About Me

My photo
This blog has been created to share technical information, interesting innovations that I notice on daily basis and Architectural/Consulting overview of various technologies. My areas of interest, on which I would be blogging, are VMware, Microsoft and Citrix Technologies. I hope you will enjoy this blog and share your experience with me.

VMware Horizon TrueSSO - Configuration for High Availability and Redundancy

In this post I will demonstrate the configuration that are required to deploy the VMware Enrollment Servers for High availability and redundancy. This includes two Certificate Authority CA’s and Enrollment Servers

TrueSSO Availability and Redundancy


My colleague Tarique Chowdhury has an excellent post on the TrueSSO Lab Setup. However in that deployment it talks about a single Enrollment Server and Certificate Authority Server.

This post is not a replacement of the Setting Up TrueSSO guide on VMware Pubs. However the below mentioned two sections complement during the configurations for everything else follow the setup guide/blogs:

Certificate deployment – Enrollment Agent (Computer).

Deploying the Enrollment Agent (Computer) certificate onto this server, we are authorizing this ES to act as an Enrollment Agent and generate Certificates on behalf of users.

    Both the Certificate Authority Server Enrollment Agent (Computer) certificate needs to be added. They are added one-by-one. The Personal –> Certificate store should look like below on the ES:

    Enrollment Agent (Computer)

    Configure TrueSSO on the Horizon Connection Servers:

    Step1: Adding both the Enrollment Server (ES) - Adding the ES to the environment, we are able to query the ES about the domain and relevant True SSO info.

    vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --environment --add –enrollmentServer tsso1.askaresh.com,tsso2.askaresh.com

    Adding ES

    Step2 - List both the newly deployed Enrollment Server - We will get info about various components of the environment which will be useful for configuring True SSO.

    vdmutil --authAs username –authDomain askaresh --authPassword password --truesso --environment --list --enrollmentServer tsso1.askaresh.com  --domain askaresh.com

    vdmutil --authAs username –authDomain askaresh --authPassword password --truesso --environment --list --enrollmentServer tsso2.askaresh.com  --domain askaresh.com

    Listing ES

    Step3 - Adding the Connector for TrueSSO - A True SSO Connector is a configuration set where we specify details like ES(s), CA(s) and a Certificate Template to use for a certain Domain. When a Horizon CS gets a request to launch a desktop for an AD user, it will look up True SSO Connector for the domain the user belongs to and will use the components as specified to obtain a Certificate on behalf of the user.

    vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --create --connector --domain askaresh.com --template TrueSSO --primaryEnrollmentServer tsso1.askaresh.com –secondaryEnrollmentServer tsso2.askaresh.com --certificateServer MSSUBCA01-CA,MSSUBCA02-CA --mode enabled

    TrueSSO Connector

    Step4 - List the SAML Authenticator available in Horizon environment - A SAML Authenticator contains the trust and metadata exchange between Horizon View and vIDM. To use True SSO, we need to identify the correct SAML Authenticator and enable True SSO.

    vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --list --authenticator

    Listing SAML

    Step5 - Enable TrueSSO for the SAML Authenticator

    vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --authenticator --edit --name VIDM-PROD --truessoMode ENABLED

    Enable TrueSSO

    Step6 - Check the status on the Horizon Administrator Dashboard

    TrueSSO Dashboard

    I hope you find these steps useful during the TrueSSO Availability and Redundancy configurations.

    Thanks,
    Aresh

    1 comment:

    Ho Shawn said...

    Hi, I hoped to check with you. If my customer only has 1 enrollment server with 1 connection server to begin with, then a replicate server is added, how could we add the newly added replicate server onto the existing enrollment server?

    vdmutil reports error when we create connector. It complains the connector has been created.

    My Blog List