EUC: Horizon Advanced Integrations 2024, Chapter 10

10. Horizon Integration with Untrusted Active Directory Forests

For as long as Horizon and View have existed, a Horizon Pod that needed to give users access to Horizon-based resources required every Active Directory domain those users belonged to have at least a one-way AD trust with the Horizon domain: the Horizon domain had to be trusted so that it could read the domain objects in the user domain.

Many organizations set up separate Active Directory forests for security reasons, yet still want to give users access through a single Horizon Pod. In the past this was almost impossible.

With the 2103 release of Horizon, a very simple solution was introduced that allows users from an untrusted Active Directory domain to access Horizon resources that live in a different, untrusted Active Directory forest.

In this session we will walk you through configuring a Domain Bind account and configuring Horizon resources to facilitate this process.

Part 1. Configuring Domain Bind and Instant Clone Engine Domain Accounts
  1. On your ControlCenter server
    • open your Chrome Browser
      • In the Favourites Bar,
        • launch the Horizon Site 1 shortcut
      • login as username
        • Administrator
      • Login with the password
        • VMware1!
    • select Sign in
  1. In the Horizon Admin Console
    • In the left Inventory pane,
      • under Settings,
        • select Domains
  1. In the Horizon Admin Console
    • under the Domains area
      • select the Domain Bind tab
  1. In the Horizon Admin Console
    • in the Domains area > Domain Bind
      • select Add
  1. In the Untrusted Domain window
    • add the following,
      • next to:-
        • DNS Name: corpPriv.sec
        • Netbios: corpPriv
        • Username: [email protected]
        • Password: Pa$$w0rd
      • select OK
  1. In the Manage Auxiliary Accounts window
    • select Add
    • in the Add Auxiliary Account window
      • next to User Name
        • enter administrator
      • next Password
        • enter Pa$$w0rd
      • select OK
    • to close the Manage Auxiliary Accounts window
      • select OK,
  1. In the Horizon Admin Console
    • under Domains area
      • select the Domain Accounts tab
  1. In Domains area
    • select Add
  1. In the Add Domain Admin window
    • add the following next to:-
      • Full Domain Name:
        • from the dropdown,
          • select corpPriv.sec
        • Username:
          • type Administrator
        • Password:
          • type
            • Pa$$w0rd
      • select OK
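Before adding the Domain Bind entry above, it is useful to confirm from the Connection Server that the bind account can actually reach the untrusted forest over LDAP and read a user object from it. The following PowerShell check is an added example and is not part of this lab or of the Horizon product; the DNS name corpPriv.sec and the user clint are taken from the lab, while the bind credential you are prompted for is a placeholder you supply. Horizon only needs read access to the user domain, so a failure here is a credential, DNS or firewall problem rather than a trust problem.

```powershell
# Added check (not part of this lab): confirm from the Horizon Connection
# Server that a Domain Bind account can reach an untrusted forest over LDAP
# and read a user object from it. The DNS name is the lab's; the bind user
# and the account looked up are placeholders you supply.
Add-Type -AssemblyName System.DirectoryServices

function Test-UntrustedDomainBind {
    param(
        [Parameter(Mandatory)][string]$DnsName,                                    # e.g. corpPriv.sec
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$BindCred,
        [Parameter(Mandatory)][string]$LookupSam                                   # sAMAccountName to search for
    )
    # Build LDAP://corpPriv.sec/DC=corpPriv,DC=sec from the DNS name.
    $baseDn = 'DC=' + (($DnsName -split '\.') -join ',DC=')
    $path   = "LDAP://$DnsName/$baseDn"
    $net    = $BindCred.GetNetworkCredential()
    $upn    = '{0}@{1}' -f $net.UserName, $DnsName

    # AuthenticationTypes.Secure uses Negotiate (NTLM across an untrusted
    # boundary, since Kerberos needs a trust), so the bind password is never
    # sent as an LDAP simple bind.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $path, $upn, $net.Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    try {
        $root.psbase.RefreshCache()          # forces the bind now, not on first property access
    } catch {
        return [pscustomobject]@{ Domain = $DnsName; Bound = $false; UserFound = $false; Error = $_.Exception.Message }
    }

    # Read access is all Horizon needs: look up one known user object.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$LookupSam))"
    $found = $null -ne $searcher.FindOne()
    [pscustomobject]@{ Domain = $DnsName; Bound = $true; UserFound = $found; Error = $null }
}

# Usage: enter the bind user name without a domain prefix (placeholder, not the lab's account).
$cred = Get-Credential -Message 'Domain Bind account for corpPriv.sec'
Test-UntrustedDomainBind -DnsName 'corpPriv.sec' -BindCred $cred -LookupSam 'clint' | Format-List
```

Bound = True with UserFound = False means the account authenticated but cannot read user objects, which is the permission the Domain Bind account must have; Bound = False with an error message points at the credential or at name resolution of corpPriv.sec from the Connection Server.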
Part 2. Configuring a Desktop Pool Assignment for the Untrusted Active Directory Domain
  1. In the Horizon Admin Console
    • In the left Inventory pane
      • under Inventory,
        • select Desktops
  1. In the Desktop Pools area
    • select Add
  1. In the Add Pool wizard
    • select Next
  1. In the Add Pool wizard
    • vCenter Server
      • select Next
  1. In the Add Pool wizard
    • User Assignment
      • Select the radio button next to Floating
      • Select Next
  1. In the Add Pool wizard
    • Storage Optimization
      • select Next
  1. In the Add Pool wizard
    • Desktop Pool Identification, window
      • update the following areas:-
        • under ID
          • enter CorpPrivW11
        • under Display Name
          • enter W11_CorpPriv
        • select Next
  1. In the Add Pool - CorpPrivW11 wizard
    • Provisioning Settings
      • under Use a Naming Pattern
        • enter w11CorpPriv
      • under Desktop Pool sizing > Maximum Machines
        • enter 2
          • select Next
  1. In the Add Pool - CorpPrivW11 wizard
    • vCenter Settings
      • Configure the following:-
        • in line with Golden Image in vCenter:
          • Browse to W11Master-01a and Submit
        • under Snapshot
          • Browse to baseline and Submit
        • under VM Folder Location
          • Browse to RegionA01 and Submit
        • under Resource Settings > Cluster
          • Browse to Bangalore and Submit
        • under Resource Settings > Resource Pool
          • Browse to Bangalore and Submit
        • under Resource Settings > Datastores
          • Browse to CorpLUN01a and Submit
          • In the Warning window
            • select OK
      • select Next
  1. In the Add Pool - CorpPrivW11 wizard
    • Desktop Pool Settings
      • under Log off After Disconnect:
        • from the dropdown
          • select Immediately
      • select Next
  1. In the Add Pool - CorpPrivW11 wizard
    • Remote Display Settings
      • select Next
  1. In the Add Pool - CorpPrivW11 wizard
    • 10. Guest Customization
      • below Domain
        • from the Dropdown
          • select corpPriv.sec(administrator)
      • below AD Container
        • select Browse
          • select CN=Computers
            • select Submit
        • next to Allow Reuse of Existing Computer Accounts
          • select the checkbox
      • select Next
  1. In the Add Pool - CorpPrivW11 wizard
    • 11. Ready to Complete
      • next to Entitle Users After Adding Pool
        • select the checkbox
      • select Submit
  1. In the Add Entitlements window
    • select Add
  1. In the Find User or Group window
    • next to Domain,
      • from the dropdown,
        • select corpPriv.sec
    • next to Name/User Name,
      • to the right of Starts with,
        • enter domain users
    • select Find
      • under Find
        • next to Sales
          • select the CheckBox
    • to close Find User or Group
      • select OK
    • to close Add Entitlements
      • select OK
  1. In the Desktop Pools area
    • select CorpPrivW11
  1. In the CorpPrivW11 area
    • under the Summary tab,
      • scroll down to Pending Image
        • view the progress of the pool being Provisioned
      • To the right notice the State is Publishing
        • When complete this will report as Published
      • NOTE: The page does not update dynamically; you will have to refresh it periodically.
        • This can be done by selecting the Refresh icon in the top right-hand corner of the Summary page
      • you will need to wait until the Pool is Published
  1. In the Horizon Admin Console
    • under Inventory
      • select Machines
  1. In Machines area
    • look for your CorpPrivW11 virtual Machines
    • wait until the Status is Available
  1. On your Controlcenter server
    • open the Remote Desktops > Site 1 folder
      • launch the Horizon-01a.RDP shortcut
    • Note: you should automatically be authenticated as the account [email protected] with the password Pa$$w0rd
  1. On the Horizon-01a Desktop
    • select the Start button
      • right-click
    • select Run
  1. In the Run window
    • next to Open:
      • enter adsiedit.msc
        • select OK

Connecting to the Horizon LDAP database with ADSI Edit is covered in the Knowledge Base article below:

  • https://kb.vmware.com/s/article/2012377
  1. In the ADSI Edit window
    • select ADSI Edit
      • right-click
        • In the Menu
          • select Connect to...
  1. In the Connection Settings
    • In the Connection Point area
      • next to Select or type a Distinguished Name or Naming Context:
        • select the Radio button
      • below Select or type a Distinguished Name or Naming Context:
        • enter dc=vdi,dc=vmware,dc=int
    • In the Computer area
      • next to Select or type a domain or server: (Server | Domain [:port])
        • enter localhost:389
    • select OK
  1. In the ADSI Edit window
    • select the Default naming context
      • EXPAND
      • select DC=vdi,dc=vmware,dc=int
        • EXPAND
  1. In the ADSI Edit window
    • in the inventory
      • select OU=Server Groups
    • in OU=Server Groups area
      • select CN=W11-BLR-INST
        • right-click
  1. In the CN=W11-BLR-INST Properties window
    • scroll down until you find the pae-ProvisionScheme attribute
      • select the pae-ProvisionScheme attribute
        • select Edit
  1. In the String Attribute Editor window
    • In the Value area,
      • type ModeA
    • to close the window
      • select OK,
    • to close the CN=W11-BLR-INST Properties window
      • select OK,
    • Close the ADSI Edit window
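The ADSI Edit steps above change one attribute on one pool object. The PowerShell below is an added example, not part of this lab or of Horizon itself, that reads the same pae-ProvisionScheme attribute from the Horizon LDAP database and sets it to ModeA only when it differs, so you can verify the change (or make it repeatably) without clicking through ADSI Edit. It assumes it runs on the Connection Server (Horizon-01a) as a Horizon administrator, exactly as the lab does; the pool CN W11-BLR-INST, the OU=Server Groups container, the naming context and the port 389 are all taken from the lab.

```powershell
# Added check (not part of this lab): read and, if needed, set the
# pae-ProvisionScheme attribute of a desktop pool in the Horizon LDAP
# database, the object the lab edits with ADSI Edit. Run on the Connection
# Server as a Horizon administrator. Pool CN, OU, naming context and the
# value ModeA come from the lab.
function Get-HorizonPoolEntry {
    param(
        [string]$PoolCn = 'W11-BLR-INST',
        [string]$Server = 'localhost:389'      # Horizon's own LDAP instance on the Connection Server
    )
    $path = "LDAP://$Server/CN=$PoolCn,OU=Server Groups,DC=vdi,DC=vmware,DC=int"
    $pool = [ADSI]$path
    $pool.psbase.RefreshCache()                # throws now if the object name or the bind is wrong
    return $pool
}

function Get-HorizonProvisionScheme {
    param([string]$PoolCn = 'W11-BLR-INST')
    $pool = Get-HorizonPoolEntry -PoolCn $PoolCn
    # .Value is $null when the attribute has never been set; cast gives ''.
    return [string]$pool.Properties['pae-ProvisionScheme'].Value
}

function Set-HorizonProvisionScheme {
    param(
        [string]$PoolCn = 'W11-BLR-INST',
        [string]$Scheme = 'ModeA'
    )
    $pool = Get-HorizonPoolEntry -PoolCn $PoolCn
    $pool.Put('pae-ProvisionScheme', $Scheme)  # classic IADs write, same as ADSI Edit's String Attribute Editor
    $pool.SetInfo()
}

$before = Get-HorizonProvisionScheme
Write-Host "pae-ProvisionScheme on W11-BLR-INST before: '$before'"
if ($before -ne 'ModeA') {
    Set-HorizonProvisionScheme -Scheme 'ModeA'
    Write-Host "pae-ProvisionScheme now: '$(Get-HorizonProvisionScheme)'"
} else {
    Write-Host 'Already ModeA; nothing changed.'
}
```

Because the write goes through the same LDAP instance the Connection Server uses, treat it like any other change to the Horizon LDAP database: take the usual LDAP backup first, and check the value in the console after the pool has re-published.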
Part 3. Testing the Desktop Pool of users from an Untrusted Domain
  1. On your ControlCenter Server
    • launch your Horizon Client
  1. In the Horizon Client
    • select + Add Server
  1. In the Horizon Client
    • below Name of the Connection Server
      • enter horizon-01a.techseals.co
      • select Connect
  1. In the Horizon Client
    • in the Enter your user name area
    • in the Enter your password area
      • enter Pa$$w0rd
    • select Login
  1. In the Horizon Client login
    • select the W11_CorpPriv entitlement
  1. In the Horizon Client session
    • next to Fullscreen
      • select the see more icons (3 dots)
        • from the dropdown menu
          • select Logoff Desktop
  1. In the Disconnect and log off desktop? window
    • select OK
Part 4. Configuring Active Directory Sync
  1. In the Workspace ONE console
    • in the Services area
      • below Access
        • select LAUNCH
  1. In the Workspace ONE console
    • select the Integrations tab
      • in the left menu
        • select Directories
      • in the Directories area
        • select ADD DIRECTORY
          • from the dropdown
            • select Active Directory
  1. In the Directories > Add Directory window
    • next to Directory  name
      • enter CorpPriv.Sec
    • select NEXT
  1. In the Directories > Add Directory window
    • In the step 2.Configure Directory area
      • scroll down
      • In the Bind User Details area,
        • enter the following:- next to
          • Base DN: dc=corpPriv,dc=sec
          • Bind User DN: cn=administrator,cn=users,dc=corpPriv,dc=sec
          • Bind User Password: Pa$$w0rd
            • select SAVE
  1. In the Directories > Add Directory window
    • In the step 3. Select Domain(s) area
      • next to corppriv.sec
        • select the checkbox
          • select Next
  1. In the Directories > Add Directory window
    • In the step 4.  Map User Attributes area
      • Verify that the distinguishedName attribute is mapped to the Active Directory distinguishedName attribute
        • select SAVE
  1. In the Directories > Add Directory window
    1. In the step 5  Select the groups you want to sync area
      • under Sync nested group members
        • select +ADD
    2. In the Create Group window
      • next to Name
        • enter dc=corpPriv,dc=sec
          • select ADD
    3. Below Groups to sync
      • next to Select All,
        • select the checkbox
    4. At the bottom of this area
      • select SAVE
  1. In the Directories > Add Directory window
    • In the step  6. Sync users area
      • under Specify the user DNs,
        • enter dc=corpPriv,dc=sec
    • below Verify
      • select Test (note the number of users: only 1)
        • validate that the Test was successful
    • At the bottom of the Select the groups you want to sync area
      • select SAVE
  1. In the Directories > Add Directory window
    • In the step  7.  Sync Frequency window
      • select SAVE
  1. In the Directories window
    • select CorpPriv.Sec
  1. In the Directories > CorpPriv.sec area
    • select Sync
      • from the dropdown
        • select Sync without safeguards
  1. In the Directories window
    • Go back to All Directories
      • Observe that the CorpPriv.sec directory sync was successful

Note: in this environment only 1 user object will sync.

Part 5. Federating Horizon Virtual App Collections for an Untrusted Forest

In our testing, we learned that untrusted forests do not work in an integration with Workspace ONE Access when the federation is set up through the Unified Access Gateway. This gives us an opportunity to show how to set up a federation between Workspace ONE Access and Horizon directly.

  1. In the Workspace ONE Access console
    • select the Resources tab
      • in the Resources menu
        • select Virtual Apps Collections
        • in the Virtual Apps Collections area
          • select NEW
  1. In the Select the Source Type window
    • below the Horizon area
      • click SELECT
  1. In the New Horizon Collection wizard
    • in the 1 Connector page
      • below Name *
        • enter CorpPrivSEC
          • note the Access Connector you will be using
        • in the bottom right corner
          • select NEXT
  1. In the New Horizon Collection wizard
    • in the 2 Pod and Federation page
      • below Pod and Federation
        • select + ADD A POD
  1. In the Add A Pod window
    • enter the following
      • below Horizon Connection Server
        • type Horizon-01a.techseals.co
      • below Username
        • type administrator
      • below Password
        • type Pa$$w0rd
      • select ADD
  1. In the New Horizon Collection wizard
    • in the 2 Pod and Federation page
      • review your configuration
        • select NEXT
  1. In the New Horizon Collection wizard
    • in the 3 Configuration page
      • scroll down to the bottom
        • below Activation Policy
          • select Automatic
        • below Default Launch Client
          • select Native
      • in the bottom right corner
        • select NEXT
  1. In the New Horizon Collection wizard
    • in the 4 Summary page
      • review your configuration
        • select SAVE
  1. In the Virtual Apps Collections > CorpPrivSEC window
    • select Overview
  1. In the Virtual Apps Collections > CorpPrivSEC window
    • Overview section
      • next to SYNC
        • select the dropdown
        • in the dropdown menu
          • select Sync without safeguards
  1. In the Workspace ONE Access console
    • Resources tab
      • in the left menu
        • select Virtual Apps
  1. On your Controlcenter server
    • log out from all Workspace ONE Access Admin console sessions
    • close all browser sessions
Part 6. Testing the Desktop Pool of users from an Untrusted Domain using Workspace ONE Access
  1. On your ControlCenter Server
    • launch your Horizon Client
  1. In the Horizon Client
    • select corp.techseals.co
  1. In the Workspace ONE login
    • below System Domain
      • select corppriv.sec
        • select Next
  1. In the Workspace ONE login
    • below username
      • enter clint
    • below password
      • enter Pa$$w0rd
    • select Sign in
  1. In the Horizon login window
    • in the username area
      • ensure the username is
      • in the password area
        • enter Pa$$w0rd
      • select Login

Note: you were prompted for the password again, and the account did not get a single sign-on experience, because password caching is disabled in Workspace ONE Access.

In the next section we will deploy Horizon Enrollment Services from scratch to facilitate a single sign-on experience.

  1. In the Horizon Client login
    • select the W11_CorpPriv entitlement
  1. In the Horizon Client session
    • next to Fullscreen
      • select the see more icons (3 dots)
        • from the dropdown menu
          • select Logoff Desktop
  1. In the Disconnect and log off desktop? window
    • select OK
Part 7. Deploying Horizon Enrollment services to facilitate Single Sign-On with Workspace ONE Access

Introduction:

When logging in through Workspace ONE Access to a Horizon desktop, the user currently does not get a single sign-on experience.

We will now configure Horizon Enrollment Services in the untrusted domain.

  1. On your ControlCenter server
    • Open the Remote Desktops > Site 1 Folder
      • launch TrueSSO-01b.RDP shortcut
        • In the Windows Security page
          • login as corpPriv\administrator
          • In the password area
            • enter Pa$$w0rd
          • select OK
  1. On the TrueSSO-01b server
    • on the Server Manager Interface
      • select Manage > Add Roles and Features
  1. On the Before you begin window
    • Select Next
  1. On the Select installation type window,
    • in front of Role-based or feature-based installation
      • ensure the radio button is selected
    • select Next
  1. On the Select destination server window (accept the defaults)
    • select Next
  1. On the Select server roles window,
    • in front of Active Directory Certificate Services,
      • select the check box
    • when prompted for the Add Features window,
      • select Add Features
    • select Next
  1. On the Select features window
    • select Next
  1. On the Active Directory Certificate Services window
    • select Next
  1. On the Select role services window
    • select Next
  1. On the Confirm Installation selections window,
    • in front of Restart the destination server automatically if required,
      • select the checkbox
    • on the Add Roles and Features Wizard window
      • select Yes
    • select Install

You will have to wait a short while before moving on to step 10

  1. On the Installation progress page,
    • select the Configure Active Directory Certificate Services on the destination server hyperlink
  1. On the Credentials window
    • select Next
  1. On the Role Services page,
    • select the Certificate Authority checkbox
      • select Next
  1. On the Specify the setup type of the CA window ,
    • next to Enterprise CA
      • select the radio button
        • select Next
  1. On the CA type window
    • ensure the Subordinate CA radio button is selected,
      • select Next
  1. On the Private Key window,
    • in front of Create a new private key
      • ensure the radio button is selected
        • select Next
  1. On the Cryptography for CA window
    • validate that the following are selected
      • under Cryptographic Provider:
        • RSA#Microsoft Software Key Storage Provider
      • next to
        • Key Length: 2048
        • Hash Algorithm: SHA256
    • select Next
  1. On the Specify the Name of the CA window
    • observe the CA naming convention
      • select Next
  1. On the Request a certificate from parent CA ,
    • next to Send a certificate request to a parent CA:
      • select the radio button
    • to the right of the Parent CA box,
      • click the Select button
    • In the Select Certificate Authority window
      • ensure that techseals-CONTROCENTER-CA is selected
        • select OK
    • select Next
  1. On the CA Database window,
    • select Next
  1. On the Confirmation window
    • select Configure
  1. On the Results window
    • select Close
      • on the Installation progress window,
        • select Close
Part 8. Configuring the Horizon True SSO Certificate Template

In this section we will create a certificate template for Horizon True SSO.

  1. On your TRUESSO-01b server
    • select Start > Run
      • type mmc
    • select File > Add/Remove Snap-in...
      • select the Certificate Authority services snap-in,
        • select Add
    • In the Certificate Authority window,
      • select the Local computer  radio button
        • select Finish
    • to close the Snap-ins window
      • select OK
  1. On the corpPriv-TRUESSO-01B-CA server
    • expand the inventory
      • select Certificate Templates,
        • right-click
          • select Manage
  1. In the Certificate Template Console
    • Find and select the Smartcard Logon template
  1. In the Certificate Template Console
    • Right-click the Smartcard Logon template
      • select Duplicate Template
  1. In the Properties of New Template window
    • the Compatibility tab
      • below Certification Authority
        • change from Windows 2003 to Windows 2012 R2
          • when prompted for the Resulting changes window
            • select OK.
      • below Certificate recipient
        • change Windows XP / Server 2003 to Windows 8.1 / Server 2012 R2
          • when prompted for the Resulting changes window
            • select OK.
  1. Under the General tab,
    • under Template display name:
      • type TrueSSO Template,
        • you will notice Template name gets filled in automatically.
          • (Don't edit the TemplateName)
    • under Validity period
      • change the period from 1 year to 1 hour
        • when prompted by the Certificate Templates Box
          • select OK
            • The Renewal period will automatically change from 6 weeks to 0 hours
  1. Under the Request Handling tab
    • change the following next to :-
      • Purpose: change: Signature and encryption to Signature and smartcard logon.
        • when prompted, select Yes
      • in front of Allow private key to be exported
        • select the checkbox
      • in front of
        • For automatic renewal of smartcard certificates, use the existing key if a new key cannot be created
          • select the checkbox
      • in front of Prompt the user during enrollment
        • validate the radio button is selected
  1. Under the Cryptography tab
    • configure the following next to
      • Provider Category: Key Storage Provider
    • validate the following next to
      • Minimum key size: 2048
      • Request hash: SHA256
  1. Under the Server tab,
    • in front of Do not store certificates and requests in the CA database
      • select the checkbox
        • you will notice that Do not include revocation information in issued certificates is selected automatically.
    • next to Do not include revocation information in issued certificates
      • Uncheck the check box
  1. Under the Issuance Requirements tab,
    • configure the following:
      • In front of  This number of authorized signatures
        • select the checkbox :
          • to the right
            • validate the value changes to 1 in the box
      • under Policy type required in signature
        • ensure the Application policy is selected (default config)
      • under Application Policy
        • from the dropdown
          • select Certificate Request Agent
      • under  Require the following for reenrollment
        • in front of Valid existing certificate
          • select the radio button
  1. On the Security tab
    • in the Group or user names: area
      • select Add
        • To the right of the Select this object type: box
          • select the Object types button
            • select the checkbox next to Computers,
              • select OK
  1. In the Select Users, Computers, Service Accounts, or Groups window
    • under Enter the object names to select
      • type TRUESSO-01b
        • to the right select Check Names
          • select OK
  1. In the Properties of New Template window
    • below Permissions for TRUESSO-01b
      • ensure that Read permission is selected
      • next to Enroll
        • select the checkbox
      • to close the TrueSSO Template Properties,
        • select OK
  1. in the Certificate Templates Console
    • select the Enrollment Agent (computer) template
      • right-click
        • select Properties
  1. In the Enrollment Agent (Computer) Properties window
    • select the Security tab
  1. In the Enrollment Agent (Computer) Properties window
    • below Group or user names:
      • select Add
  1. In the Select Users, Computers, Service Accounts, or Groups window
    • to the right of the Select this object type: box
      • select the Object types button
        • select the checkbox next to Computers,
          • select OK
  1. In the Select Users, Computers, Service Accounts, or Groups window
    • under Enter the object names to select
      • type TRUESSO-01b
        • to the right select Check Names
          • select OK
  1. In the Enrollment Agent (Computer) Properties window
    • below Permissions for TRUESSO-01b
      • ensure that Read permission is selected
        • next to Enroll
          • select the checkbox
        • to close the Enrollment Agent (Computer) Properties window,
          • select OK
    • close the Certificate Templates Window
  1. Switch to the Certificate Authority Console
    • select the Certificate Templates container,
      • right-click
        • select New > Certificate Template to Issue
  1. In the Enable Certificate Templates window,
    • select your TrueSSO Template
      • select OK
  1. In the Certificate Authority Console
    • right-click the Certificate Templates container,
      • select New > Certificate Template to Issue
  1. In the Enable Certificate Templates window
    • select the Enrollment Agent (Computer) template
      • select OK
  1. We will now configure the CA for non-persistent certificate processing
    • On the TrueSSO-01b server
      • select  the Start button
        • right-click
      • select Command Prompt (Admin)
  1. In the Administrator: Command Prompt
    • enter the following commands
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
  1. Configure CA to ignore offline CRL errors
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
  1. From the command prompt run:
    • Restart the CA service.
net stop certsvc
net start certsvc
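The two certutil commands above change registry flags that are easy to mistype and that only take effect after the CA service restarts. The PowerShell below is an added example, not part of this lab or of the Horizon or Windows tooling, that verifies both flags are present and that certsvc is running again. It reads the flag names back from certutil -getreg output rather than assuming their numeric values; the registry value names, flag names and the service name certsvc are the ones used in the commands above.

```powershell
# Added check (not part of this lab): verify on the CA server that the two
# certutil settings the lab applies are in effect and the CA service is up.
# Flag names are matched in certutil -getreg output, so no bit values are
# assumed; certsvc is the service the lab restarts.
function Test-TrueSsoCaConfig {
    $checks = @(
        @{ Key = 'DBFlags';     Flag = 'DBFLAGS_ENABLEVOLATILEREQUESTS' }  # non-persistent certificate requests
        @{ Key = 'ca\CRLFlags'; Flag = 'CRLF_REVCHECK_IGNORE_OFFLINE' }    # tolerate an offline CRL
    )
    $results = @(foreach ($c in $checks) {
        # certutil lists each set flag by name, e.g. "CRLF_REVCHECK_IGNORE_OFFLINE -- 10 (16)".
        $out = & certutil.exe -getreg $c.Key 2>&1 | Out-String
        [pscustomobject]@{
            Setting = $c.Flag
            Present = ($out -match [regex]::Escape($c.Flag))
        }
    })
    $svc = Get-Service -Name certsvc -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Setting = 'certsvc running'
        Present = ($null -ne $svc -and $svc.Status -eq 'Running')
    }
    return $results
}

$report = Test-TrueSsoCaConfig
$report | Format-Table -AutoSize
if ($report.Present -contains $false) {
    Write-Warning 'One or more True SSO CA prerequisites are missing; rerun the certutil commands and restart certsvc.'
}
```

Run it in the same elevated prompt after net start certsvc; all three rows should show Present = True before you move on to deploying the Enrollment Server.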
Part 9: Deploying the Enrollment Services
  1. On the TrueSSO-01b server desktop
    • launch the software shortcut
      • In the Software folder,
        • open the Horizon\2312 folder.
    • select and launch the VMware-Horizon-Connection-Server-x86_64-8.12.0-23148203.exe
  1. On the Open File - Security Warning window
    • Select Run
  1. On the Welcome window
    • Select Next
  1. On the License agreement window
    • next to I accept the terms in the license agreement,
      • select the radio button
        • select Next
  1. On Destination Folder window
    • select Next
  1. On the Installation Options window
    • select Horizon Enrollment Server
      • select Next
  1. On Firewall configuration window
    • select Next
  1. On the Ready to Install the Program window
    • select Install
  1. On the Installer Completed Window
    • select Finish
Part 10: Certificate Configuration on the Enrollment Server
  1. On the TrueSSO-01b server
    • select the Start Button,
      • right-click
        • select Run,
          • type MMC,
            • select OK
  1. In the Console window
    • select File > Add/Remove Snap-in...
  1. In the Add or Remove Snap-ins window,
    • select Certificates
      • select Add
  1. In the Certificates snap-in
    • next to Computer account
      • select the radio button
        • select Next
          • select Finish
            • select OK
  1. Expand the Certificates console inventory
    • select the Personal > Certificates container.
      • and right-click
        • select All Tasks > Request New Certificate
  1. On the Certificate Enrollment  window
    • select Next
  1. On the Select Certificate Enrollment Policy window
    • select Next
  1. On the Request Certificates window
    • in front of Enrollment Agent (Computer)
      • select the checkbox
    • select Enroll
  1. On the Certificate Installation Results window,
    • ensure the enrollment was successful
      • select Finish
  1. In the Certificates Console
    • note that you now have an enrollment certificate for TrueSSO-01b
Part 11: Federating Enrollment services with Horizon
  1. On your TrueSSO-01b server
    • select your Certificate services Snap-in,
      • select the VMware Horizon View Enrollment Server Trusted Roots folder
        • and right-click
          • select All Tasks > Import
  1. On the Welcome window
    • select Next
  1. In the File to import window
    • Under File name,
      • enter the following
        • \\Horizon-01a.techseals.co\software\Horizon\enroll.cer
    • select Next
  1. In the Certificate Store window
    • accept the defaults
      • select Next.
        • on the Summary page
          • select Finish.
          • when Prompted that The Import was successful
            • select OK
  1. In the Certificates Folder
    • select the imported certificate
      • and Right-click
        • select Properties.
    • In the Friendly name: section
      • type vdm.ec
        • select OK
Part 12: Mapping the subordinate CA to a preferred Enrollment service
  1. On your TrueSSO-01b server,
    • select the Start button > RUN
      • type regedit.exe
    • In the regedit inventory,
      • browse to the following location:
        • HKLM\SOFTWARE\VMware, Inc.\VMware VDM\
      • What we should see is an Enrollment Service key:
        • HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service
        • You will notice there is no Enrollment Service key, so we need to create one:
    • Create the Enrollment Service key
      • Right-click VMware VDM > New > Key
        • type Enrollment Service

We will now add three String Values to the Enrollment Service registry key.

  1. In the Registry Editor
    • right-click the Enrollment Service key > New > String Value
      • type PreferLocalCa
    • right-click the PreferLocalCa String value
      • select Modify
      • in the Value data: field
        • enter 1
    • select OK  to close the window
  1. Add your second String Value
    • right-click the Enrollment Service key > New > String Value
      • enter UseKerberosAuthenticationToCa
    • right-click the UseKerberosAuthenticationToCa String value
      • select Modify
      • in the Value data: field
        • enter false
    • select OK to close the window.
  1. Add a third String Value
    • right-click the Enrollment Service key > New > String Value
      • enter UseNTLMAuthenticationToCa
    • right-click the UseNTLMAuthenticationToCa String value
      • select Modify
      • in the Value data: field
        • enter true
    • to close the window.
      • select OK
  1. On your TrueSSO-01b server
    • From the Start button,
      • select Run
        • type services.msc
          • select OK
    • in services menu, scroll down until you find
      • VMware Horizon View Enrollment Server service
    • select and right-click the  VMware Horizon View Enrollment Server service
      • select Restart
    • Close the Services mmc
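The registry edits in this part are three String Values under one key, followed by a service restart. The PowerShell below is an added example, not part of this lab or of the Horizon product, that creates the key and values idempotently, reads them back and compares them with the expected data, and restarts the enrollment server only when everything matches. The key path, value names and data (PreferLocalCa = 1, UseKerberosAuthenticationToCa = false, UseNTLMAuthenticationToCa = true) and the service display name are taken from this part of the lab; run it in an elevated PowerShell on TrueSSO-01b.

```powershell
# Added check (not part of this lab): create the Enrollment Service registry
# values from Part 12 idempotently, verify them, and restart the service.
# Key path, value names, data and service display name are the lab's.
$keyPath = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service'
$wanted = [ordered]@{
    PreferLocalCa                 = '1'
    UseKerberosAuthenticationToCa = 'false'
    UseNTLMAuthenticationToCa     = 'true'
}

function Set-EnrollmentServiceValues {
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null          # the key does not exist by default
    }
    foreach ($name in $wanted.Keys) {
        # REG_SZ, matching the String Values created by hand in the lab.
        New-ItemProperty -Path $keyPath -Name $name -Value $wanted[$name] -PropertyType String -Force | Out-Null
    }
}

function Test-EnrollmentServiceValues {
    $actual = Get-ItemProperty -Path $keyPath -ErrorAction Stop
    foreach ($name in $wanted.Keys) {
        [pscustomobject]@{
            Name     = $name
            Expected = $wanted[$name]
            Actual   = $actual.$name
            Ok       = ($actual.$name -eq $wanted[$name])
        }
    }
}

Set-EnrollmentServiceValues
$result = @(Test-EnrollmentServiceValues)
$result | Format-Table -AutoSize
if ($result.Ok -contains $false) {
    throw 'Enrollment Service registry values do not match the expected configuration.'
}

# Restart so the enrollment server reads the new values.
Get-Service -DisplayName 'VMware Horizon View Enrollment Server' | Restart-Service -Force
```

Keeping the expected values in one table makes the same script usable as a drift check later: run only Test-EnrollmentServiceValues on a schedule and alert if any row reports Ok = False.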
Part 13: Pairing Horizon with Enrollment and Certificate services
  1. On your ControlCenter server
    • switch to your HORIZON-01a.RDP session
  1. Select and right-click the Start button
    • select Command Prompt (Admin)
  1. In the Administrator: Command Prompt
    • enter the following:-
cd "\Program Files\VMware\VMware View\Server\tools\bin"
  1. In the Administrator: Command Prompt type the following:-
    • this adds the enrollment server to the global list
vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --environment --add --enrollmentServer TrueSSO-01b.corpPriv.sec
  1. Wait 2 min before running the next command
    • In the Administrator: Command Prompt type the following:-
      • The output shows the forest name, whether the certificate for the enrollment server is valid, the name and details of the certificate template you can use, and the common name of the certificate authority.
vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --environment --list --enrollmentServer TrueSSO-01b.corpPriv.sec --domain corpPriv.sec
  1. Create a True SSO connector, which holds the configuration information, and enable it
    • Enter the following command
vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --create --connector --domain corpPriv.sec --template TrueSSOTemplate --primaryEnrollmentServer truesso-01b.corpPriv.sec --certificateServer corpPriv-TRUESSO-01B-CA --mode enabled
Part 14. Enabling TrueSSO in Workspace ONE Access Virtual Apps Collections.
  1. In the Workspace ONE Access Console
    • select the Resources tab
    • in the side menu
      • select Virtual Apps Collections
  1. In the Virtual Apps Collections window
    • next to CorpPrivSEC
      • select the radio button
    • select EDIT
  1. In the Edit Horizon Collection wizard
    • select Pod and Federation
  1. In the Pod and Federation window
    • select Horizon-01a.techseals.co
  1. In the Edit Pod window
    • scroll down
      • below True SSO
        • move radio button from Disabled to Enabled
      • to close the Edit Pod window
        • select SAVE
  1. In the Pod and Federation window
    • select NEXT
  1. In the Pod and Federation window
    • 3 Configuration
      • select NEXT
  1. In the Pod and Federation window
    • 4 Summary
      • select SAVE
Part 15. Testing Untrusted Domain Integration with Workspace ONE Access and TrueSSO
  1. On your ControlCenter Server
    • open a New Incognito window
      • in the address bar
        • enter your custom Access URL
  1. In the Workspace ONE login
    • below the Select your Domain area
      • select corpPriv.sec
        • select Next
  1. In the Workspace ONE login
    • under username
      • enter clint
    • under password
      • enter Pa$$w0rd
    • select Sign In
  1. In the Web based Intelligent Hub
    • select the  Apps tab
  1. In the Web based Intelligent Hub
    • under the  Apps tab
      • select the  W11_CorpPriv entitlement
  1. In the W11_CorpPriv window
    • select Launch
    • in the Open VMware Horizon Client? window
      • select Open VMware Horizon Client
  1. On your Horizon web client
    • Note that you had a single sign-on experience
    • when done
      • select Logoff Desktop
    • In the Disconnect and log off desktop? window
      • select OK
