Deploying Horizon 8 and True SSO in Multi-Forest Environments
True SSO enables single sign-on in Horizon 8 environments that use SAML (Security Assertion Markup Language) authentication via Workspace ONE Access or third-party IdPs (Identity Providers). It provides a seamless login experience by converting the SAML assertion into the certificate-based authentication that traditional Active Directory supports: the Enrollment Server requests a client certificate on behalf of the user, and that certificate is used during login on the machine where the Horizon Agent is installed.
Deploying True SSO is a straightforward process, and plenty of content on the web provides step-by-step walk-throughs. Nevertheless, a gap exists in the configuration details on the Microsoft AD (Active Directory) and Certificate Services side that are essential to activating True SSO in multi-forest environments. The goal of this blog is therefore to share more information and nuggets of knowledge based on my field experience in Professional Services. While this content is based on Horizon 8, the same fundamental principles can be applied to Horizon Cloud Services. In either case, please engage your Horizon and Microsoft AD CS SMEs (Subject Matter Experts), as additional considerations could be unique to your environment.
As we continue to see an uptick in requests from customers who have engaged us to migrate to Horizon, I spent much of the latter half of 2023 working with a customer in the healthcare segment that hosts virtual apps/desktops for many clinics and hospitals nationwide. We completed the engagement to replace 45+ Citrix environments with Horizon in a way that aligned with the customer's operations, minimized disruption to their end users, and used the opportunity to strengthen security and the end-user experience in these environments.
True SSO in Cross-Forest Scenarios
This blog aims to extend existing Horizon and True SSO content, specifically on deploying True SSO in complex domain environments with multiple forests. True SSO is heavily PKI-driven through traditional Active Directory services. The Enrollment Server component relies on an Enterprise CA to issue client certificates, and the end user is then authenticated via Kerberos against the domain controller (KDC). Ensuring these components work together, and understanding how the pieces interconnect, becomes even more critical in a multi-forest environment.
Horizon is designed to solve a broad set of use cases in unique environments. Omnissa has many excellent resources for deploying Horizon and True SSO. I recommend reviewing the Horizon Installation & Configuration [Tech Zone] first to understand the solution if you are new to this subject.
In both of the following scenarios, the True SSO components and the user accounts reside in separate forests. The scenarios differ in whether the Account Forest has PKI (Public Key Infrastructure) resources of its own.
Scenario 1: Cross-Forest True SSO with PKI Resources – Enterprise CA is present in the Account Forest
Scenario 2: Cross-Forest True SSO without PKI Resources – Enterprise CA is not deployed in the Account Forest, and deploying PKI resources is not an option due to cost, resource, or other constraints
The fundamental requirements for True SSO remain the same under each scenario. When True SSO is used across forests, each forest must be made aware of, and must trust, the PKI objects it interacts with from the other forest:
- Horizon.AD must identify and validate the Account.AD domain before it can issue a client certificate on the user's behalf.
- Account.AD must identify and validate the True SSO client certificate issued in Horizon.AD in order to authenticate the user.
Implement True SSO in Cross-Forest Environments
The following steps provide an overview for setting up True SSO in cross-forest environments.
Step 1 – Validate True SSO Readiness in Horizon 8
- Set up and configure True SSO as described in the Product Documentation.
- Check the status of True SSO via the Health Dashboard in the Horizon Admin Console and validate functionality. This covers True SSO under the Resource Domain and establishes a baseline. (The original post includes a screenshot from the author's lab environment at this point.)
Step 2 – Validate Microsoft Services for True SSO
The following are referenced from Microsoft’s AD CS: Deploying Cross-forest Certificate Enrollment.
**Disclaimer:** Please validate these steps in a test environment before applying them in production, or reach out to your Microsoft AD CS SME (Subject Matter Expert) to ensure these steps meet your organization’s practice standards.
Active Directory
- Verify that the Two-way Forest Transitive Trust exists between the Resource and Account Forest.
- Confirm Domain or Enterprise Administrator permissions to access Enterprise CAs on Resource and Account Forest.
PKI Objects
- If an Enterprise CA exists in the Account Forest, verify that it is reachable from the Resource Domain.
- Enable LDAP referrals on each Enterprise CA in the Resource Forest with the following certutil command, then restart the CA service so the new EditFlags value takes effect: certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS
- Verify that the Enterprise CA computer accounts in the Resource Forest are members of the CA Publisher group (Cert Publishers) in the Account Forest.
- Verify that the Domain Controllers security group has permission to enroll in the Domain Controller Authentication template (also referenced in KB 59953).
- Run the certutil commands referenced in #8 and #9 of Microsoft’s Deploying AD CS for cross-forest certificate enrollment to export the Root and Enterprise CA certificates from the Resource Forest, then publish the exported certificates to their respective containers (RootCA, AIA, NTAuthCA, and SubCA) in the Account Forest:
- certutil -config <Computer-Name>\<Root-CA-Name> -ca.cert <root-ca-cert-filename.cer>
- certutil -dspublish -f <root-ca-cert-filename.cer> RootCA
- certutil -config <Computer-Name>\<Enterprise-CA-Name> -ca.cert <enterprise-ca-cert-filename.cer>
- certutil -dspublish -f <enterprise-ca-cert-filename.cer> NTAuthCA
- certutil -dspublish -f <enterprise-ca-cert-filename.cer> SubCA
- Use Microsoft’s PKISync.ps1 script to copy the following certificate templates to the Account Forest, as described in Copying PKI objects to account forests:
- True SSO Certificate Template
- *Scenario 2 only* Domain Controller Authentication Certificate Template
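Because several of the Step 2 items are easy to get subtly wrong (a one-way trust, a CA whose EditFlags change never took effect, a certificate published to RootCA but not NTAuthCA), it helps to verify them read-only before moving on to the Enrollment Server. The following PowerShell is an added example, not from the original post and not an Omnissa or Microsoft tool. It runs from a domain-joined machine in the Resource Forest with the RSAT ActiveDirectory module and certutil available, and checks the two-way forest trust, the EDITF_ENABLELDAPREFERRALS flag on each Resource Forest CA, membership of the CA computer accounts in the Account Forest's Cert Publishers group, whether the certificates exported with certutil -ca.cert are present in the Account Forest's Public Key Services containers, and whether the template copied with PKISync.ps1 exists there. The forest names, DC and CA hostnames, CA common name, file paths and template name are all placeholders.

```powershell
<#
  Added example (not from the blog post or from Omnissa/Microsoft).
  Read-only checks for the Step 2 prerequisites. Run from the Resource Forest
  with RSAT (ActiveDirectory module) and certutil. All names are placeholders.
#>
using namespace System.Security.Cryptography.X509Certificates
Import-Module ActiveDirectory

$ResourceForest  = 'horizon.ad'                              # placeholder: forest hosting Horizon and the Enrollment Server
$AccountForest   = 'account.ad'                              # placeholder: forest hosting the user accounts
$AccountDC       = 'dc01.account.ad'                         # placeholder: a domain controller in the Account Forest
$ResourceCAs     = @{ 'CA01' = 'Horizon-Enterprise-CA' }     # placeholder: CA hostname -> CA common name
$ExportedCerts   = @('.\root-ca.cer', '.\enterprise-ca.cer') # files written by "certutil -config ... -ca.cert" in Step 2
$TrueSsoTemplate = 'TrueSSO'                                 # placeholder: template name copied with PKISync.ps1

# Configuration partition of the Account Forest, where PKI objects live
$Pks = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE -Server $AccountDC).configurationNamingContext)"

function Test-ForestTrust {
    # A two-way forest transitive trust shows Direction = BiDirectional and ForestTransitive = True
    $trust = Get-ADTrust -Filter "Name -eq '$AccountForest'" -Server $ResourceForest
    if (-not $trust) { return "FAIL trust: no trust object for $AccountForest" }
    if ($trust.Direction -ne 'BiDirectional' -or -not $trust.ForestTransitive) {
        return "FAIL trust: Direction=$($trust.Direction) ForestTransitive=$($trust.ForestTransitive)"
    }
    "PASS trust: two-way forest transitive trust with $AccountForest"
}

function Test-LdapReferrals {
    # certutil -getreg lists the symbolic flag names that are set; EDITF_ENABLELDAPREFERRALS must be among them
    foreach ($caHost in $ResourceCAs.Keys) {
        $flags = certutil -config "$caHost\$($ResourceCAs[$caHost])" -getreg Policy\EditFlags 2>&1
        if ($flags -match 'EDITF_ENABLELDAPREFERRALS') { "PASS referrals: $caHost" } else { "FAIL referrals: $caHost (flag not set or CA unreachable)" }
    }
}

function Test-CertPublishers {
    # Cross-forest members are stored as foreign security principals named by SID, so compare on SID
    $members = (Get-ADGroup -Identity 'Cert Publishers' -Properties member -Server $AccountDC).member
    foreach ($caHost in $ResourceCAs.Keys) {
        $sid = (Get-ADComputer -Identity $caHost -Server $ResourceForest).SID.Value
        if ($members -match [regex]::Escape($sid)) { "PASS publishers: $caHost" } else { "FAIL publishers: $caHost not in Cert Publishers" }
    }
}

function Test-PublishedCaCerts {
    # RootCA publishes to 'Certification Authorities' and AIA, SubCA to AIA, NTAuthCA to the NTAuthCertificates object.
    # Collect thumbprints of every cACertificate value in each location, then look for the exported certs.
    $sources = @{
        'Certification Authorities' = Get-ADObject -SearchBase "CN=Certification Authorities,$Pks" -Filter * -Properties cACertificate -Server $AccountDC -ErrorAction SilentlyContinue
        'AIA'                       = Get-ADObject -SearchBase "CN=AIA,$Pks" -Filter * -Properties cACertificate -Server $AccountDC -ErrorAction SilentlyContinue
        'NTAuthCertificates'        = Get-ADObject -Identity "CN=NTAuthCertificates,$Pks" -Properties cACertificate -Server $AccountDC -ErrorAction SilentlyContinue
    }
    $published = @{}
    foreach ($name in $sources.Keys) {
        $published[$name] = @(foreach ($obj in $sources[$name]) {
            foreach ($raw in $obj.cACertificate) { [X509Certificate2]::new([byte[]]$raw).Thumbprint }
        })
    }
    foreach ($file in $ExportedCerts) {
        $thumb = [X509Certificate2]::new((Resolve-Path $file).Path).Thumbprint
        $where = @($published.Keys | Where-Object { $published[$_] -contains $thumb })
        if ($where) { "PASS publish: $file found in $($where -join ', ')" } else { "FAIL publish: $file not published in the Account Forest" }
    }
}

function Test-TemplateCopied {
    # PKISync.ps1 creates the template object under Certificate Templates in the target forest
    $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$Pks" -Filter "name -eq '$TrueSsoTemplate'" -Server $AccountDC
    if ($tpl) { "PASS template: $TrueSsoTemplate present" } else { "FAIL template: $TrueSsoTemplate missing" }
}

Test-ForestTrust
Test-LdapReferrals
Test-CertPublishers
Test-PublishedCaCerts
Test-TemplateCopied
```

Each check prints a single PASS/FAIL line, so the output can be kept alongside the change record for the Account Forest. A FAIL on the publish check for the enterprise CA certificate in NTAuthCertificates is the one most often behind a NOT_VALID enrollment certificate state in Step 3, since the Account Forest KDC will not accept a logon certificate from an issuer that is absent from that object.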
Step 3 - Verify CertState of the Enrollment Server
- Run the following vdmUtil command on a Horizon Connection Server:
- vdmUtil --authAs admin-role-user --authDomain netbios-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn
- The domain in the Account Forest should now appear as 'VALID' for the Enrollment CertState. (The original post includes a screenshot from the author's lab environment showing True SSO across three AD forests.)
Step 4 - Create a True SSO connector for the Account Forest
- Use the same command for creating True SSO connectors as you did during the initial setup, but specify the domain in the Account Forest instead:
- vdmUtil --authAs admin-role-user --authDomain netbios-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template template-name --primaryEnrollmentServer enroll-server1-fqdn [--secondaryEnrollmentServer enroll-server2-fqdn] --certificateServer CA-common-name --mode {enabled | disabled}
Step 5 - Verify True SSO Health Status
- Check the status of True SSO via the Health Dashboard in the Horizon Admin Console and validate functionality. (The original post includes a screenshot from the author's lab environment.)
Troubleshooting Common True SSO issues
The following Omnissa KBs have helped me to resolve common problems.
- True SSO - Public Key Infrastructure: "The request is not supported" while launching a published Application or Desktop (59953) - Outlines the error received when the authenticating domain controller is not configured for smart card logon.
- True SSO - Public Key Infrastructure: Cannot create a True SSO Connector on the enrollment server on a domain with NOT_VALID enrollment certificate status (86228) - Outlines steps to verify certificate enrollment and your PKI infrastructure when the cert state is reported as 'Not Valid'.
- True SSO – Enrollment Server unable to connect to CA: The authentication service is unknown (90682) - Outlines a workaround for when the Certificate Authority and Enrollment Server are co-installed.
- True SSO - Public Key Infrastructure - Error: "The attempted logon is invalid. This is either due to a bad username or authentication information. An untrusted certificate authority was detected while processing the domain controller certificate" (94971) - Outlines the symptoms when a CA certificate is not present or auto-enrollment has been disabled.
- True SSO - Public Key Infrastructure - CRL: Error: "The attempted logon is invalid. The revocation status of the certificate used for authentication could not be determined" (89994) - Outlines a scenario where the Certificate Revocation List (CRL) URL in the certificate cannot be reached from the virtual desktop or the domain controllers.
- True SSO - Public Key Infrastructure - CRL: Error: "Encountered unexpected error during execution" seen when using vdmutil to reconfigure Horizon True SSO (85571) - Outlines a scenario where editing your True SSO connector results in an error.
- True SSO - Public Key Infrastructure: Windows 11 Client Error "cannot utilize the smartcard subsystem" with Windows Hello for Business (90720) - Outlines an intermittent issue with certificate availability on Windows 11 clients using WHFB.
- True SSO - Public Key Infrastructure: Certificate Distribution Point Location expiration results in a VDI Launch Failure (90491) - Outlines a scenario where an expired certificate distribution point location prevents a successful login.
Summary
Deploying True SSO across AD forests can be a sizable undertaking because of the meticulous, coordinated effort needed to get all of the necessary components working together. Since much of the heavy lifting happens outside the Horizon stack, it often becomes a bit of an unknown to the respective teams managing these technologies. I hope that sharing the needed pieces brings a clearer understanding when deploying True SSO in multi-forest environments.
For more information, check out these resources:
- Set Up an Enterprise Certificate Authority [Product Docs]
- Common Configuration Issues and Guidelines with True SSO (90037) [KB]
- Advanced Configuration Settings for True SSO [Product Docs]
- AD CS: Deploying Cross-forest Certificate Enrollment [MS Documentation]