10. Horizon Integration with Untrusted Active Directory Forests
For as long as Horizon and View have existed, any Active Directory domain whose users needed access to Horizon resources had to have at least a one-way AD trust with the Horizon domain: the Horizon domain had to be trusted so that it could read the domain objects in the user domain.
Many organizations set up separate Active Directory forests for security reasons, yet they want to give users access through a single Horizon Pod. In the past this was almost impossible.
With the 2103 release of Horizon, a very simple solution was introduced that allows users from an untrusted Active Directory domain to access Horizon resources in a separate, untrusted Active Directory forest.
In this session we walk you through configuring a Domain Bind account and configuring Horizon resources to make this work.
- On your ControlCenter server
  - open your Chrome browser
  - in the Favourites bar, launch the Horizon Site 1 shortcut
  - login as username: Administrator
  - login with the password: VMware1!
  - select Sign in
- In the Horizon Admin Console
  - in the left Inventory pane, under Settings, select Domains
  - under the Domains area, select the Domain Bind tab
  - in the Domains area > Domain Bind, select Add
- In the Untrusted Domain window, add the following next to:
  - DNS Name: corpPriv.sec
  - Netbios: corpPriv
  - Username: [email protected]
  - Password: Pa$$w0rd
  - select OK
- In the Manage Auxiliary Accounts window
  - select Add
  - in the Add Auxiliary Account window
    - next to User Name, enter administrator
    - next to Password, enter Pa$$w0rd
    - select OK
  - select OK to close the Manage Auxiliary Accounts window
- In the Horizon Admin Console
  - under the Domains area, select the Domain Accounts tab
  - in the Domains area, select Add
  - In the Add Domain Admin window, add the following next to:
    - Full Domain Name: from the dropdown, select corpPriv.sec
    - Username: type Administrator
    - Password: type Pa$$w0rd
    - select OK
- In the Horizon Admin Console
  - in the left Inventory pane, under Inventory, select Desktops
  - in the Desktop Pools area, select Add
- In the Add Pool wizard
  - select Next
  - vCenter Server: select Next
  - User Assignment: select the radio button next to Floating, select Next
  - Storage Optimization: select Next
  - Desktop Pool Identification window, update the following areas:
    - under ID, enter CorpPrivW11
    - under Display Name, enter W11_CorpPriv
    - select Next
- In the Add Pool - CorpPrivW11 wizard
  - Provisioning Settings:
    - under Use a Naming Pattern, enter w11CorpPriv
    - under Desktop Pool sizing > Maximum Machines, enter 2
    - select Next
  - vCenter Settings, configure the following:
    - in line with Golden Image in vCenter: browse to W11Master-01a and Submit
    - under Snapshot, browse to baseline and Submit
    - under VM Folder Location, browse to RegionA01 and Submit
    - under Resource Settings > Cluster, browse to Bangalore and Submit
    - under Resource Settings > Resource Pool, browse to Bangalore and Submit
    - under Resource Settings > Datastores, browse to CorpLUN01a and Submit
    - in the Warning window, select OK
    - select Next
  - Desktop Pool Settings:
    - under Log off After Disconnect:, from the dropdown, select Immediately
    - select Next
  - Remote Display Settings: select Next
  - 10. Guest Customization:
    - below Domain, from the dropdown, select corpPriv.sec(administrator)
    - below AD Container, select Browse, select CN=Computers, select Submit
    - next to Allow Reuse of Existing Computer Accounts, select the checkbox
    - select Next
  - 11. Ready to Complete:
    - next to Entitle Users After Adding Pool, select the checkbox
    - select Submit
- In the Add Entitlements window, select Add
- In the Find User or Group window
  - next to Domain, from the dropdown, select corpPriv.sec
  - next to Name/User Name, to the right of Starts with, enter domain users
  - select Find
  - under Find, next to Sales, select the checkbox
  - to close Find User or Group, select OK
  - to close Add Entitlements, select OK
- In the Desktop Pools area, select CorpPrivW11
- In the CorpPrivW11 area, under the Summary tab
  - scroll down to Pending Image and view the progress of the pool being provisioned
  - to the right, notice the State is Publishing; when complete this will report as Published
  - NOTE: the page does not dynamically update. You will have to refresh periodically by selecting the Refresh icon in the top right corner of the Summary page
  - you will need to wait until the pool is Published
- In the Horizon Admin Console, under Inventory, select Machines
- In the Machines area, look for your CorpPrivW11 virtual machines and wait until the Status is Available
- On your ControlCenter server
  - open the Remote Desktops > Site 1 folder
  - launch the Horizon-01a.RDP shortcut
  - Note! You should automatically be authenticated with the account [email protected] with the password Pa$$w0rd
- On the Horizon-01a desktop
  - right-click the Start button and select Run
  - In the Run window, next to Open:, enter adsiedit.msc and select OK
Connecting to the Horizon LDAP database using ADSI Edit is covered in the following Knowledge Base article:
- https://kb.vmware.com/s/article/2012377
- In the ADSI Edit window, right-click ADSI Edit and, in the menu, select Connect to...
- In the Connection Settings window
  - in the Connection Point area, next to Select or type a Distinguished Name or Naming Context:, select the radio button and, below it, enter dc=vdi,dc=vmware,dc=int
  - in the Computer area, next to Select or type a domain or server: (Server | Domain [:port]), enter localhost:389
  - select OK
- In the ADSI Edit window
  - select the Default naming context and expand it
  - select DC=vdi,dc=vmware,dc=int and expand it
  - in the inventory, select OU=Server Groups
  - in the OU=Server Groups area, right-click CN=W11-BLR-INST and select Properties
- In the CN=W10INST Properties window
  - scroll down until you find the pae-ProvisionScheme attribute
  - select the pae-ProvisionScheme attribute and select Edit
- In the String Attribute Editor window, in the Value area, type ModeA
  - select OK to close the window
  - select OK to close the CN=W10INST Properties window
- Close the ADSI Edit window
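The ADSI Edit steps above can also be done from PowerShell on the Connection Server. The script below is an added example, not part of the lab: it binds to the same Horizon LDAP object (CN=W11-BLR-INST under OU=Server Groups in dc=vdi,dc=vmware,dc=int on localhost:389), shows the current pae-ProvisionScheme value, writes ModeA only if it differs, and re-reads the attribute to confirm the write landed. It assumes you run it on Horizon-01a as a Horizon administrator; the parameter names are the example's own.

```powershell
# Added example (not part of the lab): read and set pae-ProvisionScheme on the
# pool's Server Group object in the Horizon LDAP directory, mirroring the ADSI Edit steps.
# Assumptions: run on the Connection Server (Horizon-01a) as a Horizon administrator;
# the DN and value below are the ones used in the lab.
param(
    [string]$Server   = 'localhost:389',
    [string]$ObjectDn = 'CN=W11-BLR-INST,OU=Server Groups,DC=vdi,DC=vmware,DC=int',
    [string]$NewValue = 'ModeA'
)

$entry = [ADSI]"LDAP://$Server/$ObjectDn"

# Touch a property so the bind happens now; fail early rather than silently writing nothing
try { $null = $entry.Guid } catch { throw "Cannot bind to $ObjectDn on $Server : $_" }

$current = [string]$entry.Properties['pae-ProvisionScheme'].Value
Write-Host "Current pae-ProvisionScheme : '$current'"

if ($current -eq $NewValue) {
    Write-Host "Already set to '$NewValue'; nothing to change."
} else {
    $entry.Put('pae-ProvisionScheme', $NewValue)
    $entry.SetInfo()

    # Re-read from the directory to confirm the change was actually committed
    $entry.RefreshCache()
    $after = [string]$entry.Properties['pae-ProvisionScheme'].Value
    if ($after -ne $NewValue) { throw "Write failed: attribute still reads '$after'" }
    Write-Host "pae-ProvisionScheme updated to '$after'"
}
```

Reading the value back after SetInfo() is the check ADSI Edit does not give you; keep the printed "before" value so the change can be reverted if the pool misbehaves.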
- On your ControlCenter server, launch your Horizon Client
- In the Horizon Client
  - select + Add Server
  - below Name of the Connection Server, enter horizon-01a.techseals.co and select Connect
  - in the Enter your user name area, enter [email protected]
  - in the Enter your password area, enter Pa$$w0rd
  - select Login
- In the Horizon Client login, select the W11_CorpPriv entitlement
- In the Horizon Client session
  - next to Fullscreen, select the see more icon (3 dots)
  - from the dropdown menu, select Logoff Desktop
- In the Disconnect and log off desktop? window, select OK
- In the Workspace ONE console, in the Services area, below Access, select LAUNCH
- In the Workspace ONE Access console
  - select the Integrations tab
  - in the left menu, select Directories
  - in the Directories area, select ADD DIRECTORY and, from the dropdown, select Active Directory
- In the Directories > Add Directory window
  - next to Directory name, enter CorpPriv.Sec and select NEXT
  - In the step 2. Configure Directory area, scroll down to the Bind User Details area and enter the following next to:
    - Base DN: dc=corpPriv,dc=sec
    - Bind User DN: cn=administrator,cn=users,dc=corpPriv,dc=sec
    - Bind User Password: Pa$$w0rd
    - select SAVE
  - In the step 3. Select Domain(s) area, next to corppriv.sec, select the checkbox and select Next
  - In the step 4. Map User Attributes area, verify that the distinguishedName attribute is mapped to the Active Directory distinguishedName attribute, then select SAVE
  - In the step 5. Select the groups you want to sync area
    - under Sync nested group members, select +ADD
    - In the Create Group window, next to Name, enter dc=corpPriv,dc=sec and select ADD
    - below Groups to sync, next to Select All, select the checkbox
    - at the bottom of this area, select SAVE
  - In the step 6. Sync users area
    - under Specify the user DNs, enter dc=corpPriv,dc=sec
    - below Verify, select Test (note the number of users: only 1) and validate that the test was successful
    - at the bottom of the area, select SAVE
  - In the step 7. Sync Frequency window, select SAVE
- In the Directories window, select CorpPriv.Sec
- In the Directories > CorpPriv.sec area, select Sync and, from the dropdown, select Sync without safeguards
- Go back to All Directories and observe that the CorpPriv.sec directory sync was successful
Note: in this environment only 1 user object will sync.
In our testing, we learned that untrusted forests do not work in an integration with Workspace ONE Access when the federation is set up with the Unified Access Gateway. This gives us an opportunity to show how to set up federation with Workspace ONE Access and Horizon directly.
- In the Workspace ONE Access console
  - select the Resources tab
  - in the Resources menu, select Virtual Apps Collections
  - in the Virtual Apps Collections area, select NEW
- In the Select the Source Type window, below the Horizon area, click SELECT
- In the New Horizon Collection wizard
  - in the 1 Connector page
    - below Name *, enter CorpPrivSEC
    - note the Access Connector you will be using
    - in the bottom right corner, select NEXT
  - in the 2 Pod and Federation page, below Pod and Federation, select + ADD A POD
  - In the Add A Pod window, enter the following:
    - below Horizon Connection Server, type Horizon-01a.techseals.co
    - below Username, type administrator
    - below Password, type Pa$$w0rd
    - select ADD
  - in the 2 Pod and Federation page, review your configuration and select NEXT
  - in the 3 Configuration page
    - scroll down to the bottom
    - below Activation Policy, select Automatic
    - below Default Launch Client, select Native
    - in the bottom right corner, select NEXT
  - in the 4 Summary page, review your configuration and select SAVE
- In the Virtual Apps Collections > CorpPrivSEC window
  - select Overview
  - in the Overview section, next to SYNC, select the dropdown
  - in the dropdown menu, select Sync without safeguards
- In the Workspace ONE Access console, on the Resources tab, in the left menu, select Virtual Apps
- On your ControlCenter server
  - log out from all Workspace ONE Access Admin console sessions
  - close all browser sessions
- On your ControlCenter server, launch your Horizon Client
- In the Horizon Client, select corp.techseals.co
- In the Workspace ONE login
  - below System Domain, select corppriv.sec and select Next
  - below username, enter clint
  - below password, enter Pa$$w0rd
  - select Sign in
- In the Horizon login window
  - in the username area, ensure the username is
  - in the password area, enter Pa$$w0rd
  - select Login
Note: the reason you were prompted for a password again, and the account did not get a single sign-on experience, is that Password Caching is disabled in Workspace ONE Access.
In the next section we deploy Horizon Enrollment Services from scratch to provide a single sign-on experience.
- In the Horizon Client login, select the W11_CorpPriv entitlement
- In the Horizon Client session
  - next to Fullscreen, select the see more icon (3 dots)
  - from the dropdown menu, select Logoff Desktop
- In the Disconnect and log off desktop? window, select OK
Introduction:
When logging in through Workspace ONE Access to a Horizon desktop, the user does not get a single sign-on experience.
We will now configure Horizon Enrollment Services in the untrusted domain.
- On your ControlCenter server
  - open the Remote Desktops > Site 1 folder
  - launch the TrueSSO-01b.RDP shortcut
- In the Windows Security page
  - login as corpPriv\administrator
  - in the password area, enter Pa$$w0rd
  - select OK
- On the TrueSSO-01b server, on the Server Manager interface, select Manage > Add Roles and Features
- On the Before you begin window, select Next
- On the Select installation type window, in front of Role-based or feature-based installation, ensure the radio button is selected, then select Next
- On the Select destination server window (accept the defaults), select Next
- On the Select server roles window
  - in front of Active Directory Certificate Services, select the checkbox
  - when prompted with the Add Features window, select Add Features
  - select Next
- On the Select features window, select Next
- On the Active Directory Certificate Services window, select Next
- On the Select role services window, select Next
- On the Confirm installation selections window
  - in front of Restart the destination server automatically if required, select the checkbox
  - on the Add Roles and Features Wizard prompt, select Yes
  - select Install
You will have to wait a short while before moving on to step 10
- On the Installation progress page, select the Configure Active Directory Certificate Services on the destination server hyperlink
- On the Credentials window, select Next
- On the Role Services page, select the Certification Authority checkbox and select Next
- On the Specify the setup type of the CA window, next to Enterprise CA, select the radio button and select Next
- On the CA type window, ensure the Subordinate CA radio button is selected and select Next
- On the Private Key window, in front of Create a new private key, ensure the radio button is selected and select Next
- On the Cryptography for CA window, validate the following is selected
  - under Cryptographic Provider: RSA#Microsoft Software Key Storage Provider
  - Key Length: 2048
  - Hash Algorithm: SHA256
  - select Next
- On the Specify the Name of the CA window, observe the CA naming convention and select Next
- On the Request a certificate from parent CA window
  - next to Send a certificate request to a parent CA:, select the radio button
  - to the right of the Parent CA box, click the Select button
  - In the Select Certificate Authority window, ensure that techseals-CONTROCENTER-CA is selected and select OK
  - select Next
- On the CA Database window, select Next
- On the Confirmation window, select Configure
- On the Results window, select Close
- On the Installation progress window, select Close
In this section we will create a certificate template for Horizon True SSO.
- On your TRUESSO-01b server
  - select Start > Run, type mmc
  - select File > Add/Remove Snap-in...
  - select the Certification Authority snap-in and select Add
  - In the Certification Authority window, select the Local computer radio button and select Finish
  - to close the Snap-ins window, select OK
- On the corpPriv-TRUESSO-01B-CA server
  - expand the inventory
  - right-click Certificate Templates and select Manage
- In the Certificate Templates Console
  - find and select the Smartcard Logon template
  - right-click the Smartcard Logon template and select Duplicate Template
- In the Properties of New Template window
  - on the Compatibility tab
    - below Certification Authority, change Windows 2003 to Windows 2012 R2; when prompted with the Resulting changes window, select OK
    - below Certificate recipient, change Windows XP / Server 2003 to Windows 8.1 / Server 2012 R2; when prompted with the Resulting changes window, select OK
  - under the General tab
    - under Template display name:, type TrueSSO Template; you will notice Template name is filled in automatically (don't edit the Template name)
    - under Validity period, change the period from 1 years to 1 hours; when prompted by the Certificate Templates box, select OK. The Renewal period will automatically change from 6 weeks to 0 hours
  - under the Request Handling tab, change the following next to:
    - Purpose: change Signature and encryption to Signature and smartcard logon; when prompted, select Yes
    - in front of Allow private key to be exported, select the checkbox
    - in front of For automatic renewal of smartcard certificates, use the existing key if a new key cannot be created, select the checkbox
    - in front of Prompt the user during enrollment, validate the radio button is selected
  - under the Cryptography tab
    - configure the following next to Provider Category: Key Storage Provider
    - validate the following next to Minimum key size: 2048 and Request hash: SHA256
  - under the Server tab
    - in front of Do not store certificates and requests in the CA database, select the checkbox
    - you will notice that Do not include revocation information in issued certificates is selected automatically; uncheck that checkbox
  - under the Issuance Requirements tab, configure the following:
    - in front of This number of authorized signatures, select the checkbox; to the right, validate the value changes to 1 in the box
    - under Policy type required in signature, ensure Application policy is selected (default config)
    - under Application Policy, from the dropdown, select Certificate Request Agent
    - under Require the following for reenrollment, in front of Valid existing certificate, select the radio button
  - on the Security tab
    - in the Group or user names: area, select Add
    - to the right of the Select this object type: box, select the Object types button, select the checkbox next to Computers, and select OK
    - In the Select Users, Computers, Service Accounts, or Groups window, under Enter the object names to select, type TRUESSO-01b, to the right select Check Names, and select OK
    - below Permissions for TRUESSO-01b, ensure that Read permission is selected and, next to Enroll, select the checkbox
  - to close the TrueSSO Template Properties, select OK
- In the Certificate Templates Console, right-click the Enrollment Agent (Computer) template and select Properties
- In the Enrollment Agent (Computer) Properties window
  - select the Security tab
  - below Group or user names:, select Add
  - In the Select Users, Computers, Service Accounts, or Groups window
    - to the right of the Select this object type: box, select the Object types button, select the checkbox next to Computers, and select OK
    - under Enter the object names to select, type TRUESSO-01b, to the right select Check Names, and select OK
  - below Permissions for TRUESSO-01b, ensure that Read permission is selected and, next to Enroll, select the checkbox
  - to close the Properties window, select OK
- Close the Certificate Templates window
- Switch to the Certification Authority console
  - right-click the Certificate Templates container and select New > Certificate Template to Issue
  - In the Enable Certificate Templates window, select your TrueSSO Template and select OK
  - right-click the Certificate Templates container again and select New > Certificate Template to Issue
  - In the Enable Certificate Templates window, select the Enrollment Agent (Computer) template and select OK
We will now configure the CA for non-persistent certificate processing.
- On the TrueSSO-01b server, right-click the Start button and select Command Prompt (Admin)
- In the Administrator: Command Prompt, enter the following command to enable volatile (non-persistent) requests:
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
- Configure the CA to ignore offline CRL errors:
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
- From the command prompt, restart the CA service:
net stop certsvc
net start certsvc
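The two certutil settings and the service restart can be applied with a check built in. The script below is an added example, not part of the lab: for each flag it reads the current value with certutil -getreg, only sets the flag when it is missing, re-reads to confirm, and then restarts certsvc and waits for it to come back. It assumes an elevated PowerShell session on the CA host (TrueSSO-01b in this lab) and that certutil -getreg lists the symbolic names of the flags currently set, which is what it prints for these registry values.

```powershell
# Added example (not part of the lab): apply the CA flags from the steps above
# idempotently, verify them, and restart the CA service.
# Assumption: elevated PowerShell on the CA host (TrueSSO-01b in the lab).
$settings = @(
    @{ Key = 'DBFlags';     Flag = 'DBFLAGS_ENABLEVOLATILEREQUESTS' },  # non-persistent (volatile) requests
    @{ Key = 'ca\CRLFlags'; Flag = 'CRLF_REVCHECK_IGNORE_OFFLINE' }     # ignore offline CRL errors
)

foreach ($s in $settings) {
    # certutil -getreg prints the symbolic names of the flags that are currently set
    $before = certutil -getreg $s.Key 2>&1 | Out-String
    if ($before -match $s.Flag) {
        Write-Host "$($s.Key): $($s.Flag) already set"
        continue
    }

    certutil -setreg $s.Key "+$($s.Flag)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg $($s.Key) failed with exit code $LASTEXITCODE" }

    # Read back rather than trusting the exit code alone
    $after = certutil -getreg $s.Key 2>&1 | Out-String
    if ($after -notmatch $s.Flag) { throw "$($s.Flag) not present after setting $($s.Key)" }
    Write-Host "$($s.Key): $($s.Flag) set"
}

# The registry change only takes effect once the CA service restarts
Restart-Service -Name certsvc -Force
(Get-Service -Name certsvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "certsvc status: $((Get-Service -Name certsvc).Status)"
```

Run it once after the AD CS role is configured; re-running it is harmless because it skips flags that are already present.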
- On the TrueSSO-01b server desktop, launch the software shortcut
- In the Software folder
  - open the Horizon\2312 folder
  - select and launch VMware-Horizon-Connection-Server-x86_64-8.12.0-23148203.exe
- On the Open File - Security Warning window, select Run
- On the Welcome window, select Next
- On the License agreement window, next to I accept the terms in the license agreement, select the radio button and select Next
- On the Destination Folder window, select Next
- On the Installation Options window, select Horizon Enrollment Server and select Next
- On the Firewall configuration window, select Next
- On the Ready to Install the Program window, select Install
- On the Installer Completed window, select Finish
- On the TrueSSO-01b server
  - right-click the Start button and select Run
  - type MMC and select OK
- In the Console window, select File > Add/Remove Snap-in...
- In the Add or Remove Snap-ins window, select Certificates and select Add
- In the Certificates snap-in
  - next to Computer account, select the radio button
  - select Next
  - select Finish
  - select OK
- Expand the Certificates console inventory
  - right-click the Personal > Certificates container
  - select All Tasks > Request New Certificate
- On the Certificate Enrollment window, select Next
- On the Select Certificate Enrollment Policy window, select Next
- On the Request Certificates window, in front of Enrollment Agent (Computer), select the checkbox and select Enroll
- On the Certificate Installation Results window, ensure the enrollment was successful and select Finish
- In the Certificates console, note that you now have a TrueSSO-01b certificate issued from the Enrollment Agent (Computer) template
- On your TrueSSO-01b server, in your Certificates snap-in
  - right-click the VMware Horizon View Enrollment Server Trusted Roots folder
  - select All Tasks > Import
- On the Welcome window, select Next
- In the File to import window, under File name, enter the following and select Next:
  - \\Horizon-01a.techseals.co\software\Horizon\enroll.cer
- In the Certificate Store window, accept the defaults and select Next
- On the Summary page, select Finish
- When prompted that the import was successful, select OK
- In the Certificates folder
  - right-click the imported certificate and select Properties
  - in the Friendly name: section, type vdm.ec
  - select OK
- On your TrueSSO-01b server
  - select the Start button > Run, type regedit.exe
  - In the regedit inventory, browse to the following location:
  - HKLM\SOFTWARE\VMware, Inc.\VMware VDM\
What we should see is an Enrollment Service key at HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service. You will notice there is no Enrollment Service key, so in our case we have to create one:
- Create the Enrollment Service key
  - right-click VMware VDM > New > Key
  - type Enrollment Service
We will add 3 String Values in the Registry Key.
- In the Registry Editor
  - right-click the Enrollment Service key > New > String Value
  - type PreferLocalCa
  - right-click the PreferLocalCa String Value and select Modify
  - in the Value data: field, enter 1
  - select OK to close the window
- Add your second String Value
  - right-click the Enrollment Service key > New > String Value
  - enter UseKerberosAuthenticationToCa
  - right-click the UseKerberosAuthenticationToCa String Value and select Modify
  - in the Value data: field, enter false
  - select OK to close the window
- Add a third String Value
  - right-click the Enrollment Service key > New > String Value
  - enter UseNTLMAuthenticationToCa
  - right-click the UseNTLMAuthenticationToCa String Value and select Modify
  - in the Value data: field, enter true
  - select OK to close the window
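The registry key, the three string values, and the service restart can be scripted so the result is verified rather than eyeballed in regedit. The script below is an added example, not part of the lab: it creates the Enrollment Service key if it is missing, writes the three REG_SZ values with exactly the names and data used above, reads them back and fails on any mismatch, then restarts the VMware Horizon View Enrollment Server service. It assumes an elevated PowerShell session on the Enrollment Server (TrueSSO-01b in this lab); the $values table is the example's own.

```powershell
# Added example (not part of the lab): create the Enrollment Service key and the three
# string values from the manual steps, verify them, and restart the Enrollment Server service.
# Assumption: elevated PowerShell on the Enrollment Server (TrueSSO-01b in the lab).
$keyPath = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service'

# The values the lab sets: prefer the local CA and authenticate to it with NTLM, not Kerberos
$values = [ordered]@{
    PreferLocalCa                 = '1'
    UseKerberosAuthenticationToCa = 'false'
    UseNTLMAuthenticationToCa     = 'true'
}

if (-not (Test-Path -LiteralPath $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
    Write-Host "Created key $keyPath"
}

foreach ($name in $values.Keys) {
    # REG_SZ, matching the "String Value" type used in the manual steps; -Force overwrites an existing value
    New-ItemProperty -LiteralPath $keyPath -Name $name -Value $values[$name] -PropertyType String -Force | Out-Null
}

# Read everything back and fail loudly on any mismatch
$actual = Get-ItemProperty -LiteralPath $keyPath
foreach ($name in $values.Keys) {
    $got = $actual.$name
    if ($got -ne $values[$name]) { throw "$name is '$got', expected '$($values[$name])'" }
    Write-Host ("{0,-32} = {1}" -f $name, $got)
}

# The Enrollment Server only reads these values at start-up
Restart-Service -DisplayName 'VMware Horizon View Enrollment Server' -Force
Write-Host "Enrollment Server service restarted"
```

Because the values are read back before the restart, a typo in a value name (the kind regedit will happily accept) is caught here instead of showing up later as a failed vdmUtil --list check.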
- On your TrueSSO-01b server
  - from the Start button, select Run, type services.msc and select OK
  - in the Services list, scroll down until you find the VMware Horizon View Enrollment Server service
  - select and right-click the VMware Horizon View Enrollment Server service and select Restart
  - close the Services mmc
- On your ControlCenter server, switch to your HORIZON-01a.RDP session
- Select and right-click the Start button and select Command Prompt (Admin)
- In the Administrator: Command Prompt, enter the following:
cd "\Program Files\VMware\VMware View\Server\tools\bin"
- In the Administrator: Command Prompt, type the following. This adds the enrollment server to the global list:
vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --environment --add --enrollmentServer TrueSSO-01b.corpPriv.sec
- Wait 2 min before running the next command
- In the Administrator: Command Prompt, type the following. The output shows the forest name, whether the certificate for the enrollment server is valid, the name and details of the certificate template you can use, and the common name of the certificate authority:
vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --environment --list --enrollmentServer TrueSSO-01b.corpPriv.sec --domain corpPriv.sec
- To create a True SSO connector, which holds the configuration information, and enable the connector, enter the following command:
vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --create --connector --domain corpPriv.sec --template TrueSSOTemplate --primaryEnrollmentServer truesso-01b.corpPriv.sec --certificateServer corpPriv-TRUESSO-01B-CA --mode enabled
- In the Workspace ONE Access console
  - select the Resources tab
  - in the side menu, select Virtual Apps Collections
- In the Virtual Apps Collections window, next to CorpPrivSEC, select the radio button and select EDIT
- In the Edit Horizon Collection wizard, select Pod and Federation
- In the Pod and Federation window, select Horizon-01a.techseals.co
- In the Edit Pod window
  - scroll down
  - below True SSO, move the radio button from Disabled to Enabled
  - to close the Edit Pod window, select SAVE
- In the Pod and Federation window, select NEXT
- On the 3 Configuration page, select NEXT
- On the 4 Summary page, select SAVE
- On your ControlCenter server
  - open a new Incognito window
  - in the address bar, enter your custom Access URL
- In the Workspace ONE login
  - below the Select your Domain area, select corpPriv.sec and select Next
  - under username, enter clint
  - under password, enter Pa$$w0rd
  - select Sign In
- In the web-based Intelligent Hub
  - select the Apps tab
  - under the Apps tab, select the W11_CorpPriv entitlement
- In the W11_CorpPriv window, select Launch
- In the Open VMware Horizon Client? window, select Open VMware Horizon Client
- On your Horizon web client, note that you had a single sign-on experience
- When done, select Logoff Desktop
- In the Disconnect and log off desktop? window, select OK