To support True SSO on RHEL 8.x desktops, you must first integrate the base virtual machine (VM) with your Active Directory (AD) domain. Then you must modify certain configurations on the system to support the True SSO feature.
Note: True SSO is not supported on instant-clone RHEL 8.x desktops.
Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.
Placeholder Value |
Description |
mydomain.com |
DNS name of your AD domain |
MYDOMAIN.COM |
DNS name of your AD domain, in all capital letters |
MYDOMAIN |
Name of your NetBIOS domain |
Procedure
- On the RHEL 8.x VM, verify the network connection to Active Directory.
realm discover mydomain.com
- Install the required dependency packages.
yum install oddjob oddjob-mkhomedir sssd adcli samba-common-tools
- Join the AD domain.
realm join --verbose mydomain.com -U administrator
- Install the root CA certificate or certificate chain.
- Locate the root CA certificate or certificate chain that you downloaded, and transfer it to a PEM file.
openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
- Copy the certificate to the /etc/sssd/pki/sssd_auth_ca_db.pem file.
sudo cp /tmp/certificate.pem /etc/sssd/pki/sssd_auth_ca_db.pem
- Modify the /etc/sssd/sssd.conf configuration file, as shown in the following example.
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam
[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = IMYDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False <---------------- Use short name for user
fallback_homedir = /home/%u@%d
access_provider = ad
ad_gpo_map_interactive = +gdm-vmwcred <---------------- Add this line for SSO
[pam] <---------------- Add pam section for certificate logon
pam_cert_auth = True <---------------- Add this line to enable certificate logon for system
pam_p11_allowed_services = +gdm-vmwcred <---------------- Add this line to enable certificate logon for VMware Horizon Agent
[certmap/mydomain.com/truesso] <---------------- Add this section and following lines to set match and map rule for certificate user
matchrule = <EKU>msScLogin
maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
domains = mydomain.com
priority = 10
- Modify the /etc/krb5.conf configuration file by setting the mode equal to
644
.
Note: If you do not modify
/etc/krb5.conf as specified, the True SSO feature might not work.
- Install the Horizon Agent package, with True SSO enabled.
sudo ./install_viewagent.sh -T yes
- Modify the /etc/vmware/viewagent-custom.conf configuration file so that it includes the following line.
- Restart the VM and log back in.