To enable the True SSO feature on a SLED/SLES desktop, install the libraries on which the True SSO feature depends, the root CA certificate to support trusted authentication, and Horizon Agent. In addition, you must edit some configuration files to complete the authentication setup.
Use the following procedure to enable True SSO on SLED/SLES desktops.
Procedure
- For SLES 12.x SP3/SP5, install the necessary packages by running the following command.
zypper install mozilla-nss-tools pam_krb5 krb5-client krb5-plugin-preauth-pkinit
- For SLED 12.x SP3, install the necessary packages by performing the following steps.
  - Download a SLES .iso file to the local disk of your SLED desktop (for example, /tmp/SLE-12-SP3-Server-DVD-x86_64-GM-DVD1.iso).
    You must add the SLES .iso file as a package source for your SLED desktop because the necessary krb5-plugin-preauth-pkinit package is available only for SLES systems.
  - Mount the SLES .iso file on your SLED desktop, and install the necessary packages.
    sudo mkdir -p /mnt/sles
    sudo mount -t iso9660 /tmp/SLE-12-SP3-Server-DVD-x86_64-GM-DVD1.iso /mnt/sles
    sudo zypper ar -f /mnt/sles sles
    zypper install mozilla-nss-tools pam_krb5 krb5-client krb5-plugin-preauth-pkinit
  - When the installation is complete, unmount the SLES .iso file.
- Install a Root Certification Authority (CA) certificate.
  - Locate the root CA certificate that you downloaded, and convert it from DER to a .pem file.
    openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
  - Use the certutil command to install the root CA certificate in the system database /etc/pki/nssdb.
    certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
  - Add the root CA certificate to pam_pkcs11 by copying it into the CA trust anchors directory (the same directory that the pkinit_anchors setting in /etc/krb5.conf points to).
    cp /tmp/certificate.pem /etc/pki/ca-trust/source/anchors/ca_cert.pem
- Edit the /etc/krb5.conf configuration file so that it has content similar to the following example.
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
MYDOMAIN.COM = {
kdc = ads-hostname
admin_server = ads-hostname
pkinit_anchors = DIR:/etc/pki/ca-trust/source/anchors
pkinit_kdc_hostname = ads-hostname
pkinit_eku_checking = kpServerAuth
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
Replace the placeholder values in the example with information specific to your network configuration, as described in the following table.

| Placeholder Value | Description |
| --- | --- |
| mydomain.com | DNS name of your AD domain |
| MYDOMAIN.COM | DNS name of your AD domain (in all capital letters) |
| ads-hostname | Host name of your AD server (case-sensitive) |
- Install the Horizon Agent package, with True SSO enabled.
sudo ./install_viewagent.sh -T yes
- Add the following parameter to the Horizon Agent custom configuration file /etc/vmware/viewagent-custom.conf, replacing NETBIOS_NAME_OF_DOMAIN with the NetBIOS name of your organization's domain.
NetbiosDomain=NETBIOS_NAME_OF_DOMAIN
- Reboot your system and log back in.
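As an added verification step (example code written for this page, not part of the VMware procedure or Horizon Agent), the following POSIX shell script checks the files edited above before the reboot: the anchor certificate is in PEM form, the [realms] block of /etc/krb5.conf carries the PKINIT settings with the ads-hostname placeholder replaced, and NetbiosDomain is set in viewagent-custom.conf. The function names, the optional path arguments and the `--check` flag are assumptions; the default paths are the ones used in the steps above.

```sh
#!/bin/sh
# Added checks for the True SSO files edited above (example code, not part of
# Horizon Agent). Each function takes an optional path so it can be pointed at a
# test copy; the defaults are the paths used in the procedure.
# 0 when the anchor file exists and is PEM (the downloaded DER .cer must have been converted).
check_pem_anchor() {
    pem="${1:-/etc/pki/ca-trust/source/anchors/ca_cert.pem}"
    [ -f "$pem" ] && grep -q 'BEGIN CERTIFICATE' "$pem"
}

# Print the value of "key = value" in the [realms] section (spaced layout as in the example).
krb5_realm_value() {
    awk -v key="$2" '
        /^\[/ { in_realms = ($0 == "[realms]") }
        in_realms && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# 0 when pkinit_anchors is an existing DIR:, pkinit_kdc_hostname is filled in
# (not the ads-hostname placeholder) and pkinit_eku_checking is kpServerAuth.
check_krb5_conf() {
    conf="${1:-/etc/krb5.conf}"
    anchors=$(krb5_realm_value "$conf" pkinit_anchors)
    kdc=$(krb5_realm_value "$conf" pkinit_kdc_hostname)
    eku=$(krb5_realm_value "$conf" pkinit_eku_checking)
    case "$anchors" in
        DIR:*) [ -d "${anchors#DIR:}" ] || return 1 ;;
        *) return 1 ;;
    esac
    [ -n "$kdc" ] && [ "$kdc" != "ads-hostname" ] || return 1
    [ "$eku" = "kpServerAuth" ]
}

# 0 when NetbiosDomain is set to something other than the NETBIOS_NAME_OF_DOMAIN placeholder.
check_agent_conf() {
    conf="${1:-/etc/vmware/viewagent-custom.conf}"
    value=$(sed -n 's/^NetbiosDomain=//p' "$conf" | head -n 1)
    [ -n "$value" ] && [ "$value" != "NETBIOS_NAME_OF_DOMAIN" ]
}

# Run every check against the live paths and report what is still missing.
run_all_checks() {
    rc=0
    check_pem_anchor || { echo "anchor certificate missing or not PEM"; rc=1; }
    check_krb5_conf || { echo "PKINIT settings in /etc/krb5.conf incomplete"; rc=1; }
    check_agent_conf || { echo "NetbiosDomain not set in viewagent-custom.conf"; rc=1; }
    return $rc
}
case "${1:-}" in --check) run_all_checks ;; esac
```

Run it as `sh truesso-check.sh --check` on the desktop; a non-zero exit lists which of the three files still needs attention.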