizon-01a\software\Horizon\enroll.cer
Software is a shared folder which we will copy from on the TrueSSO server. Only the public certificate is exported here; the private key of vdm.ec must never leave the Connection Server, which is why the wizard is left at No, do not export the private key.
- On the Completing the Certificate Export Wizard window, select Finish
- when prompted that the export was successful, select OK
- On your ControlCenter server desktop, switch from your Horizon-01a RDP session to your TrueSSO-01a RDP session
- On the TrueSSO-01a server, in your Certificates console, select and right-click the VMware Horizon View Enrollment Server Trusted Roots folder, then select All Tasks > Import
- On the Welcome window, select Next
- In the File to Import window, under File name, enter the following, then select Next
\\Horizon-01a.techseals.co\software\Horizon\enroll.cer
- In the Certificate Store window, accept the defaults and select Next
- On the Summary page, select Finish
- when prompted that the import was successful, select OK
- In the Certificates folder, select the imported certificate, right-click, then select Properties
- In the Friendly name: section, type vdm.ec, then select OK
This import is what makes the Enrollment Server trust the Connection Server: the Enrollment Server only accepts certificate requests from Connection Servers whose enrollment client certificate is present in its Trusted Roots store.
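The same trust exchange done with the .NET X509Store API instead of the two MMC wizards, as an added PowerShell example (not the lab's own code). It exports the vdm.ec certificate from the Connection Server without its private key, verifies on the Enrollment Server that the file carries the thumbprint that was exported, imports it into the Trusted Roots store with the friendly name vdm.ec, and checks that the Enrollment Agent (Computer) certificate from the earlier enrollment is present in the machine Personal store. The store names are the ones shown in the consoles above; the share paths are the lab's; each function is meant to be run as administrator on the host named in its comment.

```powershell
# Added example (not part of the original lab). Store names as they appear in the MMC:
#   "VMware Horizon View Certificates"                 on the Connection Server (Horizon-01a)
#   "VMware Horizon View Enrollment Server Trusted Roots" on the Enrollment Server (TrueSSO-01a)
using namespace System.Security.Cryptography.X509Certificates

function Open-MachineStore {
    param([Parameter(Mandatory)][string]$Name, [OpenFlags]$Mode = [OpenFlags]::ReadOnly)
    $store = [X509Store]::new($Name, [StoreLocation]::LocalMachine)
    $store.Open($Mode)
    return $store
}

# Run on Horizon-01a: export the enrollment client certificate (friendly name vdm.ec),
# public part only, as Base-64 X.509, matching the wizard choices above.
function Export-HorizonEnrollmentClientCert {
    param([string]$OutFile = '\\horizon-01a\software\Horizon\enroll.cer')
    $store = Open-MachineStore -Name 'VMware Horizon View Certificates'
    try {
        $certs = @($store.Certificates | Where-Object { $_.FriendlyName -eq 'vdm.ec' })
        if ($certs.Count -ne 1) {
            throw "expected exactly one certificate with friendly name vdm.ec, found $($certs.Count)"
        }
        $cert = $certs[0]
        # X509ContentType::Cert never includes the private key, whatever the key's export policy.
        $der = $cert.Export([X509ContentType]::Cert)
        $pem = "-----BEGIN CERTIFICATE-----`r`n" +
               [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks) +
               "`r`n-----END CERTIFICATE-----`r`n"
        Set-Content -Path $OutFile -Value $pem -Encoding ascii -NoNewline
        Write-Host "exported vdm.ec (thumbprint $($cert.Thumbprint)) to $OutFile"
        return $cert.Thumbprint
    } finally { $store.Close() }
}

# Run on TrueSSO-01a: import the file into the Enrollment Server's Trusted Roots store,
# but only after checking it is the certificate that was exported (pass the thumbprint
# returned above out of band, not via the same share the file travels on).
function Import-EnrollmentServerTrustedRoot {
    param(
        [string]$InFile = '\\Horizon-01a.techseals.co\software\Horizon\enroll.cer',
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $cert = [X509Certificate2]::new($InFile)
    if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        throw "thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint"
    }
    $store = Open-MachineStore -Name 'VMware Horizon View Enrollment Server Trusted Roots' -Mode ReadWrite
    try {
        $store.Add($cert)
        # Setting FriendlyName on a certificate object loaded from an open store persists it.
        $stored = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        $stored.FriendlyName = 'vdm.ec'
    } finally { $store.Close() }
    Write-Host "imported $($cert.Thumbprint) into Trusted Roots as vdm.ec"
}

# Run on TrueSSO-01a: confirm the Enrollment Agent (Computer) certificate requested earlier
# is in LocalMachine\My with its private key and the Certificate Request Agent EKU.
function Test-EnrollmentAgentCert {
    $ekuCertRequestAgent = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
    $store = Open-MachineStore -Name 'My'
    try {
        $agent = $store.Certificates | Where-Object {
            $_.HasPrivateKey -and
            ($_.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages.Value }) -contains $ekuCertRequestAgent
        }
        return @($agent).Count -ge 1
    } finally { $store.Close() }
}
```

Usage follows the lab order: on Horizon-01a run `Export-HorizonEnrollmentClientCert` and note the thumbprint it returns; on TrueSSO-01a run `Import-EnrollmentServerTrustedRoot -ExpectedThumbprint '<that thumbprint>'` and then `Test-EnrollmentAgentCert`, which should return True before you move on to the UAG and registry steps.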
We will enable full SAML authentication on both our sites for all Unified Access Gateway servers. With Auth Methods set to SAML (rather than SAML and Passthrough), a UAG only accepts Horizon sessions that arrive with a SAML artifact issued by Workspace ONE Access; users can no longer log in to Horizon through these UAGs with a password directly.
- On your Site 1 browser profile, in the Favourites bar, select the UAG-HZN-01a shortcut
- In the VMware Unified Access Gateway login, in the Username area enter admin, in the Password area enter Pa$$w0rd, then select Login
- In the VMware Unified Access Gateway admin console, below Configure Manually, click Select
- In the General Settings area, next to Edge Service Settings, turn the TOGGLE from OFF to ON
- to the right of Horizon Settings, select the GEAR icon
- In the Horizon Settings window, scroll down to the bottom and, next to More, select the expand icon
- next to Auth Methods, from the dropdown, select SAML
- scroll down to the bottom of the window and select Save
- Repeat the same steps for the UAG-HZN-01b, UAG-HZN-02a and UAG-HZN-02b shortcuts in the Favourites bar, so that all four Unified Access Gateway servers have Auth Methods set to SAML
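Because the setting has to be identical on four appliances, it is worth reading it back from each of them rather than trusting four separate clicks. The following is an added PowerShell 7 example, not the lab's code: it queries the Horizon edge-service settings of each UAG over the admin REST API and lists the Auth Methods value. It assumes the admin API on port 9443 at /rest/v1/config/edgeservice/view with an authMethods property (as documented for the UAG admin API), the lab's UAG hostnames and admin credential, and it skips TLS validation only because the lab appliances use self-signed admin certificates; against production UAGs, remove -SkipCertificateCheck.

```powershell
# Added example (not part of the original lab). Requires PowerShell 7 for -SkipCertificateCheck
# and -Authentication. Endpoint path and the authMethods property name are assumptions taken
# from the UAG admin REST API documentation; hostnames are the lab's.
function Get-UagHorizonAuthMethods {
    param(
        [Parameter(Mandatory)][string[]]$UagHost,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    foreach ($h in $UagHost) {
        $uri = "https://${h}:9443/rest/v1/config/edgeservice/view"
        try {
            $cfg = Invoke-RestMethod -Uri $uri -Method Get -Credential $Credential `
                       -Authentication Basic -SkipCertificateCheck -TimeoutSec 15
            [pscustomobject]@{ Host = $h; Enabled = $cfg.enabled; AuthMethods = $cfg.authMethods }
        } catch {
            # Report the failure per host instead of aborting the whole sweep.
            [pscustomobject]@{ Host = $h; Enabled = $null; AuthMethods = "ERROR: $($_.Exception.Message)" }
        }
    }
}

$cred = Get-Credential -UserName admin -Message 'UAG admin password'
Get-UagHorizonAuthMethods -UagHost 'uag-hzn-01a','uag-hzn-01b','uag-hzn-02a','uag-hzn-02b' -Credential $cred |
    Format-Table -AutoSize
```

Every row should show Enabled true and an AuthMethods value that names SAML only, with no passthrough component; any host still reporting passthrough is one where the Save step above did not take.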
- On the ControlCenter server, switch back to your TrueSSO.RDP session
- select the Start button > Run, type regedit.exe, then select OK
- In the Registry Editor inventory, browse to the following location:
- HKLM\SOFTWARE\VMware, Inc.\VMware VDM\
What we should see is an Enrollment Service key at HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service. There is no Enrollment Service key yet, so we need to create one.
- Right-click VMware VDM > New > Key, then type Enrollment Service
We will add 3 String Values in the Enrollment Service key
- In the Registry Editor, right-click the Enrollment Service key > New > String Value, then type PreferLocalCa
- right-click the PreferLocalCa String Value, select Modify, in the Value data: field enter 1, then select OK to close the window
- Add your second String Value: right-click the Enrollment Service key > New > String Value, then type UseKerberosAuthenticationToCa
- right-click the UseKerberosAuthenticationToCa String Value, select Modify, in the Value data: field enter false, then select OK to close the window
- Add a third String Value: right-click the Enrollment Service key > New > String Value, then type UseNTLMAuthenticationToCa
- right-click the UseNTLMAuthenticationToCa String Value, select Modify, in the Value data: field enter true, then select OK to close the window
The last two values make the Enrollment Server authenticate to the CA with NTLM instead of Kerberos. That is a lab workaround; in production leave Kerberos enabled unless the CA genuinely cannot be reached with it, because NTLM is the weaker of the two protocols.
- On your TrueSSO-01a server, from the Start button, select Run, type services.msc, then select OK
- In the Services console, scroll down until you find the VMware Horizon View Enrollment Server service
- select and right-click the VMware Horizon View Enrollment Server service, then select Restart
- Close the Services console
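The registry and service steps above as one idempotent script, added here as an example and not taken from the lab: it creates the Enrollment Service key if missing, writes the three REG_SZ values only when they differ from the intended ones, reads the key back so you can see what the service will load, and restarts the Enrollment Server service, waiting until it reports Running. It assumes it is run as administrator on TrueSSO-01a and uses the service display name shown in services.msc.

```powershell
# Added example (not part of the original lab). Run as administrator on TrueSSO-01a.
$key = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service'

# All three are String Values (REG_SZ), exactly as created in regedit above.
$values = [ordered]@{
    PreferLocalCa                 = '1'      # prefer a CA local to the enrollment server
    UseKerberosAuthenticationToCa = 'false'  # lab workaround: do not use Kerberos to the CA...
    UseNTLMAuthenticationToCa     = 'true'   # ...use NTLM instead
}

function Set-EnrollmentServiceRegistry {
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    foreach ($name in $values.Keys) {
        $current = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $values[$name]) {
            New-ItemProperty -LiteralPath $key -Name $name -Value $values[$name] `
                -PropertyType String -Force | Out-Null
        }
    }
    # Read everything back so the operator sees exactly what the service will pick up.
    Get-ItemProperty -LiteralPath $key |
        Select-Object PreferLocalCa, UseKerberosAuthenticationToCa, UseNTLMAuthenticationToCa
}

function Restart-EnrollmentServer {
    $svc = Get-Service -DisplayName 'VMware Horizon View Enrollment Server' -ErrorAction Stop
    Restart-Service -InputObject $svc -Force
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    $svc.Refresh()
    return $svc.Status
}

Set-EnrollmentServiceRegistry
Restart-EnrollmentServer
```

The values are only read when the service starts, which is why the restart is part of the script rather than left as a separate step.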
- On your ControlCenter server, switch to your HORIZON-01a.RDP session
- Select and right-click the Start button, then select Command Prompt (Admin)
- In the Administrator: Command Prompt, enter the following:
cd "\Program Files\VMware\VMware View\Server\tools\bin"
- In the Administrator: Command Prompt, type the following. The enrollment server is added to the global list.
vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --environment --add --enrollmentServer TrueSSO-01a.techseals.co
- Wait 2 min before doing the next command
- In the Administrator: Command Prompt, type the following. The output shows the forest name, whether the certificate for the enrollment server is valid, the name and details of the certificate template you can use, and the common name of the certificate authority.
vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --environment --list --enrollmentServer TrueSSO-01a.techseals.co --domain techseals.co
- Enter the command to create a True SSO connector, which will hold the configuration information, and enable the connector.
vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --create --connector --domain techseals.co --template TrueSSOTemplate --primaryEnrollmentServer truesso-01a.techseals.co --certificateServer techseals-TRUESSO-01A-CA --mode enabled
- On your Horizon-01a server, enter the command to discover which SAML authenticators are available. Authenticators are created when you configure SAML authentication between Workspace ONE Access and a Connection Server, using Horizon Console. The output shows the name of the authenticator and whether True SSO is enabled.
vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --list --authenticator
Note that --authPassword places the administrator password on the command line, where it is visible in process listings and the console history. That is acceptable in this lab; in production run these commands from an interactive session with a dedicated administrative account and clear the command history afterwards.
- On your ControlCenter server, on your Site 1 Chrome browser, from the Favourites bar, launch your Horizon Site 1 shortcut
- In the Horizon login, in the Username area enter Administrator, in the Password area enter Pa$$w0rd, then select Sign in
- In the Horizon Console, in the Inventory, expand Settings, then select Servers
- In the Servers area, next to Horizon-01a, select the radio button, then select Edit
- In the Edit Connection Server Settings window, select the Authentication tab
- below SAML Authenticator, select Manage SAML Authenticators
- In the Manage SAML Authenticators window, next to Workspace ONE, select the radio button, then select Edit
- In the Edit SAML 2.0 Authenticator window, below * TrueSSO Trigger Mode, from the dropdown, select Enabled
- select OK to close the Edit SAML 2.0 Authenticator window
- select OK to close the Manage SAML Authenticators window
- select OK to close the Edit Connection Server Settings window
- Go back to the Administrator: Command Prompt on your Horizon-01a server and run the list command again
vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --list --authenticator
You will notice True SSO mode is now Enabled for the Workspace ONE authenticator.
The TrueSSO Trigger Mode set in Horizon Console is the same setting as --truessoMode in vdmUtil. Use ENABLED if you want True SSO to be used only if no password was supplied when the user logged in to VMware Identity Manager (now Workspace ONE Access); in this case, if a password was used and cached, the system will use the password. Set the mode to ALWAYS if you want True SSO to be used even if a password was supplied when the user logged in.
- On your ControlCenter server, switch your Remote Desktop session to W11Client-01a.RDP
- On your W11Client-01a desktop, close all windows and open the Intelligent Hub
- in the side menu, select Apps
- In the Apps area, select Enterprise Instant Clone Windows 11 Desktops
- On the Select a Certificate window, select Craig, then select OK
- In the Open VMware Horizon Client? window, select Open VMware Horizon Client
The desktop should now launch without a password prompt: the certificate-based login to Workspace ONE Access is passed to Horizon as a SAML artifact, and the Enrollment Server obtains the short-lived logon certificate from the CA that signs the user in to Windows.
Acknowledgments
A Huge thank you to
- Rahul Jha from Global Support Services in Bangalore India for his support in development of this content
- Spas Kalarov from the Hybrid Cloud Team at Livefire for help in Troubleshooting Certificate Services
- Graeme Gordon from Tech Marketing for their guidance on Tech Zone
References
About the Author: Reinhart Nel
https://www.livefire.solutions/meet-the-team/reinhartnel/
Any questions related to this session, email Reinhart at RACE-Livefire-EUC <[email protected]>