Setting Up True Single Sign-On™ (True SSO™) in Horizon


Ramesh V

  • Employee

In the realm of virtual desktop infrastructure (VDI), seamless user experience and security are paramount. VMware Horizon, a leading VDI solution, offers True Single Sign-On™ (True SSO™) to enhance both aspects. True SSO allows users to authenticate once and gain access to their virtual desktops and applications without the need for re-entering credentials. This not only improves user convenience but also strengthens security by reducing the risk of credential theft.

Understanding True SSO

True SSO is an advanced feature in VMware Horizon that integrates with VMware Workspace ONE Access. It leverages smart cards, RSA SecurID, RADIUS, or third-party identity providers for authentication. Once users log in to Workspace ONE Access using these methods, they can launch virtual desktops or applications without providing their Active Directory credentials. This is particularly beneficial for users who access resources from untrusted domains or use devices outside the corporate network.

Prerequisites for True SSO

Before setting up True SSO, ensure that you have the following prerequisites in place:

  • Microsoft Certificate Authority is set up, which is crucial for managing and issuing digital certificates.

  • Certificate templates for True SSO are created, defining the rules and policies for issuing certificates.

  • Horizon Enrollment server is installed and configured to manage the enrollment of users and devices.

  • Horizon Enrollment service client certificate is exported and imported onto the enrollment server.

Configuring True SSO

The process of configuring True SSO involves several steps:

  1. Set Up a Microsoft Certificate Authority: If you don't have an existing CA, you'll need to add the Active Directory Certificate Services (AD CS) role to a Windows server and configure it as an enterprise CA.

  2. Create Certificate Templates Used with True SSO: Define the certificate templates that will be used to issue certificates for True SSO.

  3. Install and Set Up an Enrollment Server: Deploy a Horizon Enrollment server to handle the enrollment process for users and devices.

  4. Export the Enrollment Service Client Certificate: Export the client certificate from the Horizon Enrollment server for later use in the configuration process.

  5. Configure SAML Authentication to Work with True SSO: Set up SAML authentication to integrate with VMware Workspace ONE Access, which is a prerequisite for True SSO.

  6. Configure Horizon Connection Server for True SSO: Use the vdmutil command-line interface to configure True SSO on the connection server.

Advanced Configuration Settings

For more granular control over True SSO, you can manage advanced settings using Group Policy Objects (GPOs) on the Horizon Agent machine, registry settings on the Horizon Enrollment server, and LDAP entries on the Connection Server. These settings include configuring default timeouts, load balancing, and specifying domains to be included.

Troubleshooting True SSO

If True SSO stops working, users might see an "incorrect username or password" message. To troubleshoot, administrators can use the system health dashboard in Horizon Console to identify and resolve issues related to True SSO.

Conclusion

True SSO in VMware Horizon is a powerful feature that simplifies the authentication process for users while enhancing security. By following the steps outlined in this guide, you can set up True SSO in your Horizon environment, providing your users with a more seamless and secure experience. Remember to refer to the official VMware documentation for the most up-to-date information and best practices.

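The six steps above end with "use the vdmutil command-line interface"; the following PowerShell wrapper is an added example, not part of the original post, showing how a Connection Server administrator would script that last step so that nothing is typed ad hoc and every call is checked. The install path of vdmutil, and every host, domain, template and CA name, are placeholders or assumptions to be replaced with your own values; the vdmutil options used are the documented True SSO environment, connector and authenticator options, so confirm them against the reference for your Horizon version.

```powershell
# Added example (not from the original post): scripts the Connection Server part of
# the True SSO setup with vdmutil. Run from an elevated PowerShell on the Connection
# Server after the Enrollment Server, CA and template from the earlier steps exist.
$ErrorActionPreference = 'Stop'

# Default install location of vdmutil on a Connection Server (assumption; adjust if needed)
$vdmutil   = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmutil.exe'

# Placeholders: replace with your environment's values
$admin     = 'hzadmin'                 # Horizon administrator allowed to manage True SSO
$domain    = 'corp.example'            # FQDN of the AD domain users sign in to
$enrollSrv = 'enroll01.corp.example'   # Horizon Enrollment Server FQDN
$caName    = 'CORP-ISSUING-CA'         # Common name of the Microsoft CA
$template  = 'TrueSSO'                 # Certificate template created for True SSO
$samlAuth  = 'wsone.corp.example'      # SAML authenticator name (Workspace ONE Access)

# --authPassword "*" makes vdmutil prompt interactively, so the password never lands
# in this script, in command history or in a scheduled-task definition.
$authArgs = @('--authAs', $admin, '--authDomain', $domain, '--authPassword', '*')

function Invoke-Vdmutil {
    param([string[]]$VdmArgs)
    & $vdmutil @authArgs @VdmArgs
    if ($LASTEXITCODE -ne 0) {
        throw "vdmutil failed (exit $LASTEXITCODE): $($VdmArgs -join ' ')"
    }
}

# 1. Register the Enrollment Server with the Connection Server
Invoke-Vdmutil @('--truesso', '--environment', '--add', '--enrollmentServer', $enrollSrv)

# 2. Check that the Enrollment Server can see the CA and the True SSO template
#    for this domain before a connector is created
Invoke-Vdmutil @('--truesso', '--environment', '--list',
                 '--enrollmentServer', $enrollSrv, '--domain', $domain)

# 3. Create the connector that ties domain, template, Enrollment Server and CA together
Invoke-Vdmutil @('--truesso', '--create', '--connector', '--domain', $domain,
                 '--template', $template, '--primaryEnrollmentServer', $enrollSrv,
                 '--certificateServer', $caName, '--mode', 'enabled')

# 4. List the SAML authenticators, then enable True SSO on the Workspace ONE Access one
Invoke-Vdmutil @('--truesso', '--authenticator', '--list')
Invoke-Vdmutil @('--truesso', '--authenticator', '--edit',
                 '--name', $samlAuth, '--truessoMode', 'ENABLED')

# 5. Show the resulting connector so the configuration can be recorded
Invoke-Vdmutil @('--truesso', '--list', '--connector')
```

Run the script once per domain that needs True SSO; the `--environment --list` output in step 2 is the check worth keeping, since a template or CA that is not listed there is the usual reason a connector creation later fails.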

I'm also curious what the status is of TrueSSO being used with Hybrid Domain Joined Instant Clones, as last I heard it doesn't support Azure PRTs (Primary Refresh Tokens).

TrueSSO with support for PRT would be AMAZINGGGGG 😎👌

Stephen Wagner (President, Digitally Accurate Inc.)

VMware vExpert (vExpert Pro, vSphere, vSAN Awards), Omnissa EUC Expert, NVIDIA NGCA Advisor, VMUG Leader, and Director (Board of Directors) at World of EUC

Check out my Tech Blog: https://www.StephenWagner.com


  • Employee
Posted (edited)

Shared this internally, Engineering is validating from their side still before adding it to the KB. Also with instant clones you will always see delays until they are hybrid joined right?! The method was tested with persistent machines. But the underlying issue would be the same.

Quote

SSO using Azure PRT token with VDIs and TrueSSO
So I tested it in one env so far and need to replicate it still, but if somebody else wants to test you can try the following when using TrueSSO and a non federated EntraID/AzureAD together with Hybrid Entra/Azure join.
The issue is that with TrueSSO the login is based on a certificate/smartcard login and the login method is saved in the login information.
To get an Azure PRT the Windows Sign In uses the information against the active login endpoint. Without TrueSSO the user signs in with username/password and that info works against the active flow endpoint of Azure without issues because it offers that method.
When you use TrueSSO it will send the cert data to that active flow endpoint, which cannot validate it as this is not a default method in Entra. You should see non interactive Sign-In log entries for the user and the Windows Sign In service resulting in Failure and with the authentication method x.509 failing.
But since last year you can actually configure CBA for EntraID directly and with that give it an option to handle and validate the TrueSSO certificate information.
So what we did was activate CBA on the Entra tenant and configure it as authentication method with the Root CA certificate used by the Enrollment server.
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication
It will take some minutes for the settings to be applied, so be patient. It is correctly applied when it shows up in the sign in dialog under other ways to sign in or sign in with a certificate link.
Afterwards, when signing in with TrueSSO we can see the Windows Sign In using x.509 successfully, creating the Azure PRT for the user and adding the user under Settings > Accounts > Email & Accounts. SSO was tested with portal.office.com and picks up the PRT.

Edited by Sascha Warno
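The reply above says the outcome to look for is Windows Sign In succeeding with x.509 and a PRT being created for the user. The following PowerShell function is an added example, not part of that reply, for verifying that outcome from inside the VDI session after the Entra CBA change: it parses the built-in `dsregcmd /status` output for the hybrid-join and PRT fields. `dsregcmd` and its field names (`AzureAdJoined`, `DomainJoined`, `AzureAdPrt`, `AzureAdPrtUpdateTime`, `AzureAdPrtAuthority`) are Windows' own; the function name and the grouping of the result are this example's.

```powershell
# Added example (not from the original reply): checks whether the current desktop
# session obtained an Entra (Azure AD) Primary Refresh Token after a True SSO sign-in.
# Run inside the user's session on the hybrid-joined desktop, not as another account,
# because the PRT is held per user session.
function Get-PrtState {
    $status = dsregcmd /status           # built-in Windows tool; returns one string per line
    $fields = @{}
    foreach ($line in $status) {
        # Lines look like "    AzureAdPrt : YES"; keep only the fields we care about
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt|AzureAdPrtUpdateTime|AzureAdPrtAuthority)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        HybridJoined = ($fields['AzureAdJoined'] -eq 'YES' -and $fields['DomainJoined'] -eq 'YES')
        HasPrt       = ($fields['AzureAdPrt'] -eq 'YES')
        PrtUpdated   = $fields['AzureAdPrtUpdateTime']
        Authority    = $fields['AzureAdPrtAuthority']
    }
}

$state = Get-PrtState
$state | Format-List

if (-not $state.HybridJoined) {
    Write-Warning 'Device is not hybrid joined; Windows will not request a PRT at all.'
}
elseif (-not $state.HasPrt) {
    # This is the state the reply describes before CBA is enabled on the tenant:
    # look for the failing non-interactive sign-in entries for Windows Sign In in Entra.
    Write-Warning 'Hybrid joined but no PRT: check the non-interactive sign-in log for Windows Sign In / X.509 failures.'
}
else {
    Write-Output "PRT present (updated $($state.PrtUpdated), authority $($state.Authority))."
}
```

For instant clones, where the reply notes the hybrid join itself lags, run the check once `HybridJoined` is true; a PRT cannot appear before that, so an early `HasPrt` of false is expected rather than a CBA problem.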