VMware Horizon TrueSSO – Configuration for High Availability and Redundancy

13 Apr

In this post I will demonstrate the configuration that is required to deploy the VMware Horizon Enrollment Servers for high availability and redundancy. The setup uses two Certificate Authorities (CAs) and two Enrollment Servers.

TrueSSO Availability and Redundancy


My colleague Tarique Chowdhury has an excellent post on the TrueSSO Lab Setup. However, that deployment uses a single Enrollment Server and a single Certificate Authority.

This post is not a replacement for the Setting Up TrueSSO guide on VMware Pubs. The two sections below only cover what changes when there are two Enrollment Servers and two CAs; for everything else, follow the setup guide and the blog mentioned above:

Certificate deployment – Enrollment Agent (Computer).

Deploying the Enrollment Agent (Computer) certificate onto the Enrollment Server (ES) authorizes that ES to act as an Enrollment Agent and request certificates on behalf of users. Because an Enrollment Agent certificate lets its holder obtain logon certificates for arbitrary users, treat each ES as a high-value host: restrict who can log on to it, and use the Enrollment Agents restrictions on each CA so that only the ES computer accounts can enroll for the TrueSSO template on behalf of users.

    An Enrollment Agent (Computer) certificate issued by each of the two Certificate Authorities needs to be present on every ES. They are requested and added one by one. Once both are installed, the Personal –> Certificates store on the ES should look like the screenshot below:

    Enrollment Agent (Computer)
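As an added check that is not part of the original post, the PowerShell snippet below, run on the ES, confirms that the LocalMachine Personal store holds an Enrollment Agent (Computer) certificate with a private key from each of the two CAs, and warns when one is close to expiry. The CA common names are assumed to be the ones used in this post and must be changed to match your environment.

```powershell
# Added example, not from the original post: confirm that this Enrollment Server
# holds an Enrollment Agent (Computer) certificate, with private key, from EACH CA.
# Assumption: the CA common names are the ones used in this post; change them to yours.
$ExpectedIssuers = @('MSSUBCA01-CA', 'MSSUBCA02-CA')

# The Enrollment Agent (Computer) template carries the "Certificate Request Agent"
# enhanced key usage, OID 1.3.6.1.4.1.311.20.2.1. Filtering on the OID rather than
# the friendly name keeps the check working on non-English systems.
$AgentEkuOid = '1.3.6.1.4.1.311.20.2.1'

# Computer certificates for the ES live in the LocalMachine Personal store.
$agentCerts = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $AgentEkuOid })
}

$missing = @()
foreach ($issuer in $ExpectedIssuers) {
    # The Issuer field looks like "CN=MSSUBCA01-CA, DC=askaresh, DC=com".
    $fromIssuer = $agentCerts | Where-Object { $_.Issuer -match ('CN=' + [regex]::Escape($issuer)) }
    if (-not $fromIssuer) {
        $missing += $issuer
        continue
    }
    foreach ($cert in $fromIssuer) {
        '{0}  issued by {1}  valid until {2:yyyy-MM-dd}' -f $cert.Thumbprint, $issuer, $cert.NotAfter
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning "Agent certificate $($cert.Thumbprint) from $issuer expires within 30 days; renew it before TrueSSO logons start failing"
        }
    }
}

if ($missing) {
    Write-Warning ('Missing Enrollment Agent (Computer) certificate from: ' + ($missing -join ', '))
    exit 1
}
'Both agent certificates present'
```

Run it in an elevated PowerShell session on each ES; a non-zero exit means at least one CA has not issued an agent certificate to this server yet, which is exactly the state in which that CA would be unusable for TrueSSO even though it is listed in the connector.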

    Configure TrueSSO on the Horizon Connection Servers:

    Step 1 – Add both Enrollment Servers (ES). Adding the ESs to the environment lets the Connection Servers query them for the domain and the relevant True SSO information.

    vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --environment --add --enrollmentServer tsso1.askaresh.com,tsso2.askaresh.com

    Adding ES

    Step 2 – List both of the newly added Enrollment Servers. The output shows the various components of the environment (domains, CAs, templates) that are needed when configuring True SSO.

    vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --environment --list --enrollmentServer tsso1.askaresh.com --domain askaresh.com

    vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --environment --list --enrollmentServer tsso2.askaresh.com --domain askaresh.com

    Listing ES

    Step 3 – Add the Connector for TrueSSO. A True SSO Connector is a configuration set in which we specify the ES(s), CA(s) and the certificate template to use for a given domain. When a Horizon Connection Server (CS) receives a request to launch a desktop for an AD user, it looks up the True SSO Connector for the domain the user belongs to and uses the components specified there to obtain a certificate on behalf of the user. With two ESs, one is given as the primary and the other as the secondary, and both CAs are listed with --certificateServer.

    vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --create --connector --domain askaresh.com --template TrueSSO --primaryEnrollmentServer tsso1.askaresh.com --secondaryEnrollmentServer tsso2.askaresh.com --certificateServer MSSUBCA01-CA,MSSUBCA02-CA --mode enabled

    TrueSSO Connector

    Step 4 – List the SAML Authenticators available in the Horizon environment. A SAML Authenticator holds the trust and metadata exchange between Horizon View and vIDM. To use True SSO we need to identify the correct SAML Authenticator and enable True SSO on it.

    vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --list --authenticator

    Listing SAML

    Step 5 – Enable TrueSSO for the SAML Authenticator (VIDM-PROD in this lab):

    vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --authenticator --edit --name VIDM-PROD --truessoMode ENABLED

    Enable TrueSSO

    Step 6 – Check the status on the Horizon Administrator Dashboard. The True SSO section should list both Enrollment Servers and both Certificate Authorities.

    TrueSSO Dashboard
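As an added example that is not part of the original post, the following PowerShell script runs the vdmutil sequence from Steps 1 to 5 on a Connection Server for the two-ES / two-CA layout. It prompts for the administrator credential rather than taking the password on the command line, checks the exit code of every call, adds the Enrollment Servers one per call, and falls back to editing the connector when one already exists for the domain (the situation raised in the comments). The vdmutil install path, the server, CA, template and authenticator names, and the availability of the "--edit --connector" form on your vdmutil version are assumptions and are marked in the code.

```powershell
# Added example, not from the original post: run the vdmutil steps from this post for
# the two-ES / two-CA layout. Assumptions: default vdmutil path on the Connection
# Server; the server, CA, template and authenticator names are the ones used in this post.
$VdmUtil            = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmutil.exe'
$AuthDomain         = 'askaresh'
$Domain             = 'askaresh.com'
$EnrollmentServers  = @('tsso1.askaresh.com', 'tsso2.askaresh.com')
$CertificateServers = @('MSSUBCA01-CA', 'MSSUBCA02-CA')
$Template           = 'TrueSSO'
$SamlAuthenticator  = 'VIDM-PROD'

# Prompt for the admin credential instead of typing the password on the command line,
# so it does not land in the PowerShell history file. vdmutil still receives it as a
# plain --authPassword argument, so run this interactively on the Connection Server
# rather than from a script stored on disk with the password filled in.
$cred     = Get-Credential -Message "Horizon administrator in $AuthDomain"
$net      = $cred.GetNetworkCredential()
$authArgs = @('--authAs', $net.UserName, '--authDomain', $AuthDomain, '--authPassword', $net.Password)

function Invoke-VdmUtil {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # Array splatting passes each element to the native executable as its own argument.
    & $VdmUtil @authArgs @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "vdmutil exited with $LASTEXITCODE for: $($Arguments -join ' ')"
    }
}

# Steps 1 and 2: add each ES to the environment, then list what it reports for the domain.
# One call per server here; the post shows both names comma-separated in a single call.
foreach ($es in $EnrollmentServers) {
    Invoke-VdmUtil -Arguments @('--truesso', '--environment', '--add', '--enrollmentServer', $es)
    Invoke-VdmUtil -Arguments @('--truesso', '--environment', '--list', '--enrollmentServer', $es, '--domain', $Domain)
}

# Step 3: create the connector with the first ES as primary, the second as secondary,
# and both CAs listed so the ES can fall back to the other CA.
$connectorArgs = @(
    '--connector', '--domain', $Domain, '--template', $Template,
    '--primaryEnrollmentServer',   $EnrollmentServers[0],
    '--secondaryEnrollmentServer', $EnrollmentServers[1],
    '--certificateServer', ($CertificateServers -join ','),
    '--mode', 'enabled'
)
try {
    Invoke-VdmUtil -Arguments (@('--truesso', '--create') + $connectorArgs)
} catch {
    # A connector for this domain already exists, for example when the second ES is
    # added after the first deployment. Update it in place instead of recreating it.
    # Assumption: "--edit --connector" is accepted by your vdmutil version; check
    # "vdmutil --help" if this call is rejected.
    Write-Warning "Create failed ($_); editing the existing connector for $Domain instead"
    Invoke-VdmUtil -Arguments (@('--truesso', '--edit') + $connectorArgs)
}

# Steps 4 and 5: list the SAML authenticators and switch True SSO on for the right one.
Invoke-VdmUtil -Arguments @('--truesso', '--list', '--authenticator')
Invoke-VdmUtil -Arguments @('--truesso', '--authenticator', '--edit', '--name', $SamlAuthenticator, '--truessoMode', 'ENABLED')

# Step 6 is manual: confirm both ESs and both CAs in the True SSO section of the
# Horizon Administrator dashboard.
```

The connector parameters are built once and reused for both the create and the edit path, so the primary/secondary ES order and the CA list cannot drift between the two. If the edit fallback is not available on your version, remove the connector and recreate it, or adjust the connector through the same options the create call accepts.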

    I hope you find these steps useful when configuring TrueSSO for availability and redundancy.

    Thanks,
    Aresh

    9 Responses to “VMware Horizon TrueSSO – Configuration for High Availability and Redundancy”

    1. Ho Shawn August 1, 2018 at 4:05 am #

      Hi, I hoped to check with you. If my customer only has 1 enrollment server with 1 connection server to begin with, and then a replica server is added, how could we add the newly added replica server to the existing enrollment server? vdmutil reports an error when we create the connector. It complains that the connector has already been created.

    2. Scott E. April 16, 2019 at 8:36 pm #

      Aresh, Cheers this is exactly what I was looking for. If I have any feedback during my build I will post. Thank you for providing this.

    3. Scott E. April 16, 2019 at 8:38 pm #

      This comment has been removed by the author.
