VMware True SSO – Create Certificate Templates for True SSO

Release date: December 13th 2020

Welcome to my VMware True SSO (single sign-on) series. In this sub-section I describe how I created the necessary certificate templates used in this setup.

The first thing we need to do is create the certificate templates used to issue the short-lived certificates that True SSO uses. I do this from my MS CA server: I log into my CA and launch the Certification Authority MMC, then right-click Certificate Templates and select “Manage”.

Once in the templates section, I duplicate the “Smartcard Logon” template.

I adjust the following Compatibility Settings:

  • Certification Authority
  • Certificate recipient

Under the General tab, I change the display name to «TrueSSO» and then adjust the Validity and Renewal periods to the normal working hours in Norway.

Under the Request Handling-tab, I change the purpose to “Signature and smartcard logon” and select “For automatic renewal of smart cards, …

From the Cryptography-tab, I adjust “Provider Category” and “Algorithm name” as follows…

Under the Server tab, I select «Do not store certificates and requests in the CA database», but make sure to deselect “Do not include revocation information in issued certificates”.

From the Issuance Requirements-tab, I select “This number of authorized signatures” with the value “1”, adjust the Policy Type and adjust the “Require the following for reenrollment” setting

Finally, from the Security tab, I give my Computer Account group “Horizon Services” Read and Enroll permissions. (I already added the computer-account for my server to this group)

I click OK, close the Certificate Templates Console window and Right-click Certificate Templates, New > Certificate Template to Issue

I select my new template TrueSSO – OK

To configure the Enrollment Agent Computer template, I adjust its security settings so that my group “Horizon-Services” gets Read and Enroll permissions.

I click OK, close the Certificate Templates Console window and Right-click Certificate Templates, New > Certificate Template to Issue

I select the Enrollment Agent Computer template – OK
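To read the settings back after the steps above, the following added example (not part of the original post) queries both templates in Active Directory and lists which principals hold Enroll. It assumes the RSAT ActiveDirectory module, that the template name equals the display name «TrueSSO», and that the built-in Enrollment Agent Computer template has the name MachineEnrollmentAgent; the flag values are the ones defined in Microsoft's certificate template specification.

```powershell
# Added example: read back the template settings described on this page.
# Assumes the RSAT ActiveDirectory module and rights to read the Configuration partition.
Import-Module ActiveDirectory

$group       = 'Horizon Services'   # group name from this page; adjust to your own
$templates   = 'TrueSSO', 'MachineEnrollmentAgent'   # assumed template CNs (see lead-in)
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
        (Get-ADRootDSE).configurationNamingContext

function Get-EnrollPrincipal {
    param([Parameter(Mandatory)][string]$TemplateDn)
    # Allow-ACEs that grant Enroll, either explicitly or through "all extended rights"
    (Get-Acl -Path "AD:\$TemplateDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

foreach ($name in $templates) {
    $t = Get-ADObject -SearchBase $base -Filter "cn -eq '$name'" `
            -Properties flags, 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature'
    if (-not $t) { Write-Warning "Template '$name' not found"; continue }

    $principals = @(Get-EnrollPrincipal -TemplateDn $t.DistinguishedName)
    [pscustomobject]@{
        Template             = $name
        AuthorizedSignatures = $t.'msPKI-RA-Signature'        # page sets 1 on TrueSSO
        NotStoredInCaDb      = [bool]($t.flags -band 0x1000)  # CT_FLAG_DONOTPERSISTINDB
        OmitsRevocationInfo  = [bool]($t.'msPKI-Enrollment-Flag' -band 0x4000)  # should be False on TrueSSO
        GroupCanEnroll       = [bool]($principals -like "*\$group")
        EnrollPrincipals     = $principals -join '; '   # review for anyone unexpected
    }
}

# On the CA itself: confirm both templates were published with "Certificate Template to Issue"
certutil -CATemplates | Select-String -Pattern ($templates -join '|')
```

The Enroll list matters most on the Enrollment Agent Computer template, since a certificate from it lets the holder request certificates on behalf of other users.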

I can now log out of my CA server and proceed with installing the VMware Horizon Enrollment Server, which I have documented on the following page: Install and Set Up of the Enrollment Server

My VMware True SSO Lab Set Up

VMware Horizon (2006) documentation: Setting Up True SSO

VMware Workspace ONE and VMware Horizon Reference Architecture

Disclaimer: Every tip, trick and posting I have published here has been tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.
