Skip to content

VMware Horizon authentication using AzureAD (with multifactor) – Part 2: Certification Template

This is part of a series of post for setting up VMware Horizon authentication using AzureAD.


Certification Template

The way TrueSSO works is it is using a certificate issued for the user after a successful SAML authentication and authenticates against AD using a smartcard type logon with that certificate. Those certificates are short-lived certificates, valid for approximately 8 or 12 hours (depending on the user’s average working time). Therefore we must create a specific certificate template to be used by TrueSSO based on the built-in template for smartcard logons.

On one of the newly installed sub-CA servers open the Certification Authority console. Right-click the Certificate Templates node and select Manage

In the Certificate templates window, search the “Smartcard Logon” template, right-click and choose “Duplicate Template”

On the new template properties, we need to adjust several settings.
On the “compatibility” tab, change the compatibility settings to at least Windows Server 2012 R2 for both the authority and the recipient. A popup will show the changes with the previous value, confirm that with OK

On the “general” tab, enter a display name and a template name. For simplicity, keep those the same and don’t use spaces. We will need this name later on.
Set the validity period to the average working time of the user (e.g. 10 hours), but longer than Kerberos TGT renewal time (by default 10 hours). Set the renewal period to 50%~75% of the validity period. Do not check the “Publish certificate in AD”!

On the “Request Handling” tab, change the purpose to “Signature and smartcard logon” and check the option “For automatic renewal of smart card…”

On the “Cryptography” tab, change the Provider Category to “Key Storage Provider” and make sure the Algorithm name is set to RSA.

On the “Server” tab, check the option “Do not store certificates…”. By checking that option, the second option also becomes checked. Be sure to uncheck “Do not include revocation…”

On the “Issuance Requirements” tab, select “This number of authorized signatures” and make sure “1” is filled in the box. Select “Application policy” for the Policy type required in signature and “Certificate Request Agent” for Application policy.
Choose the option “Valid existing certificate” for the “Require the following for reenrollment” option.

On the “Security” tab, add the 2 sub-CA servers and give them “Read” and “Enroll” rights

Once you have completed all these changes, you can click OK to save them and return to the Certificate templates window.

Back in the Certificate templates window, search the template “Enrollment Agent (computer)”. Right-click the template and choose Properties

On the Security tab, add again the 2 sub-CA servers and give them Read and Enroll rights and click OK

Next close the Certificate templates window.

The previous changes to the certificate templates should only be done once and will be replicated throughout the domain to all CA servers.

Now we will add those 2 certificate templates we have modified to both of our sub-CA servers. Remember to repeat the next steps on both servers!

In the Certification Authority console, right-click the Certificate Templates node, choose New > Certificate Template to Issue

Select the newly created certificate template in the list and click OK. If you don’t find the template on the sub-CA, wait a bit until the new template is replicated throughout the domain.

Right-click again on the Certificate templates node and choose New > Certificate Template to Issue. Now select the template “Enrollment Agent (computer)”

The Sub-CA servers are now ready with the correct templates loaded. Continue with the next part: Enrollment Servers


This is part of a series of post for setting up VMware Horizon authentication using AzureAD.


Leave a Reply

Your email address will not be published.