To enable the True SSO feature on a SLED/SLES virtual machine (VM), install the libraries on which the True SSO feature depends, the root CA certificate to support trusted authentication, and Horizon Agent. In addition, you must edit some configuration files to complete the authentication setup.

Use the following procedure to enable True SSO on a SLED or SLES VM.

Prerequisites

Procedure

  1. For SLED 15.x or SLES 12.x/15.x, install the necessary packages by running the following command.
    zypper install mozilla-nss-tools pam_krb5 krb5-client krb5-plugin-preauth-pkinit
  2. For SLED 12.x, install the necessary packages by performing the following steps.
    1. Download the corresponding SLES .iso file to the local disk of your SLED VM (for example, /tmp/SLE-12-SP3-Server-DVD-x86_64-GM-DVD1.iso).
      You must add the SLES .iso file as a package source for your SLED system because the necessary krb5-plugin-preauth-pkinit package is available only for SLES systems.
    2. Mount the SLES .iso file on your SLED system, and install the necessary packages.
      sudo mkdir -p /mnt/sles
      sudo mount -t iso9660 /tmp/SLE-12-SP3-Server-DVD-x86_64-GM-DVD1.iso /mnt/sles
      sudo zypper ar -f /mnt/sles sles
      zypper install mozilla-nss-tools pam_krb5 krb5-client krb5-plugin-preauth-pkinit
    3. When the installation is complete, unmount the SLES .iso file.
      sudo umount /mnt/sles
  3. Install the root CA certificate or certificate chain.
    1. Locate the root CA certificate or certificate chain that you downloaded, and convert it from DER to a PEM file.
      openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
    2. Make an /etc/pki/nssdb directory to contain the system database.
      sudo mkdir -p /etc/pki/nssdb
    3. Use the certutil command to install the root CA certificate or certificate chain to the system database /etc/pki/nssdb.
      sudo certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
    4. Add the root CA certificate to pam_pkcs11.
      sudo cp /tmp/certificate.pem /etc/pki/ca-trust/source/anchors/ca_cert.pem
  4. Edit the /etc/krb5.conf configuration file so that it has content similar to the following example.
    [libdefaults]
          default_realm = MYDOMAIN.COM
          dns_lookup_realm = false
          ticket_lifetime = 24h
          renew_lifetime = 7d
          forwardable = true
          rdns = false
          default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
          MYDOMAIN.COM = {
                kdc = ads-hostname
                admin_server = ads-hostname
                pkinit_anchors = DIR:/etc/pki/ca-trust/source/anchors
                pkinit_kdc_hostname = ADS-HOSTNAME
                pkinit_eku_checking = kpServerAuth
          }
    
    [domain_realm]
          .mydomain.com = MYDOMAIN.COM
          mydomain.com = MYDOMAIN.COM
    
    Note: You must also set the file permissions (mode) of /etc/krb5.conf to 644. Otherwise, the True SSO feature might not work.

    Replace the placeholder values in the example with information specific to your network configuration, as described in the following table.

    Placeholder Value    Description
    mydomain.com         DNS name of your AD domain
    MYDOMAIN.COM         DNS name of your AD domain (in all capital letters)
    ads-hostname         Host name of your AD server
    ADS-HOSTNAME         Host name of your AD server (in all capital letters)
  5. Install the Horizon Agent package, with True SSO enabled.
    sudo ./install_viewagent.sh -T yes
  6. Add the following parameter to the Horizon Agent custom configuration file /etc/vmware/viewagent-custom.conf. Use the following syntax, where NETBIOS_NAME_OF_DOMAIN is the name of your organization's NetBIOS domain.
    NetbiosDomain=NETBIOS_NAME_OF_DOMAIN
    Note: For SLED/SLES 15.x, always use the long name of the NetBIOS domain, for example LXD.VDI. If you use the short name, such as LXD, the True SSO feature does not work.
  7. Restart the VM and log back in.
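The following script is an added example, not part of the Horizon documentation: a post-install sanity check for the settings configured in steps 3, 4 and 6 (krb5.conf mode 644, a PEM certificate present in the pkinit_anchors directory, and a long-form NetbiosDomain for 15.x). It runs against constructed sample files in a temporary directory; the file paths and the placeholder certificate body are assumptions, and it assumes GNU coreutils for stat -c.

```shell
#!/bin/sh
# Added example, not part of the Horizon documentation: a post-install sanity
# check for the True SSO settings configured above. Each function takes a file
# path so the checks can be dry-run on the constructed sample files created
# below; on a real VM pass /etc/krb5.conf and /etc/vmware/viewagent-custom.conf
# instead. Assumes GNU coreutils (stat -c).

# krb5.conf must be mode 644 or True SSO may fail (see the note in step 4).
krb5_mode_ok() {
    [ "$(stat -c %a "$1")" = "644" ]
}

# Directory named by pkinit_anchors = DIR:<path> in a krb5.conf (empty if unset).
pkinit_anchor_dir() {
    sed -n 's/^[[:space:]]*pkinit_anchors[[:space:]]*=[[:space:]]*DIR:\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# The anchor directory must exist and hold at least one PEM certificate,
# otherwise PKINIT has no trust anchor for the certificates issued by AD.
anchor_dir_has_pem() {
    dir="$(pkinit_anchor_dir "$1")"
    [ -n "$dir" ] && [ -d "$dir" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$dir"/*.pem 2>/dev/null
}

# NetbiosDomain value from viewagent-custom.conf (empty when missing).
netbios_domain() {
    sed -n 's/^NetbiosDomain=\(.*\)$/\1/p' "$1" | head -n 1
}

# On SLED/SLES 15.x the value must be the long form (contains a dot), e.g.
# LXD.VDI; a short name such as LXD leaves True SSO non-functional.
netbios_domain_ok() {
    case "$(netbios_domain "$1")" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample files for a dry run (placeholder cert body, not a real CA).
TMP="$(mktemp -d)"
mkdir -p "$TMP/anchors"
printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n' > "$TMP/anchors/ca_cert.pem"
printf '[realms]\n  MYDOMAIN.COM = {\n    pkinit_anchors = DIR:%s/anchors\n  }\n' "$TMP" > "$TMP/krb5.conf"
chmod 600 "$TMP/krb5.conf"                                 # deliberately too strict
printf 'NetbiosDomain=LXD\n' > "$TMP/short.conf"           # short form, wrong on 15.x
printf 'NetbiosDomain=LXD.VDI\n' > "$TMP/long.conf"        # long form, correct

krb5_mode_ok "$TMP/krb5.conf" || echo "FAIL: krb5.conf is not mode 644"
anchor_dir_has_pem "$TMP/krb5.conf" && echo "OK: pkinit_anchors holds a PEM cert"
netbios_domain_ok "$TMP/short.conf" || echo "FAIL: NetbiosDomain is the short form"
netbios_domain_ok "$TMP/long.conf" && echo "OK: NetbiosDomain is the long form"
```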