To provide your end users with single sign-on (SSO) access to their desktops and applications using a VMware Certificate Authority (CA), you use the VMware CA to issue short-lived smartcard certificates for SSO. For transparency and security, the process includes a VMware PowerShell script that uses established Microsoft utilities.
The following bulleted list provides information about configuring the VMware CA. When you configure SSO, as described in the topics that follow, you will encounter many of these same details in context. For example, Add an SSO Configuration to Horizon Cloud Service - next-gen for a VMware CA provides instructions for downloading the VMware CA bundle. That bundle contains the VMware PowerShell script that you will run to configure SSO, as instructed in Publish the VMware SSO CA Bundle to the Active Directory Forest.
- To enable the functionality required by SSO with a VMware CA, one of the following two situations must apply to your Active Directory forest:
  - The Active Directory forest has at least one online Microsoft Enterprise CA configured in it, in which case the following happens automatically:
    - The Microsoft Enterprise CA publishes its CA certificates and certificate revocation lists (CRLs) to the forest.
    - The domain controllers enroll for certificates through autoenrollment.
  - The Active Directory forest uses a third-party CA or a stand-alone Microsoft CA, in which case you must meet the following requirements yourself:
    - All CA certificates in the chain must be manually published to the forest using a utility such as certutil.
    - Revocation information (the CRLs referenced by the certificates) must always be reachable over HTTP from domain controllers and domain member machines.
    - Domain controllers must be issued certificates whose extended key usage allows client authentication, server authentication, smart card logon, and KDC authentication.
- You can configure the VMware CA as a root CA or an intermediate CA. However, the Public Key Infrastructure (PKI) best practice is to select an intermediate CA.
  - If you use a root CA, the VMware CA certificate is valid for 5 years.
  - If you use an intermediate CA, the issuing CA determines the validity period of the VMware CA certificate.
  - If you use an intermediate CA, the VMware CA certificate can be signed by a Microsoft CA or any third-party CA.
  - If you use a third-party CA, ensure that domain member machines have access to all certificates and revocation information required to validate the VMware CA certificate.
- In order for the VMware CA to be trusted, you must publish the VMware CA bundle to various locations in the Active Directory forest.
- You publish the VMware CA bundle by running the VMware PowerShell script as an administrator with suitable permissions on a domain member machine.
- You need to run the VMware PowerShell script only once. Active Directory replicates the published PKI data to all domain controllers and desktops in all domains in the forest. In complex Active Directory deployments (multiple domains or sites), use a utility such as Repadmin to confirm that the configuration naming context has replicated between domain controllers before attempting SSO; until it has, logons against a domain controller that has not yet received the data will fail.
- The PowerShell script uses Microsoft utilities certreq and certutil for complete transparency. Before you run the PowerShell script, you can read the script to see precisely what it does.
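The following PowerShell is added here as an example and is not part of the VMware CA bundle or its script. It walks through the manual prerequisites for the third-party or stand-alone CA case listed above and the replication check recommended after publishing: it publishes a CA chain to the forest with certutil -dspublish, lists the forest NTAuth store, exercises the HTTP revocation URLs with certutil -verify -urlfetch, checks a domain controller's machine certificate for the four required extended key usages, and then pushes the configuration naming context to the other domain controllers with repadmin. The file paths and the domain controller name are assumptions; replace them with values from your forest. Publishing the VMware CA itself remains the job of the VMware script.

```powershell
# Added example, not VMware's script. Run as an administrator with rights to
# publish to the forest PKI containers, on a domain member with RSAT-free tools only
# (certutil, repadmin, gpupdate are all built in).
#Requires -RunAsAdministrator

$RootCert        = 'C:\pki\ThirdPartyRoot.cer'     # assumed path: root CA certificate
$IssuingCert     = 'C:\pki\ThirdPartyIssuing.cer'  # assumed path: issuing (sub) CA certificate
$RootCrl         = 'C:\pki\ThirdPartyRoot.crl'     # assumed path: root CA CRL
$DomainController = 'dc01.corp.example'           # assumed DC host name

# 1. Publish the chain to the forest stores. This is what an online Enterprise CA
#    does automatically; with a third-party or stand-alone CA you do it by hand.
certutil -dspublish -f $RootCert RootCA
certutil -dspublish -f $IssuingCert SubCA
# NTAuth membership is what lets Kerberos (PKINIT) accept smart card certificates
# issued by this chain for domain logon.
certutil -dspublish -f $IssuingCert NTAuthCA
certutil -dspublish -f $RootCrl

# 2. Confirm the forest NTAuth store now lists the issuing CA.
certutil -store -enterprise NTAuth

# 3. Confirm revocation information is reachable over HTTP. -urlfetch forces a
#    fresh download from the CDP/AIA URLs instead of using a cached CRL.
certutil -verify -urlfetch $IssuingCert

# 4. Check the domain controller's certificate for the four required EKUs.
$RequiredEku = @{
  'Client Authentication' = '1.3.6.1.5.5.7.3.2'
  'Server Authentication' = '1.3.6.1.5.5.7.3.1'
  'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
  'KDC Authentication'    = '1.3.6.1.5.2.3.5'
}
Invoke-Command -ComputerName $DomainController -ArgumentList $RequiredEku -ScriptBlock {
  param($Required)
  # Only certificates with a private key can be used by the DC for KDC/PKINIT.
  Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $ekuExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object Value)
    $missing = @($Required.GetEnumerator() |
      Where-Object { $ekus -notcontains $_.Value } |
      ForEach-Object Key)
    [pscustomobject]@{
      Subject    = $_.Subject
      Thumbprint = $_.Thumbprint
      NotAfter   = $_.NotAfter
      Missing    = ($missing -join ', ')
      Suitable   = ($missing.Count -eq 0)   # True only if all four EKUs are present
    }
  }
} | Format-Table -AutoSize

# 5. After the VMware script has published its bundle, push the configuration
#    naming context (where the PKI containers live) to all DCs across sites,
#    then review replication health before attempting SSO.
$ConfigNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
repadmin /syncall $DomainController $ConfigNC /deP
repadmin /replsummary

# 6. Pull the newly published certificates into this machine's local stores
#    now, rather than waiting for the next Group Policy refresh.
gpupdate /force
certutil -pulse
```

Step 4 reports one row per machine certificate with a private key; a domain controller is ready for smart card logon only when at least one row shows Suitable = True and an unexpired NotAfter. Step 5 uses /d (skip unavailable partners), /e (include partners in other sites) and /P (push from the named DC) so that the configuration naming context reaches remote sites without waiting for the scheduled inter-site replication interval.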