Archives: SSO

SSON Configuration Checker for Citrix Receiver for Windows

Hey Domain Administrators! Do you know how SSON Configuration Checker has eased domain pass-through configuration? Well, if you don’t, then this is the right place.

Maybe domain pass-through authentication is a simple concept, but at times it doesn’t work well, …


  


Driving Toward a Digital Workspace? 6 Reasons to Attend vForum Online Summer 2017 (With 2 Bonuses)

Thanks to the modern workforce, Software-as-a-Service (SaaS) apps and mobile workflows, traditional ways of managing and securing users, apps and devices (and all that associated data) are starting to show some cracks in effectiveness. While this presents a challenge for IT, it also presents an opportunity—out with the old, in with the new.

For many IT departments, now is the time to progress toward a digital workspace. With an ideal digital workspace solution in place, IT gains the simple, secure infrastructure needed to deliver the apps and data teams need across any work device—as well as an application delivery platform that handles both native and cloud applications.

To learn how, register to join vForum Online on June 28. In this free, half-day event—our largest online conference—you’ll get what you need to take the first steps on the path to a modern, digital workspace, right from the convenience of your desk.

If you’ve attended previous vForum Online conferences, you’ll see this one is a little different. We’ve broken it down into specific, goal-oriented tracks so you can more easily pursue a specific aim. But whether you’re returning or just starting out at vForum, you simply cannot miss this opportunity to enhance your IT expertise.

Need a reason to register? Here are six—with two special bonus reasons:

  1. Discover Three Ways to Start Your Transformation: What does it take to migrate to a new workspace that actually works? In our breakout session, “Empowering the Digital Workspace: Three Key Initiatives for Moving to a Digital Workspace,” you’ll see how the four pieces of the workspace puzzle fit together. One of them is to virtualize desktops and apps. Know what the other three are?
  2. Then, Have Your Big Questions Answered: Questions, comments or high-level concerns you have about moving to a digital workspace? Ask a VMware pro. In one of our Chats with Experts on the digital workspace, you’ll talk live and get your issues resolved right on the spot.
  3. See How to Simplify App and Access Management: If you’re looking to give your teams a smarter, more reliable way to do mobile work—without compromising on security—the “Putting the User First: Simplify App and Access Management” breakout session is one vForum Online talk you need to hear.
  4. Take the Mystery out of Managing Mobile Devices: Just beginning to manage mobile devices? Without a helpful, interactive guide, enterprise mobility management (EMM) and mobile device management (MDM) can seem a little confusing. In our “Introduction to VMware AirWatch” Hands-on Lab, you’ll log in to the AirWatch console as an admin to write a policy, then enroll a device into your newly configured environment.
  5. Gain a Guide to Windows Endpoint Management: Know how the VMware digital workspace platform allows IT teams to manage Windows 10 PCs—wherever they are, and however they’re owned? You will. Start in the breakout session, “Modernizing Windows Endpoint Management: Leveraging Windows 10 and Cloud-Based Management,” and then head to the related Chat, where you’ll be able to discuss things in more detail with a VMware expert.
  6. Do a Deep Dive on the Digital Workspace: In the demo, “VMware AirWatch: Workspace ONE, Single Sign-on and VMware Identity Manager,” you’ll walk through the latest on the VMware Workspace ONE solution. Then, you’ll configure its integration with AirWatch to enable single sign-on (SSO) from any device to any application, thanks to VMware vCenter SSO.
  7. BONUS #1: Hear From Our CEO: Ever wonder what’s on the mind of our distinguished CEO Pat Gelsinger? Now, you have a special chance to find out for yourself. vForum Online Summer 2017 kicks off with his keynote, entitled “5 Myths of IT.” In it, Pat will challenge some conventional (but questionable) IT wisdom as he shares his personal perspective. You won’t want to miss this.
  8. BONUS #2: Win a Cool Prize: Learn something new; win something new. We’re handing out some awesome prizes to several lucky attendees of vForum Online, like an Oculus Rift VR headset, a voice-controlled Amazon Echo speaker and so much more. Will you win a prize?

The big day is quickly approaching, and we hope to see you there. But first things first: Register for the June 28 vForum Online today.

The post Driving Toward a Digital Workspace? 6 Reasons to Attend vForum Online Summer 2017 (With 2 Bonuses) appeared first on VMware End-User Computing Blog.


Unified Gateway: Single Sign-On to VDI, Web, Enterprise & SaaS Applications

Enterprise customers are transitioning to the cloud and are looking to consolidate their datacenter footprints and provide single sign-on to all applications deployed in a datacenter, cloud, or delivered as SaaS. Implementing Single Sign-On (SSO) for cloud and SaaS applications …


  


VMware Horizon 7 True SSO: Advanced Features

In a previous blog, we saw how to deploy VMware Horizon 7 True SSO in a lab environment. The diagram below is a recap of the deployment:

Now, let us discuss what to consider when deploying True SSO in a production environment. The discussion will focus only on the VMware Horizon environment aspect of the above diagram.

VMware recommends deploying two VMware Enrollment Servers and two Microsoft Certificate Authorities (CA) for True SSO in a production environment. Configure these so that the Horizon Connection Server uses both VMware Enrollment Servers, and each VMware Enrollment Server uses both CAs.

Enrollment Server Deployment Scenarios

For each domain, we can configure two Enrollment Servers (primary and secondary) in a Horizon 7 environment. The two Enrollment Servers add redundancy, which allows IT to conduct maintenance, upgrades, etc., without any disruption for end users.

By default, the Connection Server always prefers the primary Enrollment Server for generating certificates. The secondary Enrollment Server is used only when the primary Enrollment Server is unresponsive or in an error state. The Connection Server switches back to the primary Enrollment Server as soon as it recovers.

True SSO can also be configured for high availability. When configured, Connection Server distributes the load of generating Certificates by alternating between the two Enrollment Servers. If an Enrollment Server becomes unresponsive, the Connection Server routes all requests via the other one until it recovers.

For high availability, VMware recommends:

  • Co-host Enrollment Server with a CA on the same machine.
  • Configure Enrollment Server to prefer the local CA.
  • Configure Connection Server for load balance between the configured Enrollment Servers.

Configuration settings:

1. Configure Connection Server to load balance between two Enrollment Servers (requires editing LDAP).

  • Log in to the console of a Connection Server in the POD and launch “ADSI Edit” from “Control Panel > Administrative Tools”.
  • From the menu, select “Action > Connect to”.
  • Connection Settings:
    1. Connection Point: dc=vdi,dc=vmware,dc=int
    2. Computer: localhost:389
  • Expand the connection tree to “OU=Properties > OU=Global” and double-click the object named “CN=Common” in the right pane.
  • In the properties window, find and double-click the attribute named “pae-NameValuePair”.
  • In the Multi-valued String Editor window, add: “cs-view-certsso-enable-es-loadbalance=true”.

2. Configure the Enrollment Server to prefer the local CA when co-hosted (requires editing registry).

  • Log in to the console of an Enrollment Server.
  • Registry location: HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service
  • Add Value Name: “PreferLocalCa”, Value data: “1”.
  • This needs to be repeated on each Enrollment Server individually.
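The two configuration steps above, scripted in PowerShell as an added example (this is not code from the blog post or from VMware). It uses the values the post gives: the ADSI connection point dc=vdi,dc=vmware,dc=int on localhost:389, the object CN=Common under OU=Global,OU=Properties, the pae-NameValuePair attribute and the PreferLocalCa registry value. Assumptions of mine: the function names are hypothetical, the script runs as a Horizon administrator so the ADSI bind succeeds, and PreferLocalCa is stored as a DWORD (the post only gives the value “1”).

```powershell
# Added example, not from the blog post. Part 1 runs on a Connection Server in the POD;
# part 2 runs on every Enrollment Server.

# Part 1: append the load-balance flag to the multi-valued attribute pae-NameValuePair
# on CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int, only if it is not there yet.
function Enable-TrueSsoEnrollmentLoadBalance {
    param(
        [string]$LdapPath = 'LDAP://localhost:389/CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int',
        [string]$Setting  = 'cs-view-certsso-enable-es-loadbalance=true'
    )
    $common = [ADSI]$LdapPath
    # Existing name=value pairs (may be empty on a fresh install).
    $current = @($common.Properties['pae-NameValuePair'])
    if ($current -contains $Setting) {
        Write-Host "Already present: $Setting"
        return $false
    }
    # ADS_PROPERTY_APPEND (3) adds one value without touching the other pairs,
    # which is what the Multi-valued String Editor does in the manual procedure.
    $common.PutEx(3, 'pae-NameValuePair', @($Setting))
    $common.SetInfo()
    Write-Host "Added: $Setting"
    return $true
}

# Part 2: make a co-hosted Enrollment Server prefer its local CA.
function Set-TrueSsoPreferLocalCa {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service'
    )
    if (-not (Test-Path $KeyPath)) {
        throw "Enrollment Service registry key not found: $KeyPath (is the Enrollment Server installed here?)"
    }
    # DWORD is an assumption; -Force overwrites an existing PreferLocalCa value.
    New-ItemProperty -Path $KeyPath -Name 'PreferLocalCa' -PropertyType DWord -Value 1 -Force | Out-Null
    return (Get-ItemProperty -Path $KeyPath -Name 'PreferLocalCa').PreferLocalCa
}

# Usage:
#   Enable-TrueSsoEnrollmentLoadBalance   # once per POD, on a Connection Server
#   Set-TrueSsoPreferLocalCa              # on each Enrollment Server
```

Part 1 is idempotent, so re-running it on a Connection Server that already carries the flag changes nothing; part 2 must be run on each Enrollment Server because the registry value is per machine, exactly as the manual procedure notes.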

True SSO in a Complex Domain Environment

VMware supports deploying True SSO in multi-domain environments, provided the domains have a two-way trust.

Let us take an example where we have two Domain trees (A & X) in the same forest.

Here we see two domain trees, Domain A and Domain X. Each of the domain trees has transitive trusts between all domains. Moreover, Domain A tree and Domain X tree have two-way, transitive trust relationship between each other.

VMware supports True SSO in this scenario, and the two Enrollment Servers can be placed at any domain.

Let us consider another example:

Here, we see two forests each containing its own domain trees. Moreover, the two forests have two-way, forest-level trust set up, as well.

VMware supports True SSO in this scenario, as well. Like before, the two Enrollment Servers can be placed within any domain of any forest.

More about domain and forest trusts can be found at technet.microsoft.com/en-us/library/cc770299.aspx.

Deployment Considerations

For best performance, it is important to plan the deployment of the CAs and the Enrollment Servers. For generating certificates, the Enrollment Server needs to communicate with the CA and the CA needs to communicate with the Domain Controller. Therefore, it is always a good idea to place the CA as close as possible to the Domain Controller. Likewise, place the Enrollment Server as close as possible to the CA. By placing them in close vicinity, we aim to reduce the network hops. As such, we will get optimal performance by co-hosting the CA and the Enrollment Server on the same VM.

When deploying Enrollment Servers and CAs, we also need to consider administrative roles. If “Domain admin” or “CA admin” is responsible for managing the CAs and “View admin” is a separate role responsible for managing the View deployment, then we need to consider setting up the CA and the Enrollment Server on separate VMs, so that each component is managed by its assigned role.

Advanced Settings

Out-of-the-box settings will suit most users. If required, there are some advanced settings provided for admins.

  • Settings for Virtual Desktop: all the required settings are provided via the VMware Horizon View Agent admin GPO template (vdm_agent.adm).
  • Settings for Enrollment Server: all the required settings are provided via the registry and are created under “HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service”.
  • Settings for Connection Server: all the required settings are provided via LDAP under the attribute “pae-NameValuePair”, as discussed in the earlier section.

Description: The following combination of settings adjusts the maximum time for generating a certificate on behalf of a user (including one retry on failure). Typically, admins want to tweak these settings when they find certificates arriving after SSO has timed out waiting for one. All three settings need to be adjusted together, and typically the values are ordered:

Enrollment Server < Connection Server < Virtual Desktop

Settings:

  • Certificate wait timeout (Virtual Desktop, via GPO). Default: 40 sec. Range: 10 sec – 120 sec.
  • cs-view-certsso-certgen-timeout-sec (Connection Server, via LDAP). Default: 35 sec. Range: 10 sec – 60 sec.
  • MaxSubmitRetryTime (Enrollment Server, via Registry). Default: 25000 milliseconds. Range: 9500 milliseconds – 59000 milliseconds.

Description: The Enrollment Server caches details about the Windows environment, such as AD info, CAs and Templates. By default, the Enrollment Server will attempt to access all domains. In a complex environment, you may want to limit the domains that the Enrollment Server monitors. The settings below can be set as required.

Settings (Enrollment Server, via Registry):

  A. ConnectToDomains: automatically monitor the domains specified. Example: truesso.dom.int
  B. ExcludeDomains: do not automatically monitor the domains specified. Example: truesso.dom.int. If a Connection Server references any of the listed domains via its configuration, the Enrollment Server will try to connect to it and monitor it.
  C. ConnectToDomainsInForest: automatically monitor all domains in the forest. Default: 1 (True). Values: 0 (False) or a positive number (True).
  D. ConnectToTrustingDomains: automatically monitor all explicitly trusting domains or domains with incoming trusts. Default: 1 (True). Values: 0 (False) or a positive number (True).

Description: At times, CAs may take an unusually long time to generate certificates. When that happens, the CA is marked as “Degraded” by the Enrollment Server. The Enrollment Server measures how long a CA takes to generate a certificate, and the CA is marked Degraded if it takes more than 1,500 milliseconds by default.

Setting: SubmitLatencyWarningTime (Enrollment Server, via Registry). Default: 1500 milliseconds. Range: 500 milliseconds – 5000 milliseconds.

Description: This setting allows admins to disable True SSO on any specific desktop.

Setting: Disable True SSO (Virtual Desktop, via GPO). Default: 0 (False).

Description: This setting defines the minimum key size to be used for True SSO. The generated certificate is protected by a public/private RSA key pair, which is securely stored on the Virtual Desktop. This value sets the minimum bar for the key size: keys have to be at least the size defined by this value.

Setting: Minimum key size (Virtual Desktop, via GPO). Default: 1024. Range: 1024 – 8192.

Description: This setting specifies a list of key sizes. When generating an RSA key pair, the size used must be one defined in the list. The list can hold a maximum of five sizes.

Setting: All sizes of keys that can be used (Virtual Desktop, via GPO). Default: 2048. Example: 1024,2048,3072,4096,8192

Description: This setting specifies the number of RSA key pairs that will be pre-created. Generating RSA key pairs can be time consuming. So as not to add to the logon time, a number of key pairs are pre-created, and one is picked from the cache when required for True SSO. This setting is only valid in Remote Desktop Session Host (RDSH) environments.

Setting: Number of keys to pre-create (Virtual Desktop, via GPO). Default: 5. Range: 1 – 100.

Description: This setting specifies how long a certificate needs to remain valid to be considered for re-use by True SSO. A user may be disconnected from his or her session. If the user tries to connect back while the session is still active, he or she reconnects to that session. While reconnecting, True SSO logs the user back into the desktop. Since a session already exists, True SSO tries to reuse the certificate associated with the session, provided it is still valid. The certificate is considered valid if it remains valid for at least the duration defined by this setting, i.e. it is reused only if the time left before it expires is not shorter than this value.

Setting: Minimum validity period required for a certificate (Virtual Desktop, via GPO). Default: 10 minutes. Range: minimum 5 minutes.
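The three certificate-generation timeouts above live on three different components and in two different units, which is where misconfigurations creep in. The following PowerShell, added here as an example and not taken from the blog post or from VMware, checks the values against the documented ranges and the recommended ordering Enrollment Server < Connection Server < Virtual Desktop, comparing everything in milliseconds. The two reader functions read the Connection Server value from the LDAP attribute and the Enrollment Server value from the registry key named above (each on the machine where it lives); the Virtual Desktop value is passed in by hand, since the post only says it comes from the vdm_agent.adm GPO template. Function names are mine.

```powershell
# Added example, not from the blog post.

function Test-TrueSsoTimeouts {
    param(
        [Parameter(Mandatory)][int]$VirtualDesktopWaitSec,      # "Certificate wait timeout" (GPO), seconds
        [Parameter(Mandatory)][int]$ConnectionServerTimeoutSec, # cs-view-certsso-certgen-timeout-sec (LDAP), seconds
        [Parameter(Mandatory)][int]$EnrollmentServerRetryMs     # MaxSubmitRetryTime (registry), milliseconds
    )
    $problems = @()
    # Documented ranges from the table above.
    if ($VirtualDesktopWaitSec -lt 10 -or $VirtualDesktopWaitSec -gt 120) {
        $problems += "Certificate wait timeout $VirtualDesktopWaitSec s is outside 10-120 s"
    }
    if ($ConnectionServerTimeoutSec -lt 10 -or $ConnectionServerTimeoutSec -gt 60) {
        $problems += "cs-view-certsso-certgen-timeout-sec $ConnectionServerTimeoutSec s is outside 10-60 s"
    }
    if ($EnrollmentServerRetryMs -lt 9500 -or $EnrollmentServerRetryMs -gt 59000) {
        $problems += "MaxSubmitRetryTime $EnrollmentServerRetryMs ms is outside 9500-59000 ms"
    }
    # Ordering check: a lower layer must give up before the layer above it times out.
    $csMs = $ConnectionServerTimeoutSec * 1000
    $vdMs = $VirtualDesktopWaitSec * 1000
    if (-not ($EnrollmentServerRetryMs -lt $csMs -and $csMs -lt $vdMs)) {
        $problems += ("Ordering violated: need Enrollment Server {0} ms < Connection Server {1} ms < Virtual Desktop {2} ms" -f
            $EnrollmentServerRetryMs, $csMs, $vdMs)
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Run on a Connection Server: parse the name=value pairs of pae-NameValuePair.
function Get-TrueSsoConnectionServerTimeoutSec {
    param([string]$LdapPath = 'LDAP://localhost:389/CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int')
    $pairs = @(([ADSI]$LdapPath).Properties['pae-NameValuePair'])
    $match = $pairs | Where-Object { $_ -like 'cs-view-certsso-certgen-timeout-sec=*' } | Select-Object -First 1
    if ($match) { return [int]($match -split '=', 2)[1] }
    return 35   # documented default when the pair is absent
}

# Run on an Enrollment Server: read MaxSubmitRetryTime, falling back to the documented default.
function Get-TrueSsoEnrollmentRetryMs {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service')
    $value = (Get-ItemProperty -Path $KeyPath -Name 'MaxSubmitRetryTime' -ErrorAction SilentlyContinue).MaxSubmitRetryTime
    if ($null -ne $value) { return [int]$value }
    return 25000
}

# Usage with the documented defaults (25000 ms < 35000 ms < 40000 ms, so Ok is True):
#   Test-TrueSsoTimeouts -VirtualDesktopWaitSec 40 -ConnectionServerTimeoutSec 35 -EnrollmentServerRetryMs 25000
# Usage with live values gathered from each component:
#   Test-TrueSsoTimeouts -VirtualDesktopWaitSec 40 `
#       -ConnectionServerTimeoutSec (Get-TrueSsoConnectionServerTimeoutSec) `
#       -EnrollmentServerRetryMs (Get-TrueSsoEnrollmentRetryMs)
```

Raising only the Enrollment Server retry time without raising the two layers above it is the typical mistake this catches: the Enrollment Server may then still be retrying a slow CA after the Connection Server and the desktop have already given up on the certificate.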

Common Troubleshooting

We observe the following log lines in the Horizon Connection Server logs:

  • 2016-03-17T17:07:43.359Z WARN (0484-009C) [MessageFrameWork] AuthCERTSSL: incoming issuer ‘4b81f0b2-baab-4273-bbff-48ac36f8bcaa.certsso.vdi.vmware.com’ cert is self signed but not in our store.
  • 2016-03-17T17:07:43.359Z WARN (0484-009C) [MessageFrameWork] Unable to accept connection, authentication failed, reason=authCertSsl

Cause: This indicates that the “Enrollment Service Client Certificate” has not been copied from the Connection Server to the Enrollment Server.

Resolution: Please deploy the “Enrollment Service Client Certificate” from the Connection Server to the Enrollment Server, so that the Enrollment Server can establish a secure connection between the two.

After setting up True SSO, it is advisable to check its status on the Horizon Connection Server administrator dashboard.

If everything is configured correctly and all components are working well, we would observe the True SSO status as below on the Dashboard:

  • The domain for which True SSO is configured will be displayed under “True SSO,” and it will be green.
  • The trust relationship will be green under “Domains.”

Below is a list of issues that may disrupt True SSO:

1. Issue: The domain name is not displayed in the dashboard.

Cause: True SSO configuration information for that domain is missing or not setup correctly.

Resolution: Please verify that True SSO was configured correctly using the “vdmUtil” tool and/or reconfigure it.

2. Issue: The domain name displayed in the dashboard under “True SSO” is not green.

Cause: The True SSO configuration information may not be accurate, or some component required for True SSO to work is not working or not set up correctly.

Resolution: True SSO status for a domain may indicate okay (green), error (red) or warning (amber) on the dashboard.

To diagnose a problem, admins can click on the domain name, which will pop up a dialog displaying a warning or error message relating to the issue.

The table below describes the meaning of the various error and warning messages that can be displayed via the pop-up dialog, grouped by category:

Category: Connection Server to Enrollment Server Connection Status

Message: Failed to fetch True SSO health information.

Description: This message is displayed when no health information is available for the dashboard to display. The most likely cause is that the Enrollment Server has not reported back any status updates yet. If this message lasts more than a minute, please verify that the Enrollment Server is turned on and is reachable from the Connection Server.

Message: The <FQDN> enrollment server cannot be contacted by the True SSO configuration service.

Description: This message is displayed if the True SSO configuration information has not been refreshed by the Connection Server for a long time. In a Horizon POD environment, all Enrollment Servers receive True SSO configuration information from a single Connection Server, which is also responsible for refreshing it every minute. This could happen if the specific Connection Server responsible for updating the configuration information lost connectivity to the reported Enrollment Server.

Message: The <FQDN> enrollment server cannot be contacted to manage sessions on this connection server.

Description: This message is displayed if a Connection Server cannot connect to the Enrollment Server. There is a known limitation in Horizon 7: instead of being displayed for all Connection Servers in the POD, this information is only displayed for the Connection Server the admin has logged into. To check the connection status of all Connection Servers and Enrollment Servers, an admin needs to log in to each Connection Server individually and check the status on the Dashboard.

Category: Enrollment Server to Active Directory Connection Status

Message: This domain <Domain Name> does not exist on the <FQDN> enrollment server.

Description: This message is displayed if True SSO is configured for a domain but the Enrollment Server has not received any configuration information from the Connection Server yet. If this message lasts for more than a minute, please check that all the Connection Servers in the POD are working as expected and support True SSO.

Message: The <FQDN> enrollment server’s connection to the domain <Domain Name> is still being established.

Description: This message is displayed if True SSO is configured for the domain, but the Enrollment Server has not yet connected to the Domain Controller. If the message lasts for more than a minute, please verify that the Enrollment Server has network connectivity, can resolve the name of the domain and can reach the Domain Controller.

Message: The <FQDN> enrollment server’s connection to the domain <Domain Name> is stopping or in a problematic state.

Description: This message is displayed if the Enrollment Server encounters a problem reading PKI information from the Domain Controller. Please check the specific Enrollment Server’s log file, which provides more information related to the specific Domain Controller. It might be caused by:

a. Some issue with the Domain Controller itself.

b. DNS not being configured properly.

Message: The <FQDN> enrollment server has not yet read the enrollment properties from a domain controller.

Description: This message could be displayed because:

a. The Enrollment Server has not connected to the Domain Controller yet, as it is most likely just starting up.

b. It is a new domain that was just added to the environment, so the Enrollment Server has not connected to its Domain Controller yet.

If this message lasts for more than a minute, please check the following:

a. The network connectivity might be extremely slow.

b. The Enrollment Server is having difficulties accessing the Domain Controller.

Message: The <FQDN> enrollment server has read the enrollment properties at least once, but has not been able to reach a domain controller for some time.

Description: This message is displayed when the Enrollment Server cannot poll the Domain Controller for PKI-related environment changes. An Enrollment Server reads the full PKI configuration from the Domain Controller when it connects to it for the first time and then polls for incremental changes every two minutes. This message may not indicate a True SSO failure: as long as the Certificate Authority servers are able to access the Domain Controller, the Enrollment Server will be able to issue certificates for True SSO.

Message: The <FQDN> enrollment server has read the enrollment properties at least once, but either has not been able to reach a domain controller for an extended time or another issue exists.

Description: This message is displayed if the Enrollment Server is not able to reach the Domain Controller for an extended period of time. During this time, the Enrollment Server will try to discover an alternative Domain Controller for that domain. If a CA server is able to access a Domain Controller, the Enrollment Server will still issue certificates for True SSO; otherwise, the Enrollment Server will fail to issue certificates for True SSO.

Category: Enrollment Certificate Status

Message: A valid enrollment certificate for this domain’s <Domain Name> forest is not installed on the <FQDN> enrollment server, or it may have expired.

Description: This message is displayed when a valid Enrollment Certificate for the domain is missing from the Enrollment Server. Most likely, the Enrollment Certificate is:

a. Not installed on the Enrollment Server.

b. Invalid or expired.

The Enrollment Certificate is issued by an Enterprise CA of the domain. On the Enrollment Server, the certificate can be verified by:

a. Opening the Certificates snap-in for the local computer store in MMC.

b. Locating the Enrollment Certificate in the “Personal” certificate container and verifying that it exists and is valid.

Alternatively, the Enrollment Server’s log file provides additional information regarding the state of all the certificates that were located. To resolve the issue, please follow the View Admin Guide and re-deploy the Enrollment Certificate on the Enrollment Server.

Category: Certificate Template Status

Message: The template <Name> does not exist on the <FQDN> enrollment server domain.

Description: This message is displayed if the Certificate Template configured for True SSO is not set up correctly or the template name was misspelled during True SSO configuration. To resolve the issue, please follow the View Admin Guide, set up the Certificate Template correctly on the Enterprise CA and check the configuration of True SSO using the “vdmUtil” tool.

Message: Certificates generated by this template can NOT be used to log on to Windows.

Description: This message is displayed when the Certificate Template configured for True SSO is missing certain options required for it to work. To resolve this issue, please follow the View Admin Guide and set up the Certificate Template correctly on the Enterprise CA.

Message: The template <Name> is smartcard logon enabled, but cannot be used.

Description: This message is displayed when the Certificate Template configured for True SSO is missing certain options required for it to work. To resolve this issue, please follow the View Admin Guide and set up the Certificate Template correctly on the Enterprise CA.

Category: Certificate Server Configuration Status

Message: The certificate server <CN> of <CA> does not exist in the domain.

Description: This message is displayed if the Common Name for the CA is not configured correctly. Please verify that the Common Name (CN) specified for the CA in the True SSO configuration is accurate and spelled correctly.

Message: The certificate is not in the NTAuth (Enterprise) store.

Description: This message is displayed if the CA is not a member of the forest. To resolve the issue, please manually add the CA certificate to the NTAuth store of the forest in question.

Category: Certificate Server Connection Status

Message: The <FQDN> enrollment server is not connected to the certificate server <CN> of <CA>.

Description: This message is displayed if the Enrollment Server is not connected to the CA. This might be a transitional state, and may occur when the Enrollment Server has just started or the CA was recently added or configured for True SSO. If the message lasts for more than a minute, it indicates that the Enrollment Server failed to connect to the CA. To resolve the issue, please verify that the Enrollment Server can resolve the name of the CA, check the network connectivity between the Enrollment Server and the CA, and check that the system account of the Enrollment Server has permissions to access the CA.

Message: The <FQDN> enrollment server has connected to the certificate server <CN> of <CA>, but the certificate server is in a degraded state.

Description: This message is displayed if the CA has dramatically slowed down while issuing certificates. If this message persists for an extended time, please check whether the CA or the Domain Controller(s) are overworked. Once the issue is resolved and the CA resumes as normal, this message will no longer be displayed.

Message: The <FQDN> enrollment server can connect to the certificate server <CN> of <CA>, but the service is unavailable.

Description: This message is displayed if the Enrollment Server is connected to the CA but unable to issue any certificates for True SSO. This is a transitional state and will update rapidly. If the CA does not recover or does not become able to issue certificates, the state will be updated to “Disconnected.” To resolve the issue, please check that the CA is up, that the Enrollment Server can reach it and that the CA is properly configured for True SSO.
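The “Enrollment Certificate Status” check above (open the Certificates MMC snap-in, look in the Personal container, confirm the certificate exists and is valid) can be done from PowerShell on the Enrollment Server. The script below is an added example and is not code from the blog post or from VMware: it searches Cert:\LocalMachine\My for a certificate issued by the domain’s Enterprise CA and reports whether it is currently valid and how long it has left. The -IssuerPattern value in the usage line is a placeholder for whatever CA name your True SSO configuration uses, the function names are mine, and the private-key check is my addition (a certificate whose private key is missing cannot be used by the Enrollment Server even though it appears in the store).

```powershell
# Added example, not from the blog post. Run on the Enrollment Server.

function Test-CertificateWindow {
    # Pure helper: is a certificate valid at $Now, and how many whole days does it have left?
    param(
        [Parameter(Mandatory)][datetime]$NotBefore,
        [Parameter(Mandatory)][datetime]$NotAfter,
        [datetime]$Now = (Get-Date)
    )
    $valid = ($Now -ge $NotBefore) -and ($Now -le $NotAfter)
    [pscustomobject]@{
        Valid         = $valid
        DaysRemaining = [math]::Floor(($NotAfter - $Now).TotalDays)
    }
}

function Get-TrueSsoEnrollmentCertificateStatus {
    param(
        # Substring of the issuing Enterprise CA's name, e.g. the CN used in the True SSO configuration.
        [Parameter(Mandatory)][string]$IssuerPattern,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # the "Personal" container of the computer store
    )
    $candidates = @(Get-ChildItem -Path $StorePath | Where-Object { $_.Issuer -like "*$IssuerPattern*" })
    if ($candidates.Count -eq 0) {
        return [pscustomobject]@{ Status = 'NotInstalled'; Thumbprint = $null; Subject = $null;
                                  Issuer = $null; NotAfter = $null; DaysRemaining = $null }
    }
    # If several match (e.g. after a renewal), report the one that stays valid the longest.
    $best   = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
    $window = Test-CertificateWindow -NotBefore $best.NotBefore -NotAfter $best.NotAfter
    $status = if (-not $window.Valid)        { 'InvalidOrExpired' }
              elseif (-not $best.HasPrivateKey) { 'NoPrivateKey' }
              else                            { 'Valid' }
    [pscustomobject]@{
        Status        = $status
        Thumbprint    = $best.Thumbprint
        Subject       = $best.Subject
        Issuer        = $best.Issuer
        NotAfter      = $best.NotAfter
        DaysRemaining = $window.DaysRemaining
    }
}

# Usage (the CA name is a placeholder):
#   Get-TrueSsoEnrollmentCertificateStatus -IssuerPattern 'EXAMPLE-ENTERPRISE-CA'
# Anything other than Status = Valid matches the dashboard message above, and the fix is the one
# the post gives: re-deploy the Enrollment Certificate following the View Admin Guide.
```

Because the dashboard message only appears once the certificate is already missing or expired, DaysRemaining is the value worth alerting on ahead of time, for example from a scheduled task that runs this on each Enrollment Server.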

 

3. After successfully setting up True SSO, we see logon attempts failing, and the following error is reported in the logs:

LogonUI] cred::ReportResult(): Reported authentication failure. Status=0xC00000BB (WinErr=50) and subStatus=0x00000000 (WinErr=0).

This is a PKI environment issue that prevents smart card logon from succeeding with the certificates generated by the CA. The following steps should fix the issue. VMware recommends following one step at a time and then testing to see whether the issue is fixed; if not, proceed to the next step.

1. In the majority of cases, this is due to a problem with the Domain Controller certificate, and the resolution is to refresh it, or to install it if not already present. The Domain Controller certificate must be generated using one of these templates: ‘Domain Controller’, ‘Domain Controller Authentication’ or ‘Kerberos Authentication’. Only one of these should be present; we will refer to it as the ‘Domain Controller certificate’ below. To refresh:

  1. Load the Certificates MMC and target it at the computer account: ‘Start’ -> ‘Run’ -> ‘MMC’ -> ‘File’ -> ‘Add/Remove Snap-in’ -> ‘Add’ -> ‘Certificates’ -> ‘Add’ -> ‘Computer Account’ -> ‘Next’ -> ‘Finish’ -> ‘Close’ -> ‘OK’
  2. Expand: ‘Certificates (Local Computer)’ -> ‘Personal’ -> ‘Certificates’
  • Right-click the ‘Domain Controller certificate’ -> ‘All tasks’ -> ‘Renew/Request Certificate with New Key’
  • Restart the Domain Controller.

2. Deploy the CA root certificate via the domain GPO to Trusted Root Certification Authorities. Perform this step on all domains that users may be logging on to using True SSO. Refer to microsoft.com/en-us/library/cc772491(v=ws.11).aspx.

3. Make sure the template used by True SSO does not have “Do not include revocation information in issued certificate” selected. Refer to vmware.com/euc/2016/04/true-sso-setting-up-in-a-lab.html, section: Adjust the settings of various properties of the new template as marked in the screenshot.
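The two log signatures quoted in this troubleshooting section (the AuthCERTSSL “self signed but not in our store” warning on the Connection Server, and the LogonUI authentication failure with Status=0xC00000BB on the desktop) are easy to miss in busy logs. The PowerShell below is an added example, not code from the blog post or from VMware: it scans log lines for both signatures and maps each hit to the cause and resolution the post gives, pulling out the issuer name or status code and the thread id so the hits can be correlated. The sample lines are constructed from the ones quoted in the post; in use, point it at real Connection Server and desktop logs. Function and variable names are mine.

```powershell
# Added example, not from the blog post.

# Known True SSO failure signatures, with the cause and resolution given in the post.
$script:TrueSsoSignatures = @(
    [pscustomobject]@{
        Name       = 'EnrollmentClientCertMissing'
        # The issuer may be wrapped in straight or curly quotes depending on how the log was copied.
        Pattern    = "AuthCERTSSL: incoming issuer ['‘](?<issuer>[^'’]+)['’] cert is self signed but not in our store"
        Cause      = 'Enrollment Service Client Certificate was not copied from the Connection Server to the Enrollment Server'
        Resolution = 'Deploy the Enrollment Service Client Certificate from the Connection Server to the Enrollment Server'
    },
    [pscustomobject]@{
        Name       = 'SmartcardLogonPkiFailure'
        Pattern    = 'cred::ReportResult\(\): Reported authentication failure\. Status=(?<status>0x[0-9A-Fa-f]+)'
        Cause      = 'PKI environment issue preventing smart card logon with the CA-issued certificate'
        Resolution = 'Refresh the Domain Controller certificate; deploy the CA root via GPO; ensure the template includes revocation information'
    }
)

function Find-TrueSsoLogSignature {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        foreach ($sig in $script:TrueSsoSignatures) {
            $m = [regex]::Match($line, $sig.Pattern)
            if (-not $m.Success) { continue }
            # Horizon log lines carry a "(pppp-tttt)" process/thread id; keep it for correlation.
            $thread = if ($line -match '\((?<t>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\)') { $Matches.t } else { $null }
            $detail = if ($m.Groups['issuer'].Success)     { $m.Groups['issuer'].Value }
                      elseif ($m.Groups['status'].Success) { $m.Groups['status'].Value }
                      else                                 { $null }
            [pscustomobject]@{
                Signature  = $sig.Name
                Thread     = $thread
                Detail     = $detail
                Cause      = $sig.Cause
                Resolution = $sig.Resolution
                Line       = $line
            }
        }
    }
}

# Constructed sample input, built from the log lines quoted in this post.
$sample = @(
    "2016-03-17T17:07:43.359Z WARN (0484-009C) [MessageFrameWork] AuthCERTSSL: incoming issuer '4b81f0b2-baab-4273-bbff-48ac36f8bcaa.certsso.vdi.vmware.com' cert is self signed but not in our store.",
    "2016-03-17T17:07:43.359Z WARN (0484-009C) [MessageFrameWork] Unable to accept connection, authentication failed, reason=authCertSsl",
    "[LogonUI] cred::ReportResult(): Reported authentication failure. Status=0xC00000BB (WinErr=50) and subStatus=0x00000000 (WinErr=0)."
)

# Two hits are expected from the sample: one per signature.
Find-TrueSsoLogSignature -Lines $sample | Format-Table Signature, Thread, Detail -AutoSize

# Against real logs:
#   Find-TrueSsoLogSignature -Lines (Get-Content 'C:\path\to\debug-log.txt')
```

The second quoted line (“Unable to accept connection, authentication failed, reason=authCertSsl”) is deliberately not a signature of its own: it shares the thread id with the AuthCERTSSL warning, which is the line that names the unknown issuer and therefore the line worth acting on.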

Conclusion

This concludes our blog post on what to consider for setting up True SSO in a production environment, as well as various configuration options. We also talked about domain/forest trust scenarios where VMware supports True SSO. Finally, we reviewed some advanced settings that might allow admins to tweak True SSO if it does not work as expected out of the box. We also reviewed troubleshooting guidelines for some common issues related to True SSO and discussed the various warning/error messages that can be displayed on the Dashboard for True SSO.

Because you liked this blog:

  • VMware Horizon 7 True SSO: Setting Up In a Lab
  • Automating Horizon 7 with VMware PowerCLI 6.5
  • Announcing the VMware Horizon 7 Enterprise Edition Multi-Site Reference Architecture Paper

The post VMware Horizon 7 True SSO: Advanced Features appeared first on VMware End-User Computing Blog.


Webinar: Conditional Access with Microsoft Intune and Citrix NetScaler Gateway

Anywhere, any-device productivity is more important than ever—but the threat landscape in our mobile-first world grows more complex and sophisticated every day.

Data protection and a modern user experience are both critical enterprise requirements—you shouldn’t have to choose between them.


  


[Video] Make Legacy Application Access Simple with VMware & F5

Your end users leverage consumer apps every day that deliver just what they want, just when they need it. These consumer apps and app delivery platforms—the App Store, Google Play—have raised expectations for users: all important apps should be available anywhere.

For your IT organization, this presents an opportunity to delight end users with apps and digital workspaces that are exactly that—simple and accessible wherever users need them. For conceptual simplicity, the ideal digital workspace should centralize all the apps users need. It should also make it easy for users to add applications to their workspace without extra IT involvement. For accessibility anywhere, your workspace needs to give users access to mobile, cloud, desktop and on-premises applications they need.

Unfortunately, legacy applications can stand in the way of your digital workspace vision. These applications usually run on-premises. They are often protected by old authentication methods, and they usually cannot be exposed safely to the internet. End users find these limitations frustrating, especially when they have to use a VPN or cannot access the legacy apps on their mobile devices.

To solve this problem, VMware and F5 Networks partner to help your IT org provide convenient single sign-on (SSO) to your legacy Kerberos Constrained Delegation (KCD) applications. As described in this video by Peter Silva, senior solution developer for F5, you can set up SSO to your legacy KCD app for happier, more productive end users. At the same time, you can rest easy knowing that F5 BIG-IP Access Policy Manager (APM) is providing a secure gateway and app protection for your app.

See this blog post for more details on providing SSO to legacy apps with our digital workspace solution, VMware Workspace ONE, and BIG-IP APM.

Read More:

  • Single Sign-On (SSO) to Legacy Apps Using BIG-IP & VMware Workspace ONE
  • Load Balancing VMware Identity Manager with F5 BIG-IP Local Traffic Manager
  • VMware Horizon and F5 BIG-IP Win Big

The post [Video] Make Legacy Application Access Simple with VMware & F5 appeared first on VMware End-User Computing Blog.


Announcing the VMware Horizon 7 Enterprise Edition Multi-Site Reference Architecture Paper

Organizations want to keep the business operating during an extended or catastrophic technology outage, providing continuity of service and allowing staff to carry out their day-to-day responsibilities. VMware Horizon 7 Enterprise Edition Multi-Site Reference Architecture provides best practices and architectural blueprints for building a deployment that addresses these issues.

This reference architecture describes a typical configuration and requirements for a two-data-center strategy, which can easily be adapted and scaled to larger environments. All Horizon 7 Enterprise Edition components are included in this solution to deliver business continuity and mitigate against component failure:

  • Virtual desktops and published applications (RDSH)
  • Applications delivered through VMware App Volumes AppStacks and writable volumes
  • Profile data with VMware User Environment Manager
  • Secure external access by using VMware Access Point
  • Single sign-on workspace with VMware Identity Manager

Design begins by defining business requirements and drivers, which can be mapped to basic use cases and adapted to most scenarios. For a detailed description of this process, also see the VMware Horizon 7 Enterprise Edition Reference Architecture.

Figure 1: Example Service Blueprint for a Horizon 7 Enterprise Multi-Site Reference Architecture

To keep the business running with the shortest possible time to recovery and with the minimum amount of disruption, architecture designs in this paper have specific targets for the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). RTO is the time it takes to recover a given service. RPO is the maximum period during which data might be lost. Low targets are defined as 30–60 second estimates. Medium targets are estimated at 45–60 minutes.

For low RTO and RPO targets, recovery services are designed to operate in active/active mode, in which service is available from multiple data centers without manual intervention. For medium RTO and RPO targets, recovery services are designed to operate in active/passive mode, which means the loss of an active Horizon pod or data center instance requires that the secondary site be enabled to accommodate impacted users, and their data and applications.

Note: A Horizon pod contains one block of management servers and one or more resource blocks for hosting virtual desktop or RDS hosts. Each pod supports up to 10,000 users or sessions.

The recovery services and availability described below are from the user’s perspective.

  • With an active/active service, the loss of a Horizon pod or data center instance does not impact service availability to the user because the remaining instances continue to operate independently. Active/active architecture uses one or more Horizon pods located in each data center. The pods are joined using Cloud Pod Architecture configured with global entitlements that allow named users to access either site at any given point in time.
  • With an active/passive service, services are run from both data centers, but in the event of an outage, manual steps are required to enable an available data center to accommodate users impacted by the data center that had the outage. The example in this paper uses Pure Storage arrays to provide data replication. This type of active/passive architecture is the same architecture as active/active, but global entitlements are configured to align a named user to only one site at a time.
  • Another strategy for an active/passive service uses an architecture that relies on VMware vSAN Stretched Cluster technology. This architecture is truly active/passive in that the services are run only from a single data center. In the event of an outage, the entire Horizon 7 Enterprise Edition management and desktop infrastructure is migrated to the passive site. VMware vSAN Stretched Cluster technology relies on certain networking requirements that might not suit customers with geographically dispersed data centers.

VMware Horizon 7 Enterprise Edition Multi-Site Reference Architecture shows how to build a resilient environment that is capable of delivering disaster recovery of Horizon 7 workloads. Appendixes include information such as detailed test plans for each use case and tables listing recommended settings for vSAN, VMware vSphere, distributed switches, and storage.

The post Announcing the VMware Horizon 7 Enterprise Edition Multi-Site Reference Architecture Paper appeared first on VMware End-User Computing Blog.


Your Problem’s Solved: Enable Secure Native Mobile App SSO on Any Device

The advent of mobile phones put enormous amounts of computing power in the hands—quite literally—of end users. “Anyness” (any app, any device, anywhere) is now the expectation, but it needs to happen in a secure way.

Several recent technological advances have made this possible, including mobile device management (MDM, aka freedom from being domain joined). And now with the digital workspace, employees can work conveniently, securely and with more freedom than ever possible before.

The Single Sign-On Advantage

Enter one-touch single sign-on (SSO). As the name suggests, SSO gives users instant access to multiple web, native mobile, virtual and Windows applications in just one touch. With SSO, users provide credentials (or prove their identity) on fewer occasions, creating more convenient, efficient end-user experiences.

SSO also offers a big, often overlooked security advantage: cryptography. Done right, with digital certificates and modern security standards, SSO is actually a more secure mechanism than challenging the user for credentials!

SSO for Native Mobile Apps

Many vendors have struggled to provide SSO on native mobile apps. Apps are written by very large vendors you hardly know, and you are only one of their zillion customers.

In the brave new world of apps and cloud services, companies are looking to vendors to help solve the problem. It is technically possible with wrapped apps, and today it is almost trivial for browser-based apps thanks to SAML, WS-Fed and browser redirects. However, native mobile apps continue to be a challenge.

Access native mobile apps in one touch with VMware Workspace ONE.

VMware Workspace ONE, powered by VMware AirWatch, has stepped up to the challenge. In an industry-first innovation, Workspace ONE is helping our customers get a seamless SSO experience for native mobile apps, including Office 365, Workday, ServiceNow, Salesforce1 and more.

How do we do it?

Workspace ONE leverages native features available on the three major mobile platforms: iOS, Android and Windows 10. All the niceties offered by Workspace ONE around SSO for native apps are based on APIs offered by the respective operating systems (OSs).

More importantly, VMware offers a single pane of glass for administration that does not require the IT department to know or understand how the various OSs differ from each other. VMware also “compensates” for missing functionality in some cases (e.g. Android), bridges “old” functionality in some cases (e.g. iOS and Kerberos) and simply provides support in some cases (e.g. Windows 10).

All three schemes, with minor differences, rely upon three things:

  1. The registration process, when an end user authenticates and enrolls the device in MDM. At the end of the registration process, a certificate—signed by a company-approved certificate authority—is provisioned on the device, which ties the device to the user. This certificate can be internal or public and can be revoked at any time.
  2. The ability to intercept traffic between an app and its cloud-based resources. Unbeknownst to the end user, VMware technology helps the device and the user prove their identity to cloud-based resources, thus ensuring that we challenge the user only when absolutely necessary (e.g. when the certificate expires and the user needs to obtain a new one).
  3. The ability to translate individual platform behavior (across various OSs) to “standard” behavior. This ensures the end-user experience is exactly the same on all platforms, and as a result, IT administrators do not have to worry about the differences between platforms.
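
The three elements above, as an added example that is not VMware's or Workspace ONE's code: a small Python model of the broker-side decision that an enrollment certificate enables. The certificate is a plain record rather than a real X.509 object, and the CA name, serials, users and device IDs are constructed sample data. What the model shows is why the post can claim that certificate-backed SSO is stronger than prompting for a password: the assertion is only issued for a certificate from an approved CA, bound to both this device and this user, not revoked and not expired, and the only case in which the user is prompted is expiry.

```python
"""Toy model of certificate-backed device SSO decisions (added example,
not VMware/Workspace ONE code). Certificates are plain records, not X.509;
CA names, serials, users and device IDs below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ISSUE_ASSERTION = "issue_assertion"  # silent SSO: no prompt for the user
    CHALLENGE_USER = "challenge_user"    # user must re-authenticate and re-enroll
    DENY = "deny"                        # request is not let through at all


@dataclass(frozen=True)
class DeviceCert:
    """Certificate provisioned at enrollment (element 1). Plain record, not X.509."""
    serial: str
    issuer: str           # CA that signed it; must be company-approved
    subject_user: str     # user the certificate was bound to at enrollment
    device_id: str        # device the certificate was provisioned on
    not_after: datetime   # expiry; after this the user must be challenged


class SsoBroker:
    """Stands in for the component that sits between app and cloud resource (element 2)."""

    def __init__(self, trusted_cas, revoked_serials):
        self.trusted_cas = frozenset(trusted_cas)
        self.revoked_serials = set(revoked_serials)

    def revoke(self, serial):
        # "can be revoked at any time": revocation takes effect on the next request
        self.revoked_serials.add(serial)

    def decide(self, cert, claimed_user, device_id, now):
        # The same checks run for every platform, so the outcome is standard (element 3).
        if cert.issuer not in self.trusted_cas:
            return Decision.DENY                 # not issued by an approved CA
        if cert.serial in self.revoked_serials:
            return Decision.DENY                 # revoked certs never yield SSO
        if cert.device_id != device_id or cert.subject_user != claimed_user:
            return Decision.DENY                 # cert not bound to this device and user
        if now >= cert.not_after:
            return Decision.CHALLENGE_USER       # the one case where the user is prompted
        return Decision.ISSUE_ASSERTION


def run_samples():
    """Exercise the broker with constructed sample data; returns name -> Decision."""
    now = datetime(2017, 6, 1, tzinfo=timezone.utc)
    ca = "CN=Example Corp Device CA"              # constructed CA name
    broker = SsoBroker(trusted_cas={ca}, revoked_serials=set())
    good = DeviceCert("1001", ca, "alice", "dev-ios-01", now + timedelta(days=365))
    expired = DeviceCert("1002", ca, "bob", "dev-android-02", now - timedelta(days=1))
    lost = DeviceCert("1003", ca, "carol", "dev-win-03", now + timedelta(days=365))
    rogue = DeviceCert("1004", "CN=Untrusted CA", "alice", "dev-ios-01",
                       now + timedelta(days=365))
    broker.revoke(lost.serial)                    # device reported lost: revoke its cert
    return {
        "valid": broker.decide(good, "alice", "dev-ios-01", now),
        "expired": broker.decide(expired, "bob", "dev-android-02", now),
        "revoked": broker.decide(lost, "carol", "dev-win-03", now),
        "wrong_device": broker.decide(good, "alice", "dev-other-99", now),
        "untrusted_ca": broker.decide(rogue, "alice", "dev-ios-01", now),
    }


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:13s} -> {decision.value}")
```

The ordering of the checks is deliberate: trust in the issuer and revocation status are evaluated before the device and user binding, and expiry is evaluated last, so a revoked or foreign-CA certificate is denied outright rather than being offered a re-enrollment prompt. A real broker would perform the same checks against an X.509 chain and a CRL or OCSP response instead of the in-memory sets used here.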

VMware is the first vendor to support one-touch mobile SSO for native mobile apps with Workspace ONE. If you are interested in learning more about how we enable this functionality, read our white paper here: Delivering Security & One-Touch SSO for Native Mobile Apps on Any Device with Workspace ONE.

If you’d like to find out more about how Workspace ONE can help you, contact us here to request your own personalized demo.

The post Your Problem’s Solved: Enable Secure Native Mobile App SSO on Any Device appeared first on VMware End-User Computing Blog.
