Horizon View and smart card login

This is a guest blog post created by my former colleague Toni Lindberg who now works for Cygate in Stockholm, Sweden.

Installing VMware Horizon View out of the box is not difficult. However, integrating the Horizon View solution with smart cards to increase security can sometimes cause problems.

This blog post is a short guide on how to get it right.

Follow the procedure below to successfully implement smart card login for your Horizon View 6.x environment.

  1. Export of certificates
    1. Export the root certificate for the domain in BASE64 format. You can find it on any Active Directory (AD) server in your domain.
    2. Rename it to something short and simple like <your domain>_root.cer.
    3. Copy the certificate that you just exported to both the Connection Server and the Security Server.
  2. Preparing Horizon servers for smart card login
    1. Log on to the Connection Server and run the keytool.exe command. It must be run from the folder it is located in (C:\Program Files\VMware\VMware View\jre\bin).
    2. Use the following command and arguments to import the CAC and create a keystore:
      "C:\Program Files\VMware\VMware View\jre\bin\keytool.exe" -import -alias alias -file c:\temp\cert.crt -keystore trust.key
      Note: Argument explanation:
      • import – Imports the certificate
      • alias – For certificate separation. You can create several trusts against several certificates with multiple aliases
      • file – The certificate you just copied
      • keystore – Where all information available on the certificate is stored
    3. When done, copy trust.key from “C:\Program Files\VMware\VMware View\jre\bin” to “C:\Program Files\VMware\VMware View\Server\sslgateway\conf”
  3. The Locked.properties file
    1. Under “C:\Program Files\VMware\VMware View\Server\sslgateway\conf”, create the “Locked.properties” file if it does not already exist. It must contain the following three lines:
      trustKeyfile=trust.key
      trustStoretype=JKS
      useCertAuth=true
      This file must be created on all Horizon View Connection Servers and Security Servers that will be used for smart card logons.
      Restart the whole server for everything to take effect. The documentation from VMware states that it is enough to restart the services, but from experience I know that it is not always enough.
  4. Enable Horizon View SmartCard logon
    1. Log in to the Horizon View Admin GUI (https://<View server's FQDN>/admin).
    2. Under the View Configuration / Servers and Server Connection tab, click the Connection Server for which you want to enable smart card logon and click EDIT.
    3. A new window will now appear; choose the “Authentication” tab.
    4. Change “Smart card authentication for users:” to Required.
    5. Also, tick the box “Disconnect users on smart card removal”.
    6. Click OK
    7. Restart the Connection Server service
    8. Install the SmartCard software in your Golden Image and on your computers.
    9. Verify that the domain root cert is in the Trusted Root Certificates.
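
The following PowerShell check is an added example, not part of the original post or of VMware's tooling. Run on each Connection Server and Security Server, it confirms that Locked.properties holds the three settings from step 3 and that the trust.key created in step 2 is in the conf folder and readable by keytool. It assumes the default install paths and file names used in the guide.

```powershell
# Added example: checks the results of steps 2 and 3 on one Horizon View server.
# Assumes the default install paths and file names used in the guide above.
$ViewRoot = 'C:\Program Files\VMware\VMware View'
$ConfDir  = Join-Path $ViewRoot 'Server\sslgateway\conf'
$Keytool  = Join-Path $ViewRoot 'jre\bin\keytool.exe'
$PropFile = Join-Path $ConfDir 'Locked.properties'

# The three settings the guide requires in Locked.properties.
$Expected = [ordered]@{
    trustKeyfile   = 'trust.key'
    trustStoretype = 'JKS'
    useCertAuth    = 'true'
}
$problems = @()

if (-not (Test-Path -LiteralPath $PropFile)) {
    $problems += "Missing $PropFile"
} else {
    # Parse key=value lines, skipping blanks and comments.
    $actual = @{}
    foreach ($line in Get-Content -LiteralPath $PropFile) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $key, $value = $line -split '=', 2
        $actual[$key.Trim()] = "$value".Trim()
    }
    # Exact value match catches trailing text pasted onto a line.
    foreach ($key in $Expected.Keys) {
        if (-not $actual.ContainsKey($key)) {
            $problems += "$key is not set in Locked.properties"
        } elseif ($actual[$key] -ne $Expected[$key]) {
            $problems += "$key is '$($actual[$key])', expected '$($Expected[$key])'"
        }
    }
}

$TrustStore = Join-Path $ConfDir $Expected['trustKeyfile']
if (-not (Test-Path -LiteralPath $TrustStore)) {
    $problems += "Missing $TrustStore"
} else {
    # List the trusted certificates; keytool prompts for the keystore password.
    & $Keytool -list -keystore $TrustStore
    if ($LASTEXITCODE -ne 0) { $problems += 'keytool could not read trust.key' }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Locked.properties and trust.key match the settings in the guide.'
```

The keytool listing should show the alias you chose in step 2 as a trusted certificate entry; compare its fingerprint with the root certificate exported in step 1.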

If you did everything correctly, you should now be able to log in with your smart card solution.

This concludes the Horizon View smart card blog post. Thanks, Toni, for your time.