To provide end users with single sign-on (SSO) access to their desktops and applications, administer SSO on the corresponding Horizon Edge Gateway instance.

This procedure enables end users to access their desktops and applications after they enter their credentials once.

For background information on configuring the VMware CA, see About Using a VMware CA for SSO with Horizon Cloud Service - next-gen.

See Microsoft documentation as needed to complete this procedure. For example, to install an Enterprise CA, see Install the Certification Authority.


  • Use the Horizon Universal Console to create and download a certificate authority (CA) bundle. See Add an SSO Configuration to Horizon Cloud Service - next-gen for a VMware CA.
  • To run the PowerShell script extracted from the VMware CA bundle, as described in this procedure, confirm that you have the appropriate permissions.

    This procedure requires that you run the VMware PowerShell script. You have a few options available to you to run the VMware PowerShell script, including running the script as a member of the Enterprise Admins group. The guidance that follows suggests that you use less powerful permissions, but running the script as a member of the Enterprise Admins group is available to you. The suggestion here is to confirm that you have the following permissions.

    • Full Control permissions on the "Public Key Services" container in Active Directory.
    • Enroll permissions on the "SubCA" certificate template in Active Directory.


  1. Connect to a domain member machine, upload the CA bundle file to the server, and unzip the file contents.
    As long as you have the proper permissions, you can run the PowerShell script from any domain member machine.
  2. Open PowerShell, run the commands, and respond to the prompts as described in the substeps that follow.
    Important: If your deployment consists of multiple domain controllers or you install the bundle from a remote machine, the propagation of the CA certificate to all domain controllers can take several hours. You can reduce the run time by running 'gpupdate.exe /Target:Computer /Force' on all domain controller instances.
    1. Run the following command.
      Unblock-File -Path Path to ps1 file
    2. Run the ps1 PowerShell script extracted from the CA bundle and respond to the prompts.
      For example, PS C:\ca\VmwAuthEngine-CA_1> .\VmwAuthEngine-CA_1.ps1

      If you added your SSO configuration as an intermediate CA, you are prompted to select a MSFT enterprise CA to sign the VMware CA CSR. You can choose a root or intermediate MSFT enterprise CA to process the VMware CA CSR. If applicable, select the appropriate enterprise CA. You must enable the Subordinate Certification Authority template for the selected enterprise CA.

      Respond to the following required confirmation prompt with Y as illustrated.

      Confirmation required
      Do you want to publish to AD?
      N] No [Y] Yes [?] Help (default is "N"): Y


The expected result is that the script runs without error. However, if you encounter the following type of error, perform the troubleshooting suggestion provided.
2022-03-22T15:35:39 [INFO ] [VmwAuthEngine-CA-62351bb62ff3dd5966ad3575-1.ps1,67] certutil.exe -dspublish -f C:\SSO-C\Vmw
error : 2022-03-22T15:35:39 [ERROR][-2147016563][] Failed to publish base CRL
At C:\SSO-C\VmwAuthEngine-CA-62351bb62ff3dd5966ad3575-1.ps1:303 char:5
+     error $retCode "Failed to publish base CRL"
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,error

Run the following Get-ADRootDSE command and check the output to see if the CA configuration domain name used to create the SSO configuration matches what the following property returns: configurationNamingContext.

        Get-ADRootDSE -Server dnsDomainName

For example, C:\> Get-ADRootDSE -Server horizonv2.local

configurationNamingContext       :  "CN=Configuration,DC=horizonv2,DC=local"
        output fields...

If the CA configuration domain name does not match the output, you can use the Horizon Universal Console to edit the SSO configuration, specifically to correct the CA configuration domain name. See Add an SSO Configuration to Horizon Cloud Service - next-gen for a VMware CA for information about accessing the SSO configuration. To edit an SSO configuration, click the three vertical dots next to the SSO configuration and select Edit. After you correct the domain name, you can download and publish the updated CA bundle.

What to do next

After you deploy the Horizon Edge Gateway, verify that the SSO configuration status is properly set. In the Horizon Universal Console, select Resources > Capacity, click the name of the Horizon Edge Gateway instance you configured and edit the configuration to activate the Use SSO option. Select the SSO Configuration to associate it with the Horizon Edge Gateway. Save and verify that the status is set to READY_TO_SERVE, which indicates that SSO is functional for end users.