To support True SSO on a RHEL/CentOS 8.0 desktop, you must first integrate the system with your Active Directory (AD) domain. Then you must modify certain configurations on the system to support the True SSO feature.

Note: True SSO is not supported on instant-clone RHEL 8.0 desktops.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value   Description
mydomain.com        DNS name of your AD domain
MYDOMAIN.COM        DNS name of your AD domain, in all capital letters
MYDOMAIN            Name of your NetBIOS domain

Prerequisites

  • Verify that the Active Directory (AD) server is resolvable by DNS on the RHEL/CentOS 8.0 system.
  • Configure the host name of the system.
  • Configure the Network Time Protocol (NTP) on the system.

Procedure

  1. On the RHEL/CentOS 8.0 system, verify the network connection to Active Directory.
    # realm discover mydomain.com
  2. Install the required dependency packages.
    # yum install oddjob oddjob-mkhomedir sssd adcli samba-common-tools
  3. Join the AD domain.
    # realm join --verbose mydomain.com -U administrator
  4. Download the root CA certificate, convert it to a .pem file, and copy it to the directory that SSSD reads its CA database from.
    # openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
    
    # cp /tmp/certificate.pem /etc/sssd/pki/sssd_auth_ca_db.pem
  5. Modify the /etc/sssd/sssd.conf configuration file, as shown in the following example.
    [sssd]
    domains = mydomain.com
    config_file_version = 2
    services = nss, pam
     
    [domain/mydomain.com]
    ad_domain = mydomain.com
    krb5_realm = MYDOMAIN.COM
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    # Use short name for user
    use_fully_qualified_names = False
    fallback_homedir = /home/%u@%d
    access_provider = ad
    # Add this line for SSO
    ad_gpo_map_interactive = +gdm-vmwcred
     
    # Add pam section for certificate logon
    [pam]
    # Add this line to enable certificate logon for system
    pam_cert_auth = True
    # Add this line to enable certificate logon for VMware Horizon Agent
    pam_p11_allowed_services = +gdm-vmwcred
     
    # Add this section and following lines to set match and map rule for certificate user
    [certmap/mydomain.com/truesso]
    matchrule = <EKU>msScLogin
    maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
    domains = mydomain.com
    priority = 10
  6. Install the Horizon Agent package, with True SSO enabled.
    Note: You must install Horizon Agent 7.11 or later.
    # sudo ./install_viewagent.sh -T yes
  7. Modify the /etc/vmware/viewagent-custom.conf configuration file so that it includes the following line.
    NetbiosDomain = MYDOMAIN
  8. Reboot the system and log back in.
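Before rebooting in step 8, it is worth confirming that the sssd.conf edits from step 5 are actually in place: a mistyped realm or a forgotten [pam] section only shows up later as a failed certificate logon. The following shell script is an added example and is not part of the VMware documentation or the Horizon Agent installer. It reads an INI-style sssd.conf, checks that krb5_realm is the upper-case form of the domain, that ad_gpo_map_interactive and pam_p11_allowed_services include +gdm-vmwcred, that pam_cert_auth is True, and that a certmap section for the domain carries both a matchrule and a maprule. The two sample configuration files it creates are constructed for the example; mydomain.com is the page's placeholder domain.

```shell
#!/bin/sh
# Added example (not from the VMware page): post-configuration check of the
# sssd.conf settings that True SSO depends on. Sample configs are constructed.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION], or nothing if absent.
# sssd.conf comments occupy whole lines (# or ;); trailing annotations after a
# value are not valid, so only full comment lines are skipped here.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/[ \t]/, "", s); in_sec = (s == sec); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# fail MESSAGE: record one failed check (rc is shared with check_truesso_conf).
fail() { echo "FAIL: $1"; rc=1; }

# check_truesso_conf FILE DOMAIN: report every missing True SSO setting; return 1 if any.
check_truesso_conf() {
    conf="$1"; domain="$2"; rc=0

    # krb5_realm must be the AD domain in upper case; a typo here breaks ticket requests.
    realm=$(ini_get "$conf" "domain/$domain" krb5_realm)
    expected=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$expected" ] || fail "krb5_realm is '$realm', expected '$expected'"

    # The Horizon Agent PAM service must be in the GPO mapping and the p11 service list.
    case "$(ini_get "$conf" "domain/$domain" ad_gpo_map_interactive)" in
        *+gdm-vmwcred*) ;; *) fail "ad_gpo_map_interactive does not include +gdm-vmwcred" ;;
    esac
    [ "$(ini_get "$conf" pam pam_cert_auth)" = "True" ] || fail "[pam] pam_cert_auth is not True"
    case "$(ini_get "$conf" pam pam_p11_allowed_services)" in
        *+gdm-vmwcred*) ;; *) fail "pam_p11_allowed_services does not include +gdm-vmwcred" ;;
    esac

    # A [certmap/DOMAIN/NAME] section with both a match rule and a map rule must exist.
    certmap=$(sed -n "s#^\[\(certmap/$domain/[^]]*\)].*#\1#p" "$conf" | head -n 1)
    if [ -z "$certmap" ]; then
        fail "no [certmap/$domain/...] section"
    else
        [ -n "$(ini_get "$conf" "$certmap" matchrule)" ] || fail "$certmap has no matchrule"
        [ -n "$(ini_get "$conf" "$certmap" maprule)" ] || fail "$certmap has no maprule"
    fi
    return $rc
}

# Constructed sample: the step 5 configuration with the realm spelled correctly.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
id_provider = ad
access_provider = ad
use_fully_qualified_names = False
ad_gpo_map_interactive = +gdm-vmwcred

[pam]
pam_cert_auth = True
pam_p11_allowed_services = +gdm-vmwcred

[certmap/mydomain.com/truesso]
matchrule = <EKU>msScLogin
maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
domains = mydomain.com
priority = 10
EOF

# Constructed sample: the same file with a mistyped realm and pam_cert_auth left out.
BAD_CONF=$(mktemp)
sed -e 's/^krb5_realm = .*/krb5_realm = IMYDOMAIN.COM/' -e '/^pam_cert_auth/d' "$GOOD_CONF" > "$BAD_CONF"

# Stand-alone run: the first file passes, the second reports two failures.
for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_truesso_conf "$f" mydomain.com; then echo "$f: OK"; fi
done
```

To check the live system, call `check_truesso_conf /etc/sssd/sssd.conf mydomain.com` with your own domain name; a non-zero exit means at least one of the step 5 settings is missing or misspelled.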