September 30, 2024

Deploying Horizon 8 and True SSO in Multi-Forest Environments

This blog aims to expand upon the current Horizon and True SSO resources, specifically on deploying True SSO in complex domain environments with multiple forests.

Deploying True SSO for Horizon in Multi-Forest Environments

True SSO enables a single sign-on feature in Horizon 8 environments using SAML (Security Assertion Markup Language) authentication via Workspace ONE Access or 3rd party IdPs (Identity Provider). True SSO provides a seamless login experience by converting SAML Insertions to certificate-based authentication supported in traditional Active Directory. The Enrollment Server requests client certificates on behalf of the user and uses this certificate during login, where the Horizon Agent is installed.

Deploying True SSO is a straightforward process, with much content available on the web that provides step-by-step walk-throughs. Nevertheless, a gap exists in showing configuration details on Microsoft AD (Active Directory) and Certificate Services essential to activating True SSO in multi-forest environments. With that, the goal of this blog is to share more information and nuggets of knowledge based on my field experience in Professional Services. While this content is based on Horizon 8, these fundamental principles can also be applied to Horizon Cloud Services. In either case, please engage with your Horizon and Microsoft AD CS SMEs (Subject Matter Expert), as additional considerations could be unique to your environment.

As we continue to see an uptick of requests from customers who have engaged us to migrate to Horizon, I spent much of the latter half of 2023 working with a customer in the healthcare segment that hosts virtual apps/desktops for many clinics and hospitals nationwide. We completed the engagement to replace 45+ Citrix environments with Horizon that aligns with the customer's operations, minimize disruptions on their end-users, and use the opportunity to strengthen security and end-user experiences in these environments.

True SSO in Cross-Forest Scenarios

This blog aims to extend existing Horizon and True SSO content, specifically on deploying True SSO in complex domain environments with multiple forests. True SSO is heavily PKI-driven through traditional Active Directory services. The Enrollment Server component relies on Enterprise CA to issue client certificates and then authenticates the end-user via Kerberos against the domain controller (KDC). Thus, ensuring these components are working together and understanding these interconnected pieces becomes more critical in a multi-forest environment. 

Horizon is designed to solve a broad set of use cases in unique environments. Omnissa has many excellent resources for deploying Horizon and True SSO. I recommend reviewing the Horizon Installation & Configuration [Tech Zone] first to understand the solution if you are new to this subject.

 

The following two scenarios show that the True SSO components and user accounts are in separate forests. Additionally, Account Forest may require PKI (Public Key Infrastructure) resources.

Scenario 1: Cross-Forest True SSO with PKI Resources – Enterprise CA is present in the Account Forest
 

A diagram of a forest

Description automatically generated
 

Scenario 2: Cross-Forest True SSO without PKI Resources – Enterprise CA is not deployed in the Account Forest, and deploying PKI resources is not an option due to cost, resource, or other constraints


A diagram of a forest

Description automatically generated 

The fundamental requirements for True SSO remain the same under each scenario. Both forests must be made aware and trust the interacting PKI objects when using True SSO across forests.

  • Horizon.AD must identify and validate the Account.AD domain before it can Issue client-certificate on the user's behalf.
  • Account.AD must identify and validate the True SSO client certificate from Horizon.AD to authenticate the user.

Implement True SSO in Cross-Forest Environments

The following steps provide an overview for setting up True SSO in cross-forest environments.

Step 1 – Validate True SSO Readiness in Horizon 8

  1. Set up and configure True SSO as described in  the  Product Documentation.
  2. Check the status of True SSO via Health Dashboard in the Horizon Admin Console and validate functionality - This covers True SSO under the Resource Domain and establishes a baseline - A screenshot taken from my lab environment.

A screenshot of a computer

Description automatically generated

Step 2 – Validate Microsoft Services for True SSO

The following are referenced from Microsoft’s AD CS: Deploying Cross-forest Certificate Enrollment. 

**Disclaimer: Please validate these steps in test environments before applying in production settings, or reach out to your Microsoft AD CS SME (Subject Matter Expert) to ensure these steps meet your organization’s practice standards **

Active Directory

  1. Verify that the Two-way Forest Transitive Trust exists between the Resource and Account Forest.
  2. Confirm Domain or Enterprise Administrator permissions to access Enterprise CAs on Resource and Account Forest.

PKI Objects

  1. If Enterprise CA exists In the Account Forest, verify that it is reachable from the Resource Domain.
  2. Enable LDAP Referral on Enterprise CA in the Resource Forest via certutil command - certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS
  3. Verify Enterprise CA computer accounts in the Resource Forest are members of the CA Publisher Group in the Account Forest.
  4. Verify the Domain Controller security group has permission to enroll in the Domain Controller Authentication Template – (Also referenced in KB59953)
  5. Run the certutil commands referenced in #8 and #9 from Microsoft’s Deploying AD CS for cross-forest certificate enrollment to export the Root and Enterprise CA certs from the Resource Forest, then publish these exported certs to their respective containers (RootCA, AIA, NTAuthCA, and SubCA) in the Account Forest.
    1. certutil -config <Computer-Name>\<Root-CA-Name> -ca.cert <root-ca-cert-filename.cer>
    2. certutil -dspublish -f <root-ca-cert-filename.cer> RootCA
    3. certutil -config <Computer-Name>\<Enterprise-CA-Name> -ca.cert <enterprise-ca-cert-filename.cer>
    4. certutil -dspublish -f <enterprise-ca-cert-filename.cer> NTAuthCA
    5. certutil -dspublish -f <enterprise-ca-cert-filename.cer> SubCA
  6. Use Microsoft’s PKISync.ps1 script to copy the following certificate templates to the Account Forest referenced in Copying PKI objects to account forests
    1. True SSO Certificate Template
    2. *Scenario 2 only* Domain Controller Authentication Certificate Template

Step 3 - Verify CertState of the Enrollment Server

  1. Run the following vdmutil command on a Horizon Connection Server
    1. vdmUtil --authAs admin-role-user --authDomain netbios-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn
  2. The domain in the Account Forest should now appear as 'VALID' for Enrollment Certstate - below is a screenshot of True SSO across 3 AD forests taken from my lab environment.

    A computer screen shot of a black screen

Description automatically generated 

Step 4 - Create a True SSO connector for the Account Forest

  • Use the same command for creating True SSO connectors as you did during the initial setup, except for using the domain in Account Forest instead. 

vdmUtil --authAs admin-role-user --authDomain netbios-name --authPassword admin-user-password --True SSO --create --connector --domain domain-fqdn --template template-name --primaryEnrollmentServer enroll-server1-fqdn [--secondaryEnrollmentServer enroll-server2-fqdn] --certificateServer CA-common-name --mode {enabled |disabled}

Step 5 - Verify True SSO Health Status

  • Check the status of True SSO via the Health Dashboard in the Horizon Admin Console and validate functionality. The screenshot below was taken from my lab environment. 
    A screenshot of a computer

Description automatically generated 

Troubleshooting Common True SSO issues

The following Omnissa KBs have helped me to resolve common problems.

Summary

Deploying True SSO across AD forests can be a sizable undertaking due to the meticulous and concerted effort it requires on the necessary components working together. With much of the heavy lifting happening outside the Horizon stack, it often becomes a bit of an unknown to the respective teams managing these technologies. I hope that sharing the needed pieces will bring a clearer understanding when deploying True SSO in multi-forest environments. 

For more information, check out these resources:

Filter Tags

Horizon Horizon Blog Announcement Intermediate Deploy