To use True SSO, you must have or add a certificate authority and create an enrollment server. These two servers communicate to create the short-lived Horizon virtual certificate that enables a password-free Windows logon. You can use True SSO in a single domain, in a single-forest with multiple domains, and in a multiple-forest, multiple-domain setup.

VMware recommends to have two CAs and two ESs deployed to use True SSO. The following examples illustrate True SSO in different architectures.

The following figure illustrates a simple True SSO architecture.

The following figure illustrates True SSO in a single domain architecture.

The following figure illustrates True SSO in a single-forest with multiple domains architecture.

The following figure illustrates True SSO in a multiple-forest architecture.