Configure True SSO on Ubuntu Desktops

To enable the True SSO feature on an Ubuntu 16.04 or 18.04 virtual machine (VM), install the libraries on which the True SSO feature depends, the root CA certificate to support trusted authentication, and Horizon Agent. In addition, you must edit some configuration files to complete the authentication setup.

Use the following procedure to enable True SSO on an Ubuntu 16.04 or 18.04 VM.

Prerequisites

Configure True SSO for Workspace ONE Access and Horizon Connection Server.
Complete the steps described in Integrate an Ubuntu Virtual Machine with Active Directory for True SSO .
Obtain a root Certificate Authority certificate and save it to /tmp/certificate.cer on the Ubuntu VM. See How to Export Root Certification Authority Certificate.

Procedure

On the Ubuntu VM, install the pkcs11 support package.
```
sudo apt install libpam-pkcs11
```
Install the libnss3-tools package.
```
sudo apt install libnss3-tools
```
Install a Root Certification Authority (CA) certificate.
1. Locate the root CA certificate that you downloaded, and transfer it to a .pem file.
```
openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
```
2. Make an /etc/pki/nssdb directory to contain the system database.
```
sudo mkdir -p /etc/pki/nssdb
```
3. Use the certutil command to install the root CA certificate to the system database /etc/pki/nssdb.
```
sudo certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
```
4. Copy the root CA certificate to the /etc/pam_pkcs11/cacerts directory.
```
mkdir -p /etc/pam_pkcs11/cacerts

sudo cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
```
5. Create a hash link for the root CA certificate. In the /etc/pam_pkcs11/cacerts directory, run the following command.
```
pkcs11_make_hash_link
```
Install the Horizon Agent package, with True SSO enabled.
```
sudo ./install_viewagent.sh -T yes
```
Add the following parameter to the Horizon Agent custom configuration file /etc/vmware/viewagent-custom.conf. Use the following example, where NETBIOS_NAME_OF_DOMAIN is the NetBIOS name of your organization's domain.
```
NetbiosDomain=NETBIOS_NAME_OF_DOMAIN
```
Edit the /etc/pam_pkcs11/pam_pkcs11.conf configuration file.
1. If needed, create the /etc/pam_pkcs11/pam_pkcs11.conf configuration file. Locate the example file in /usr/share/doc/libpam-pkcs11/examples, copy it to the /etc/pam_pkcs11 directory, and rename the file to pam_pkcs11.conf. Add your system information to the contents of the file as needed.
2. Modify the /etc/pam_pkcs11/pam_pkcs11.conf configuration file so that it includes content similar to the following example.
```
use_pkcs11_module = coolkey;
pkcs11_module coolkey {
  module = /usr/lib/vmware/viewagent/sso/libvmwpkcs11.so;
  slot_num = 0;
  ca_dir = /etc/pam_pkcs11/cacerts;
  nss_dir = /etc/pki/nssdb;
}
```
Modify the auth parameters in the PAM configuration file.
1. Open the PAM configuration file.
  - For Ubuntu 16.04, open /etc/pam.d/lightdm.
  - For Ubuntu 18.04, open /etc/pam.d/gdm-vmwcred.
2. Edit the PAM configuration file, as shown in the following example.
```
auth requisite pam_vmw_cred.so
auth sufficient pam_pkcs11.so try_first_pass
```
Restart the VM and log back in.