To support True SSO on RHEL 9.x/8.x desktops, you must first integrate the base virtual machine (VM) with your Active Directory (AD) domain. Then you must modify certain configurations on the system to support the True SSO feature.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value        Description
mydomain.com             DNS name of your AD domain
MYDOMAIN.COM             DNS name of your AD domain, in all capital letters
MYDOMAIN                 Name of your NetBIOS domain
dnsserver.mydomain.com   Name of your DNS server

Prerequisites

  • Configure True SSO for Workspace ONE Access and Horizon Connection Server.
  • Verify that the Active Directory (AD) server is resolvable by DNS on the base VM.
  • Configure the host name of the VM.
  • Configure the Network Time Protocol (NTP) on the VM.
  • Get a root Certificate Authority (CA) certificate and save it to /tmp/certificate.cer on the VM. See How to Export Root Certification Authority Certificate.

    If a subordinate CA is also an issuing authority, then get the entire chain of root and subordinate CA certificates and save it to /tmp/certificate.cer on the VM.

  • To use True SSO in FIPS mode, ensure that you have completed all the steps described in Configure a FIPS-compliant Linux Virtual Machine. You must add the trusted CA certificate for VMwareBlastServer to /etc/vmware/ssl/rui.crt and add the key paired with rui.crt to /etc/vmware/ssl/rui.key.

Procedure

  1. On the base VM, verify the network connection to Active Directory.
    realm discover mydomain.com
  2. Install the required dependency packages.
    yum install oddjob oddjob-mkhomedir sssd adcli samba-common-tools
  3. Join the AD domain.
    realm join --verbose mydomain.com -U administrator
  4. Install the root CA certificate or certificate chain.
    1. Locate the root CA certificate or certificate chain that you downloaded, and convert it to a PEM file.
      openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
      
    2. Copy the certificate to the /etc/sssd/pki/sssd_auth_ca_db.pem file.
      sudo cp /tmp/certificate.pem /etc/sssd/pki/sssd_auth_ca_db.pem
  5. Modify the /etc/sssd/sssd.conf configuration file, as shown in the following example.
    [sssd]
    domains = mydomain.com
    config_file_version = 2
    services = nss, pam

    [domain/mydomain.com]
    ad_domain = mydomain.com
    krb5_realm = MYDOMAIN.COM
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    # Use short name for user
    use_fully_qualified_names = False
    fallback_homedir = /home/%u@%d
    access_provider = ad
    # Add this line for SSO
    ad_gpo_map_interactive = +gdm-vmwcred

    # Add pam section for certificate logon
    [pam]
    # Add this line to enable certificate logon for system
    pam_cert_auth = True
    # Add this line to enable certificate logon for VMware Horizon Agent
    pam_p11_allowed_services = +gdm-vmwcred

    # Add this section and following lines to set match and map rule for certificate user
    [certmap/mydomain.com/truesso]
    matchrule = <EKU>msScLogin
    maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
    domains = mydomain.com
    priority = 10
  6. Set the file permission mode of the /etc/krb5.conf configuration file to 644.
    Note: If you do not modify /etc/krb5.conf as specified, the True SSO feature might not work.
  7. (RHEL 9.x) To ensure that True SSO works properly with instant-clone desktop pools, modify the following configurations.
    Note: You can skip these configurations if you are not using the VM for an instant-clone desktop pool.
    1. Run the following command to explicitly allow SHA-1 in the system-wide cryptographic policy.
      update-crypto-policies --set DEFAULT:SHA1
    2. Locate the root CA certificate or certificate chain that you downloaded earlier, and copy it to /etc/pki/ca-trust/source/anchors/ca_cert.pem. Then use the update-ca-trust command to enable legacy applications to read the trusted certificates.
      cp /tmp/certificate.pem /etc/pki/ca-trust/source/anchors/ca_cert.pem
      update-ca-trust
    3. Modify the /etc/krb5.conf file, as shown in the following example.
      [realms]
           MYDOMAIN.COM = {
                kdc = dnsserver.mydomain.com
                admin_server = dnsserver.mydomain.com
                pkinit_anchors = DIR:/etc/pki/ca-trust/source/anchors
                pkinit_kdc_hostname = dnsserver.mydomain.com
                pkinit_eku_checking = kpServerAuth
           }
      [domain_realm]
           .mydomain.com = MYDOMAIN.COM
           mydomain.com = MYDOMAIN.COM
  8. Install the Horizon Agent package, with True SSO enabled.
    sudo ./install_viewagent.sh -T yes
  9. Modify the /etc/vmware/viewagent-custom.conf configuration file so that it includes the following line.
    NetbiosDomain = MYDOMAIN
  10. Restart the VM and log back in.
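
A pre-restart check for the files edited in steps 5 and 6, given here as an added example that is not part of the Horizon documentation or the Horizon Agent package. The helper name check_truesso_conf and the script name in the usage comment are hypothetical. The check relies on the fact that sssd.conf does not support inline comments, so an annotation left after a value is parsed as part of that value.

```bash
#!/bin/bash
# Added example: lint the files edited in steps 5 and 6 before restarting the VM.
# check_truesso_conf is a hypothetical helper, not part of Horizon Agent or SSSD.
check_truesso_conf() {
    sssd_conf=$1; krb5_conf=$2; rc=0
    # sssd.conf accepts '#' comments only at the start of a line, so text
    # after a value or section header is parsed as part of that line.
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*([#;]|$)/ { next }                  # full-line comment or blank
        /[^ \t].*[ \t]#/  { printf "line %d: inline comment: %s\n", NR, trim($0); bad = 1 }
        /^[ \t]*\[/       { sec = trim($0); sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next }
        {
            eq = index($0, "="); if (!eq) next
            key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
            svc = (val ~ /(^|[ ,])[+]?gdm-vmwcred($|[ ,])/)
            if (sec == "pam" && key == "pam_cert_auth" && tolower(val) == "true") cert = 1
            if (sec == "pam" && key == "pam_p11_allowed_services" && svc) p11 = 1
            if (sec ~ /^domain\// && key == "ad_gpo_map_interactive" && svc) gpo = 1
            if (sec ~ /^certmap\// && key == "matchrule" && val != "") mr = 1
            if (sec ~ /^certmap\// && key == "maprule" && val != "") pr = 1
        }
        END {
            if (!cert) { print "missing: [pam] pam_cert_auth = True"; bad = 1 }
            if (!p11)  { print "missing: [pam] pam_p11_allowed_services = +gdm-vmwcred"; bad = 1 }
            if (!gpo)  { print "missing: [domain/...] ad_gpo_map_interactive = +gdm-vmwcred"; bad = 1 }
            if (!(mr && pr)) { print "missing: [certmap/...] matchrule and maprule"; bad = 1 }
            exit bad + 0
        }
    ' "$sssd_conf" || rc=1
    # Step 6: /etc/krb5.conf must have mode 644; find prints the path only on a match.
    if [ -z "$(find "$krb5_conf" -prune -perm 644 2>/dev/null)" ]; then
        echo "$krb5_conf: mode is not 644"; rc=1
    fi
    return "$rc"
}

# Run against real files when two paths are given, for example:
#   ./check_truesso.sh /etc/sssd/sssd.conf /etc/krb5.conf
if [ "$#" -eq 2 ]; then check_truesso_conf "$1" "$2"; fi
```

The function returns 0 only when every True SSO setting from step 5 is present with a clean value and /etc/krb5.conf has mode 644; each finding is printed on its own line.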