Skip to content

VMware Horizon authentication using AzureAD (with multifactor) – Part 5: TrueSSO Setup

This is part of a series of post for setting up VMware Horizon authentication using AzureAD.


TrueSSO setup

We are almost there! So far we have created our sub-CAs, setup certificate templates, installed the enrollment server and configured the SAML authentication. At this point, Connecting to the UAG will redirect the user to Azure to log in and when successfully authenticated redirect the user back to the UAG which will then allow access to Horizon. However, because in the SAML authentication the password of the user is not included in the SAML response, the UAG only knows the user that is trying to log on and that the logon was successful (or not), but doesn’t know the password to authenticate that user to the local AD for access to the Horizon environment. That’s where TrueSSO comes into play. By configuring TrueSSO, we will request a certificate for the authenticated user that will be used to authenticate against Active Directory and in this way, provide a single sign-on experience for the user.

So let’s connect all our parts together now!

On a connection server, open a command prompt window and navigate to “C:\Program Files\VMware\VMware View\Server\tools\bin\”

First, we will register the enrollment servers in Horizon. Carefully review the following command and adjust where necessary. Remember all parameters are case-sensitive!

vdmUtil --authAs <admin> --authDomain <netbios> --authPassword <password> --truesso --environment --add --enrollmentServer <server1-fqdn>,<server2-fqdn>

<admin> is your horizon admin username (without domain name before or after!)
<netbios> is the NETBIOS name of your domain (the part you put in front of a username: e.g. COMP\username)
<password> is the password of the Horizon admin user
<server1-fqdn>,<server2-fqdn> is a comma-separated list of servers you want to add as enrollment servers (e.g. TSSO1.company.local,TSSO2.company.local)

To check if the servers are correctly added, you can run the following command (it can take some time before this command gives any results)

vdmUtil --authAs <admin> --authDomain <netbios> --authPassword <password> --truesso --environment --enrollmentServers --list

To check if both servers are configured correctly, run the following command for each enrollment server

vdmUtil --authAs <admin> --authDomain <netbios> --authPassword <password> --truesso --environment --list --enrollmentServer <server-fqdn> --domain <domain-fqdn>

The output will show you if the enrollment state is valid, the name of valid certificate templates that were found for TrueSSO, and a list of CAs that can be used.

If everything looks fine, let’s create a TrueSSO connector specifying which enrollment servers, which certificate template, and which CAs we want to use for our domain.

vdmUtil --authAs <admin> --authDomain <netbios> --authPassword <password> --truesso --create --connector --domain <domain-fqdn> --template <certificate-template-name> --primaryEnrollmentServer <server1-fqdn> --secondaryEnrollmentServer <server2-fqdn> --certificateServer <ca1>,<ca2> --mode ENABLED

<domain-fqdn> is your fully qualified domain name (e.g. company.local)
<certificate-template-name> is the name you gave to the TrueSSO certificate template we have created (e.g. TrueSSOCert). This must be a template that is listed in the previous output under “Template(s):”. If you don’t see your template there, review the part about Certificate Templates again.
<server1-fqdn>/<server2-fqdn> are the fully qualified server names of your enrollment servers. If you only use 1 enrollment server, you can remove the “–secondaryEnrollmentServer <server2-fqdn>” part.
<ca1>,<ca2> is a comma-separated list of your (sub-)CAs you want to use to issue TrueSSO certificates. These must also be in the list of “Certificate Authority(s):” in the previous output.

The last step we now have to do is to enable TrueSSO mode on the SAML authenticator on Horizon.

To show a list of authenticators and their TrueSSO status run the following command

vdmUtil --authAs <admin> --authDomain <netbios> --authPassword <password> --truesso --list --authenticator

As you can see, by default TrueSSO is disabled on the authenticator. We can enable it using the following command:

vdmUtil --authAs <admin> --authDomain <netbios> --authPassword <password> --truesso --authenticator --edit --name <authenticator> --truessoMode ALWAYS

<authenticator> is the name of the SAML authenticator, as seen in the output of the previous command (e.g. AzureAD).

Once you have done all the above steps, you can view the status of the TrueSSO components on the Horizon Dashboard:

Now all the steps to allow AzureAD authentication to have external access to our VMware Horizon environment are completed!

When you login through the UAG now, you will be redirected to AzureAD to authenticate and once you are successfully authenticated, you will be redirected back to the UAG and complete the TrueSSO process to allow you access to your VMware Horizon environment!




1 thought on “VMware Horizon authentication using AzureAD (with multifactor) – Part 5: TrueSSO Setup”

  1. Pingback: VMware Horizon authentication using AzureAD (with multifactor) – Part 2: Certification Template – MickeyByte IT Pro Blog

Leave a Reply

Your email address will not be published.