You can enable a Connection Server instance for RSA SecurID authentication or RADIUS authentication by modifying Connection Server settings in Horizon Console.


Install and configure the two-factor authentication software, such as the RSA SecurID software or the RADIUS software, on an authentication manager server.

  • For RSA SecurID authentication, export the sdconf.rec file for the Connection Server instance from RSA Authentication Manager. See the RSA Authentication Manager documentation.
  • For RADIUS authentication, follow the vendor's configuration documentation. Make a note of the RADIUS server's host name or IP address, the port number on which it is listening for RADIUS authentication (usually 1812), the authentication type (PAP, CHAP, MS-CHAPv1, or MS-CHAPv2) and the shared secret. You enter these values in Horizon Console. You can enter values for a primary and a secondary RADIUS authenticator.


  1. In Horizon Console, navigate to Settings > Servers.
  2. On the Connection Servers tab, select the Connection Server instance and click Edit.
  3. On the Authentication tab, from the 2-factor authentication drop-down menu in the Advanced Authentication section, select RSA SecureID or RADIUS.
  4. To force RSA SecurID or RADIUS user names to match user names in Active Directory, select Enforce SecurID and Windows user name matching or Enforce 2-factor and Windows user name matching.
    If you select this option, users must use the same RSA SecurID or RADIUS user name for Active Directory authentication. If you do not select this option, the names can be different.
  5. For RSA SecurID, click Upload File, type the location of the sdconf.rec file, or click Browse to search for the file.
  6. For RADIUS authentication, complete the rest of the fields:
    1. Select Use the same username and password for RADIUS and Windows authentication if the initial RADIUS authentication uses Windows authentication that triggers an out-of-band transmission of a token code, and this token code is used as part of a RADIUS challenge.
      If you select this check box, users will not be prompted for Windows credentials after RADIUS authentication if the RADIUS authentication uses the Windows username and password. Users do not have to reenter the Windows username and password after RADIUS authentication.
    2. From the Authenticator drop-down menu, select Create New Authenticator and complete the page.
      • To enable custom user name and passcode labels to appear in the RADIUS authentication dialog for end users, enter custom labels in the Username Label and Passcode Label fields.
      • Set Accounting port to 0 unless you want to enable RADIUS accounting. Set this port to a non-zero number only if your RADIUS server supports collecting accounting data. If the RADIUS server does not support accounting messages and you set this port to a nonzero number, the messages are sent and ignored and retried a number of times, resulting in a delay in authentication.

        Accounting data can be used in order to bill users based on usage time and data. Accounting data can also be used for statistical purposes and for general network monitoring.

      • If you specify a realm prefix string, the string is placed at the beginning of the username when it is sent to the RADIUS server. For example, if the username entered in Horizon Client is jdoe and the realm prefix DOMAIN-A\ is specified, the username DOMAIN-A\jdoe is sent to the RADIUS server. Similarly if you use the realm suffix, or postfix, string, the username [email protected] is sent to the RADIUS server.
  7. Click OK to save your changes.
    You do not need to restart the Connection Server service. The necessary configuration files are distributed automatically and the configuration settings take effect immediately.


When users open Horizon Client and authenticate to Connection Server, they are prompted for two-factor authentication. For RADIUS authentication, the login dialog box displays text prompts that contain the token label you specified.

Changes to RADIUS authentication settings affect remote desktop and application sessions that are started after the configuration is changed. Current sessions are not affected by changes to RADIUS authentication settings.

What to do next

If you have a replicated group of Connection Server instances and you want to also set up RADIUS authentication on them, you can re-use an existing RADIUS authenticator configuration.