Installing and Configuring Horizon TRUESSO
Overview
Traditionally, when authenticating to Workspace ONE Access with a third-party authentication method, the user will by default not have a single sign-on experience when launching any VMware Horizon based resource through Workspace ONE Access.
Traditionally, when using a password based authentication method, Workspace ONE Access would cache the original authentication and pass it on to the broker when required.
Single sign-on was therefore only an issue when using a third-party authentication method. To solve this problem we deploy what is known as the Horizon Enrollment services to facilitate a single sign-on experience. We integrate with Microsoft Certificate Services to provide a solution to this challenge, and we refer to the solution as Horizon TRUE SSO.
Since December 2019
Caching of passwords for Horizon has been disabled, and a user will always have to re-authenticate when they select their entitlement. While the session is open we can choose to cache the user's credentials, provided the authentication method is password based.
To continue offering users a seamless single sign-on experience, Enrollment services has now become a critical service in the integration with Workspace ONE Access.
In this lab scenario the third-party authentication method we use to log in to Workspace ONE Access will be certificate based authentication.
We will start off by doing the following:
- Deploy a User Certificate on the Windows 10 Desktop
- Configure Workspace ONE Access for Certificate based Authentication
- Log into a Windows 10 Desktop and demonstrate the limitation
- Deploy and configure TRUE SSO
- Deploy and configure Horizon Enrollment services
- Integrate and configure Active Directory Certificate services with Horizon Enrollment services
- Log into a Windows 10 Desktop and demonstrate the solution
Part 1. Deploying a User Certificate on a Windows 10 Desktop
- Log in to your ControlCenter2 server as [email protected] with the password VMware1!
- On the ControlCenter2 server desktop, open the Remote Desktop folder and launch the W10Client01.RDP shortcut. In the login window, select More choices, then select Use a different account. Log in as [email protected] with the password VMware1!
- Select OK
- On the W10Client01 desktop, select and right-click the Start Button, select Run, type MMC, select OK
- In the Console window select File > Add/Remove Snap-in..
- In the Add or Remove Snap-ins window,
- Select Certificates
- Select Add
- Note! If you are logged on as Administrator and not User1 this will be different.
- We need to be logged in as User1.
- Select OK
- In the Certificates Console, expand Certificates > Personal
- Right-click Personal, select All Tasks, select Request New Certificate
- On the Certificate Enrollment page select Next
- On the Certificate Enrollment window select Next
- On the Certificate Enrollment window select the check box next to User and select Enroll. On the Certificate Installation Results window select Finish
- Expand Certificates > Personal > Certificates. You will notice you now have a user based certificate deployed.
Part 2: Configure Workspace ONE Access for Certificate based Authentication
- On your ControlCenter2 server select and right-click the Start Button, select Run, type MMC, select OK
- In the Console window select File > Add/Remove Snap-in..
- In the Add or Remove Snap-ins window, select Certificates and select Add
- Select the Computer account radio button, select Next and select Finish
- Select OK to Close the Add or Remove Snap-ins window
- In the Certificates Console, expand Certificates > Trusted Root Certificate Authorities > Certificates
- Select the first of the two euc-livefire-CONTROLCENTER2-CA certificates, right-click it and select Open
- In the Certificate window select the Details tab, at the bottom of the Details area, select Copy to File..
- On Welcome window select Next
- On the Export File Format window select the radio button next to Base-64 encoded X.509 (.CER), select Next
- In the File to Export window select Browse
- In the Save As window select Downloads
- Next to the Filename box type Root.cer, select Save
- In the File to Export window select Next
- On the Completing the Certificate Export Wizard select Finish
- On The export was successful window select OK
- Click OK to close the Certificate window
- On your ControlCenter2 server, launch your browser and log in to your Workspace ONE Access SaaS tenant with your custom login credentials
- Select the Identity & Access Management tab; in the Manage area (default) select Authentication Methods
- Next to Certificate (Cloud Deployment) select the pencil icon
- On the Certificate (Cloud Deployment) window next to:
- Enable Certificate Adapter, select the checkbox
- Root and intermediate CA certificates, select Select File
- In the Open window
- Select Downloads
- Select the root.cer file
- Select Open
- On the Update Auth Adapter window select OK
- On the Certificate (Cloud Deployment) window select Save
- Notice your Certificate (Cloud Deployment) authentication method is now Enabled
- To the left of Authentication Methods select Identity Providers
- In Identity Providers window select Built-in
- In the Built-In window select the following next to:
- Under the Authentication Methods section next to Certificate (Cloud Deployment) select the checkbox
- At the bottom of the window select Save
- To the right of Authentication Methods select Policies
- In the Policies interface select the radio button next to the default_access_policy_set, select EDIT
- In the Edit Policy window select Configuration
- In the Configuration section select ALL RANGES next to Web Browser
- In the Web Browser policy select the following next to:
- then the user may authenticate using: select Certificate (Cloud Deployment)
- if the preceding method fails or is not applicable, then: select Password (cloud deployment)
- select + ADD FALLBACK METHOD
- In the added if the preceding method fails or is not applicable, then row, select Password (Local Directory)
- Select SAVE
- Select NEXT
- Select SAVE
Part 3: Log into a Windows 10 Desktop and demonstrate the limitation
- On the ControlCenter2 server desktop, open the Remote Desktop folder and launch the W10Client01.RDP shortcut. In the login window, select More choices, then select Use a different account. Log in as [email protected] with the password VMware1!
- Select OK
- Open a browser on your Windows 10 desktop and enter the custom URL of your Workspace ONE Access SaaS tenant
- On the Select your domain page, ensure euc-livefire.com is selected, select Next
- On the Select a certificate window note the account of the certificate and select OK
- On the Workspace ONE console select Apps
- In the Apps area select and right-click the W10PD1 Desktop icon and select Open in Browser
- Note that we are being prompted for authentication. We will now deploy TRUE SSO to solve this issue
Part 4. Installing a sub-ordinate CA on the TrueSSO server
1. On your ControlCenter2 server, if you have not done so already, open the Remote Desktop folder and launch the TrueSSO.RDP shortcut
2. On the Server Manager interface select Manage > Add Roles and Features
3. On the Before you begin window select Next
4. On the Select installation type window, ensure the radio button in front of Role-based or feature-based installation is selected, then select Next
5. On the Select destination server window (accept the defaults) select Next
6. On the Select server roles window, select the check box in front of Active Directory Certificate Services; when prompted with the Add Features window, select Add Features, then select Next
7. On the Select features window select Next
8. On the Active Directory Certificate Services window select Next
9. On the Select role services window select Next
10. On the Confirm installation selections window, select the checkbox next to Restart the destination server automatically if required; on the Add Roles and Features Wizard prompt select Yes and then select Install
11. On the Installation progress page, select the Configure Active Directory Certificate Services on the destination server hyperlink
12. On the Credentials window select Next
13. On the Role Services page, select the Certificate Authority checkbox
14. On the Specify the setup type of the CA window, select the radio button next to Enterprise CA and select Next
15. On the CA type window ensure the Subordinate CA radio button is selected, select Next
16. On the Private Key window, ensure the radio button next to Create a new private key is selected and select Next
17. On the Cryptography for CA window select the following:
- Under Cryptographic Provider: RSA#Microsoft Software Key Storage Provider
- Next to Key Length: 2048
- Hash Algorithm: SHA256
Select Next
18. On the CA Name window observe the CA naming convention and select Next
19. On the Specify the name of the CA window select Next
20. On the Request a certificate from parent CA window, select the radio button next to Send a certificate request to a parent CA:
- To the right of the Parent CA box click the Select button
- Select OK to accept the default and select Next
21. On the CA Database window, select Next
22. On the Confirmation window select Configure
23. On the Results window select Close; on the Installation progress window, select Close
Part 5: Deploying and Configuring Horizon TRUE SSO
In this section we will create a certificate template for Horizon TRUE SSO.
1. On your TrueSSO server select Start > Run > MMC and launch the Certificate Authority services snap-in; ensure you are connected to the euc-livefire-TRUESSO-CA certificate authority
2. Expand the euc-livefire-TRUESSO-CA inventory, select Certificate Templates, right-click and select Manage
3. In the Certificate Templates Console find and select the Smartcard Logon template
4. Right-click the Smartcard Logon template and select Duplicate Template
5. In the Properties of New Template window in the Compatibility tab under Certificate Authority change from Windows 2003 to Windows 2012 R2 and under Certificate recipient change Windows XP / Server 2003 to Windows 8.1 / Server 2012 R2 When prompted for the Resulting changes window select OK.
6. Select the General tab, Under Template display name: type TrueSSO Template, you will notice Template name gets filled in automatically. Under Validity period change the period from 1 years to 1 hours
- when prompted by the Certificate Templates Box select OK
- The Renewal period will automatically change from 6 weeks to 0 hours
7. Select the Request Handling tab change the following next to
- Purpose: change Signature and encryption to Signature and smartcard logon
- Select the checkbox in front of Allow private key to be exported
- Select the checkbox in front of For automatic renewal of smartcard certificates, use the existing key if a new key cannot be created
- Select the radio button in front of Prompt the user during enrollment
8. Select the Cryptography tab change the following next to
- Provider Category: Key Storage Provider
- Minimum key size: 2048
- Request hash: SHA256
9. Select the Server tab, select the checkbox in front of Do not store certificates and requests in the CA database
- You will notice that Do not include revocation information in issued certificates is selected automatically
- Uncheck the check box next to Do not include revocation information in issued certificates
10. Select the Issuance Requirements tab, configure the following:
- Select the checkbox This number of authorized signatures and change the value in the box to 1
- Under Policy type required in signature
- Select the Application policy dropdown
- Under Application Policy
- Select Certificate Request Agent dropdown
- Under the Require the following for reenrollment
- Select the Valid existing certificate radio button
11. On the Security tab in the Group or user names: area select Add
- To the right of the Select this object type: box select the Object types button and select the checkbox next to Computers, select OK
12. In the Enter the object names to select box type Truesso, select Check Names to the right, then select OK
13. For the Permissions for TRUESSO ensure that the Read and Enroll permission checkboxes are selected
- Select OK to close the TrueSSO Template Properties
14. Switch to the Certificate Authority Console select and right-click the Certificate Templates container, select New > Certificate Template to Issue
15. In the Enable Certificate Templates window, select your TrueSSO Template and select OK
16. Switch back to the Certificate Templates Console select and right-click the Enrollment Agent (computer) template and select Properties
17. In the Enrollment Agent Properties window select the Security tab
18. Select Add and add the TRUESSO computer account with Read and Enroll permissions. Select OK to close the Enrollment Agent properties
19. Switch back to the Certificate Authority Console select and right-click the Certificate Templates container, select New > Certificate Template to Issue
20. In the Enable Certificate Templates window select the Enrollment Agent (Computer) template and select OK
21. We will now configure the CA for non-persistent certificate processing:
- From the ControlCenter2 desktop, open the Remote Desktops folder and launch the TrueSSO.rdp shortcut
- On the TrueSSO server select and right-click the Start button and select Command Prompt (Admin)
22. In the Administrator: Command Prompt enter the following command
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
23. Configure CA to ignore offline CRL errors
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
24. Restart the CA service. From the command prompt run:
net stop certsvc
net start certsvc
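The same CA configuration from steps 21 to 24, as an added PowerShell example that is not part of the original lab: it applies both certutil flags on the TrueSSO server, reads each one back to confirm it took effect, then restarts certsvc. The flag names are the lab's own; the read-back assumes certutil -getreg prints the symbolic flag names that are set.

```powershell
# Added example (not from the original lab). Run from an elevated PowerShell
# prompt on the TrueSSO server (the subordinate CA).

$flags = @(
    # Registry setting, flag the lab sets, and what it is for
    @{ Key = 'DBFlags';     Flag = 'DBFLAGS_ENABLEVOLATILEREQUESTS'; Why = 'non-persistent (volatile) requests' },
    @{ Key = 'ca\CRLFlags'; Flag = 'CRLF_REVCHECK_IGNORE_OFFLINE';   Why = 'ignore offline CRL errors' }
)

foreach ($f in $flags) {
    Write-Host "Setting $($f.Key) += $($f.Flag) ($($f.Why))"
    certutil -setreg $f.Key "+$($f.Flag)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg $($f.Key) failed (exit $LASTEXITCODE)" }
}

# Read each setting back. Assumption: certutil -getreg lists the symbolic
# names of the flags that are set, so a text match is enough to confirm it.
foreach ($f in $flags) {
    $out = certutil -getreg $f.Key 2>&1 | Out-String
    if ($out -notmatch [regex]::Escape($f.Flag)) {
        throw "$($f.Flag) not present in $($f.Key) after -setreg"
    }
    Write-Host "Verified $($f.Flag) in $($f.Key)"
}

# Equivalent of 'net stop certsvc' followed by 'net start certsvc' in step 24.
Restart-Service -Name certsvc -Force
(Get-Service -Name certsvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "certsvc is $((Get-Service -Name certsvc).Status)"
```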
25. On the TrueSSO server desktop launch the Software shortcut and open the Horizon7 folder. Select and launch VMware-Horizon-Connection-Server-x86_64-7.11.0-15231595
26. On the Open File - Security Warning window select Run
27. On the Welcome window select Next
28. On the License agreement window select the radio button next to I accept the terms in the license agreement, select Next
29. On the Destination Folder window select Next
30. On the Installation Options window select Horizon 7 Enrollment Server and under Select an Authentication Mode for the Enrollment Server Instance ensure Horizon 7 is selected.
- Select Next
31. On the Firewall configuration window select Next
32. Select Install
33. On the Installer Completed Window select Finish
34. On the TrueSSO server select and right-click the Start Button, select Run, type MMC, select OK
35. In the Console window select File > Add/Remove Snap-in..
36. In the Add or Remove Snap-ins window, select Certificates and select Add
37. Select the Computer account radio button, select Next, select Finish, then select OK
38. Expand the Certificates console inventory and select and right-click the Personal container. Select All Tasks > Request New Certificate
39. On the Certificate Enrollment > Before you Begin window select Next
40. On the Select Certificate Enrollment Policy window select Next
41. On the Request Certificates window select the checkbox in front of Enrollment Agent (Computer) and select Enroll
42. On the Certificate Installation Results window, ensure the enrollment was successful and select Finish.
43. On your ControlCenter2 server, open up your Remote Desktop folder and RDP to CS1-PD1 with username euc-livefire\administrator and password VMware1!
44. On the CS1-PD1 desktop select and open your Cert Console.mmc
45. In the Certificates Console expand the inventory and browse down to VMware Horizon View Certificates > Certificates
46. Expand the console or scroll across the console and notice the GUID based certificate has a friendly name of vdm.ec
47. Select your GUID certificate with the friendly name of vdm.ec. Right-Click select All Tasks and select Export
48. On the Welcome window select Next
49. On the Export Private Key page select the radio button next to No, do not export the private key select Next
50. On the Export File Format window select the radio button next to Base-64 encoded X.509 select Next
51. In the File to Export window in the File name area type the following C:\software\Horizon7\enroll.cer and select Next
(Software is a shared folder which we will use to copy from on the TrueSSO server)
52. On the Completing the Certificate Export Wizard window select Finish. When prompted that The export was successful, select OK
53. On your ControlCenter2 server desktop open your Remote Desktop folder, select the TrueSSO RDP shortcut and log in to the TrueSSO server with username [email protected] and password VMware1!
54. Open your Certificate services Snap-in, select and right-click the last container in the inventory VMware Horizon View Enrollment Server Trusted Roots, select All Tasks > Import
55. On the Welcome window select Next
56. In the File to import window type the following \\cs1-pd1.euc-livefire.com\software\Horizon7\enroll.cer and select Next
57. In the Certificate Store window accept the defaults and select Next. On the Summary page select Finish. When prompted that The import was successful select OK
58. Right-click the imported certificate and select Properties. In the Friendly name: section type vdm.ec and select OK
59. On your ControlCenter2 server open up your browser, type in the custom URL of your Workspace ONE Access server and log in with your custom credentials.
- Select the Catalog tab > Virtual Apps Collection
60. Select the radio button next to Horizon and select EDIT next to NEW
61. In the Edit Horizon Collection window, select 2 Pod and Federation, under Horizon Connection Server select cs1-pd1.euc-livefire.com
62. In the Edit Pod window under True SSO, change the toggle from Disabled to Enabled
Select SAVE, select NEXT, select NEXT, select SAVE
63. Configure the enrollment service to give preference to the local certificate authority when they are co-located:
- On the TrueSSO server, select the Start button > RUN and type regedit.exe
- In the regedit inventory, browse to the following location:
- HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service
- (If there is no Enrollment Service key we need to create one. In our case we have to.)
- Create the Enrollment Service key
- Right-click VMware VDM > New > Key and type Enrollment Service as a name
- Add a new String Value
- Right-click the Enrollment Service key > New > String Value and type the name PreferLocalCaValue
- Right-click the String value and select modify and in the Value data: field enter 1
- Select OK to close the window. Then close RegEdit
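Step 63 as an added PowerShell example (not part of the original lab): it creates the Enrollment Service key and the PreferLocalCaValue string on the TrueSSO server, using the key path and value name given above, and reads the value back to confirm both its data and its REG_SZ type. It is safe to re-run.

```powershell
# Added example (not from the original lab). Run from an elevated PowerShell
# prompt on the TrueSSO server after the Enrollment Server is installed.

$keyPath   = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service'
$valueName = 'PreferLocalCaValue'   # value name as given in the lab
$expected  = '1'

# The lab notes the Enrollment Service key may not exist yet: create it only when missing.
if (-not (Test-Path -LiteralPath $keyPath)) {
    New-Item -Path $keyPath | Out-Null
    Write-Host "Created $keyPath"
}

# Create the String Value if absent, or correct it if it holds something else.
$current = Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $current) {
    New-ItemProperty -LiteralPath $keyPath -Name $valueName -PropertyType String -Value $expected | Out-Null
    Write-Host "Created $valueName"
} elseif ($current.$valueName -ne $expected) {
    Set-ItemProperty -LiteralPath $keyPath -Name $valueName -Value $expected
    Write-Host "Updated $valueName"
}

# Read back and check the data and the type (the lab specifies a String Value, i.e. REG_SZ).
$item = Get-Item -LiteralPath $keyPath
$kind = $item.GetValueKind($valueName)
$data = $item.GetValue($valueName)
if ($kind -ne 'String' -or $data -ne $expected) {
    throw "$valueName is $kind '$data'; expected String '$expected'"
}
Write-Host "$valueName = $data ($kind) under $keyPath"
```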
64. On your ControlCenter2 server open your Remote Desktops folder and launch an RDP session to CS1-PD1.
65. On CS1-PD1 select and right-click the Start button and select Command Prompt (Admin)
66. In the Administrator: Command Prompt type the following:
cd\
cd Program Files\VMware\VMware View\Server\tools\bin
67. In the Administrator: Command Prompt type the following:
This adds the enrollment server to the global list.
vdmUtil --authAs administrator --authDomain euc-livefire --authPassword VMware1! --truesso --environment --add --enrollmentServer TrueSSO.euc-livefire.com
68. Wait 3 to 5 minutes before running the next command
In the Administrator: Command Prompt type the following:
The output shows the forest name, whether the certificate for the enrollment server is valid, the name and details of the certificate template you can use, and the common name of the certificate authority.
vdmUtil --authAs administrator --authDomain euc-livefire --authPassword VMware1! --truesso --environment --list --enrollmentServer TrueSSO.euc-livefire.com --domain euc-livefire.com
69. Enter the command to create a True SSO connector, which will hold the configuration information, and enable the connector.
vdmUtil --authAs administrator --authDomain euc-livefire --authPassword VMware1! --truesso --create --connector --domain euc-livefire.com --template TrueSSOTemplate --primaryEnrollmentServer truesso.euc-livefire.com --certificateServer euc-livefire-TRUESSO-CA --mode enabled
70. Enter the command to discover which SAML authenticators are available
Authenticators are created when you configure SAML authentication between Workspace ONE Access and a connection server, using Horizon Administrator.
The output shows the name of the authenticator and shows whether True SSO is enabled
vdmUtil --authAs administrator --authDomain euc-livefire --authPassword VMware1! --truesso --list --authenticator
71. You will notice True SSO mode is Disabled. Enter the command to enable the authenticator to use True SSO mode
vdmUtil --authAs administrator --authDomain euc-livefire --authPassword VMware1! --truesso --authenticator --edit --name "Workspace ONE ACCESS" --truessoMode ENABLED
For --truessoMode, use ENABLED if you want True SSO to be used only if no password was supplied when the user logged in to VMware Identity Manager; in this case, if a password was used and cached, the system will use the password. Set --truessoMode to ALWAYS if you want True SSO to be used even if a password was supplied when the user logged in to VMware Identity Manager.
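The vdmUtil sequence from steps 66 to 71 as an added PowerShell example (not part of the original lab): it runs the same commands in the same order on CS1-PD1, prompts for the administrator password instead of leaving it in the command history, waits before listing the environment as step 68 requires, and stops at the first command that fails. The server, template, CA and authenticator names are the lab's own; the script assumes the tool is vdmUtil.exe in the lab's tools\bin path and returns a non-zero exit code on failure.

```powershell
# Added example (not from the original lab). Run from an elevated PowerShell
# prompt on CS1-PD1 (the Horizon Connection Server).

$ToolsDir   = 'C:\Program Files\VMware\VMware View\Server\tools\bin'
$AuthDomain = 'euc-livefire'
$AuthUser   = 'administrator'
$Enroll     = 'TrueSSO.euc-livefire.com'
$Domain     = 'euc-livefire.com'
$Template   = 'TrueSSOTemplate'
$CaName     = 'euc-livefire-TRUESSO-CA'
$AuthName   = 'Workspace ONE ACCESS'

# Prompt for the password rather than hard-coding it; vdmUtil needs it in
# plain text, so it is converted only for the duration of this script.
$secure = Read-Host -Prompt "Password for $AuthDomain\$AuthUser" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

function Invoke-VdmUtil {
    param([string]$Step, [string[]]$Arguments)
    Write-Host "== $Step"
    # Every command in the lab starts with the same authentication switches and --truesso.
    $common = @('--authAs', $AuthUser, '--authDomain', $AuthDomain, '--authPassword', $plain, '--truesso')
    & (Join-Path $ToolsDir 'vdmUtil.exe') @common @Arguments   # assumption: executable is vdmUtil.exe
    if ($LASTEXITCODE -ne 0) { throw "vdmUtil failed at '$Step' (exit $LASTEXITCODE)" }
}

# Step 67: add the enrollment server to the global list.
Invoke-VdmUtil 'Add enrollment server' @('--environment', '--add', '--enrollmentServer', $Enroll)

# Step 68: the lab waits 3 to 5 minutes before listing the environment.
Write-Host 'Waiting 5 minutes for the enrollment server to register...'
Start-Sleep -Seconds 300
Invoke-VdmUtil 'List environment (forest, enrollment cert, template, CA)' `
    @('--environment', '--list', '--enrollmentServer', $Enroll, '--domain', $Domain)

# Step 69: create the connector that holds the True SSO configuration and enable it.
Invoke-VdmUtil 'Create True SSO connector' `
    @('--create', '--connector', '--domain', $Domain, '--template', $Template,
      '--primaryEnrollmentServer', $Enroll, '--certificateServer', $CaName, '--mode', 'enabled')

# Steps 70 and 71: list the SAML authenticators, then switch the lab's one to ENABLED.
Invoke-VdmUtil 'List SAML authenticators' @('--list', '--authenticator')
Invoke-VdmUtil "Enable True SSO on '$AuthName'" `
    @('--authenticator', '--edit', '--name', $AuthName, '--truessoMode', 'ENABLED')

# Drop the plain-text copy of the password once the run is complete.
$plain = $null
```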
Part 6: Testing to see if TrueSSO works
1. On your ControlCenter2 server, open your Remote Desktops folder and launch the W10Client01.RDP shortcut.
2. In the Windows Security window select More Choices
3. Under More choices select Use a different account
4. Log in as User1 with password VMware1! and select OK
5. Open your browser, enter the URL of your Workspace ONE Access tenant and press Enter; on the Domain page ensure euc-livefire.com is selected and select Next
6. On the Select a certificate window, select OK
7. Select Apps tab in the Console
8. Then select the 3 dots to the bottom right of your W10-PD1 Desktop entitlement and select Open in Client. When prompted select Open VMware Horizon Client 32-bit
9. When logging in select the Allow button