End User Computing

11. Ensuring Seamless Single Sign-ON Integration with Horizon and Omnissa Access

Enabling Single Sign-ON for users Authenticating with an Identity Provider

Traditionally when authenticating to Omnissa Access using a 3rd party authentication method, the user we will by default, not have a Single-Sign On experience when trying to launch any Horizon based resource through Omnissa Access.

Traditionally when using a password based authentication method Omnissa Access would cache the original authentication against Access and then pass this on when required to the Broker.

Traditionally Single-Sign On would only be an issue when using a 3rd Party authentication method. To solve this problem we would deploy what is known as the Horizon Enrollment services to facilitate a single-sign on experience. We integrate with Microsoft Certificate Services to provide a solution to this challenge and we refer to the solution as Horizon TRUE SSO

Since December 2019

When connecting to Horizon Resources via Omnissa Access. Caching of Passwords for Horizon has been disabled by default for SAAS, and a user will have to re-authenticate when they select their entitlement. Whilst the session is open we can choose to Cache the users credentials provided the Authentication method is password based.

To continue offering users a seamless single-sign On experience, Enrollment services has now become a critical service with the integration with Omnissa Access

In this lab scenario the 3rd party authentication method we use to login into Omnissa Access will be a certificate based method of authentication.

We will start off by doing the following:

Deploying a User Certificate to a Windows Desktop
Configure Omnissa Access for Certificate based Authentication
Log into a Windows 11 Desktop and demonstrate the limitation
Deploy and configure TRUE SSO
- Deploy and configure Horizon Enrollment services
- Integrate and configure Active Directory Certificate services with Horizon Enrollment services
Log into a Windows 11 Desktop and demonstrate the solution

Part 1. Getting Started deploying Omnissa Access

Section 1: logging into Omnissa Access in your lab environment

On your ControlCenter server
- launch your site 1 browser.
- In the address bar
  - enter your assigned Omnissa Access URL

In the Omnissa Access login window
- In the Username area
  - enter administrator
- in the Password area
  - enter Pa$$w0rd
    - select Sign in

In the Web Intelligent Hub
- top-right corner
  - select the AT icon
- from the dropdown
  - select Access Console

Section 2: Omnissa ONE Access , Connector pairing pre-requisites

In the Omnissa Access Console
- select Integrations
  - under Integrations
    - select Connectors
    - In the Connectors area
      - select NEW

In the Virtual Apps Usage Confirmation window
- select OK
- In the Confirm Connector selection window
  - select CONFIRM

In the Add New Connector wizard
- Download Installer area
  - select NEXT

In the Add New Connector window
- 2. Download Configuration File area
  - next to Password:
    - enter Pa$$w0rdPa$$w0rd
  - next to Reenter Password:
    - enter Pa$$w0rdPa$$w0rd
  - select DOWNLOAD CONFIGURATION FILE
    - note an es-config.json file gets downloaded
- In the top right corner of your browser.
  - select the Download icon
    - note the name of your download file
- In the Add New Connector window
  - 2. Download Configuration File area
    - select NEXT

In the Add New Connector window
1. Summary window
  - select CLOSE

On your ControlCenter server browser
- in your site 1 browser
  - select the Download icon
    - select Show in folder icon

In the File Explorer window
- select and right-click the es-config.json file
  - select Copy
  - In the left pane
    - select Desktop

In the File Explorer window
- Desktop area
  - select the Software shortcut
  - in the Software folder
    - open the ACCESS folder

In the File Explorer window
- ACCESS folder
  - Paste your es-config.json file
- Close your File Explorer window

Section 3: Installing and Configuring the Omnissa Access connector

On your ControlCenter server
- on the Desktop.
  - open the Remote Desktops\Site1 folders
  - select and launch the WS1-Connector.RDP shortcut

On your WS1-Connector server
- open the Software Folder
  - select the ACCESS Folder
    - select and Launch
      - Workspace-ONE-Access-Connector-Installer-24.12.0.0.exe

In the Open File - Security Warning window

On your WS1-Connector server
- on the Open File - Security Warning windows
  - select Run

On the Access Connector - InstallShield Wizard
- Licence Agreement window
  - select the radio button next to:-
    - I accept the terms in the license agreement
  - select Next

On the Access Connector - InstallShield Wizard
- Service Selection window
  - Select Next

On the Omnissa Access Connector - InstallShield Wizard
- Specify Configuration File window
  - In the box in front of Browse...
    - validate the path
      - \\horizon-01a\software\ACCESS\es-config.json
  - next to Password:
    - type Pa$$w0rdPa$$w0rd
- select Next

In the Omnissa Access Connector - InstallShield Wizard
- keep Default
  - select Next

In the Omnissa Access Connector - InstallShield Wizard
- Specify Service Account window
  - under User name: type
    - techseals\WS1Access
  - under Password:
    - type Omnissa1!
- select Next

In the Omnissa Access Connector - InstallShield Wizard
- Ready to Install window
  - select Install

The Installation of the Omnissa Access Connector will take about 5 minutes to complete.

In the Omnissa Access Connector - InstallShield Wizard
- Installation Wizard Completed window
  - Select Finish

Section 4: Configuring Directory Sync with Omnissa Access connector

First we will configure the Attributes.

Note! Every organisation will need to research their requirements when deciding whether or not to set attributes to required.

In the Omnissa Access Admin console
- select Settings
  - select User Attributes

In the User Attributes console
- In the right area under Custom Attributes
  - Select ⊕ ADD ROW 3 times

In the User Attributes console
- Under Name
  - Add the following additional attributes
    - note this is case sensitive :

objectGuid
sid
netBios

In the User Attributes console
- in the top-left corner
  - under User Attributes
    - select SAVE

In the Omnissa Access admin console.
- select Integrations,
  - under the Integrations tab
    - select Directories

In the Directories area
- to the right
  - select Add Directory
- In the Add Directory dropdown
  - select Active Directory

In the Add Active Directory section
- under Directory Information
  - next to 1. Directory Name
    - type TechSeals
  - ensure the Active Directory over LDAP radio button is selected
    - select NEXT

In the Configure Directory section,
- leave the Directory Sync and Authentication as default
  - scroll down to the Bind User Details area
    - enter the following next to :
      - Base DN: dc=techseals,dc=co
      - Bind DN: cn=administrator,ou=corp,dc=techseals,dc=co
      - Bind DN Password: Pa$$w0rd
  - select SAVE

In the Select the Domains section
- next to Domains
  - in front of techseals.co
    - select the checkbox
  - select SAVE

On the Map User Attribute section
- map the following attributes :
  - what you enter here is case sensitive
    - scroll down next to:-
      - netbios:
        
        select custom input
        
        enter msDS-PrincipalName
      - objectGuid:
        
        from the dropdown
        
        select objectGUID
      - sid:
        
        select custom input
        
        enter objectSid
    - in the bottom left corner
      - select SAVE

Note: userPrincipalName is a required attribute for Horizon, it is enabled by default

On the Select the Groups you want to sync section
- select +ADD
- under Create Group
  - enter dc=techseals,dc=co
- select ADD

On the Select the Groups you want to sync section
- next to Select All
  - select the check box
- select SAVE.

In the Select Users you would like to sync section
- under Specify the user DNs
  - edit the existing syntax so that it reads
    - ou=corp,dc=techseals,dc=co
- under Verify
  - select TEST
- select SAVE

In the Sync Frequency area
- next to Sync Frequency
  - from the dropdown
    - select to Every hour
- select SAVE & SYNC

On the Directories window
- Refresh your browser window
  - note the Synced Groups and Synced Users

In your Omnissa Access admin console
- select the Settings tab
  - In the Settings area
    - select Login Preferences
    - under Login Preferences
      - select EDIT

In the Login Preferences area
- In line with:
  - Sync Group Members to the Directory When Adding Group
    - select the Checkbox

In the Login Preferences area
- in the bottom right
  - select SAVE

In the Omnissa Access console
- select Integrations
  - select Directories

In the Directories area
- next to Techseals
  - select the radio button
    - select the Techseals

In the Directories > Techseals area
- In the right corner
  - next to SYNC
    - select the dropdown
      - select Sync without Safeguards

Part 2. Deploying a User Certificate on a Windows Desktop

Note, this process is purely here to facilitate a 3rd Party auth method for TrueSSO in a Proof of Concept environment. There are more secure approaches to delivering Certificates for Certificate Authentication, one being Workspace ONE UEM.

On your ControlCenter server
- on server Desktop,
  - open the Remote Desktops > Site 1 folder
  - In the Site 1 folder
    - launch the W11Client-01a.RDP shortcut
  - If necessary
    - in the Windows Security window
      - login as techseals\craig
        
        In the password area
        
        enter Pa$$w0rd

On the W11Client-01a
- select and right-click the Start Button,
  - select Run,
  - In the Run window
    - enter mmc,
      - select OK

In the Console1 window
- select File > Add/Remove Snap-in..

In the Add or Remove Snap-ins window,
- select Certificates
  - select Add
- select OK

In the Console1 window
- expand Certificates > Personal
  - select & Right-click Personal,
    - from the dropMenu
      - select All Tasks > Request New Certificate
  - on the Certificate Enrollment page
    - select Next

On the Certificate Enrollment window
- select Next

On the Certificate Enrollment window
- next to User
  - select the check box
- to the right of User
  - next to Details
    - select the Dropdown
  - from the Dropdown
    - select Properties

In the Certificate Properties window
- select the Certification Authority tab

In the Certificate Properties window
- next to techseals-TRUESSO-02A-CA
  - uncheck the checkbox
    - to close the window
      - select OK

On the Certificate Enrollment window
- Request Certificates window
  - select Enroll .

On the Certificate Enrollment window
- Certificate Installation Results
  - select Finish

On the Console1 window
- Expand Certificates > Personal > Certificates.
  - You will notice you now have a user based certificate deployed.

Part 3. Configure Omnissa Access for Certificate based Authentication

There are two sections to Part 2

Section 1. Exporting a "Demo Certificate" for Certificate Authentication

On your ControlCenter server
- select and right-click the Start Button,
  - select Run,
  - in the Run window
    - type mmc,
      - select OK

In the Console1 window
- select File > Add/Remove Snap-in..

In the Add or Remove Snap-ins window,
- select Certificates
  - select Add

In the Certificate snap-in window
- next to Computer account
  - select the radio button
    - select Next

In the Select Computer window
- select Finish

In the Add or Remove Snap-ins window
- to close the window
  - select OK

In the Certificates Console,
- expand Certificates > Trusted Root Certificate Authorities > Certificates

In the Certificates area
- in the right section
  - select the first of a set of 2 certificates
    - techseals-CONTROLCENTER-CA
    - select, right-click
      - select Open

In the Certificate window
- select the Details tab,
  - at the bottom of the Details area,
    - select Copy to File..

On Welcome window
- select Next

On the Export File Format window
- next to Base-64 encoded X.509 (.CER),
  - select the radio button
    - select Next

In the File to Export window
- select Browse
  - In the Save As window
    - under Quick access
      - select Downloads
    - next to the Filename box
      - type Root.cer,
  - select Save

In the File to Export window
- select Next

On the Completing the Certificate Export Wizard
- select Finish
- on The export was successful window
  - select OK
- to close the Certificate window
  - select OK

Section 2 : Configuring Omnissa Access for Certificate Authentication

On your ControlCenter server
- switch to your Omnissa Access tenant
  - If necessary, login with
    - Username
      - enter administrator
    - Password
      - enter Pa$$w0rd
        
        select SIGN IN

In the Web Intelligent Hub
- top-right corner
  - select the AT icon
- from the dropdown
  - select Access Console

In the Access admin console
- navigate to the Integrations tab
  - Authentication Methods. is the default area
    - next to Certificate (Cloud Deployment)
      - select the radio button
        
        select CONFIGURE

In the Certificate (cloud deployment) page
- below Enable Certificate Adapter
  - move the Toggle from No to Yes
- below Root and Intermediate CA Certificates
  - click on SELECT FILE for the
    - In the Open window
      - in the Quick Access bar
        
        select Downloads
        
        select the root.cer certificate file
    - select Open
- in the Update Authentication Adapter window
  - select YES

In the Certificate (cloud deployment) page
- Keep the remaining settings as default
  - at the bottom of the page
    - select Save

In the Omnissa Access console
- under the Integrations tab
  - in the Menu pane
    - select Identity Providers
  - in the Identity Providers area
    - select. IDP_for_TechSEALs

In the Identity Providers > IDP for TechSeals window
- scroll down
  - In the Authentication Methods area
    - next to Certificate (cloud deployment)
      - select the checkbox
    - in the bottom right-corner of the page.
      - select SAVE

In the Omnissa Access Admin console
- navigate to Resources
  - in the side menu
    - select Policies

In the Policies area
- in line with Default Policy
  - to the far right next to VIEW
    - select EDIT

In the Edit Policy window,
- In side column
  - select Configuration
- next to Web Browser,
  - select All Ranges

In the Edit Policy Rule window
- next to then the user may authenticate using *
  - from the dropdown
    - select Certificate (Cloud Deployment)
- next to if preceding method fails or is not applicable, then *
  - from the dropdown
    - select Password (Cloud Deployment),
- select ADD FALLBACK METHOD
- next to if preceding method fails or is not applicable, then *
  - from the dropdown
    - select Password (Local Directory)
  - at the bottom of the window
    - select SAVE

In the Edit Policy Rule window
- select + ADD POLICY RULE

In the Edit Policy Rule window
- next to and user accessing content *
  - from the dropdown.
    - select Windows 10+
- next to then the user may authenticate using *
  - from the dropdown
    - select Certificate (Cloud Deployment) for the first authentication method
- select ADD FALLBACK METHOD twice
  - next to if preceding method fails or is not applicable, then
    - from the dropdown
      - select Password (cloud deployment)
  - next to if preceding method fails or is not applicable, then
    - from the dropdown
    - select Password (Local Directory)
- at the bottom right hand side of the page
  - select SAVE

In the Edit Policy window,
- In side column
  - select Configuration
- next to Omnissa App
  - select All Ranges

In the Edit Policy Rule window
- next to then the user may authenticate using *
  - from the dropdown
    - select Certificate (Cloud Deployment)
- next to if preceding method fails or is not applicable, then *
  - from the dropdown
    - select Password (Cloud Deployment),
- select ADD FALLBACK METHOD
- next to if preceding method fails or is not applicable, then *
  - from the dropdown
    - select Password (Local Directory)
  - at the bottom of the window
    - select SAVE

In the Configuration window
- ensure the following Device Types

Omnissa App
- then
- Windows 10+
  - then
- Web Browser
  - are first and second in the authentication flow
- next to ALL RANGES for Omnissa App
  - on the left select the 6 DOTS
    - drag to the top
- next to ALL RANGES for Windows 10 +
  - on the left select the 6 DOTS
    - drag to below Omnissa App
- if necessary,
  - next to ALL RANGES for Web Browser
    - on the left select the 6 DOTS
      - drag below Windows 10+
- In the Configuration window
  - select NEXT

In the Edit Policy Page.
- Summary section
  - review the policy configurations
- select SAVE

Part 4. Horizon Federation with Omnissa Access

Section 1. Configuring SAML Authentication in Horizon on Pod 1

On your ControlCenter server
- open your Site 1 browser
  - In the Favourites bar
    - select the Horizon Site 1 shortcut

In the Horizon login
- in the User Name area
  - enter administrator
- in the Password area
  - enter Pa$$w0rd
- select SIGN IN

In the Horizon Admin console
- Side Menu
  - expand Settings
    - select Servers

In the Horizon Admin console
- Servers area
  - select the Connection Servers tab

In the Horizon Admin console
- Servers area
  - Connection Servers tab
    - next to HORIZON-01A
      - select the Radio button
        
        select EDIT

In the Edit Connection Server Settings window
- select the Authentication tab

In the Edit Connection Server Settings window
- select the Authentication tab
  - below Delegation. of authentication of Horizon (SAML 2.0 Authenticator)
    - from the dropdown
      - select Allowed
  - below No Enabled Authenticator configured
    - select MANAGE SAML AUTHENTICATORS

In the Manage SAML Authenticators window
- select ADD

In the Add SAML 2.0 Authenticator window
- below *Label
  - enter Omnissa Access

In the Add SAML 2.0 Authenticator window
- below *Metadata URL
  - replace https://<YOUR SAML AUTHENTICATOR NAME>/SAAS/API/1.0/GET/metadata/idp.xml
    - with your Omnissa Access tenant id
      - ie https://techseals-trainingXX.vidmpreview.com/SAAS/API/1.0/GET/metadata/idp.xml

In the Add SAML 2.0 Authenticator window
- below *TrueSSO Trigger Mode
  - from the dropdown
    - select Always
    - select OK
- to close the Manage SAML Authenticators window
  - select OK

In the Edit Connection Server Settings window
- below Delegation of authentication to VMware Horizon (SAML2.0 Authenticator)
  - from the dropdown
    - select Required
  - next to Enable Workspace ONE Mode
    - select the checkbox
- below * Workspace ONE Server Hostname
  - enter yourAccess Tenant ID
- to close the Edit Connection Server Settings window
  - select OK

Note that Workspace ONE Mode only becomes available to be enabled when set to Required

Note. Make sure there is no forward slash at the end ".com" of your URL

We enable Workspace ONE Mode and set it to required when we want all authentication to be done by Access.

When the user connects to the Service and is redirected to the Identity Provider, we refer to this as an SP-Init flow

In Horizon, Workspace ONE Mode enforces SP-Init flows

In the Horizon Admin console
- Servers area
  - Connection Servers tab
    - next to HORIZON-01B
      - select the Radio button
        
        select EDIT

In the Edit Connection Server Settings window
- select the Authentication tab

In the Edit Connection Server Settings window
- select the Authentication tab
  - below Delegation. of authentication of Horizon (SAML 2.0 Authenticator)
    - from the dropdown
      - select Required
    - below No Enabled Authenticator configured
      - select MANAGE SAML AUTHENTICATORS

In the Manage SAML Authenticators window
- next to Omnissa Access
  - select the radio button
    - select EDIT

In the Edit SAML 2.0 Authenticator window
- below * TrueSSO Trigger Mode
  - next to Enabled for Connection Server
    - select the check box
- to close the Edit SAML 2.0 Authenticator window
  - select OK

In the Manage SAML Authenticators window
- to close this window
  - select OK

In the Edit Connection Server Settings window
- below MANAGE SAML AUTHENTICATORS
  - next to Enable Workspace ONE mode
    - select the checkbox
  - in the BOX below * Workspace ONE Server Hostname
    - paste your Omnissa Access tenant id
- to close the Edit Connection Server Settings window
  - select OK

Section 2. Configuring SAML Authentication in Horizon on Pod 2

On your ControlCenter server
- open your Site 2 browser
  - In the Favourites bar
    - select the Horizon Site 2 shortcut

In the Horizon login
- in the User Name area
  - enter administrator
- in the Password area
  - enter Pa$$w0rd
- select SIGN IN

In the Horizon Admin console
- Side Menu
  - expand Settings
    - select Servers

In the Horizon Admin console
- Servers area
  - select the Connection Servers tab

In the Horizon Admin console
- Servers area
  - Connection Servers tab
    - next to HORIZON-02A
      - select the Radio button
        
        select EDIT

In the Edit Connection Server Settings window
- select the Authentication tab

In the Edit Connection Server Settings window
- select the Authentication tab
  - below Delegation. of authentication of VMware Horizon (SAML 2.0 Authenticator)
    - from the dropdown
      - select Allowed
  - below No Enabled Authenticator configured
    - select MANAGE SAML AUTHENTICATORS

In the Manage SAML Authenticators window
- select ADD

In the Add SAML 2.0 Authenticator window
- below *Label
  - enter Omnissa Access

In the Add SAML 2.0 Authenticator window
- below *Metadata URL
  - replace https://<YOUR SAML AUTHENTICATOR NAME>/SAAS/API/1.0/GET/metadata/idp.xml
    - with your Omnissa Access tenant id
      - ie https://techseals-trainingXX.vidmpreview.com/SAAS/API/1.0/GET/metadata/idp.xml

In the Add SAML 2.0 Authenticator window
- below *TrueSSO Trigger Mode
  - from the dropdown
    - select Always
      - select OK
- to close the Manage SAML Authenticators window
  - select OK
- to close the Edit Connection Server Settings window
  - select OK

In the Edit Connection Server Settings window
- below Delegation of authentication to Horizon (SAML2.0 Authenticator)
  - from the dropdown
    - select Required
  - next to Enable Workspace ONE Mode
    - select the checkbox
- below * Workspace ONE Server Hostname
  - enter your Omnissa Access Tenant ID
- to close the Edit Connection Server Settings window
  - select OK

Section 3. Federating Horizon Virtual App Collections

In our testing , we learned that untrusted Forests do not work in an integration with Omnissa Access when the federation is setup with the Unified Access Gateway. This gives us an opportunity to show how to setup Federations with Omnissa Access and Horizon directly

In the Omnissa Access console
- select the Resources tab
  - in the Resources menu
    - select Virtual Apps Collections
    - in the Introducing Virtual Apps Collections area
      - select GET STARTED

In the Select the Source Type window
- below the Horizon area
  - click SELECT

In the New Horizon Collection wizard
- in the 1 Connector page
  - below Name *
    - enter TechSeals.co
      - note the Access Connector you will be using
    - in the bottom right corner
      - select NEXT

In the New Horizon Collection wizard
- in the 2 Pod and Federation page
  - below Pod and Federation
    - select + ADD A POD

In the Add A Pod window
- enter the following
  - below Horizon Connection Server
    - type horizon-01a.techseals.co
  - below Username
    - type administrator
  - below Password
    - type Pa$$w0rd
  - below True SSO
    - move the toggle
      - to enabled
  - select ADD

In the New Horizon Collection wizard
- in the 2 Pod and Federation page
  - below Pod and Federation
    - select + ADD A POD

In the Add A Pod window
- enter the following
  - below Horizon Connection Server
    - type horizon-02a.techseals.co
  - below Username
    - type administrator
  - below Password
    - type Pa$$w0rd
  - below True SSO
    - move the toggle
      - to enabled
  - select ADD

In the New Horizon Collection wizard
- in the 2 Pod and Federation page
  - below Have you enabled Cloud Pod Architecture for any of the pods added above?
    - move the Toggle from No to Yes
      - select + ADD A FEDERATION

In the Add A Federation window
- below Federation Name*
  - enter Techseals.co
- below Default Client Access FQDN*
  - enter corp.techseals.co
- below Available Pods
  - select the checkboxes above horizon-01a and horizon-02a
    - select ADD

In the New Horizon Collection wizard
- in the 2 Pod and Federation page
  - select NEXT

In the New Horizon Collection wizard
- in the 3 Configuration page
  - scroll down to the bottom
    - below Activation Policy
      - select Automatic
    - below Default Launch Client
      - select Native
  - in the bottom right corner
    - select NEXT

In the New Horizon Collection wizard
- in the 4 Summary page
  - review your configuration
    - select SAVE

In the Virtual Apps Collections > TechSeals.co window
- select Overview

In the Virtual Apps Collections > Techseals.co window
- Overview section
  - next to SYNC
    - select the dropdown
    - in the dropdown menu
      - select Sync without safeguards

Check that the Sync Status has Completed

In the Omnissa Access console
- Resources tab
  - in the left menu
    - select Virtual Apps

Note that your Global and Local entitlements have been synchronized to Omnissa Access

On your Controlcenter server
- log out from all Omnissa Access Admin console sessions
- close all browser sessions

Part 5. Log into a Windows 11 Desktop and demonstrate the limitation

On the ControlCenter server Desktop,
- switch to your W11Client-01a.RDP session

Note ensure you are still logged in as [email protected]

On your W11Client-01a Desktop
- open your Chrome Browser
  - in your Chrome browser address bar
    - enter your Access URL
      - e.g. https://techseals-trainingxxx.vidmpreview.com/
- on the Select a certificate window
  - select Craig Stroser
    - select OK
  - in the Web Intelligent Hub
    - under Apps
  - select Enterprise_Desktop

On your W11Client-01a Desktop
- in the Enterprise_Desktop window
  - select Launch
- in the Open Omnissa Horizon Client? window
  - select Open Omnissa Horizon Client

In the Horizon Client session,
- notice we are getting a Password request.
  - from the Horizon Client Dropdown
    - select Disconnect
  - In the Disconnect desktop? window
    - select OK

Horizon requires the users password to be part of the SAML Artifact. Using a 3rd Party authentication methods or having Password Caching disabled does not allow that to happen.

In the next Part we will proceed with the deployment of TRUESSO to solve this challenge.

Part 6. Installing and Configuring the sub-ordinate CA and the Enrollment services

Section 1: Installing the Subordinate CA

On your ControlCenter server
- open the Remote Desktop Folder
  - open the Site1 folder
  - launch the TrueSSO-01a.RDP shortcut
    - you should login automatically

If automatic login fails use the following credentials

login as techseals\administrator
enter the password Pa$$w0rd

On the TrueSSO-01a server
- select the Start button
  - from the menu
    - select Server Manager

On the Server Manager Interface
- select Manage > Add Roles and Features

On the Before you begin window
- select Next

On the Select installation type window,
- next to Role-based or feature-based installation
  - select the radio button
- select Next

On Select destination server window (accept the defaults)
- select Next

On the Select server roles window,
- in front of Active Directory Certificate Services,
  - select the check box
- when prompted for the Add Features window,
  - select the Add Features box,
- select Next

On the Select features window
- select Next

On the Active Directory Certificate Services window
- select Next

On the Select role services window
- select Next

On the Confirm Installation selections window,
- next to Restart the destination server automatically if required,
  - select the checkbox
- on the Add Roles and Features Wizard window
  - select Yes
- select Install

You will have to wait a short while before moving on to section 2

Section 2: Configuring Active Directory Certificate Services for a Sub-ordinate CA

On the Installation progress page,
- select the Configure Active Directory Certificate Services on the destination server hyper-link

On the Credentials window
- select Next

On the Role Services page,
- select the Certificate Authority checkbox
  - select Next

On the Specify the setup type of the CA window
- next to Enterprise CA
  - select the radio button
- select Next

On the CA type window
- next to Subordinate CA
  - select the radio button
- select Next

On the Private Key window,
- next to Create a new private key
  - ensure the radio button is selected
- select Next

On the Cryptography for CA window
- validate the following is selected
  - under Cryptographic Provider:
    - RSA#Microsoft Software Key Storage Provider
  - next to Key Length:
    - 2048
  - Hash Algorithm:
    - SHA256
  - select Next

On the Specify the Name of the CA window
- observe the CA naming convention
  - select Next

On the Request a certificate from parent CA ,
- next to Send a certificate request to a parent CA:
  - select the radio button

On the Request a certificate from parent CA ,
- to the right of the Parent CA box,
  - click the Select button
- In the Select Certificate Authority window
  - ensure that techseals-CONTROLCENTER-CA is selected
    - select OK

On the Request a certificate from parent CA window
- select Next

On the CA Database window,
- select Next

On the Confirmation window
- select Configure

On the Results window
- select Close
- on the Installation progress window,
  - select Close

Part 7. Certificate Template configuration for Horizon TRUE SSO

As a result of this being a multi-site setup. We have already deployed all the services for Site 2.

Both Site 1 and Site 2 share the same Active Directory Certificate Services. One of the requirements for TRUESSO is to setup a certificate Template. This has already been setup. In a future lab, which could be optional, that being Integrating with Untrusted Forests, you will have the opportunity to setup the Template in its entirety

In this section we will validate and perform configuration specific to Site 1

On your TRUESSO-01a server
- select Start > Run > type mmc
  - select File > Add/Remove Snap-in...
    - select the Certification Authority services snap-in,
      - select Add
    - In the Certificate Authority window,
      - select Finish
    - to close the Add or Remove Snap-ins window
      - select OK

Expand the techseals-TRUESSO-01a-CA inventory
- select Certificate Templates,
  - right-click
    - select Manage

In the Certificate Template Console
- find and select the TrueSSO template
  - right-click the TrueSSO template
    - select Properties

In the TrueSSO Template Properties
- select the Security tab
  - in the Group or user names: area
    - select Add
      - to the right of the Select this object type: box
        
        select the Object types button
        
        next to Computers,
        
        select the checkbox
        
        select OK

In the Select Users, Computers, Service Accounts, or Groups window
- Enter the object names to select
  - type TRUESSO-01a
    - to the right select Check Names
      - select OK

In the TrueSSO Template Properties windows
- next to Enroll
  - select the checkbox
    - Read should be selected by default
  - to close the TrueSSO Template Properties,
    - select OK

Switch to the Certificate Authority Console
- select and right-click the Certificate Templates container,
  - select New > Certificate Template to Issue

When authoring this content, I had a situation where the TrueSSO Template would not show after adding the Template permissions. I gave the TrueSSO-01a server a reboot , logged in and voila, the template was now available.

This could be a once off as I have not seen this happen with other courses I have authored content for in this scenario.

It have tested this twice now with the same result.

In the Enable Certificate Templates window,
- select your TrueSSO Template
  - select OK

In the Certificate Authority Console
- select Certificate Templates,
  - right-click
    - select Manage

In the Certificate Templates Console
- select Enrollment Agent (computer) template
  - right-click
    - select Properties

In the Enrollment Agent Properties window
- select the Security tab

In the TrueSSO Template Properties
- select the Security tab
  - in the Group or user names: area
    - select Add
      - to the right of the Select this object type: box
        
        select the Object types button
        
        next to Computers,
        
        select the checkbox
        
        select OK

In the Enrollment agent properties window
- next to Enroll
  - select the checkbox
    - Read should be selected by default
- to close the Enrollment Agent (Computer) Properties
  - select OK
  - Switch back to the Certificate Authority Console

In the Certificate Authority Console select
- right-click the Certificate Templates container,
  - select New > Certificate Template to Issue

In the Enable Certificate Templates window
- Select the Enrollment Agent (Computer) template
- Select OK

In the Certificate Authority window
- Note the Templates you now have
  - TrueSSO Template
  - Enrollment Agent (Computer)

Part 8. Pre- Install Configuration and Install of Horizon Enrollment Services

We will now configure the CA for non-persistent certificate processing
- on the TrueSSO-01a server
  - select the Start button
    - right-click
      - select Command Prompt (Admin)

In the Administrator: Command Prompt
- enter the following command

certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS

In the Administrator: Command Prompt
- enter the following command
  - to Configure the CA to ignore offline CRL errors

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

In the Administrator: Command Prompt
- enter the following command
  - From the command prompt run:
    - Restart the CA service.

net stop certsvc & net start certsvc

On the TrueSSO-01a server desktop
- launch the software shortcut
  - In the Software folder,
    - open the Horizon\2412 folder.
      - select the installer Omnissa-Horizon-Connection-Server-x86_64-2412-8.14.0-xxxx
        
        from the dropdown
        
        select Run as administrator

On the Open File - Security Warning window
- select Run

On the Welcome window
- select Next

On Destination Folder window
- select Next

On the Installation Options window
- select Horizon Enrollment Server
  - select Next

On Firewall configuration window
- select Next

On the Ready to Install Program window
- select Install

On the Installer Completed Window
- select Finish

Part 9. Certificate Configuration on the Enrollment Server

On the TrueSSO-01a server
- select the Start Button,
  - right-click
    - select Run,
      - type MMC,
        
        select OK

In the Console window
- select File > Add/Remove Snap-in..

In the Add or Remove Snap-ins window,
- select Certificates
  - select Add

In the Certificates snap-in
- next to Computer account
  - select the radio button
    - select Next
      - select Finish
        
        select OK

Expand the Certificates console inventory
- select the Personal > Certificates container.
  - and right-click
    - select All Tasks > Request New Certificate

On the Certificate Enrollment window
- select Next

On the Select Certificate Enrollment Policy window
- select Next

On the Request Certificates window
- in front of Enrollment Agent (Computer)
  - select the checkbox
- select Enroll

On the Certificate Installation Results window,
- ensure the enrollment was successful
  - select Finish

In the Certificates Console
- note you now a TrueSSO-01a template for enrollment

Part 10 Federating Enrollment services with Horizon

In a Horizon Pod with multiple Connection Servers, this task is only completed once

Switch to your ControlCenter server,
- Open up your Remote Desktop > Site 1 folder
  - launch the RDP shortcut for Horizon-01a
  - If necessary, authenticate, using the following credentials
    - username techseals\administrator
      - password Pa$$w0rd

On the Horizon Server desktop
- select and open your CACertSnapin.mmc

In the Certificates Console
- Expand the inventory
  - Browse down to:
    - Omnissa Horizon Certificates > Certificates

In the Omnissa Certificates > Certificates folder
- expand the console or scroll across the console
  - notice the guid based certificate has a friendly name of vdm.ec

In the Certificates console
- select your top GUID certificate with the friendly name of vdm.ec.
  - right-Click select All Tasks
    - select Export

Note there are two GUID based certificates with a vdm.enc Friendly name. Select the cert with vdm.ec

In your environment, the certificate order might differ to the screenshot

On the Welcome to the Certificate Export Wizard window
- select Next

On the Export Private Key page
- next to No, do not export the private key
  - select the radio button
    - select Next

On the Export File Format window
- next to Base-64 encoded X.509
  - select the radio button
    - select Next

In the File to Export window
- under File name
  - type the following
    - \\horizon-01a\software\Horizon\enroll.cer
      - select Next

Software is a shared folder which we will use to copy from on the TrueSSO server

On the Completing the Certificate Export Wizard window
- when prompted that The export was successful,
  - select Finish
    - select OK

On your ControlCenter server desktop
- on your TrueSSO-01a RDP session
  - switch from your Horizon-01a RDP session

On our TrueSSO-01a server
- select your Certificate services Snap-in,
  - select the Omnissa Horizon Enrollment Server Trusted Roots, folder
    - and right-click
      - select All Tasks > Import

On the Welcome window
- select Next

In the File to import window
- Under File name,
  - enter the following
    - \\Horizon-01a.techseals.co\software\Horizon\enroll.cer
- select Next

In the Certificate Store window accept the defaults and
- select Next.
  - on the Summary page
    - select Finish.
  - in the Certificate Import Wizard window
    - select OK

In the Certificates Folder
- select the imported certificate
  - and Right-click
    - select Properties.
- In the Friendly name: section
  - type vdm.ec
    - select OK

Part 11. Mapping the subordinate CA to a preferred Enrollment service

On your TrueSSO-01a.RDP session
- select and right-click the Start button > RUN
  - type regedit.exe
- In the regedit inventory,
  - browse to the following location:
    - HKLM\SOFTWARE\Omnissa\Horizon\
  - what we should see is an Enrollment Service Key
    - HKLM\SOFTWARE\Omnissa\Horizon\Enrollment Service.
    - you will notice there is no Enrollment Service key, we need to create one. In our case we have to
- Create the Enrollment Service key
  - Right-click Horizon > New > Key
    - type Enrollment Service

We will add 3 String Values in the Registry Key

In the Registry Editor
- right-click the Enrollment Service key > New > String Value
  - type PreferLocalCa
- right-click the PreferLocalCa String value
  - select Modify
  - in the Value data: field
    - enter 1
- select OK to close the window

Add your second String Value
- right-click the Enrollment Service key > New > String Value
  - enter UseKerberosAuthenticationToCa
- right-click the UseKerberosAuthenticationToCa String value
  - select Modify
  - in the Value data: field
    - enter false
- select OK to close the window.

Add a third String Value
- right-click the Enrollment Service key > New > String Value
  - enter UseNTLMAuthenticationToCa
- right-click the UseNTLMAuthenticationToCa String value
  - select Modify
  - in the Value data: field
    - enter true
- select OK to close the window.

On your TrueSSO-01a server
- From the Start button,
  - select Run
    - type services.msc
      - select OK
- in services menu, scroll down until you find
  - Omnissa Horizon Enrollment Server service
- select and right-click the Omnissa Horizon Enrollment Server service
  - select Restart
- Close the Services mmc

Part 12. Pairing Horizon Connection Server with Horizon-01a Enrollment and Certificate Services for Site 1

On your ControlCenter server
- from the Taskbar
- switch to your HORIZON-01a.RDP session

On the Horizon-01a Connection server
- from the Desktop
  - select and right-click the Command Prompt shortcut
- from the dropdown
  - select Run as administrator

In the Administrator: Command Prompt
- enter the following:-

cd "\Program Files\Omnissa\Horizon\Server\tools\bin"

In the Administrator: Command Prompt
- type the following:-

The enrollment server is added to the global list.

vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --environment --add --enrollmentServer TrueSSO-01a.techseals.co

Wait 2 min before doing the next command

In the Administrator: Command Prompt
- type the following:-

The output shows the forest name, whether the certificate for the enrollment server is valid, the name and details of the certificate template you can use, and the common name of the certificate authority.

vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --environment --list --enrollmentServer TrueSSO-01a.techseals.co --domain techseals.co

In the Administrator: Command Prompt
- Enter the command to create a True SSO connector, which will hold the configuration information, and enable the connector.

vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --create --connector --domain techseals.co --template TrueSSOTemplate --primaryEnrollmentServer truesso-01a.techseals.co --certificateServer techseals-TRUESSO-01A-CA --mode enabled

In the Administrator: Command Prompt
- Validate the Authenticator is configured

vdmUtil --authAs administrator --authDomain techseals.co --authPassword Pa$$w0rd --truesso --list --authenticator

You will notice True SSO mode now Enabled

For --truessoMode, use ENABLED if you want True SSO to be used only if no password was supplied when the user logged in to Omnissa Access. In this case if a password was used and cached, the system will use the password. Set --truessoMode to ALWAYS if you want True SSO to be used even if a password was supplied when the user logged in to Omnissa Access

Part 13. Testing to see if TrueSSO works

On your ControlCenter server,
- switch to your W11Client-01a.RDP Remote Desktops session

The w11Client-01a session should still be logged in with the techseals\craig account

On your W11Client-01a desktop,
- In the Web Intelligent Hub
  - under the New Apps area
    - select Enterprise_Desktop
    - from the pop-up
      - select Launch from Client
  - on the Open Omnissa Horizon Client? window
    - select Open Omnissa Horizon Client

In the W11Client-01a Horizon session
- If you the see the above message.
  - Follow the below mentioned steps
    - This as a result of the Active Directory Certificate Hierarchy certificates not being replicated to all Domain Controllers and Horizon based Infrastructure. The TrueSSO-01a server is an intermediate issuing server in the Microsoft Active Directory Certificate Authority and every Server that is Active Directory based, requires the certificate of the TrueSSO-01a service in its intermediate list to trust it as an issuing service.
      - Therefore the above mentioned message regarding a certificate from an untrusted authority.

On the following Servers:
- Site 1
  - ControlCenter.techseals.co
  - Horizon-01a.techseals.co
- Site 2
  - DC-02a.techseals.co
- open the Administrator: Command Prompt
  - enter gpupdate /force

On your W11Client-01a desktop
- on the Web Intelligent Hub
  - In the New Apps area
    - double click Enterprise_Desktop
  - In the Open Omnissa Horizon Client? window
    - select Open Omnissa Horizon Client

On your W11Client-01a desktop,
- Note you have a single sign on experience
  - shut down and close all your windows

On your W11Client-01a desktop,
- from the Virtual Desktop session
  - MORE icon dropdown
    - select Logoff Desktop
- on the Disconnect and log off desktop? window
  - select OK
- close all windows sessions

Part 14. Turning off enforced authentication with Omnissa Access

Now that we have demonstrated the Potential of Omnissa Access and the relevance of Enrollment Services. We will turn off Enforced authentication as we are using an unreliable Certificate Authentication method

On your ControlCenter server
- open your Site 1 browser
  - In the Favourites bar
    - select the Horizon Site 1 shortcut

In the Horizon login
- in the User Name area
  - enter administrator
- in the Password area
  - enter Pa$$w0rd
- select Sign In

In the Horizon Admin console
- Side Menu
  - in the Settings category
    - select Servers

In the Horizon Admin console
- Servers area
  - select the Connection Servers tab

In the Horizon Admin console
- Servers area
  - Connection Servers tab
    - next to HORIZON-01A
      - select the Radio button
        
        select EDIT

In the Edit Connection Server Settings window
- select the Authentication tab

In the Edit Connection Server Settings window
- select the Authentication tab
  - below Delegation. of authentication of VMware Horizon (SAML 2.0 Authenticator)
    - from the dropdown
      - select Allowed

In the Edit Connection Server Settings window
- To close the Edit Connection Server Settings window
  - select OK

In the Horizon Admin console
- Servers area
  - Connection Servers tab
    - next to HORIZON-01B
      - select the Radio button
        
        select EDIT

In the Edit Connection Server Settings window
- select the Authentication tab

In the Edit Connection Server Settings window
- select the Authentication tab
  - below Delegation. of authentication of VMware Horizon (SAML 2.0 Authenticator)
    - from the dropdown
      - select Allowed

In the Edit Connection Server Settings window
- To close the Edit Connection Server Settings window
  - select OK

References

https://docs.omnissa.com/bundle/Horizon-AdministrationVmulti/page/ConfigureHorizonConnectionServerforTrueSSO.html

Omnissa Product Specialist and Technical Enablement

End User Computing

11. Ensuring Seamless Single Sign-ON Integration with Horizon and Omnissa Access

References

0 Comments

Add your comment

Topics

Last Updated