A while back I posted a blog post describing how to set up Kerberos single sign-on in Horizon Workspace 1.5, link: http://blogs.vmware.com/horizontech/2014/01/setting-up-kerberos-single-sign-in-sso-access-in-horizon-workspace-1-5.html. With the release of Horizon Workspace 1.8 we have changed the procedure and logic quite a bit.
This blog post will walk you through the process of setting up Kerberos SSO and hopefully explain some of the new concepts in Horizon Workspace 1.8 along the way.
With Horizon Workspace 1.8 we introduced the concept of access policies. Workspace supports two different kinds of access policy. First we have the overall portal access policy (policy name: default_access_policy_set). The second kind is a per-application policy. In Horizon Workspace 1.8 application policies can only be applied to SAML and WS-Fed based Web applications.
The portal access policy might allow you to reach the portal from the Internet, while an application policy lets an administrator restrict access to a SaaS based application. For example, you might only be allowed to launch a Web application when you connect from inside your firewall.
Why is this important? In order to set up Kerberos SSO we need to edit the portal access policy and specify for which network ranges Kerberos is to be used. But first, let’s create a network range.
1. Create a network range
We need to decide which network segments our Kerberos enabled clients are using. Normally these are your LAN segment or segments.
1.1 Login to the Horizon Workspace admin portal (https://gateway_FQDN/admin)
1.2 Access Settings – Network Ranges and click the button labeled: + Network Range
1.3 Now specify your network range, give the range a name and press Save.
In my case my LAN is network segment 10.11.11.0/24 so my range will be specified as: 10.11.11.0 – 10.11.11.255.
1.4 You should now have two network ranges listed.
2. Enable Kerberos on your Connector
With Horizon Workspace 1.8 all Connectors can provide all the different supported authentication methods. This greatly simplifies your setup. In version 1.5 you had to deploy a second Connector to offer Kerberos SSO. This is no longer required.
It is still required that the Connector is in the same DNS namespace as your Active Directory domain. In my case my AD domain is pinata.local. Therefore my connector is: connector-va.pinata.local.
2.1 Access your connector’s admin interface, (https://connector-va.domain.local:8443)
2.2 Make sure your Connector is joined to the domain
2.3 Activate Windows Authentication and make sure to activate Enable Redirection.
3. Configure certificate on Connector
You must still have a trusted certificate on your Connector. The process of adding a trusted certificate is already described in great detail in steps 2 and 3 of my previous blog post on how to enable Kerberos SSO in Horizon Workspace 1.5, link: http://blogs.vmware.com/horizontech/2014/01/setting-up-kerberos-single-sign-in-sso-access-in-horizon-workspace-1-5.html. Please follow those steps and then return to this blog post.
4. Change Authentication Score
The next task is to edit the authentication scores of the Password and Kerberos authentication methods.
4.1 Go back to the Horizon Workspace admin interface (https://gateway_FQDN/admin)
4.2 Access Settings – Authentication Methods
4.3 Change the Authentication score of Password from 1 to 2 and change Kerberos from 2 to 1.
4.4 Rearrange (by simple drag and drop) Kerberos so that Kerberos becomes the first in order.
Your Authentication Methods settings should now look like this:
5. Edit your Identity Provider
5.1 Still in Horizon Workspace admin interface; access Settings – Identity Providers
5.2 Click Edit on your identity provider
5.3 Make sure both Kerberos and Password are activated as Authentication Methods
5.4 Make sure your identity provider serves ALL RANGES and the newly created LAN network range
6. Configure your end-points
In order for Kerberos SSO to work your end-points must trust the certificate of the Connector (covered in step 3), Internet Explorer must be configured to allow passing Windows credentials to Web pages, and the Connector FQDN must be listed under Local intranet sites.
You can manually add the Connector to Local intranet sites but in my home lab I added it to a GPO for easier management.
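If you prefer to script the end-point part of step 6, here is an added PowerShell example (not from the original post or from VMware): it registers the Connector FQDN in the Local intranet zone for the current user and checks that the Connector’s TLS certificate chain is trusted by the machine. The connector name is taken from this post, and port 443 for the user-facing Connector endpoint is an assumption.

```powershell
# Added example, not part of the original post. Assumes the Connector name from
# the post and that end users reach the Connector on port 443.
param([string]$ConnectorFqdn = 'connector-va.pinata.local')

function Add-LocalIntranetSite {
    param([Parameter(Mandatory)][string]$Fqdn)
    # Per-user ZoneMap layout: ...\ZoneMap\Domains\<domain>\<hostlabel>, with a DWORD
    # named after the scheme. Zone 1 = Local intranet (2 = Trusted, 3 = Internet).
    # For the GPO route used in the post, the equivalent lives under
    # HKLM:\Software\Policies\...\Internet Settings\ZoneMapKey as a string value
    # named "https://<fqdn>" with data "1" (Site to Zone Assignment List).
    $labels    = $Fqdn.Split('.')
    $hostLabel = $labels[0]
    $domain    = ($labels | Select-Object -Skip 1) -join '.'
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
    return $key
}

function Test-ConnectorCertificate {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 443)
    # Opens a TLS session with the default validation callback, so an untrusted
    # chain or a name mismatch (the two usual causes of step 3 failures) throws.
    $client = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return [pscustomobject]@{ Trusted = $true; Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter }
    } catch [System.Security.Authentication.AuthenticationException] {
        return [pscustomobject]@{ Trusted = $false; Subject = $null; Issuer = $null; NotAfter = $null; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# Usage: register the zone entry, then verify the certificate before testing SSO (step 7).
Add-LocalIntranetSite -Fqdn $ConnectorFqdn
Test-ConnectorCertificate -Fqdn $ConnectorFqdn | Format-List
```

If Trusted comes back $false, fix the certificate on the Connector (step 3) before troubleshooting the browser, since IE will not send Kerberos tickets to a site it cannot trust.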
7. Test your setup
Launch a Web browser on a LAN connected and domain joined end-point and access your Gateway’s FQDN. You should see that you are immediately redirected to your Connector.
Once the Kerberos authentication is completed you are redirected to the Gateway FQDN again.