Note: This version of the topic applies to Horizon 8 Security versions 2111.2 and 2306 and later. Certificate-based authentication such as Smart Card relies on user principal names (UPNs) to authenticate in VMware Horizon 8. With a recent Microsoft security update (see Microsoft KB5014754 for details), all mapping types based on usernames and email addresses are considered weak and must be changed to one of the stronger mapping types. This setting allows you to configure certificate authentication mapping if you are using certificate-based authentication.

Procedure

  1. Navigate to Global Settings > Security Settings > Certificate Authentication.
  2. Select a Certificate Authentication Mapping Control option.
    Option: SID
      This is the preferred option and the default for a fresh install. If it is selected together with the Custom Alternate Security Identities option, SID is tried first.

    Option: Custom Alternate Security Identities
      When the Custom Alternate Security Identities checkbox is selected, a text box for adding Alternate Mapping Names is displayed.

      A certificate authentication mapping should start with 'x509:', followed by certificate authentication mapping names, each enclosed in percent signs (%). For example: x509:<I>%issuer_dn%<S>%subject_dn%

      The default certificate authentication mapping names are: subject_dn, issuer_dn, subject_key_id, serial, san_dns, ian_dns, san_822, public_key_sha1, san_other: and oid:

    Option: UPN and Predefined Alternate Security Identities (Legacy)
      This is the default option after an upgrade.

  3. Restart the secure gateway service to have the changes take effect.
    Note: If more than one option is selected, authentication is done based on priority, in this order:
    • SID
    • Custom Alternate Security Identities
    • UPN and Predefined Alternate Security Identities (Legacy)

    If you have applied the Microsoft security update described in Microsoft KB5014754 and continue to use UPN for certificate-based authentication, authentication is denied once Microsoft enables enforcement mode.
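To illustrate the Custom Alternate Security Identities format from step 2, the following added example (not part of this documentation or of the Horizon product) validates a mapping string against the 'x509:' prefix and the default mapping names listed above, then expands it with the fields of a constructed certificate. The treatment of 'san_other:' and 'oid:' as prefixes that take an argument, and the substitution of each %name% with the corresponding certificate value, are assumptions made for this example.

```python
import re

# Mapping names listed on the page. 'san_other:' and 'oid:' carry a trailing
# colon; the assumption here is that they take an argument after the colon.
MAPPING_NAMES = {"subject_dn", "issuer_dn", "subject_key_id", "serial",
                 "san_dns", "ian_dns", "san_822", "public_key_sha1"}
PREFIXED_NAMES = ("san_other:", "oid:")
PLACEHOLDER = re.compile(r"%([^%]*)%")


def validate_mapping(template):
    """Return a list of problems with a Custom Alternate Security Identities
    template; an empty list means the template is well-formed."""
    problems = []
    has_prefix = template.startswith("x509:")
    if not has_prefix:
        problems.append("template must start with 'x509:'")
    body = template[len("x509:"):] if has_prefix else template
    if body.count("%") % 2:
        problems.append("unbalanced '%' delimiters")
    names = PLACEHOLDER.findall(body)
    if not names:
        problems.append("no %mapping_name% placeholders found")
    for name in names:
        if name in MAPPING_NAMES:
            continue
        # Prefixed names need a non-empty argument, e.g. %oid:1.2.3%
        if any(name.startswith(p) and len(name) > len(p) for p in PREFIXED_NAMES):
            continue
        problems.append(f"unknown mapping name '{name}'")
    return problems


def expand_mapping(template, cert_fields):
    """Substitute each placeholder with the matching field of one certificate.
    cert_fields maps mapping names to that certificate's values (assumed
    semantics). Raises ValueError for a malformed template and KeyError for a
    field the certificate does not carry."""
    problems = validate_mapping(template)
    if problems:
        raise ValueError("; ".join(problems))
    return PLACEHOLDER.sub(lambda m: cert_fields[m.group(1)], template)


# Constructed sample certificate fields, not taken from any real certificate.
SAMPLE_CERT = {
    "issuer_dn": "CN=Example Issuing CA,DC=example,DC=com",
    "subject_dn": "CN=jdoe,OU=Users,DC=example,DC=com",
    "serial": "1A2B3C",
    "subject_key_id": "0123456789abcdef",
}

if __name__ == "__main__":
    print(expand_mapping("x509:<I>%issuer_dn%<S>%subject_dn%", SAMPLE_CERT))
```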