This blog explains how to setup DUO Security to enable Multi-Factor Authentication (MFA) in Horizon DaaS and in Horizon Cloud. Since these platforms share the same install-base, the configuration is exactly the same.

The setup is a bit different compared to VMware Horizon 7 because in Horizon DaaS and Cloud we have Tenant Appliances which act as the brokering mechanism, instead of Connection Servers. In addition, Horizon DaaS and Cloud do not have the View Administrator console but use the Horizon Admin portal to configure tenant settings, such as Active Directory and RADIUS configurations.

DUO Security

DUO Security delivers a cloud-based MFA. Customers will have to install an Authentication Proxy server, which acts as the local RADIUS server but will actually forward each request to DUO Security. Via this proxy server DUO will integrate with the customer systems, such as Active Directory. Most customers will choose the option to integrate their own Active Directory as the authentication source, but it is also possible to use one provided by DUO.

When using Active Directory as the authentication source, DUO will validate the user account and password against the customer Active Directory before prompting the user for their second authentication factor.

Authentication Process

Before we start configuring the DUO settings, let’s briefly explain how the authentication process is handled if we setup DUO Security correctly:

  1. Primary authentication initiated to VMware Cloud or DaaS
  2. VMware Cloud/DaaS sends the RADIUS authentication request to DUO Security’s authentication proxy
  3. Primary credential verification using Active Directory
  4. DUO Authentication Proxy connection established to DUO Security over TCP port 443
  5. Secondary authentication via DUO Security’s service
  6. The DUO authentication proxy receives an authentication response and sends to VMware Cloud/DaaS
  7. VMware Cloud/DaaS performs primary authentication to Active Directory
  8. Access to the VMware Horizon Cloud or DaaS resources are granted

The process is shown in the following illustration:

2019-02-14 10_36_37-authentication-process.png - Paint

Configuration

If not done already, the first step is to register an account with DUO Security and retrieve the integration keysecret key, and API hostname, which you will need for the Authentication Proxy server configuration. I will not describe these steps in this blog, as this is quite simple to do.

The second step is to install the Authentication Proxy server. Within VMware Horizon Cloud or DaaS, you simply have to create an additional Utility Server (i.e. infrastructure enabling server)

DUO Security recommends the following specifications:

  • Operating Systems: Windows and Linux systems (Windows Server 2012 R2 or later, Red Hat Enterprise Linux 6 or later)
  • Specifications: 1 CPU, 200 MB free disk space, and 4 GB RAM.

Next, install the DUO Security software on this server and follow setup instructions.

After the installation completes, you will need to configure the proxy via a proxy file. The DUO Authentication Proxy configuration file is named authproxy.cfg and is located  in:

  • Windows (64-bit): C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
  • Linux: /opt/duoauthproxy/conf/authproxy.cfg

All options within this file are very well described at the DUO Security page, the only problem is they’re specifically for VMware Horizon 7 (View) and not VMware Horizon DaaS or Cloud.

Below is a Horizon DaaS or Cloud configuration file you can use if the requirements are:

  • Active Directory is the primary authenticator (ad_client)
  • In the event that Duo’s service cannot be contacted, all users’ authentication attempts will be rejected (failmode secure)
  • Importing users to DUO is done via Active Directory synchronization (cloud)

[ad_client]
host=DOMAIN CONTROLLER 1
host_2=DOMAIN CONTROLLER 2
service_account_username= Name
service_account_password= Password
search_dn=DC=demo,DC=local

[radius_server_challenge]
ikey= The integration key – Fetch from DUO Security portal
skey= The secret key – Fetch from DUO Security portal
api_host= The API hostname (e.g. “api-XXXXXXXX.duosecurity.com”).
failmode=secure
client=ad_client
radius_ip_1= IP Address UAG 1
radius_ip_2= IP Address UAG 2
radius_secret_1= Insert Password Here
radius_secret_2= Insert Same Password Here
port=1812
prompt_format=short

[cloud]
ikey= Directory sync integration key
skey= Directory sync integration secret
api_host= Directory sync API hostname

 

Horizon Admin portal

Once the configuration of the Authentication Proxy server is complete, we log in to the Horizon Admin portal of the Horizon DaaS or Cloud environment.

Next, we go to Settings -> 2 Factor Auth. Click New.

2019-02-14 15_47_57-VMware Horizon DaaS

2019-02-14 15_48_47-VMware Horizon DaaS

Choose RADIUS. Fill in the DUO Security configuration as shown in the following screenshot. Click Save when done.

2019-02-14 17_12_26-VMware Horizon DaaS

You will then be presented with a TEST Authentication page. Only if the test succeeds, the configuration is completely saved.2019-02-14 17_15_29-VMware Horizon DaaS

External Connections

As shown in the above screenshot, you are able to only present MFA to External Users only. Internal users will then only be asked for their user id and password. The Horizon Cloud and DaaS platform can filter users that are coming from the internet – via the external UAG, or via internal connections – via the Floating IP of the tenant appliances or internal UAG.

You can also force this behavior with Internal Networks. Internal Networks are trusted and will never be presented with MFA. Via Service Center, you can configure one or multiple internal Subnet IP ranges. As a Service Provider in Horizon DaaS, you go to the Tenants menu, Edit Tenant, tab Remote Access. For Horizon Cloud environment, you must request this to VMware.

2019-02-18 09_25_42-FLT-WS19-VDI

After the Subnet IP(s) are configured, you can confirm the configuration in the Horizon Admin portal in the General Settings menu.

2019-02-18 09_27_16-VMware Horizon DaaS

End-User Experience

User experience is very important! A good thing to know with VMware Horizon Cloud or DaaS MFA is both platforms will always ask for the passcode first and then the password. Within both platforms, there is currently no way to switch to the password first and then the passcode.

It’s good to know upfront that passcode first can result in a bit of strange behavior if you are limited by your MFA solution. For example, within some MFA solutions, the passcode is triggered only when filling in the password.

Using the DUO configuration file as shown in this blog, will also trigger the passcode after the password. In this scenario, the user experience will be as follows:

Step 1: In the passcode field, fill in your password

2019-02-18 09_48_02-Untitled - Paint

Step 2: In the Next Code field, fill in the passcode. (Or press “OK” on your mobile if you have configured push authentication)

2019-02-18 09_49_43-Untitled - Paint

Step 3: Fill in your password

2019-02-18 09_51_09-Untitled - Paint

Conclusion

As you can see, the implementation of DUO Security MFA for the VMware Horizon Cloud and DaaS platforms is not very difficult. Use the configuration file in this blog as a base and reconfigure it for your customer requirements. Once implemented, it’s also very important to test and verify the login experience!