To enable the True SSO feature on an Ubuntu virtual machine (VM), install the libraries on which the True SSO feature depends, the root CA certificate to support trusted authentication, and Horizon Agent. In addition, you must edit some configuration files to complete the authentication setup.
Use the following procedure to enable True SSO on an Ubuntu VM.
Procedure
- On the Ubuntu VM, install the pkcs11 support package.
sudo apt install libpam-pkcs11
- Install the libnss3-tools package.
sudo apt install libnss3-tools
- Install a Root Certification Authority (CA) certificate.
- Locate the root CA certificate that you downloaded, and convert it to a .pem file.
openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
- Make an /etc/pki/nssdb directory to contain the system database.
sudo mkdir -p /etc/pki/nssdb
- Use the certutil command to install the root CA certificate to the system database /etc/pki/nssdb.
sudo certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
- Copy the root CA certificate to the /etc/pam_pkcs11/cacerts directory.
sudo mkdir -p /etc/pam_pkcs11/cacerts
sudo cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
- Create a hash link for the root CA certificate. In the /etc/pam_pkcs11/cacerts directory, run the following command.
- Install the Horizon Agent package, with True SSO enabled.
sudo ./install_viewagent.sh -T yes
- Add the following parameter to the Horizon Agent custom configuration file /etc/vmware/viewagent-custom.conf. Use the following example, where NETBIOS_NAME_OF_DOMAIN is the NetBIOS name of your organization's domain.
NetbiosDomain=NETBIOS_NAME_OF_DOMAIN
- Edit the /etc/pam_pkcs11/pam_pkcs11.conf configuration file.
- If needed, create the /etc/pam_pkcs11/pam_pkcs11.conf configuration file. Locate the example file in /usr/share/doc/libpam-pkcs11/examples, copy it to the /etc/pam_pkcs11 directory, and rename the file to pam_pkcs11.conf. Add your system information to the contents of the file as needed.
- Modify the /etc/pam_pkcs11/pam_pkcs11.conf configuration file so that it includes content similar to the following example.
Note: For Ubuntu 20.04, append ms to the end of the use_mappers line.
use_pkcs11_module = coolkey;
pkcs11_module coolkey {
module = /usr/lib/vmware/viewagent/sso/libvmwpkcs11.so;
slot_num = 0;
ca_dir = /etc/pam_pkcs11/cacerts;
nss_dir = /etc/pki/nssdb;
}
mapper ms {
debug = false;
module = internal;
# module = /usr/$LIB/pam_pkcs11/ms_mapper.so;
ignorecase = false;
# ignore domain name
ignoredomain = true;
domain = "DOMAIN.COM"; #<== Replace "DOMAIN.COM" with your organization's domain name
}
use_mappers = digest, cn, pwent, uid, mail, subject, null, ms; #<== For Ubuntu 20.04, append "ms" at end of use_mappers
- Modify the auth parameters in the PAM configuration file.
- Open the PAM configuration file.
- For Ubuntu 16.04, open /etc/pam.d/lightdm.
- For Ubuntu 18.04/20.04, open /etc/pam.d/gdm-vmwcred.
- Edit the PAM configuration file, as shown in the following example.
auth requisite pam_vmw_cred.so
auth sufficient pam_pkcs11.so try_first_pass
- Modify the /etc/krb5.conf configuration file by setting the mode equal to 644.
Note: If you do not modify /etc/krb5.conf as specified, the True SSO feature might not work.
- Restart the VM and log back in.
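A post-change audit for the files edited in the steps above, as an added example that is not part of the Horizon documentation: it checks the /etc/krb5.conf mode, the use_mappers line, that ca_dir and nss_dir point where the root CA certificate was installed, and the two PAM auth lines. The function names, the root-prefix argument and the sample tree are assumptions made for this example; GNU stat is assumed, as shipped on Ubuntu.

```bash
# Added example, not Horizon code. ROOT prefix (assumption): "" audits the live VM.

# True when FILE's octal permission bits equal MODE (GNU stat, as on Ubuntu).
mode_is() { [ "$(stat -c '%a' "$1" 2>/dev/null)" = "$2" ]; }

# True when the active (uncommented) use_mappers line in CONF lists NAME.
has_mapper() {
    sed -n 's/#.*//; s/^[[:space:]]*use_mappers[[:space:]]*=//p' "$1" |
        tr -d ' \t;' | tr ',' '\n' | grep -qx "$2"
}

# Print the value of the first active "KEY = value;" line in CONF.
conf_value() {
    sed -n "s/#.*//; s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# True when PAMFILE holds both auth lines from the procedure, in the order shown.
pam_order_ok() {
    awk '$1 == "auth" && $2 == "requisite"  && $3 == "pam_vmw_cred.so" && !a { a = NR }
         $1 == "auth" && $2 == "sufficient" && $3 == "pam_pkcs11.so"   && !b { b = NR }
         END { exit !(a && b && a < b) }' "$1"
}

# Print ok/FAIL for one check and count failures in the global $fails.
check() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# audit_true_sso ROOT PAMFILE_NAME: returns the number of failed checks.
audit_true_sso() {
    conf="$1/etc/pam_pkcs11/pam_pkcs11.conf"; fails=0
    check "krb5.conf mode is 644" mode_is "$1/etc/krb5.conf" 644
    check "use_mappers lists ms (Ubuntu 20.04)" has_mapper "$conf" ms
    check "ca_dir is the cacerts directory" [ "$(conf_value "$conf" ca_dir)" = /etc/pam_pkcs11/cacerts ]
    check "nss_dir is the NSS database" [ "$(conf_value "$conf" nss_dir)" = /etc/pki/nssdb ]
    check "PAM auth lines present in order" pam_order_ok "$1/etc/pam.d/$2"
    return "$fails"
}

# Constructed sample tree (not real system files): krb5.conf is 600, ms is missing.
demo() {
    d=$(mktemp -d); mkdir -p "$d/etc/pam_pkcs11" "$d/etc/pam.d"
    printf 'ca_dir = /etc/pam_pkcs11/cacerts;\nnss_dir = /etc/pki/nssdb;\nuse_mappers = digest, cn, null;\n' > "$d/etc/pam_pkcs11/pam_pkcs11.conf"
    printf 'auth requisite pam_vmw_cred.so\nauth sufficient pam_pkcs11.so try_first_pass\n' > "$d/etc/pam.d/gdm-vmwcred"
    : > "$d/etc/krb5.conf"; chmod 600 "$d/etc/krb5.conf"
    rc=0; audit_true_sso "$d" gdm-vmwcred || rc=$?; rm -rf "$d"; return "$rc"
}
demo || echo "$? check(s) failed in the constructed sample"
```

On the VM itself, call audit_true_sso "" gdm-vmwcred for Ubuntu 18.04/20.04 or audit_true_sso "" lightdm for Ubuntu 16.04.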