To enable the True SSO feature on an Ubuntu/Debian virtual machine (VM), install the libraries on which the True SSO feature depends, the root Certificate Authority (CA) certificate to support trusted authentication, and Horizon Agent. If True SSO authentication is also issued by a subordinate CA, then you must install the entire certificate chain of root and subordinate CA certificates. To complete the authentication setup, you must edit some configuration files.

Use the following procedure to enable True SSO on an Ubuntu/Debian VM.

Prerequisites

Procedure

  1. On the VM, install the pkcs11 support package.
    sudo apt install libpam-pkcs11
  2. Install the libnss3-tools package.
    sudo apt install libnss3-tools
  3. Install the root CA certificate or certificate chain.
    1. Locate the root CA certificate or certificate chain that you downloaded, and transfer it to a PEM file.
      openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
    2. Make an /etc/pki/nssdb directory to contain the system database.
      sudo mkdir -p /etc/pki/nssdb
    3. Use the certutil command to install the root CA certificate or certificate chain to the system database /etc/pki/nssdb.
      Replace "root CA cert" in the following example command with the name of the root CA certificate in the system database.
      sudo certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
    4. Make an /etc/pam_pkcs11/cacerts directory and copy the root CA certificate or certificate chain there.
      mkdir -p /etc/pam_pkcs11/cacerts
      sudo cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
    5. Create a hash link for the root CA certificate or certificate chain. In the /etc/pam_pkcs11/cacerts directory, run the following command.
      pkcs11_make_hash_link
  4. Install the Horizon Agent package, with True SSO enabled.
    sudo ./install_viewagent.sh -T yes
  5. Add the following parameter to the Horizon Agent custom configuration file /etc/vmware/viewagent-custom.conf. Use the following example, where NETBIOS_NAME_OF_DOMAIN is the NetBIOS name of your organization's domain.
    NetbiosDomain=NETBIOS_NAME_OF_DOMAIN
  6. Edit the /etc/pam_pkcs11/pam_pkcs11.conf configuration file.
    1. If needed, create the /etc/pam_pkcs11/pam_pkcs11.conf configuration file. Locate the example file in /usr/share/doc/libpam-pkcs11/examples, copy it to the /etc/pam_pkcs11 directory, and rename the file to pam_pkcs11.conf. Add your system information to the contents of the file as needed.
    2. Modify the /etc/pam_pkcs11/pam_pkcs11.conf configuration file so that it includes content similar to the following example.
      Note: For Ubuntu 20.04 or later, append ms to the end of the use_mappers line.
      use_pkcs11_module = coolkey;
      pkcs11_module coolkey {
        module = /usr/lib/vmware/viewagent/sso/libvmwpkcs11.so;
        slot_num = 0;
        ca_dir = /etc/pam_pkcs11/cacerts;
        nss_dir = /etc/pki/nssdb;
      }
      
      mapper ms {
        debug = false;
        module = internal;
        # module = /usr/$LIB/pam_pkcs11/ms_mapper.so;
        ignorecase = false;
        # ignore domain name
        ignoredomain = true;
        domain = "DOMAIN.COM"; #<== Replace "DOMAIN.COM" with your organization's domain name
      }
      
      use_mappers = digest, cn, pwent, uid, mail, subject, null, ms;  #<== For Ubuntu 20.04 or later, append "ms" at end of use_mappers
  7. In the Linux terminal, set the access permissions for the /etc/krb5.conf configuration file to 644, as shown in the following example.
    sudo chmod 644 /etc/krb5.conf

    Verify that the permissions have been modified.

    ls -l /etc/krb5.conf
    
    -rw-r--r-- 1 root root xxx xx xx xxxx /etc/krb5.conf
    Note: If you do not modify the permissions of /etc/krb5.conf as specified, the True SSO feature might not work.
  8. Restart the VM and log back in.