MyLab: VMware Horizon True SSO

An Enterprise Certificate Authority must be reachable from the environment. Certificates are central to True SSO: it works by issuing short-lived certificates on the user's behalf. True SSO requires the following servers and services:

  • A deployed and configured Workspace ONE Access appliance
  • A configured Workspace ONE Access connector with the VMware Virtual App Sync service configured
  • A synced Virtual Apps Collection in Workspace ONE Access
  • An Enterprise Certificate Authority
  • Smart Cards authentication configured in Active Directory
  • VMware Horizon Connection Server
  • VMware Horizon Enrollment Server
  • VMware Workspace ONE Access appliance
  • VMware Workspace ONE Access Connector

Familiarity with the command line is helpful, but not required.

Configure the Enterprise Certificate Authority

I was able to get True SSO working without this step, but for completeness' sake, I am going to include it here.

Configure the CA for non-persistent certificate processing.

certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS

(Optional) Ignore offline Certificate Revocation List (CRL) errors.

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

Restart the Certificate Authority service.

sc stop certsvc
sc start certsvc

Create Certificate Templates for True SSO Use

ref: https://docs.vmware.com/en/VMware-Horizon/2306/horizon-console-administration/GUID-0341205C-07E2-4285-9538-F7992EDF5341.html

Create a Security Group (VMware Horizon Enrollment Servers) and add the enrollment server objects. This security group will be added to the permissions of the two certificate templates configured, here.

On the certificate authority computer that issues certificates, open the Certification Authority (certsrv.msc) Microsoft Management Console (MMC) snap-in.

Expand the Certification Authority (Local) tree to find Certificate Templates. Right-click it and select Manage.

Smartcard Logon Template

Duplicate the Smartcard Logon template.

Important: If someone else is duplicating the template, be sure they set the Compatibility and General settings before saving the template.

Compatibility Tab

Set the Certification Authority and Certificate recipient settings.

General Tab

Change the Template display name accordingly. Set the Validity period and Renewal period.

VMware recommends, “Change the validity period to a period that is as long as a typical working day; that is, as long as the user is likely to remain logged into the system.” and “Change the renewal period to 50%-75% of the validity period.”

Request Handling Tab

Change the purpose to Signature and smartcard logon and check the box For automatic renewal of smart card…

Cryptography Tab

Note: If the Provider Category is greyed out, duplicate a new Smartcard Logon template and be sure to set the Compatibility.

Change the Provider Category to Key Storage Provider and set the Algorithm name to RSA.

Server Tab

Select Do not store certificates and requests in the CA database and deselect Do not include revocation information in issued certificates (this box gets selected automatically).

Issuance Requirements Tab

Select This number of authorized signatures and type 1 in the box. For Policy type, select Application policy and set the policy to Certificate Request Agent. Finally, select Valid existing certificate for Require the following for reenrollment.

Security Tab

Add the security group containing the Horizon Enrollment Server objects and select the Read and Enroll permissions.

Select Apply and OK to save and close the certificate template.


Enrollment Agent (Computer) Template

Add the security group containing the Horizon Enrollment Server objects and select the Read and Enroll permissions.


Select Certificates to Issue

Back on the Certification Authority window, right-click Certificate Templates, select New, and select Certificate Template to Issue.

Select the Enrollment Agent (Computer) template to issue.

Repeat the steps above to issue the True SSO certificate template.

A view of the Certificate Authority with the two additional templates.


Install and Set Up an Enrollment Server

ref: https://docs.vmware.com/en/VMware-Horizon/2306/horizon-console-administration/GUID-63B1EA25-FBED-465B-B695-7C1982CE860A.html

Log into a Windows Server and open the Certificates – Local Computer MMC (certlm.msc).

Right-click the white space or the Personal > Certificates folder, select All Tasks and then Request New Certificate…

Select the Enrollment Agent (Computer) certificate and select Enroll.

Verify the certificate is in the list.


Install the VMware Horizon Enrollment Server

Run the installer and choose Horizon Enrollment Server.

I chose to deselect Show the documentation.

You can verify the VMware Horizon Connection Server exists in Apps & features.


Export the Enrollment Server Client Certificate

From a Horizon Connection Server, open the Certificates – Local Computer (certlm.msc) MMC. Navigate through the tree to VMware Horizon View Certificates > Certificates.

Look for the certificate with the Friendly Name vdm.ec. Right-click the certificate and export it.

In the Certificate Export wizard, accept the defaults, including leaving the No, do not export the private key radio button selected.

Either the DER encoded binary X.509 (.CER) or the Base-64 encoded X.509 (.CER) formats can be used. I prefer to use the Base-64 encoded X.509 (.CER) format.

Save the certificate in a location that is easily accessible.

Review the Certificate Export Wizard settings and click Finish.


Import the Enrollment Service Client Certificate on the Enrollment Server

On the Horizon Enrollment Server, open the Certificates – Local Computer (certlm.msc) MMC. Navigate through the tree to VMware Horizon View Enrollment Server Trusted Roots > Certificates. Right-click on Certificates, select All Tasks, then Import…

Follow the prompts to import the certificate that was just exported from the previous task.

After clicking on Finish, a pop-up should show that the import was successful.

The certificate is imported. Notice there is no Friendly Name assigned to the certificate.

Right-click the certificate and choose Properties. Add vdm.ec to the Friendly name.

Now the certificate has a Friendly Name assigned.
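The following PowerShell script is an added example, not part of the original post. Run it on the Enrollment Server to confirm that the certificate imported into the trusted-roots store is the same one exported from the Connection Server (matched by thumbprint, not by subject) and that its Friendly Name is vdm.ec. It assumes the export was saved to the placeholder path $exportPath and that the store's name in certlm.msc contains "Enrollment Server Trusted Roots".

```powershell
# Added example (not from the original post). Verifies the vdm.ec import on the
# Enrollment Server. Assumptions: $exportPath is where the .cer export was saved;
# the target store is found by a name match on "Enrollment Server Trusted Roots".
$exportPath = 'C:\Temp\vdm.ec.cer'   # placeholder: path to the exported .cer file

# Load the exported certificate. DER and Base-64 .CER files both load here.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $exportPath
Write-Host "Exported vdm.ec thumbprint: $($exported.Thumbprint)"

# Locate the Horizon Enrollment Server trusted-roots store in the machine context.
$store = Get-ChildItem Cert:\LocalMachine |
    Where-Object { $_.Name -like '*Enrollment Server Trusted Roots*' } |
    Select-Object -First 1
if (-not $store) {
    throw 'Enrollment Server trusted-roots store not found. Is the Enrollment Server installed?'
}

# Match on thumbprint so we know it is the certificate that was actually exported,
# not just any certificate with a similar subject.
$imported = Get-ChildItem "Cert:\LocalMachine\$($store.Name)" |
    Where-Object { $_.Thumbprint -eq $exported.Thumbprint } |
    Select-Object -First 1
if (-not $imported) {
    throw "Thumbprint $($exported.Thumbprint) is not in '$($store.Name)'. Repeat the import."
}

# The post sets the Friendly Name by hand; check it took, and set it if it did not.
# Writing FriendlyName on a store-backed certificate persists it (run elevated).
if ($imported.FriendlyName -ne 'vdm.ec') {
    Write-Warning "Friendly Name is '$($imported.FriendlyName)'; setting it to vdm.ec"
    $imported.FriendlyName = 'vdm.ec'
}

$imported | Select-Object Subject, NotAfter, FriendlyName, Thumbprint
```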


Configure SAML Authentication on Horizon Console to Work with True SSO

ref: https://docs.vmware.com/en/VMware-Horizon/2306/horizon-console-administration/GUID-9522ACDA-91A1-4666-BCA5-FC48777746C5.html

Note: I recommend using trusted certificates from an Enterprise Certification Authority (CA). Make sure the Workspace ONE Access appliance has trusted certificates before configuring the following.

Log in to the Horizon Console and verify Single Sign-On (SSO) is Enabled in Global Settings.

In Horizon Console, under Settings > Servers, select the Connection Servers tab.

Select a Connection Server instance, and select Edit. When the Edit Connection Server Settings window opens, select the Authentication tab.

On the Authentication tab, from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu, select Allowed or Required. I select Allowed while I am initially configuring.

Click Manage SAML Authenticators. When the window opens, click Add. Configure the SAML Authenticator settings with your Workspace ONE Access instance settings.

<YOUR HORIZON SERVER NAME> is actually the fully qualified domain name (FQDN) of the Workspace ONE Access appliance.

The Administration URL is the Workspace ONE Access appliance FQDN, with the port number (:8443) appended to the end.

Note: Because I am using an Enterprise CA in my lab with the trust chain configured, I do not get any prompts to trust certificates. If you are using self-signed certificates, you will likely get a security prompt at this point to trust the self-signed certificate.

After clicking OK, the SAML Authenticator should be listed.

The configuration health can be viewed by navigating to System Health > View (at the bottom of the System Health view) > Other Components (0) > SAML 2.0.

Note: These next steps require a configured Workspace ONE Access appliance, connector, directory, and Virtual Apps Collection.

Log in to the VMware Workspace ONE Access console, navigate to Resources > Virtual Apps Collections, and select the collection to edit.

Select Pod and Federation and then select the Horizon Connection Server instance to configure by clicking on the link.

Enable the True SSO setting and click Save.

On the Configuration page, select Next and on the Summary page, select Save.


Configure Horizon Connection Server for True SSO

Verify you have the fully qualified domain name (FQDN) for the following servers:

  • Connection Server
  • Enrollment Server
  • Enterprise Certificate Authority (CA)

The following commands use the vdmUtil command-line interface. In a default installation, this utility is located at:

C:\Program Files\VMware\VMware View\Server\tools\bin\vdmutil.cmd

Most of the commands will require the same information. I find it easier to create a text document before starting and get all the statements worked out, first.

--authAs : Specifies the name of the user to authenticate to the broker as

--authDomain : Specifies the domain name of the user to authenticate to the broker as

--authPassword : Specifies the password for the user to authenticate to the broker as

--enrollmentServer : FQDN of the Enrollment Server

Add an Enrollment Server

On a Horizon Connection Server, open a Command Prompt (cmd.exe) and enter the following command to add an enrollment server.

vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server-fqdn
Example:
"C:\Program Files\VMware\VMware View\Server\tools\bin\vdmutil.cmd" --authAs svc.horizon --authDomain aaronrombaut.com --authPassword VMware1!VMware1! --truesso --environment --add --enrollmentServer hzne-92-31.aaronrombaut.com

List Information for the Enrollment Server

The following command lists information for the enrollment server.

vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn
Example:
"C:\Program Files\VMware\VMware View\Server\tools\bin\vdmutil.cmd" --authAs svc.horizon --authDomain aaronrombaut.com --authPassword VMware1!VMware1! --truesso --environment --list --enrollmentServer hzne-92-31.aaronrombaut.com --domain aaronrombaut.com

Create a True SSO Connector

The following command creates a True SSO connector. For the --template switch, use the template name reported by the previous command; in this example, it is TrueSSO. For the --certificateServer switch, also use the information from the previous command: the common name of the Certificate Authority (CA) that issues the template.

vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --certificateServer ca-common-name --mode enabled
Example:
"C:\Program Files\VMware\VMware View\Server\tools\bin\vdmutil.cmd" --authAs svc.horizon --authDomain aaronrombaut.com --authPassword VMware1!VMware1! --truesso --create --connector --domain aaronrombaut.com --template TrueSSO --primaryEnrollmentServer hzne-92-31.aaronrombaut.com --certificateServer aaronrombaut-ICA-92-13-CA --mode enabled

Discover Available SAML Authenticators

The following command shows the name of the authenticator and shows whether True SSO is enabled.

vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --list --authenticator
Example:
vdmUtil --authAs svc.horizon --authDomain aaronrombaut.com --authPassword VMware1!VMware1! --truesso --list --authenticator

Enable the Authenticator to use True SSO

This step is not necessary if the True SSO mode above is set to ENABLED (ENABLE_IF_NO_PASSWORD) or ALWAYS (ENABLE_ALWAYS).

vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-fqdn --truessoMode {ENABLED|ALWAYS}
Example:
vdmUtil --authAs svc.horizon --authDomain aaronrombaut.com --authPassword VMware1!VMware1! --truesso --authenticator --edit --name "Workspace ONE Access" --truessoMode ENABLED
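As an added example (not from the original post), the five vdmUtil statements above can be kept in one PowerShell script so the shared values are defined once, as the text document idea suggests. The admin password is read at run time with Read-Host instead of being stored in the script, and the FQDNs, template and CA names are the lab values from the post, to be replaced with your own.

```powershell
# Added example (not from the original post). Runs the True SSO vdmUtil steps
# with the shared values defined once. Assumptions: the default vdmutil.cmd path;
# the lab names below are placeholders to replace with your own environment.
$vdmUtil = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmutil.cmd'

$authAs        = 'svc.horizon'                  # admin-role user
$authDomain    = 'aaronrombaut.com'             # domain of the admin user
$domain        = 'aaronrombaut.com'             # domain-fqdn for the connector
$enrollServer  = 'hzne-92-31.aaronrombaut.com'  # Enrollment Server FQDN
$template      = 'TrueSSO'                      # template name from the --list output
$caName        = 'aaronrombaut-ICA-92-13-CA'    # CA common name from the --list output
$authenticator = 'Workspace ONE Access'         # SAML authenticator name

# Prompt for the password so it is not stored in the script or the shell history.
# It is still passed to vdmUtil on its command line, as the tool requires.
$secure = Read-Host -Prompt "Password for $authDomain\$authAs" -AsSecureString
$cred   = New-Object System.Management.Automation.PSCredential ($authAs, $secure)
$pw     = $cred.GetNetworkCredential().Password

# Common authentication prefix shared by every vdmUtil call in the post.
$auth = @('--authAs', $authAs, '--authDomain', $authDomain, '--authPassword', $pw)

# 1. Add the enrollment server.
& $vdmUtil @auth --truesso --environment --add --enrollmentServer $enrollServer

# 2. List the templates and CAs visible to the enrollment server; --template and
#    --certificateServer in step 3 come from this output.
& $vdmUtil @auth --truesso --environment --list --enrollmentServer $enrollServer --domain $domain

# 3. Create the True SSO connector.
& $vdmUtil @auth --truesso --create --connector --domain $domain --template $template `
    --primaryEnrollmentServer $enrollServer --certificateServer $caName --mode enabled

# 4. Show the authenticators and whether True SSO is enabled on each.
& $vdmUtil @auth --truesso --list --authenticator

# 5. Enable True SSO on the authenticator if the mode listed above is not already
#    ENABLED or ALWAYS.
& $vdmUtil @auth --truesso --authenticator --edit --name $authenticator --truessoMode ENABLED

# Discard the plaintext copy of the password once the calls are done.
Remove-Variable pw, auth
```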
