Lab 28: Deploy an Enrollment Server and configure True SSO

Objective and Tasks

In this lab, you will install a Horizon Enrollment Server, add it to your Horizon pod, and configure True SSO. While this lab only covers installing a single Enrollment Server, it is recommended to install two Enrollment Servers per Horizon pod to provide resiliency.

  1. Configure the Microsoft Certification Authority service.
  2. Set up a certificate template for use with True SSO.
  3. Add permissions on the Enrollment Agent (Computer) template.
  4. Issue the certificate templates.
  5. Install the Enrollment Server.
  6. Install the enrollment agent (computer) certificate on the Enrollment Server.
  7. Configure Connection Server pairing.
  8. Add the SAML authenticator to the Connection Servers.
  9. Complete the required configuration to add the Enrollment Server and connectors to the Connection Servers and pod.
  10. Check the True SSO status in the Horizon admin console.

The purpose of this lab is for you to progress through the installation and configuration steps needed to set up an Enrollment Server and configure True SSO for your Horizon 8 pod.

Task 1: Configure the Microsoft Certification Authority service

The Microsoft Certification Authority service has already been installed for you to use in this lab. You will update the configuration and restart the service before using it.

  1. Open a command prompt, as an Administrator.
    • On your ControlCenter VM use the Search box in the bottom toolbar.
    • Type cmd
    • Select Run as administrator.
  2. Enable non-persistent certificate processing, which helps reduce the CA database growth rate.
    • Run the following command.
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
  3. Ignore offline CRL (certificate revocation list) errors on the CA.
    • Run the following command.
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
  4. Restart the Certificate Authority service so that these changes take effect.
    • Run the following commands.
sc stop certsvc
sc start certsvc

If you had multiple Certificate Authority servers, you would repeat these steps on each server.

Task 2: Set up a certificate template for use with True SSO

Create a certificate template that will be used for issuing short-lived certificates. This is used by the Horizon Enrollment Servers to facilitate True SSO for users.

  1. Open the Microsoft Certification Authority console
    • On your ControlCenter VM open Server Manager.
    • From the Tools menu, select Certification Authority.
  2. Create a new certificate template.
    • Expand the tree in the left pane.
    • Right-click Certificate Templates and select Manage.
    • Right-click the Smartcard Logon template and select Duplicate Template.

Do not click OK until you have completed all the tab configurations listed below.

  3. On the Compatibility tab
    • Certification Authority: Windows Server 2008 R2
    • Certificate recipient: Windows 7 / Server 2008 R2
  4. On the General tab
    • Template display name: True SSO
    • Template name: TrueSSO
    • Validity period: 1 hour
    • Renewal period: 0 hours
  5. On the Request handling tab
    • Purpose: Signature and smartcard logon
    • Select Allow private key to be exported.
    • Select For automatic renewal of smart card certificates, use the existing key if a new key cannot be created.
  6. On the Cryptography tab
    • Provider category: Key Storage Provider
    • Algorithm name: RSA
    • Minimum key size: 2048
    • Request hash: SHA256
  7. On the Subject name tab
    • Leave as is.
  8. On the Server tab
    • Select Do not store certificates and requests in the CA database.
    • De-select Do not include revocation information in issued certificates.
  9. On the Issuance requirements tab
    • Select This number of authorized signatures with a value of 1.
    • Policy type required in signature: Application policy
    • Application Policy: Certificate Request Agent
    • Require the following for reenrollment: Valid existing certificate
  10. On the Security tab
    • Add the AD group for the enrollment servers: enrollment-servers
    • Give this group permissions to Read and Enroll.
  11. Click OK to save the new template.
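
The tab settings above are stored in Active Directory as attributes of the template object under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration. The following is an added example, not part of the lab or of Omnissa's tooling, that decodes those attributes and reports any drift from the lab's values, so the short-lived logon template can be audited instead of eyeballed. The attribute dictionary is constructed inline to stand in for an LDAP query result; fetching the real object from AD is assumed to be done by whatever LDAP client you use.

```python
import struct

# OIDs and flag the True SSO template must carry (values from MS-CRTD).
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"   # Issuance Requirements: Certificate Request Agent
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"      # EKU implied by "Signature and smartcard logon"
CTPRIVATEKEY_FLAG_EXPORTABLE_KEY = 0x10             # "Allow private key to be exported"


def pki_period_seconds(raw: bytes) -> int:
    """Decode pKIExpirationPeriod / pKIOverlapPeriod into whole seconds.

    AD stores both as a little-endian signed 64-bit count of 100 ns
    intervals, negated (a FILETIME-style relative interval)."""
    (ticks,) = struct.unpack("<q", raw)
    return -ticks // 10_000_000


def check_truesso_template(attrs: dict) -> list[str]:
    """Return every deviation from the lab's True SSO template settings.

    `attrs` maps LDAP attribute names to decoded values as an LDAP client
    would return them for the template object. Empty list means compliant."""
    problems = []
    validity = pki_period_seconds(attrs["pKIExpirationPeriod"])
    if validity != 3600:
        problems.append(f"validity period is {validity}s, expected 3600s (1 hour)")
    renewal = pki_period_seconds(attrs["pKIOverlapPeriod"])
    if renewal != 0:
        problems.append(f"renewal period is {renewal}s, expected 0")
    if attrs["msPKI-Minimal-Key-Size"] < 2048:
        problems.append(f"minimum key size {attrs['msPKI-Minimal-Key-Size']} is below 2048")
    if attrs["msPKI-RA-Signature"] != 1:
        problems.append(f"{attrs['msPKI-RA-Signature']} authorized signatures required, expected 1")
    # Schema v4 templates store this attribute backtick-delimited, so look for
    # the OID inside each value instead of comparing whole strings.
    ra_policies = " ".join(attrs.get("msPKI-RA-Application-Policies", []))
    if OID_CERT_REQUEST_AGENT not in ra_policies:
        problems.append("Certificate Request Agent is not the required signing application policy")
    if OID_SMARTCARD_LOGON not in attrs.get("pKIExtendedKeyUsage", []):
        problems.append("Smart Card Logon EKU is missing")
    if not attrs["msPKI-Private-Key-Flag"] & CTPRIVATEKEY_FLAG_EXPORTABLE_KEY:
        problems.append("private key is not marked exportable")
    return problems


# Constructed sample standing in for the LDAP object of a correctly built TrueSSO template.
GOOD_TEMPLATE = {
    "cn": "TrueSSO",
    "displayName": "True SSO",
    "pKIExpirationPeriod": struct.pack("<q", -3600 * 10_000_000),  # 1 hour
    "pKIOverlapPeriod": struct.pack("<q", 0),                      # 0 hours
    "msPKI-Minimal-Key-Size": 2048,
    "msPKI-RA-Signature": 1,
    "msPKI-RA-Application-Policies": [OID_CERT_REQUEST_AGENT],
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", OID_SMARTCARD_LOGON],
    "msPKI-Private-Key-Flag": CTPRIVATEKEY_FLAG_EXPORTABLE_KEY,
}

if __name__ == "__main__":
    for line in check_truesso_template(GOOD_TEMPLATE) or ["template matches the lab settings"]:
        print(line)
```
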

Task 3: Add permissions on the Enrollment Agent (Computer) template

In addition to the True SSO certificate template you just created, the Enrollment Servers require permissions on the Enrollment Agent (Computer) template.

  1. Use the Certificate Templates Console to edit the template
    • Right-click the Enrollment Agent (Computer) template.
    • Select Properties.
  2. On the Security tab
    • Add the AD group for the enrollment servers: enrollment-servers
    • Give this group permissions to Read and Enroll.
  3. Click OK.
  4. Close the Certificate Templates Console.

Task 4: Issue the certificate templates

The certificate templates need to be issued to the Certification Authority server so that it can generate certificates based on them.

  1. Use the Certification Authority console on your ControlCenter VM.
  2. Issue the True SSO certificate template.
    • Right-click Certificate Templates and select New > Certificate Template to Issue.
    • Select the new True SSO template you just created, and click OK.
  3. Issue the Enrollment Agent (Computer) certificate template.
    • Right-click Certificate Templates and select New > Certificate Template to Issue.
    • Select the Enrollment Agent (Computer) template, and click OK.
  4. Close the Certification Authority console.

If you had multiple Certificate Authority servers, you would repeat these steps on each one, so that each Certificate Authority can issue certificates based on these templates.

Task 5: Install the Enrollment Server

RDP to truesso-01a and run the Connection Server installer. When prompted, select the Enrollment Server option.

  1. Use RDP to connect to truesso-01a
    • On your ControlCenter desktop open the RDP folder.
    • Click the RDP shortcut to truesso-01a
    • This should automatically log you into the truesso-01a VM
  2. Run the Connection Server installer executable on truesso-01a
    • Open File Explorer on the task bar at the bottom.
    • Select the Resources (S:) drive.
    • Browse to S:\Software\Horizon_2512
    • Run Omnissa-Horizon-Connection-Server-x86_64-2512-8.17.0-20302007542.exe

The installer may get hidden behind other windows. Use the taskbar to select it and bring it to the front.

  3. Proceed through the initial installation screens
    • The installer will first display a Licensing confirmation message. Click Yes.
    • When the Installer Introduction screen appears, click Next.
    • Leave the default installation path: C:\Program Files\Omnissa\Horizon\Server, and click Next.
  4. On the Installation Options screen:
    • Select Horizon Enrollment Server as the type to install.
    • Click Next.
  5. On the Firewall Configuration screen:
    • Ensure that Configure Windows Firewall automatically is selected.
    • Click Next.
  6. On the Ready to Install the Program screen:
    • Click Install.
  7. When the installation completes, uncheck the Show the documentation check box and click Finish.

The Enrollment Server is now installed. Move onto the following tasks to complete the required configuration for True SSO.

Task 6: Install the enrollment agent (computer) certificate on the Enrollment Server

This authorizes this Enrollment Server to act as an Enrollment Agent and generate certificates on behalf of users.

  1. Open the Microsoft Management Console (MMC) on truesso-01a, so that you can work with certificates.
    • In Windows > Start > Run > MMC
    • Use the File menu and select Add/Remove Snap-in.
    • Select Certificates and Add.
    • Select Computer account and click Next.
    • Leave the default selection of Local computer and click Finish.
    • Click OK to close the Add/Remove Snap-ins window.
  2. Request and enroll the Enrollment Agent (Computer) certificate.
    • Navigate to the Certificates > Personal folder.
    • Right-click the Personal folder and select All Tasks > Request New Certificate.
    • Click Next twice to progress through the wizard.
    • Select the entry for the Enrollment Agent (Computer) certificate.
    • Click Enroll.

If you have multiple Enrollment Servers, repeat these steps on each server.

Task 7: Configure Connection Server pairing

Configure Connection Server pairing so that the enrollment service will trust the Connection Server when it prompts the Enrollment Servers to issue a short-lived certificate for an Active Directory user.

  1. Use RDP to connect to the Connection Server horizon-01a
    • On your ControlCenter desktop open the rdp folder.
    • Click the RDP shortcut to horizon-01a
    • This will automatically log you into the horizon-01a VM
  2. Open the Microsoft Management Console (MMC) on horizon-01a, so that you can work with certificates
    • In Windows > Start > Run > MMC
    • Use the File menu and select Add/Remove Snap-in.
    • Select Certificates and Add.
    • Select Computer account and click Next.
    • Leave the default selection of Local computer and click Finish.

Export the Connection Server certificate. When you save the file, save it to the S: drive so that you can access it from the Enrollment Server later in the process.

  3. Start the export of the Connection Server certificate.
    • Navigate to the Certificates > Omnissa Horizon Certificates > Certificates folder.
    • Right-click the certificate with the friendly name vdm.ec
    • Select All Tasks > Export.
  4. Complete the Certificate Export wizard.
    • Accept the defaults, including leaving the No, do not export the private key radio button selected.
    • Save the file with a meaningful name: S:\Scripts\horizon01-enrollclient.cer

You only need to export the certificate from one of the Connection Servers in the pod.

Now import the Connection Server certificate into the Enrollment Server Trusted Roots folder.

  5. Use RDP to connect to truesso-01a
    • You should already have an RDP session open from the previous tasks.
  6. Open the Microsoft Management Console (MMC) on truesso-01a, so that you can work with certificates
    • You should have already added the required MMC snap-in for truesso-01a in the previous task.
  7. Import the Connection Server certificate into the Enrollment Server, truesso-01a
    • Navigate to the Certificates > Omnissa Horizon Enrollment Server Trusted Roots folder.
    • Right-click the folder and select All Tasks > Import.
    • Browse to the file you saved from the Connection Server export: S:\Scripts\horizon01-enrollclient.cer
    • Ensure that the certificate will be placed in the Omnissa Horizon Enrollment Server Trusted Roots store.

If you had multiple Enrollment Servers, you would repeat Tasks 6 and 7 on each Enrollment Server.

Task 8: Add the SAML authenticator to the Connection Servers

The Horizon Connection Servers need to trust your SAML Authenticator (IdP). Update the configuration of the Connection Servers to allow delegation of authentication and to define the connection to the SAML authenticator.

  1. Open the Horizon admin console for horizon-01a.
    • On your ControlCenter desktop, open the Google Chrome browser.
    • Click the bookmark on the bookmark bar for horizon-01a
    • This will connect you to the Horizon administrator console at https://horizon-01a.omnissatraining.com/admin
  2. Login to the Horizon admin console.
    • Username: administrator
    • Password: Pa$$w0rd
    • Domain: OmnissaTraining

Edit one Connection Server and add a new SAML 2.0 Authenticator. The Authenticator will be added to the pod.

  1. Edit the settings for Connection Server horizon-01a
    • Navigate to Settings > Servers > Connection Servers
    • Select the entry for HORIZON-01A and click Edit.
  2. Change the allowed authentication methods.
    • Select the Authentication tab.
    • Change Delegation of authentication to Horizon (SAML 2.0 Authenticator) to Allowed.
  3. Manage the SAML Authenticators available for this Horizon pod.
    • Click on MANAGE SAML AUTHENTICATORS.
  4. Start the Add SAML 2.0 Authenticator wizard.
    • Click ADD.
    • Ensure the Type is the default selection of Dynamic.

In this lab you are using an Omnissa Access tenant as the SAML IdP, which provides dynamic metadata. Some SAML IdPs only provide static metadata. Choose the appropriate type, referring to the IdP vendor's documentation.

  5. Define a Label for the SAML Authenticator so that you can identify it.
    • Type an appropriate name for the authenticator in the label field. In this lab use: omnissatraining.com
  6. Update the Metadata URL.
    • Edit the Metadata URL to replace the text portion <YOUR SAML AUTHENTICATOR NAME> with the following:
omnissatraining.ie.wss.workspaceone.com
  7. Close the Add SAML 2.0 Authenticator wizard.
    • Click OK.
  8. Close the Manage SAML Authenticators dialog.
    • Click OK.
  9. Close the Edit Connection Server Settings dialog.
    • Click OK.

While the SAML Authenticator only needs to be defined once per pod, it is enabled on a per Connection Server basis. When you add the SAML 2.0 Authenticator to the pod, it is enabled only on the Connection Servers you chose to edit.

If you have additional Connection Servers in the pod that you want to use this SAML Authenticator, you need to enable it on each one individually.

  1. Edit the settings for Connection Server horizon-01b
    • Select the entry for HORIZON-01B and click Edit.
  2. Change the allowed authentication methods for this Connection Server.
    • Select the Authentication tab.
    • Change Delegation of authentication to Horizon (SAML 2.0 Authenticator) to Allowed.
  3. Enable the SAML 2.0 Authenticator on Horizon-01b.
    • Click on MANAGE SAML AUTHENTICATORS.
    • Select the SAML Authenticator, omnissatraining.com, and click Edit.
    • Tick the box Enabled for Connection Server.
    • Click OK.
  4. Close the Manage SAML Authenticators dialog.
    • Click OK.
  5. Close the Edit Connection Server Settings dialog.
    • Click OK.

Task 9: Connection Server configuration

The last configuration is to add the enrollment servers to the Horizon Connection Servers, and to enable the authenticator.

You will use the vdmutil.exe command-line tool on one of the Connection Servers in the following steps. Note that some steps require synchronization to occur. Use the list commands indicated below to confirm that the previous step has completed before moving on to the next step.

  1. Use RDP to connect to horizon-01a
    • You should already have an RDP session open from the previous tasks.
  2. Open a command prompt, as an Administrator.
    • On horizon-01a use the Search box in the bottom toolbar.
    • Type cmd
    • Select Run as administrator.
    • Change directory to C:\Program Files\Omnissa\Horizon\Server\tools\bin.

You can copy text from the lab manual using the lab Type Clipboard Text feature.

  • Copy the text (select it, right-click, Copy).
  • Click where you want to copy the text to.
  • Select the keyboard icon in the top left of the lab interface.
  • Select Type Text > Type Clipboard Text, and then click the Paste button.
  3. Add the Enrollment Server to the Horizon 8 pod.
    • Run the following command to add the Enrollment Server you installed to the Connection Server pod.
vdmutil --authAs administrator --authDomain omnissatraining --authPassword Pa$$w0rd --truesso --environment --add --enrollmentServer truesso-01a.omnissatraining.com

Just installing the Enrollment Server software on the Windows Server does not add it to your Horizon 8 pod. This needs to be done manually using the command given above.

After running the above command to add your Enrollment Server to the Horizon pod, there can be a delay of 30-40 seconds before it is fully registered with the pod. You may need to run the next command a few times before you see the Enrollment Server listed.

  4. List the Enrollment Servers that have been added to the pod.
    • Run the following command.
vdmutil --authAs administrator --authDomain omnissatraining --authPassword Pa$$w0rd --truesso --environment --list --enrollmentServers

Listing all the Enrollment Servers that have been added to the pod confirms that they have been correctly added.

  5. List an individual Enrollment Server (truesso-01a) to get detailed information about the components of the environment that you will need when configuring True SSO.
    • Run the following command.
vdmutil --authAs administrator --authDomain omnissatraining --authPassword Pa$$w0rd --truesso --environment --list --enrollmentServer truesso-01a.omnissatraining.com --domain omnissatraining.com

Listing the details of an individual Enrollment Server gives information, including the AD domain, name of the certificate template, and the Certificate Authority.

  6. Create the True SSO connector.
    • Run the following command.
vdmutil --authAs administrator --authDomain omnissatraining --authPassword Pa$$w0rd --truesso --create --connector --domain omnissatraining.com --template TrueSSO --primaryEnrollmentServer truesso-01a.omnissatraining.com --certificateServer omnissatraining-CA --mode enabled

A True SSO connector is a configuration set in which you specify the Enrollment Server(s), Certificate Authority(s) and certificate template to use for a given Active Directory domain. When a Connection Server receives a request to launch a desktop for an Active Directory user, it looks up the True SSO connector for the domain the user belongs to and uses the components specified there to obtain a certificate on behalf of the user.

  7. List the SAML authenticator details. This is the SAML authenticator you created earlier.
    • Run the following command.
vdmutil --authAs administrator --authDomain omnissatraining --authPassword Pa$$w0rd --truesso --list --authenticator

The SAML Authenticator holds the trust and metadata exchange between the Horizon pod and the SAML IdP. You need to identify the correct SAML Authenticator so that you can enable it for use with True SSO in the next command.

You will see the SAML Authenticator you added to your Horizon-01 pod in task 8.

  8. Enable True SSO for the SAML Authenticator.
    • Run the following command.
vdmutil --authAs administrator --authDomain omnissatraining --authPassword Pa$$w0rd --truesso --authenticator --edit --name omnissatraining.com --truessoMode ENABLED

The last step required is to enable the True SSO connector you have added to your Horizon pod so that it can be used for True SSO.

True SSO is now configured.

Task 10: Check the True SSO status in the Horizon admin console

The Horizon admin console dashboard can be used to view the status of the True SSO components.

  1. Open the Horizon admin console for horizon-01a.
    • On your ControlCenter desktop, open the Google Chrome browser.
    • Click the bookmark on the bookmark bar for horizon-01a
    • This will connect you to the Horizon administrator console at https://horizon-01a.omnissatraining.com/admin
  2. Login to the Horizon admin console.
    • Username: administrator
    • Password: Pa$$w0rd
    • Domain: OmnissaTraining
  3. Open the Dashboard view.
    • Navigate to Monitor > Dashboard
    • Click on View in the System Health pane.
  4. View the TrueSSO components.
    • Click on the TrueSSO tab.
    • Verify that the Managed Domain, Enrollment Server, Certificate Authority and Template are all present with a healthy status reported.

This concludes this lab.
