To enable the True SSO feature on an Ubuntu virtual machine (VM), install the libraries on which the True SSO feature depends, the root Certificate Authority (CA) certificate to support trusted authentication, and Horizon Agent. If True SSO authentication is also issued by a subordinate CA, then you must install the entire certificate chain of root and subordinate CA certificates. To complete the authentication setup, you must edit some configuration files.

Use the following procedure to enable True SSO on an Ubuntu VM.

Prerequisites

Procedure

  1. On the Ubuntu VM, install the pkcs11 support package.
    sudo apt install libpam-pkcs11
  2. Install the libnss3-tools package.
    sudo apt install libnss3-tools
  3. Install the root CA certificate or certificate chain.
    1. Locate the root CA certificate or certificate chain that you downloaded, and transfer it to a PEM file.
      openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
    2. Make an /etc/pki/nssdb directory to contain the system database.
      sudo mkdir -p /etc/pki/nssdb
    3. Use the certutil command to install the root CA certificate or certificate chain to the system database /etc/pki/nssdb.
      sudo certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
    4. Make an /etc/pam_pkcs11/cacerts directory and copy the root CA certificate or certificate chain there.
      mkdir -p /etc/pam_pkcs11/cacerts
      sudo cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
    5. Create a hash link for the root CA certificate or certificate chain. In the /etc/pam_pkcs11/cacerts directory, run the following command.
      pkcs11_make_hash_link
  4. Install the Horizon Agent package, with True SSO enabled.
    sudo ./install_viewagent.sh -T yes
  5. Add the following parameter to the Horizon Agent custom configuration file /etc/vmware/viewagent-custom.conf. Use the following example, where NETBIOS_NAME_OF_DOMAIN is the NetBIOS name of your organization's domain.
    NetbiosDomain=NETBIOS_NAME_OF_DOMAIN
  6. Edit the /etc/pam_pkcs11/pam_pkcs11.conf configuration file.
    1. If needed, create the /etc/pam_pkcs11/pam_pkcs11.conf configuration file. Locate the example file in /usr/share/doc/libpam-pkcs11/examples, copy it to the /etc/pam_pkcs11 directory, and rename the file to pam_pkcs11.conf. Add your system information to the contents of the file as needed.
    2. Modify the /etc/pam_pkcs11/pam_pkcs11.conf configuration file so that it includes content similar to the following example.
      Note: For Ubuntu 20.04, append ms to the end of the use_mappers line.
      use_pkcs11_module = coolkey;
      pkcs11_module coolkey {
        module = /usr/lib/vmware/viewagent/sso/libvmwpkcs11.so;
        slot_num = 0;
        ca_dir = /etc/pam_pkcs11/cacerts;
        nss_dir = /etc/pki/nssdb;
      }
      
      mapper ms {
        debug = false;
        module = internal;
        # module = /usr/$LIB/pam_pkcs11/ms_mapper.so;
        ignorecase = false;
        # ignore domain name
        ignoredomain = true;
        domain = "DOMAIN.COM"; #<== Replace "DOMAIN.COM" with your organization's domain name
      }
      
      use_mappers = digest, cn, pwent, uid, mail, subject, null, ms;  #<== For Ubuntu 20.04, append "ms" at end of use_mappers
  7. Modify the auth parameters in the PAM configuration file.
    1. Open the PAM configuration file at /etc/pam.d/gdm-vmwcred.
    2. Edit the PAM configuration file, as shown in the following example.
      auth requisite pam_vmw_cred.so
      auth sufficient pam_pkcs11.so try_first_pass
      
  8. In Linux terminal, set the mode for /etc/krb5.conf configuration file equal to 644 as shown in the following example.
    sudo chmod 644 /etc/krb5.conf 
    ls -l /etc/krb5.conf
    -rw-r--r-- 1 root root xxx xx xx xxxx /etc/krb5.conf
    Note: If you do not modify the permissions attributes of /etc/krb5.conf as specified, the True SSO feature might not work.
  9. Restart the VM and log back in.