To enable the True SSO feature on a RHEL/CentOS 7.x virtual machine (VM), install the libraries on which the True SSO feature depends, the root CA certificate to support trusted authentication, and Horizon Agent. In addition, you must edit some configuration files to complete the authentication setup.
Use the following procedure to enable True SSO on a RHEL 7.x or CentOS 7.x VM.
Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.
Placeholder Value |
Description |
dns_server |
Path to your DNS name server |
mydomain.com |
DNS name of your AD domain |
MYDOMAIN.COM |
DNS name of your AD domain, in all capital letters |
Procedure
- Install the PKCS11 support package group.
yum install -y nss-tools nss-pam-ldapd pam_krb5 krb5-libs krb5-workstation krb5-pkinit
- Install the root CA certificate or certificate chain.
- Locate the root CA certificate or certificate chain that you downloaded, and transfer it to a PEM file.
openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
- Make an /etc/pki/nssdb directory to contain the system database.
sudo mkdir -p /etc/pki/nssdb
- Use the certutil command to install the root CA certificate or certificate chain to the system database /etc/pki/nssdb.
sudo certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
- Add the root CA certificate or certificate chain to the list of trusted CA certificates on the RHEL/CentOS 7.x VM and update the system-wide trust store configuration using the update-ca-trust command.
sudo cp /tmp/certificate.pem /etc/pki/ca-trust/source/anchors/ca_cert.pem
update-ca-trust
- Modify the appropriate section in your system's SSSD configuration file for your domain, as shown in the following example.
[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#set the next line to false, so you can use the short name instead of the full domain name.
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
- Modify the Kerberos configuration file /etc/krb5.conf, as shown in the following example.
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
# Add following line, if the system doesn't add it automatically
default_realm = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
kdc = dns_server
admin_server = dns_server
# Add the following three lines for pkinit_*
pkinit_anchors = DIR:/etc/pki/ca-trust/source/anchors
pkinit_kdc_hostname = your_org_DNS_server
pkinit_eku_checking = kpServerAuth
}
[domain_realm]
mydomain.com = MYDOMAIN.COM
.mydomain.com = MYDOMAIN.COM
Note: You must also set the mode equal to
644
in
/etc/krb5.conf. Otherwise, the True SSO feature might not work.
- Install the Horizon Agent package, with True SSO enabled.
sudo ./install_viewagent.sh -T yes
- Add the following parameter to the Horizon Agent custom configuration file /etc/vmware/viewagent-custom.conf. Use the following example, where NETBIOS_NAME_OF_DOMAIN is the NetBIOS name of your organization's domain.
NetbiosDomain=NETBIOS_NAME_OF_DOMAIN
- Restart the VM and log back in.