Release date: March 14th 2019
Welcome to my VMware Horizon series. In this session I will describe how I added a Windows Domain CA certificate to my connection servers. For this I will be using the Windows Domain CA I set up previously, posted here: Microsoft Windows Server 2016 CA – Setup
A prerequisite for this connection-server certificate to work is that the Root CA certificate is present in the Trusted Root Certification Authorities store on the servers. In my domain this is done via a GPO, as described in the Microsoft Windows Server 2016 CA – Setup session.
In production environments I usually use a public certificate, and I recommend this to my customers. But in some production environments, such as closed, isolated zones, this approach with a Windows Domain CA works perfectly: these zones normally have no internet access and no way of contacting a public CA provider to verify the certificate’s authenticity without special configuration on the clients.
Another option is to set up Easy SSL Certificates for Lab, as laid out by Brandon Lee here: https://www.virtualizationhowto.com/2017/11/easy-ssl-certificates-lab-environment/
The first thing I need to do is to create a global security group for my connection servers; I name it “View Servers”.
I add my connection servers to my new group.
I reboot my connection servers to activate the group membership.
Next I will need to create a certificate template. I log in on my CA server, open the Server Manager Dashboard and, from the Tools menu, open Certification Authority.
I right-click Certificate Templates and click “Manage”
I right-click Web Server and choose «Duplicate Template»
I leave the Compatibility options as is
I give my new template an appropriate name, View Connection Server, and set «Validity period» to 10 years. In my lab it wasn’t necessary to check the “Publish certificate in Active Directory” box in order to publish, but I have seen this to be necessary in other environments, please note.
I tick «Allow private key to be exported»
I change minimum key size to 4096
I add the AD group I created for my connection servers and give it Read, Write and Enroll permissions.
I click Edit on Application Policies
I click Add
I choose Client Authentication, OK
I close the Certificate Template Console
Next, I right-click Certificate Templates – New – Certificate Template to Issue…
As we can see here, the template is missing… and I don’t know why.
To resolve this, I run the following command from an administrative cmd prompt (the template name is the display name without spaces):
certutil -SetCATemplates +ViewConnectionServer
As we can see, the View Connection Server template is now present.
I can now log in on the first connection server and start the Certificates MMC. I give the existing self-signed certificate a new friendly name.
I right-click Personal – Certificates, All Tasks – Request New Certificate
The Certificate Enrollment Wizard starts, Next
I’ll be using Active Directory Enrollment Policy, Next
I click the line «More information is required…» below my View Connection Server enrollment policy
I add the common name of my server
Change the friendly name to «vdm», OK
I restart the server to apply the certificate change. When my first connection server comes up, I perform the same procedure for my second connection server, only with a different, appropriate common name.
After having done this procedure, I can see in the Horizon View Administrator GUI that both my connection servers are green and happy.
When I now open the VMware Horizon portal login, I can verify that the certificate is correct.
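The same verification can be done from an elevated PowerShell prompt on each connection server. The script below is an added example, not part of the original post: it checks that exactly one certificate with the friendly name «vdm» exists in the machine Personal store, that it has a private key of at least 4096 bits, that its CN matches the server FQDN, that it carries the Server and Client Authentication EKUs from the template, and that it chains to a root present in the Trusted Root store (the GPO prerequisite above). The friendly name, key size and EKU OIDs are taken from this series; revocation checking is skipped because isolated zones often cannot reach a CRL.

```powershell
# Added example: post-enrollment check of the Horizon connection server certificate.
$ExpectedFriendlyName = 'vdm'      # Horizon selects its TLS certificate by this friendly name
$MinKeySize           = 4096       # matches the template's minimum key size
$Fqdn                 = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$problems             = @()

# There must be exactly one 'vdm' certificate, otherwise Horizon picks unpredictably or fails.
$vdm = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $ExpectedFriendlyName })
if ($vdm.Count -ne 1) {
    throw "Expected exactly one certificate with friendly name '$ExpectedFriendlyName', found $($vdm.Count)."
}
$cert = $vdm[0]

# The server must hold the private key, and the key must meet the template's size.
if (-not $cert.HasPrivateKey) { $problems += 'No private key is associated with the certificate.' }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa -or $rsa.KeySize -lt $MinKeySize) {
    $problems += "RSA key size is $($rsa.KeySize); expected at least $MinKeySize."
}

# The common name entered in the enrollment wizard must match what clients connect to.
if ($cert.Subject -notmatch "CN=$([regex]::Escape($Fqdn))(,|$)") {
    $problems += "Subject '$($cert.Subject)' does not contain CN=$Fqdn."
}

# Web Server template gives Server Authentication; Client Authentication was added in the template.
$ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($ekus -notcontains $oid) { $problems += "Missing Enhanced Key Usage $oid." }
}

# The chain must build to a root the GPO placed in Trusted Root Certification Authorities.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # no CRL reachability assumed in isolated zones
if (-not $chain.Build($cert)) {
    $problems += "Chain did not build: $(($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')"
} else {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if (-not (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")) {
        $problems += "Root '$($root.Subject)' is not in the machine Trusted Root store."
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "OK: '$ExpectedFriendlyName' certificate for $Fqdn passes all checks."
}
```

Run it on each connection server after the restart; a warning about a missing root means the GPO from the CA setup post has not applied yet.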
Disclaimer: Every tip/trick/posting I have published here is tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.