This is part of a series of posts for setting up VMware Horizon authentication using AzureAD.
- Part 1: Setup sub-CA(s)
- Part 2: Certificate Template
- Part 3: Enrollment Servers
- Part 4: SAML Setup
- Part 5: True SSO Setup
Enrollment server(s)
Repeat all steps in this part on both enrollment/sub-CA servers!
On the enrollment/sub-CA server, open the local machine certificate manager:
certlm.msc
Right-click the Personal node, choose All Tasks > Request New Certificate.
Click Next on the welcome page. Select “Active Directory Enrollment Policy” and click Next.
Select “Enrollment Agent (computer)” and click Enroll. If you don’t see the enrollment template, cancel the wizard, force a gpupdate and start the “Request New Certificate” wizard again.
A few seconds later, the enrollment certificate should be issued.
When you check the personal certificates, you should now see a sub-CA certificate and an enrollment certificate.
Next, we are going to install the Horizon Enrollment Server. For this we need the installation file of the Horizon Connection Server; the enrollment server is one of its installation options. Be sure to use the same version as your already installed connection servers.
Click next on the welcome page of the installation wizard and accept the license agreement.
Choose the location where the software will be installed.
On the Installation options page, select “Horizon Enrollment Server” and click Next.
On the firewall configuration page, choose whether you want to configure Windows Firewall automatically or not. If you don’t, make sure incoming TCP port 32111 is opened from the Horizon connection servers to the enrollment servers.
Click Install on the summary page and wait for the setup to finish.
Next, copy the following contents to a .reg file and import it on both servers:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service]
"PreferLocalCa"="1"
"UseNTLMAuthenticationToCa"="TRUE"
"UseKerberosAuthenticationToCa"="FALSE"
PreferLocalCa: tells the enrollment server to try the locally installed CA first when requesting certificates.
The other 2 keys are required in Horizon 2111 (but also work on older versions) if the enrollment server and CA are installed on the same server (thanks @RochNorwa: MiniKB: TrueSSO – Enrollment Server unable to connect to CA: The authentication service is unknown – Roch’s Brain Backup Blog).
Restart the VMware Horizon Enrollment Server service after adding the registry keys.
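As an added example (not from the original post or from VMware), the following PowerShell script does the same as the .reg import and service restart above, and then checks that the Enrollment Agent (computer) certificate requested earlier is actually present in the machine Personal store. The service display name pattern and the store path are assumptions; the Certificate Request Agent EKU OID is the standard one.

```powershell
# Added example: apply the enrollment-service registry values, restart the service
# and verify the Enrollment Agent certificate. Run elevated on each enrollment server.

$regPath = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service'
$values = @{
    PreferLocalCa                 = '1'
    UseNTLMAuthenticationToCa     = 'TRUE'
    UseKerberosAuthenticationToCa = 'FALSE'
}

if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
foreach ($name in $values.Keys) {
    # The .reg file writes these as REG_SZ strings, so do the same here.
    New-ItemProperty -Path $regPath -Name $name -Value $values[$name] `
        -PropertyType String -Force | Out-Null
}

# Read back what is now set
Get-ItemProperty -Path $regPath |
    Select-Object PreferLocalCa, UseNTLMAuthenticationToCa, UseKerberosAuthenticationToCa

# Restart the enrollment service so it picks up the new settings
# (display name pattern is an assumption; check services.msc if it is not found)
$svc = Get-Service -DisplayName 'VMware Horizon Enrollment Server*' -ErrorAction SilentlyContinue
if ($svc) {
    Restart-Service -InputObject $svc -Force
    Write-Host "Restarted $($svc.DisplayName)"
} else {
    Write-Warning 'Enrollment service not found; restart it manually.'
}

# Verify a valid Enrollment Agent certificate exists in the machine Personal store.
# 1.3.6.1.4.1.311.20.2.1 is the Certificate Request Agent EKU.
$agentCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.1' -and
    $_.NotAfter -gt (Get-Date)
}
if ($agentCerts) {
    $agentCerts | Select-Object Subject, NotAfter, Thumbprint
} else {
    Write-Warning 'No valid Enrollment Agent (computer) certificate found; re-run the Request New Certificate wizard.'
}

# From a Connection Server, confirm TCP 32111 is reachable on each enrollment server:
# Test-NetConnection -ComputerName <enrollment-server> -Port 32111
```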
Next, we need to connect to a Horizon Connection server and open the local machine certificates.
Go to VMware Horizon View Certificates\Certificates and export the “vdm.ec” certificate.
Right-click the certificate, choose All Tasks > Export…
Don’t export the private key.
Leave the default format.
Specify a location to save the certificate.
Finish the export wizard.
Copy the certificate to both enrollment servers.
On the enrollment servers, start the local machine certificate console and open the “VMware Horizon Enrollment Server Trusted Roots” node. Right-click and choose All Tasks > Import…
Choose the vdm-ec.cer certificate we just saved.
Check the correct location and finish the import.
Now our enrollment servers are ready to be used.
Now, continue with the next part: SAML Setup