This article is written for lab demonstration purposes, and some of the practices shown are not recommended for production.
As part of a customer requirement project, I was asked to prove/demo how Okta can help deliver a passwordless experience so that their end users can seamlessly access their virtual apps and desktops from anywhere.
Before we dive in, it’s important to name the fundamental steps needed to deliver this outcome. First of all, you need a Horizon on-prem infrastructure exposed to the internet through the VMware Universal Access Gateway (UAG).
The next step, the Okta integration with VMware Horizon, was, I must say, the easiest part.
The last and very important part is getting Horizon True SSO working, which can be quite challenging, so today I will share some tips to get it going.
1.) Setting up your Horizon Infrastructure for Lab purpose:
I really recommend following this article from VMware Tech Zone, which will get you up and running with Horizon on-prem.
I also recommend this blog from Darryl Miles for more grounded, real-life tips.
2.) VMware Horizon integration with Okta
VMware Tech Zone has a great article that really helps, step by step, from a brand-new Okta org to the integration with UAG. I would only skip its True SSO section and jump to the next section of this article instead.
3.) Setting up True SSO for Horizon
What is True SSO?
True SSO provides a way to authenticate to Microsoft Windows, retaining all of the user’s normal domain privileges, without requiring them to provide AD credentials! True SSO is a VMware Horizon technology that integrates VMware Identity Manager 2.6 with Horizon 7. VMware Identity Manager Standard is included in VMware Horizon 7 Advanced and Enterprise Editions.
With True SSO, a user can log into Identity Manager using any non-AD method (for example, RSA SecurID credentials) and once authenticated, the user is able to launch any entitled desktop or app (hosted from any domain) without ever being prompted for a password again!
True SSO uses SAML (Security Assertion Markup Language) to send the User Principal Name (for example, firstname.lastname@example.org) to the identity provider’s authentication system to access AD credentials. Horizon 7 then generates a unique, short-lived certificate for the Windows login process.
The best blog I have found for getting True SSO working was the one from Carl Stalhood, who is a very active blogger in our community. Please follow his steps at this link.
As you go through this setup, what worked for me was to have a dedicated Windows Server for the Horizon Enrollment Server, with a subordinate Certificate Authority on the same machine.
I also recommend using the True SSO Fling to help you diagnose any issues you may have. Here is the link.
One of the issues I ended up having was the authentication error below. The reason for it was that the attempted logon was invalid: the revocation status of the certificate used for authentication could not be determined.
The workaround that worked for me was to follow the steps below and apply them to your master VM in Horizon, then publish that master VM, and you are good to go for the True SSO experience.
By default, the VDIs verify that certificates have not been revoked by downloading the Certificate Revocation List. You can disable CRL checking by configuring the following registry data:
Value Name: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
Value Type: DWORD
Value Data: 1
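Because this value tells Kerberos to ignore revocation-unknown errors, it should only ever live on the lab master VM and be reversible. The script below is an added example, not part of the original post or of VMware's or Okta's tooling: it records the current state, applies the value exactly as listed above, and can put the previous state back. Assumptions: the post does not name the registry key, so the Kerberos parameters key under which this value is documented is used here; the backup file path is a hypothetical choice; run it in an elevated PowerShell session on the master VM.

```powershell
# Added example: apply and revert the lab-only CRL-checking workaround from the post,
# keeping a record of the prior state so the image is not promoted with it by accident.
# Assumption: the value sits under the Kerberos parameters key (not named in the post).
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName  = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'
$BackupFile = Join-Path $env:ProgramData 'TrueSsoLab-crl-backup.json'   # hypothetical path

function Get-CrlWorkaroundState {
    # Returns the current DWORD value, or $null when the value is not present at all.
    $item = Get-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-CrlWorkaround {
    # Save the previous state first, then set the value the post lists (DWORD = 1).
    $previous = Get-CrlWorkaroundState
    @{ Previous = $previous; ChangedAt = (Get-Date).ToString('o') } |
        ConvertTo-Json | Set-Content -Path $BackupFile
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    New-ItemProperty -Path $KerbParams -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Kerberos logon now ignores revocation-unknown errors (lab only). Backup: $BackupFile"
}

function Disable-CrlWorkaround {
    # Restore the prior state: remove the value if it did not exist, otherwise set it back.
    $previous = $null
    if (Test-Path $BackupFile) {
        $previous = (Get-Content -Path $BackupFile -Raw | ConvertFrom-Json).Previous
    }
    if ($null -eq $previous) {
        Remove-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $KerbParams -Name $ValueName -Value $previous
    }
    Write-Host "CRL checking restored to its previous state."
}

# Usage on the lab master VM: apply the workaround, then inspect the resulting value.
# Call Disable-CrlWorkaround before the image leaves the lab.
Enable-CrlWorkaround
Get-CrlWorkaroundState
```

In a production image the right fix is to make the CRL distribution point of the enrollment certificate reachable from the VDIs rather than to leave this value set.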
And here is the final outcome: