To set up single sign-on (SSO) and smart card redirection, you must perform some configuration steps.

Single Sign-on

The Horizon View single sign-on module talks to PAM (pluggable authentication modules) in Linux and does not depend on the method that you use to integrate Linux with Active Directory (AD). Horizon View SSO is known to work with the OpenLDAP and Winbind solutions that integrate Linux with AD.

By default, SSO assumes that AD's sAMAccountName attribute is the login ID. To ensure that the correct login ID is used for SSO, you must perform the following configuration steps if you use the OpenLDAP or Winbind solution:

  • For OpenLDAP, map the sAMAccountName attribute to the uid attribute.

  • For Winbind, add the following statement to the configuration file /etc/samba/smb.conf.

    winbind use default domain = true

If users must specify the domain name to log in, you must set the SSOUserFormat option on the Linux desktop. For more information, see Setting Options in Configuration Files on a Linux Desktop. Be aware that SSO always uses the short domain name in upper case. For example, if the domain is mydomain.com, SSO uses MYDOMAIN as the domain name, so you must specify MYDOMAIN when you set the SSOUserFormat option. Regarding short and long domain names, the following rules apply:

  • For OpenLDAP, you must use short domain names in upper case.

  • Winbind supports both long and short domain names.

AD supports special characters in login names but Linux does not. Therefore, do not use special characters in login names when setting up SSO.

In AD, if a user's userPrincipalName (UPN) attribute and sAMAccountName attribute do not match and the user logs in with the UPN, SSO fails. The workaround is for the user to log in with the name that is stored in sAMAccountName.

Horizon View does not treat user names as case-sensitive, so you must ensure that the Linux operating system can also handle case-insensitive user names.

  • For Winbind, the user name is case-insensitive by default.

  • For OpenLDAP, Ubuntu uses NSCD for user lookups and is case-insensitive by default. RHEL and CentOS use SSSD, which is case-sensitive by default. To change the setting, edit the file /etc/sssd/sssd.conf and add the following line to the domain section (for example, [domain/default]; use the [domain/...] section name that matches your configuration, because the option has no effect in other sections):

    case_sensitive = false
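The SSO prerequisites above can be verified on the Linux desktop before users try to log in. The following shell script is an added example, not part of Horizon or the VMware documentation: it derives the short upper-case domain name that SSO uses, checks that the Winbind setting is present in smb.conf and that case_sensitive = false sits inside a [domain/...] section of sssd.conf, and flags login names that contain characters outside [A-Za-z0-9._-]. That character set is an assumption (the text does not define "special characters"; this is the conservative set shadow-utils accepts by default). The sample configuration files written by the script are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: preflight checks for the Linux SSO prerequisites above.
# Not part of Horizon or the VMware documentation. Read-only: the checks
# inspect configuration files and strings; they change nothing.

# SSO always uses the short domain name in upper case (mydomain.com -> MYDOMAIN).
sso_short_domain() {
    printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]'
}

# Winbind: smb.conf must contain "winbind use default domain = true".
# Samba also spells true as yes or 1, so those are accepted too.
check_winbind_default_domain() {
    grep -Eiq '^[[:space:]]*winbind[[:space:]]+use[[:space:]]+default[[:space:]]+domain[[:space:]]*=[[:space:]]*(true|yes|1)[[:space:]]*$' "$1"
}

# SSSD (RHEL/CentOS): "case_sensitive = false" must sit inside a
# [domain/...] section; the same line under [sssd] or [nss] has no effect.
check_sssd_case_insensitive() {
    awk '
        /^[[:space:]]*\[/ { in_domain = ($0 ~ /^[[:space:]]*\[domain\//) }
        in_domain && tolower($0) ~ /^[[:space:]]*case_sensitive[[:space:]]*=[[:space:]]*false[[:space:]]*$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Linux does not accept the special characters AD allows in login names.
# Assumption: the conservative set [A-Za-z0-9._-] (the default accepted
# by shadow-utils) is used as the rule; anything else is rejected.
check_login_name() {
    case "$1" in
        "")                  return 1 ;;
        *[!A-Za-z0-9._-]*)   return 1 ;;
        *)                   return 0 ;;
    esac
}

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

# Constructed sample files (not copied from a real system) so the demo runs offline.
tmp=$(mktemp -d)
cat > "$tmp/smb.conf" <<'EOF'
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   security = ads
   winbind use default domain = true
EOF
cat > "$tmp/sssd.conf" <<'EOF'
[sssd]
domains = default
[domain/default]
id_provider = ldap
case_sensitive = false
EOF

echo "SSO domain for mydomain.com: $(sso_short_domain mydomain.com)"
report check_winbind_default_domain "$tmp/smb.conf"
report check_sssd_case_insensitive "$tmp/sssd.conf"
report check_login_name jsmith
report check_login_name 'j.smith$'
rm -rf "$tmp"
```

On a real desktop, point the two file checks at /etc/samba/smb.conf and /etc/sssd/sssd.conf; the SSSD check deliberately ignores a case_sensitive line placed outside a [domain/...] section, which is the common mistake when the setting appears not to take effect.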

For Ubuntu 16.04 or 14.04, configure UseGnomeFlashback=TRUE in the /etc/vmware/viewagent-custom.conf file to use the GNOME Flashback (Metacity) desktop environment.

Smart Card Redirection

To set up smart card redirection, first follow the instructions from the Linux distributor and from the smart card vendor. Then build and install pcsc-lite 1.7.4 from source. For example, on RHEL or CentOS, run the following commands as root (the configure command is one command continued across three lines):

yum groupinstall "Development tools"
yum install libudev-devel
service pcscd stop
wget https://alioth.debian.org/frs/download.php/file/3598/pcsc-lite-1.7.4.tar.bz2
tar -xjvf pcsc-lite-1.7.4.tar.bz2
cd ./pcsc-lite-1.7.4
./configure --prefix=/usr/ --libdir=/usr/lib64/ --enable-usbdropdir=/usr/lib64/pcsc/drivers \
  --enable-confdir=/etc --enable-ipcdir=/var/run --disable-libusb --disable-serial --disable-usb \
  --disable-libudev
make
make install
service pcscd start

For Winbind, add the following statement to the configuration file /etc/samba/smb.conf.

winbind use default domain = true

Before you install the Horizon Agent, set SELinux to permissive mode or disable it. You must also explicitly select the smart card redirection component, because it is not selected by default. For more information, see install_viewagent.sh Command-Line Options.

Smart card SSO is supported in Horizon View 7.0.1 and later. In addition, if the smart card redirection feature is installed on a virtual machine, vSphere Client USB redirection does not work with the smart card.

Smart card redirection supports only one smart card reader. This feature does not work if two or more readers are connected to the client device.

Smart card redirection supports only one certificate on the card. If more than one certificate is on the card, the one in the first slot is used and the others are ignored. This is a Linux limitation.
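The prerequisites and limitations above (pcsc-lite 1.7.4 or later, SELinux not enforcing, exactly one reader) can be checked with a short script before the agent is installed. The following is an added example and is not part of Horizon or the VMware documentation. Each check takes its input as an argument or on stdin so that it can run against live command output or against constructed data; it assumes that "pcscd --version" prints the version as a dotted number somewhere in its output, and that a reader listing is available one reader per line (for example from pcsc_scan -r if pcsc-tools is installed, which is an assumption about that tool's output). The sample inputs in the script are constructed.

```shell
#!/bin/sh
# Added example: preflight checks for the smart card redirection
# prerequisites above. Not part of Horizon or the VMware documentation.

# Return 0 if dotted version $1 >= dotted version $2 (numeric, field by field).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa > yb) exit 0
            if (xa < yb) exit 1
        }
        exit 0
    }'
}

# pcsc-lite must be 1.7.4 or later. $1 is any string containing the
# version; without an argument the output of "pcscd --version" is used
# (assumption: that output contains the version as x.y.z).
check_pcsc_version() {
    v=$(printf '%s\n' "${1:-$(pcscd --version 2>&1)}" | grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1)
    [ -n "$v" ] && version_ge "$v" 1.7.4
}

# SELinux must be permissive or disabled when the agent is installed.
# $1 is the mode string as printed by getenforce.
check_selinux_mode() {
    case "$1" in
        [Pp]ermissive|[Dd]isabled) return 0 ;;
        *)                         return 1 ;;
    esac
}

# Redirection supports exactly one reader. Reads reader names, one per
# line, from stdin (blank lines ignored) and fails on zero or several.
check_single_reader() {
    n=$(grep -c '[^[:space:]]' || true)
    [ "$n" -eq 1 ]
}

report() { if "$@"; then echo "PASS: $1 $2"; else echo "FAIL: $1 $2"; fi; }

# Constructed inputs (not taken from a real system).
report check_pcsc_version "pcsc-lite version 1.8.8."
report check_pcsc_version 1.6.6
report check_selinux_mode Permissive
report check_selinux_mode Enforcing
printf 'Gemalto PC Twin Reader 00 00\n' | report check_single_reader
printf 'Reader A 00 00\nReader B 01 00\n' | report check_single_reader

# Live run on the desktop (commented out so the example stays offline):
#   report check_pcsc_version
#   report check_selinux_mode "$(getenforce)"
#   pcsc_scan -r | report check_single_reader
```

The version comparison is numeric per field, so 1.10.0 correctly ranks above 1.9.9; a plain string comparison would get that wrong and could wave through an old pcsc-lite.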

Note:
  • Smart card redirection requires the following Winbind setting. Without it, both smart card SSO and manual login fail.

    winbind use default domain = true
  • When you use Horizon Client for Linux to authenticate to the broker (Connection Server) with a PIV card, which Linux desktop smart card redirection supports, add the line view.sslProtocolString = "TLSv1.1" to ~/.vmware/view-preferences on the client to avoid an SSL error.