VMware Horizon – Setup Certificate for the Connection Server

Welcome to my VMware Horizon series. In this session I will describe how I added a Windows Domain CA Certificate to my connection servers. For this I will be using the Windows Domain CA i setup previously, posted here: Microsoft Windows Server 2016 CA – Setup A pre-requisite for this connection-server certificate to work is that the Root CA Certificate is present in the Trusted Root Authorities store on the servers. In my domain this is done via a GPO as described in the Microsoft Windows Server 2016 CA – Setup-session.

In production environments, I usually use a public certificate, and do recommend this to my customers. But in some production environments, closed isolated zones, this approach with Windows Domain CA will work perfectly, as these zones normally have no internet access and no way of contacting a public CA-provider to verify the certificate’s authenticity, without special configurations on the clients.

Another option is to setup Easy SSL Certficates for Lab, as layed out by Brandon Lee here: https://www.virtualizationhowto.com/2017/11/easy-ssl-certificates-lab-environment/

 

The first thing I need to do is to create a global security group for my connection servers, I name it “View Servers”

SetupCert4ConnServ-01

 

I add my connection-servers to my new group

SetupCert4ConnServ-02

I reboot my connection-servers to activate group-membership

 

First I will need to create a certificate template. I login in on my CA-server, open Server Manager Dashboard, from the Tools Menu, I open Certification Authority.

SetupCert4ConnServ-02_5

 

I right-click Certificate Templates and click “Manage”

SetupCert4ConnServ-03

SetupCert4ConnServ-04

 

I right-click Web Server and choose «Duplicate Template»

SetupCert4ConnServ-05

 

I leave the Compatibility options as is

SetupCert4ConnServ-05_5

 

I give my new template an appropriate name: View Connection Server, and set «Validity period» to 10 years. In my Lab it wasn’t necessary to check the “Publish certificate in Active Directory” box in order to publish, but I have seen this to be neccasary in other environments, please note.

SetupCert4ConnServ-06

 

I tick «Allow private key to be exported»

SetupCert4ConnServ-07

 

I change minimum key size to 4096

SetupCert4ConnServ-08

 

I add in the AD-group I created for my Connection-servers and give them Read, Write and Enroll permissions

SetupCert4ConnServ-09

 

I click Edit on Application Policies

SetupCert4ConnServ-10

 

I click Add

SetupCert4ConnServ-11

 

I Choose Client authentication, OK

SetupCert4ConnServ-12

 

OK

SetupCert4ConnServ-13

 

OK

SetupCert4ConnServ-14

I close the Certificate Template Console

 

Next, I right-click Certificate Templates – New –Certificate Template to Issue…

SetupCert4ConnServ-15

 

As we can see here, the template is missing…and I don’t know why….

SetupCert4ConnServ-16

 

To resolve this, I run the following command from an administrative cmd-prompt

certutil -SetCAtemplates +ViewConnectionServes

 

As we can see, the View Connection Server Template is now present

SetupCert4ConnServ-17

 

I can now login in on the first connection server and start the certificate-mmc. I give the existing self-signed certificate a new friendly name

SetupCert4ConnServ-18

 

I right-click Personal – Certificates, All Tasks – Request New Certificate

SetupCert4ConnServ-19

 

The Certificate Enrollment Wizard start, Next

SetupCert4ConnServ-20

 

I’ll be using Active Directory Enrollment Policy, Next

SetupCert4ConnServ-21

 

I click the line «More Information is required…..» below my View Connection Servers Enrollment Policy

SetupCert4ConnServ-22

 

I add the common name of my server

SetupCert4ConnServ-23

 

Change the friendly name to «vdm», OK

SetupCert4ConnServ-24

I restart the server to update the certificate-change. When my first connection server comes up, I perform the same procedure for my second connection-server, only with a different appropriate common name

 

After having done this procedure, I can see in Horizon View Administrator GUI that both my connections-servers are green and happy.

SetupCert4ConnServ-25

 

When I now open the VMware Horizon Portal Login, I can verify that the certificate is correct

SetupCert4ConnServ-26.png

 

 

VMware Horizon planning, deployment etc.

 

Disclaimer: Every tips/tricks/posting I have published here, is tried and tested in different it-solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.