Configure True SSO on a RHEL/CentOS 7.x Virtual Machine

To enable the True SSO feature on a RHEL/CentOS 7.x virtual machine (VM), install the libraries on which the True SSO feature depends, the root CA certificate to support trusted authentication, and Horizon Agent. In addition, you must edit some configuration files to complete the authentication setup.

Use the following procedure to enable True SSO on a RHEL 7.x or CentOS 7.x VM.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.


Placeholder Value	Description
dns_server	Path to your DNS name server
mydomain.com	DNS name of your AD domain
MYDOMAIN.COM	DNS name of your AD domain, in all capital letters

Prerequisites

Configure True SSO for vWorkspace ONE Access and Horizon Connection Server.
Complete the steps described in Integrate a RHEL/CentOS 7.x Virtual Machine with Active Directory for True SSO.
Obtain a root Certificate Authority certificate and save it to /tmp/certificate.cer on your RHEL/CentOS 7.x VM. See How to Export Root Certification Authority Certificate.

Procedure

Install the PKCS11 support package group.

yum install -y nss-tools nss-pam-ldapd pam_krb5 krb5-libs krb5-workstation krb5-pkinit

Install a Root Certification Authority (CA) certificate.
1. Locate the root CA certificate you downloaded, and transfer it to a .pem file.
```
openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
```
2. Use the certutil command to install the root CA certificate to the system database /etc/pki/nssdb.
```
certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
```
3. Add the root CA certificate to the list of trusted CA certificates on the RHEL/CentOS 7.x VM and update the system-wide trust store configuration using the update-ca-trust command.
```
cp /tmp/certificate.pem /etc/pki/ca-trust/source/anchors/ca_cert.pem
update-ca-trust
```

Modify the appropriate section in your system's SSSD configuration file for your domain, as shown in the following example.

[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#set the next line to false, so you can use the short name instead of the full domain name.
use_fully_qualified_names = False   
fallback_homedir = /home/%u@%d
access_provider = ad

Modify the Kerberos configuration file /etc/krb5.conf, as shown in the following example.

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
 # Add following line, if the system doesn't add it automatically
 default_realm = MYDOMAIN.COM
 
[realms]
MYDOMAIN.COM = {
  kdc = dns_server
  admin_server = dns_server
  # Add the following three lines for pkinit_*
  pkinit_anchors = DIR:/etc/pki/ca-trust/source/anchors
  pkinit_kdc_hostname = your_org_DNS_server
  pkinit_eku_checking = kpServerAuth
 }
[domain_realm]
 mydomain.com = MYDOMAIN.COM
 .mydomain.com = MYDOMAIN.COM

Install the Horizon Agent package, with True SSO enabled.
```
sudo ./install_viewagent.sh -T yes
```
Add the following parameter to the Horizon Agent custom configuration file /etc/vmware/viewagent-custom.conf. Use the following example, where NETBIOS_NAME_OF_DOMAIN is the NetBIOS name of your organization's domain.
```
NetbiosDomain=NETBIOS_NAME_OF_DOMAIN
```
Restart the VM and log back in.