VMware Horizon authentication using AzureAD (with multifactor) – Part 3: Enrollment Servers

This is part of a series of posts on setting up VMware Horizon authentication using AzureAD.


Enrollment server(s)

Repeat all steps in this part on both enrollment/sub-CA servers!

On the enrollment/sub-CA server, open the local machine certificate manager:

certlm.msc

Right-click the Personal node and choose All Tasks > Request New Certificate.

Click Next on the welcome page. Select “Active Directory Enrollment Policy” and click Next.

Select “Enrollment Agent (computer)” and click Enroll. If you don’t see the enrollment template, cancel the wizard, force a gpupdate and start the “Request New Certificate” wizard again.

A few seconds later, the enrollment certificate should be issued.

When you check the personal certificates, you should now see both a sub-CA certificate and an enrollment certificate.

Next, we are going to install the Horizon Enrollment Server. For this we need the installation file for the Horizon Connection Server; be sure to use the same version as your already installed connection servers.

Click next on the welcome page of the installation wizard and accept the license agreement.
Choose the location where the software will be installed.
On the Installation options page, select “Horizon Enrollment Server” and click Next.

On the firewall configuration page, choose whether you want to configure Windows Firewall automatically or not. If you don’t, make sure incoming TCP port 32111 is opened from the Horizon connection servers to the enrollment servers.

Click Install on the summary page and wait for the setup to finish.

Next, copy the following contents to a .reg file and import it on both enrollment servers:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service]
"PreferLocalCa"="1"
"UseNTLMAuthenticationToCa"="TRUE"
"UseKerberosAuthenticationToCa"="FALSE"

PreferLocalCa tells the enrollment server to try the locally installed CA first when requesting certificates.
The other two keys are required in Horizon 2111 (they also work on older versions) when the enrollment server and the CA are installed on the same server (thanks @RochNorwa: MiniKB: TrueSSO – Enrollment Server unable to connect to CA: The authentication service is unknown – Roch’s Brain Backup Blog).

Restart the VMware Horizon Enrollment server service after adding the registry keys.
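As an added example (not from the original post), the registry step and service restart above as a PowerShell script, run in an elevated session on each enrollment server, with a read-back of the values and a check that the Enrollment Agent (computer) certificate from the earlier step is present. The service display name pattern and the host name in the last line are assumptions.

```powershell
# Added example, not from the original post. Applies the three registry values
# from the .reg file above, restarts the enrollment service and verifies prerequisites.
$ErrorActionPreference = 'Stop'

$key = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service'
# Same names and values as the .reg file; all three are REG_SZ strings.
$settings = @{
    PreferLocalCa                 = '1'
    UseNTLMAuthenticationToCa     = 'TRUE'
    UseKerberosAuthenticationToCa = 'FALSE'
}

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $key -Name $name -Value $settings[$name] -PropertyType String -Force | Out-Null
}

# Read the values back and fail loudly if any of them did not land as expected.
$actual = Get-ItemProperty -Path $key
foreach ($name in $settings.Keys) {
    if ($actual.$name -ne $settings[$name]) {
        throw "Registry value $name is '$($actual.$name)', expected '$($settings[$name])'"
    }
}

# Restart the enrollment service so it picks up the new settings.
# Assumption: the service display name starts with 'VMware Horizon Enrollment Server'.
$svc = Get-Service -DisplayName 'VMware Horizon Enrollment Server*'
Restart-Service -InputObject $svc -Force

# The Enrollment Agent (computer) certificate carries the Certificate Request Agent
# EKU (OID 1.3.6.1.4.1.311.20.2.1); make sure a valid one is in the machine Personal store.
$agent = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.1' -and $_.NotAfter -gt (Get-Date)
}
if (-not $agent) {
    throw 'No valid Enrollment Agent (computer) certificate found; repeat the certlm.msc enrollment step.'
}

# Port 32111 must be reachable from the connection servers; run this line from a
# connection server. 'enroll01' is a placeholder host name.
# Test-NetConnection -ComputerName enroll01 -Port 32111
```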

Next, connect to a Horizon Connection server and open the local machine certificates.
Go to VMware Horizon View Certificates\Certificates and export the “vdm.ec” certificate.

Right-click the certificate and choose All Tasks > Export…
Don’t export the private key.

Leave the default format.

Specify a location to save the certificate.

Finish the export wizard.

Copy the certificate to both enrollment servers.

On the enrollment servers, start the local machine certificate console and open the “VMware Horizon Enrollment Server Trusted Roots” node. Right-click and choose All Tasks > Import…

Choose the vdm-ec.cer certificate we just saved.

Check that the correct store is selected and finish the import.

Now our enrollment servers are ready to be used.

Now, continue with the next part: SAML Setup.



