True SSO is a VMware Horizon component, with built-in integration to VMware Workspace ONE, that removes the need for end-users to enter their Active Directory (AD) password when they access their entitled VMware Horizon desktops and published applications.
End-users log in to Workspace ONE Access with a non-Active Directory authentication method and, from the Workspace ONE user portal, launch their entitled desktops and applications without ever being prompted for their AD password!
Non-AD authentication examples are:
- Certificate (Cloud Deployment)
- RSA SecurID
- Standards-based third-party identity providers
How does this work? The VMware Enrollment Server(s) (explained below) act as an enrollment agent: on behalf of the end-user they request a temporary, short-lived certificate from the Active Directory Certificate Authority (CA), and that certificate is then used for the Windows logon instead of the user's AD password.
If you want to know a little more about how True SSO works, I can recommend the following blog articles from VMware.
VMware also released a True SSO video that shows how the integration works with Horizon Cloud on IBM Cloud:
This blogpost will focus on implementing True SSO for Horizon DaaS 9.0, Horizon Cloud on IBM Cloud and Horizon Cloud on Azure.
Because the platforms are very similar, the implementation steps are exactly the same.
Before you can even think about implementing True SSO for Horizon DaaS or Cloud, the implementation of Workspace ONE Access is mandatory. Please refer to my previous blog post on how to configure this step-by-step!
Other requirements for True SSO are:
- True SSO Enrollment Server(s): a Windows Server 2012 R2 or 2016 machine with a minimum of 4 GB of memory. VMware recommends two Enrollment Servers for high availability; in this blog I have installed only one.
- Active Directory Certificate Authority (CA) server(s): VMware recommends at least two CA servers for high availability; in this blog I am using only one.
The enrollment service uses TCP 135 (RPC endpoint mapper) for the initial communication with the CA, followed by a dynamic RPC port in the range 1024 to 5000 (older Windows versions) or 49152 to 65535.
The Enrollment Server also communicates with the AD domain controllers, using the usual ports to discover a DC and to bind to and query Active Directory: DNS TCP/UDP 53, Global Catalog TCP 3268/3269 and LDAP(S) TCP 389/636.
The Tenant appliances (Horizon DaaS and Horizon Cloud on IBM Cloud) and Node appliance(s) (Horizon Cloud on Azure) communicate with the Enrollment Server over TCP 32111.
From the virtual desktops, TCP 80 (HTTP) must be open to the CA server(s) so the desktops can download the CRLs.
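To check the firewall requirements above before you start pairing, the following PowerShell script, run from the Enrollment Server, probes each documented TCP port and then does an end-to-end RPC test against the CA with certutil. It is an added example, not part of the original post or of VMware's tooling; the CA and domain controller names and the CA common name are assumptions.

```powershell
# Added example (not from the original post or VMware): probe the True SSO firewall
# requirements from the Enrollment Server. Hostnames below are assumptions.
$Ca     = 'ca01.example.com'      # assumed CA FQDN
$CaName = 'Example-Issuing-CA'    # assumed CA common name (see "certutil -dump")
$Dcs    = @('dc01.example.com')   # assumed domain controller FQDN(s)

function Test-Port([string]$Target, [int]$Port) {
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $Target; Port = $Port; Open = $r.TcpTestSucceeded }
}

$results = @()
$results += Test-Port $Ca 135   # RPC endpoint mapper; the dynamic RPC port is negotiated afterwards
$results += Test-Port $Ca 80    # HTTP CRL download (the virtual desktops need this one as well)
foreach ($dc in $Dcs) {
    # DNS, LDAP, LDAPS, Global Catalog, Global Catalog over SSL
    foreach ($p in 53, 389, 636, 3268, 3269) { $results += Test-Port $dc $p }
}
$results | Format-Table -AutoSize
# Note: Test-NetConnection only tests TCP; DNS over UDP 53 is not covered here.

# A dynamic RPC port cannot be probed in isolation, so test the full path instead:
# certutil -ping talks RPC/DCOM to the CA, exercising TCP 135 and the dynamic port.
certutil -ping -config "$Ca\$CaName"
if ($LASTEXITCODE -ne 0) { Write-Warning 'RPC/DCOM connection to the CA failed; check TCP 135 and the dynamic RPC range' }
```

Run the same Test-Port check for TCP 80 from a virtual desktop as well, since the CRL download happens from the desktop, not from the Enrollment Server.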
Before I show you how to perform the installation, it’s worth mentioning all the required installation steps are also described on the VMware Documentation page.
Step 1: Install and configure the CA server.
This blog will not go into the details of installing a CA server, but one important thing to note is the hash algorithm of your root CA certificate. It must be at least SHA-256, because modern browsers and operating systems no longer accept SHA-1 signatures. You can check your environment's hash algorithm by right-clicking the CA and choosing Properties; it is shown at the bottom of the General tab.
If your environment is still on SHA-1, I can recommend this article from Microsoft on how to migrate to SHA-256.
So, once the hash algorithm is correct, we can proceed with the configuration. First, we configure the CA for non-persistent certificate processing (the short-lived True SSO certificates are not stored in the CA database) and to ignore offline CRL errors. Be aware that the second flag deliberately relaxes revocation checking on the CA, so confirm this is acceptable in your environment. As the last step we restart Certificate Services, as you can see in the screenshot below. The commands are:
- certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
- certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
- net stop certsvc && net start certsvc
Step 2: Create a new Universal Security Group
This is an important step. The new universal security group is where you assign the permissions required for issuing certificates on behalf of end-users (Read and Enroll on the certificate templates, see Step 3). Add the computer account(s) of your True SSO Enrollment Server(s) to this group.
Step 3: Configuring a Certificate Template on the CA server
Next, we need to configure a certificate template on the CA server. Select Control Panel > Administrative Tools > Certification Authority. Right-click the Certificate Templates folder and select Manage.
Right-click on the Smartcard Logon template and select Duplicate Template.
Follow all the steps shown in the slideshow below.
As the last step of the template configuration, go to the Security tab, add the universal group created in Step 2 and allow the Read and Enroll permissions.
Next, we need to issue our newly created True SSO template and the Enrollment Agent (Computer) template for True SSO.
Open the Certification Authority console. Right-click the Certificate Templates folder, click New > Certificate Template to Issue, and issue the two templates.
The Enrollment Agent (Computer) template must have the same security permissions as the True SSO template. In other words, add the universal security group again and allow the Read and Enroll permissions.
The CA is now correctly configured with certificate templates suitable for use with True SSO!
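Steps 1 to 3 can also be scripted and, more importantly, verified. The following PowerShell script is an added example (not from the original post or from VMware) to run elevated on the Enterprise CA with the ActiveDirectory and ADCSAdministration modules available. It sets and checks the two certutil flags, creates the universal group and adds the Enrollment Server computer accounts, grants Read and Enroll on both templates to the group and publishes them. The group name, the Enrollment Server name and the template name "TrueSSO" (the template *name*, not the display name, of your duplicated Smartcard Logon template) are assumptions; "MachineEnrollmentAgent" is the built-in template name of "Enrollment Agent (Computer)". It does not duplicate the Smartcard Logon template itself; that part stays in the GUI slideshow above.

```powershell
# Added example (not from the original post or VMware): CA-side True SSO configuration.
# Assumed names; change them to match your environment.
$GroupName     = 'TrueSSO-EnrollmentServers'   # assumed: universal security group (Step 2)
$EnrollServers = @('TRUESSO-ES01')             # assumed: Enrollment Server computer name(s)
$TrueSsoTpl    = 'TrueSSO'                     # assumed: template NAME of the duplicated Smartcard Logon template
$AgentTpl      = 'MachineEnrollmentAgent'      # built-in template name of "Enrollment Agent (Computer)"

Import-Module ActiveDirectory, ADCSAdministration

# Step 1: volatile (non-persistent) requests, ignore offline CRL errors, restart the CA service.
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS | Out-Null
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE | Out-Null
Restart-Service certsvc

# Verify the flags actually took effect; certutil -getreg lists the symbolic flag names.
$dbFlags  = (certutil -getreg DBFlags) -join ' '
$crlFlags = (certutil -getreg ca\CRLFlags) -join ' '
if ($dbFlags  -notmatch 'DBFLAGS_ENABLEVOLATILEREQUESTS') { throw 'DBFlags not set' }
if ($crlFlags -notmatch 'CRLF_REVCHECK_IGNORE_OFFLINE')   { throw 'CRLFlags not set' }

# Step 2: universal security group holding the Enrollment Server computer accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security
}
foreach ($srv in $EnrollServers) {
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer $srv)
}

# Step 3: Read + Enroll on both templates for the group, then publish them on this CA.
# Templates are objects in the Configuration partition; Enroll is the extended right below.
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$sid         = (Get-ADGroup $GroupName).SID
$cfgNc       = (Get-ADRootDSE).configurationNamingContext
foreach ($tpl in $TrueSsoTpl, $AgentTpl) {
    $dn  = "CN=$tpl,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'GenericRead', 'Allow')))                        # "Read" on the Security tab
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Allow', $enrollRight)))        # "Enroll" on the Security tab
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    Add-CATemplate -Name $tpl -Force                           # "Certificate Template to Issue"
}
```

The Enrollment Server's computer account only carries the new group membership in its Kerberos ticket after it re-authenticates, so reboot the Enrollment Server before you request the enrollment agent certificate in Step 5.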
Step 4: Download the Horizon Admin Pairing Token
The Horizon Admin Pairing Token (or bundle) is required to configure the True SSO server. You can download the pairing bundle in the Horizon Admin portal under Settings > Active Directory.
The downloaded 7-zip file contains two certificate files, which we need to import into the Trusted Roots folder on the True SSO server.
Step 5: Set up the Enrollment Server
Install a Windows Server which meets the requirements from the Installation Requirements chapter. Next, go to the MyVMware website and download the True SSO Enrollment Server software for your specific VMware Horizon environment:
Once the download is complete, install the software on the Enrollment Server.
Next, extract the Horizon Admin Pairing Token 7-zip file downloaded in Step 4. It contains two files: truesso.crt and truesso2.crt. Import both files into the Local Computer's certificate store, specifically the VMware Horizon View Enrollment Server Trusted Roots folder.
Next, check whether the enrollment agent certificate is present. In the Certificates MMC console, expand the Personal folder and select Certificates in the left pane; the enrollment agent certificate should be listed in the right pane. If it is not, follow these steps:
- In the Certificates console, expand the console root tree, right-click the Personal folder, and select All Tasks > Request New Certificate.
- In the Certificate Enrollment wizard, accept the defaults until you get to the Request Certificates page.
- On the Request Certificates page, select the Enrollment Agent (Computer) check box and click Enroll.
- Accept the defaults on the other wizard pages, and click Finish on the last page.
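The Enrollment Server side of Step 5 can be done and checked from PowerShell too. The script below is an added example (not from the original post or VMware): it imports the two pairing certificates, looks for a valid enrollment agent certificate in the computer's Personal store by its Certificate Request Agent EKU, requests one from the Enrollment Agent (Computer) template if none exists, and confirms that something listens on TCP 32111 for the tenant/node appliances. The extraction path and the assumption that the custom store's name equals its MMC display name are mine; run it elevated on the Enrollment Server after installing the True SSO software.

```powershell
# Added example (not from the original post or VMware): Enrollment Server setup checks.
$BundleDir = 'C:\TrueSSO'   # assumed: where the pairing bundle was extracted
# Assumed: the custom store is addressable under its MMC display name.
$RootStore = 'Cert:\LocalMachine\VMware Horizon View Enrollment Server Trusted Roots'
$AgentTpl  = 'MachineEnrollmentAgent'     # built-in template name of "Enrollment Agent (Computer)"
$AgentEku  = '1.3.6.1.4.1.311.20.2.1'     # Certificate Request Agent EKU OID

# Import both pairing certificates (truesso.crt, truesso2.crt) into the Horizon trusted-roots store.
foreach ($f in 'truesso.crt', 'truesso2.crt') {
    Import-Certificate -FilePath (Join-Path $BundleDir $f) -CertStoreLocation $RootStore | Out-Null
}
Get-ChildItem $RootStore | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# An enrollment agent certificate must be in the computer's Personal store, with a private key,
# not expired, and carrying the Certificate Request Agent EKU.
function Get-EnrollmentAgentCert {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $AgentEku)
    }
}

if (-not (Get-EnrollmentAgentCert)) {
    # Equivalent of "All Tasks > Request New Certificate > Enrollment Agent (Computer)" in the MMC.
    $req = Get-Certificate -Template $AgentTpl -CertStoreLocation Cert:\LocalMachine\My
    if ($req.Status -ne 'Issued') { throw "Enrollment agent request failed with status: $($req.Status)" }
}
Get-EnrollmentAgentCert | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# The tenant/node appliances pair with the Enrollment Server on TCP 32111.
$listener = Get-NetTCPConnection -LocalPort 32111 -State Listen -ErrorAction SilentlyContinue
if (-not $listener) { Write-Warning 'Nothing is listening on TCP 32111; check the True SSO enrollment service' }
```

If Get-Certificate returns Denied, the usual cause is that the Enrollment Server's computer account is not yet in the universal group from Step 2 (or has not rebooted since being added), or that the Enrollment Agent (Computer) template was not issued on the CA in Step 3.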
Step 6: Add the True SSO Enrollment Server to the Horizon Admin portal
Go to the same location in the Horizon Admin portal as in Step 4. This time click the Add button to add the True SSO Enrollment Server(s).
Enter the FQDN of your server and click TEST PAIRING.
If the server is reachable and correctly set up, you will see a green check mark!
Step 7: Configure Workspace ONE Access to use True SSO
As the final step, we must configure our Workspace ONE Access portal to use True SSO. Log in to the Admin Console of the Workspace ONE Access portal. Open your Virtual Apps Collection and edit the configured Horizon environment (in my case the Horizon DaaS 9.0 platform). Edit the tenant and enable True SSO.
These steps complete the True SSO configuration!
The User Experience
Let’s test the result and user experience!
As my primary authentication, I’m using the non-AD authentication type Certificate (Cloud Deployment) and as a fallback the password, should the primary not work for some reason.
When the end-user launches the Workspace ONE Access portal (from a domain-joined machine), they are first logged in with the certificate (yes, I know, you can hide this certificate prompt; it is shown here only to make the authentication method visible).
Now that the end-user is logged in, they can launch the VMware Horizon Cloud / DaaS resource without ever being prompted for the AD password!
Still not working?
Is True SSO not working for you? It might be caused by one of the following problems:
- Horizon Windows Desktop or App fails with logon error: ‘an invalid parameter was passed to a service or function’: VMware KB79644
- TrueSSO: “The request is not supported” while launching a published App\Desktop: VMware KB59953
- Event ID 9: “The revocation function was unable to check revocation because the revocation server was offline”: the CRL could not be retrieved from the CA.
- Please make sure you have opened all required firewall ports (see the firewall requirements above), including TCP 80 from the virtual desktops to the CA server(s), which is where the CRLs are downloaded from.
- You can also download the VMware Fling True SSO Diagnostic Utility, a stand-alone executable you run on your Enrollment Server. I would personally recommend the following command lines:
- es_diag.exe /ListConfigs
- es_diag.exe /enrollmenttest /domain:<domain fqdn> /clusterid:<clusterid> /requester:<domain\userid> /template:<name of the True SSO template>
- For more command-lines, please refer to the True SSO Diagnostic Utility documentation