To accomplish pairing, you can use the MMC Certificates snap-in to export automatically generated, self-signed Enrollment Service Client certificate from one connection server in the cluster. This certificate is called a client certificate because the connection server is a client of the Enrollment Service provided by the enrollment server.
Enrollment Service must trust the VMware Horizon Connection Server when it prompts the Enrollment Servers to issue the short lived certificates for Active Directory users. Hence, the VMware Horizon Connection Server clusters or pods must be paired with Enrollment Servers.
The Enrollment Service Client certificate is automatically created when a Connection Server is installed and the VMware Horizon Connection Server service starts. The certificate is distributed through Horizon LDAP to other Connection Servers that get added to the cluster later. The certificate is then stored in a custom container (VMware Horizon Certificates\Certificates) in the Windows Certificate Store on the computer.
Prerequisites
Verify that you have a Connection Server. For installation instructions, see the Horizon Installation document. For upgrade instructions, see the Horizon Upgrades document.
Procedure
- On one of the Connection Server machines in the cluster, add the Certificates snap-in to MMC:
- Open the MMC console and select
- Under Available snap-ins, select Certificates and click Add.
- In the Certificates snap-in window, select Computer account, click Next, and click Finish.
- In the Add or Remove Snap-in window, click OK.
- In the MMC console, in the left pane, expand the VMware Horizon Certificates folder and select the Certificates folder.
- In the right pane, right-click the certificate file with the friendly name vdm.ec, and select .
- In the Certificate Export wizard, accept the defaults, including leaving the No, do not export the private key radio button selected.
- When you are prompted to name the file, type a file name such as EnrollClient, for Enrollment Service Client certificate, and follow the prompts to finish exporting the certificate.
What to do next
Import the certificate into the enrollment server. See Import the Enrollment Service Client Certificate on the Enrollment Server.