VMware Horizon TrueSSO – Configuration for High Availability and Redundancy

In this post I will demonstrate the configuration that are required to deploy the VMware Enrollment Servers for High availability and redundancy. This includes two Certificate Authority CA’s and Enrollment Servers

My colleague Tarique Chowdhury has an excellent post on the TrueSSO Lab Setup. However in that deployment it talks about a single Enrollment Server and Certificate Authority Server.

This post is not a replacement of the Setting Up TrueSSO guide on VMware Pubs. However the below mentioned two sections complement during the configurations for everything else follow the setup guide/blogs:

Certificate deployment – Enrollment Agent (Computer).

Deploying the Enrollment Agent (Computer) certificate onto this server, we are authorizing this ES to act as an Enrollment Agent and generate Certificates on behalf of users.

Both the Certificate Authority Server Enrollment Agent (Computer) certificate needs to be added. They are added one-by-one. The Personal –> Certificate store should look like below on the ES:

Configure TrueSSO on the Horizon Connection Servers:

Step1: Adding both the Enrollment Server (ES) – Adding the ES to the environment, we are able to query the ES about the domain and relevant True SSO info.

vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --environment --add –enrollmentServer tsso1.askaresh.com,tsso2.askaresh.com

Step2 – List both the newly deployed Enrollment Server – We will get info about various components of the environment which will be useful for configuring True SSO.

vdmutil --authAs username –authDomain askaresh --authPassword password --truesso --environment --list --enrollmentServer tsso1.askaresh.com  --domain askaresh.com vdmutil --authAs username –authDomain askaresh --authPassword password --truesso --environment --list --enrollmentServer tsso2.askaresh.com  --domain askaresh.com

Step3 – Adding the Connector for TrueSSO – A True SSO Connector is a configuration set where we specify details like ES(s), CA(s) and a Certificate Template to use for a certain Domain. When a Horizon CS gets a request to launch a desktop for an AD user, it will look up True SSO Connector for the domain the user belongs to and will use the components as specified to obtain a Certificate on behalf of the user.

vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --create --connector --domain askaresh.com --template TrueSSO --primaryEnrollmentServer tsso1.askaresh.com –secondaryEnrollmentServer tsso2.askaresh.com --certificateServer MSSUBCA01-CA,MSSUBCA02-CA --mode enabled

Step4 – List the SAML Authenticator available in Horizon environment – A SAML Authenticator contains the trust and metadata exchange between Horizon View and vIDM. To use True SSO, we need to identify the correct SAML Authenticator and enable True SSO.

vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --list --authenticator

Step5 – Enable TrueSSO for the SAML Authenticator

vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --authenticator --edit --name VIDM-PROD --truessoMode ENABLED

Step6 – Check the status on the Horizon Administrator Dashboard

I hope you find these steps useful during the TrueSSO Availability and Redundancy configurations.

Thanks,
Aresh