Configure True SSO on a SLED/SLES Virtual Machine

To enable the True SSO feature on a SLED/SLES virtual machine (VM), install the libraries on which the True SSO feature depends, the root Certificate Authority (CA) certificate to support trusted authentication, and Horizon Agent. In addition, you must edit some configuration files to complete the authentication setup.

Use the following procedure to enable True SSO on a SLED or SLES VM.

Prerequisites

Configure True SSO for Workspace ONE Access and Horizon Connection Server.
Complete the steps described in Integrate a SLED/SLES Virtual Machine with Active Directory for True SSO.
Get a root Certificate Authority certificate and save it to /tmp/certificate.cer on your SLED/SLES VM. See How to Export Root Certification Authority Certificate.
If a subordinate CA is also an issuing authority, then get the entire chain of root and subordinate CA certificates and save it to /tmp/certificate.cer on the VM.

Procedure

Install the required packages by running the following command.

zypper install mozilla-nss-tools pam_krb5 krb5-client krb5-plugin-preauth-pkinit

Install the root CA certificate or certificate chain.
1. Locate the root CA certificate or certificate chain that you downloaded, and transfer it to a PEM file.
```
openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
```
2. Make an /etc/pki/nssdb directory to contain the system database.
```
sudo mkdir -p /etc/pki/nssdb
```
3. Use the certutil command to install the root CA certificate or certificate chain to the system database /etc/pki/nssdb.
  Replace "root CA cert" in the following example command with the name of the root CA certificate in the system database.
```
sudo certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
```
4. Add the root CA certificate to pam_pkcs11.
```
sudo cp /tmp/certificate.pem /etc/pki/ca-trust/source/anchors/ca_cert.pem
```

Edit the /etc/krb5.conf configuration file so that it has content similar to the following example.

[libdefaults]
      default_realm = MYDOMAIN.COM
      dns_lookup_realm = false
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = true
      rdns = false
      default_ccache_name = KEYRING:persistent:%{uid}

[realms]
      MYDOMAIN.COM = {
            kdc = ads-hostname
            admin_server = ads-hostname 
            pkinit_anchors = DIR:/etc/pki/ca-trust/source/anchors
            pkinit_kdc_hostname = ADS-HOSTNAME
            pkinit_eku_checking = kpServerAuth
      }

[domain_realm]
      .mydomain.com = MYDOMAIN.COM
      mydomain.com = MYDOMAIN.COM

Note: You must also set the file permissions to 644 for /etc/krb5.conf. Otherwise, the True SSO feature might not work.

Replace the placeholder values in the example with information specific to your network configuration, as described in the following table.


Placeholder Value	Description
mydomain.com	DNS name of your AD domain
MYDOMAIN.COM	DNS name of your AD domain (in all capital letters)
ads-hostname	Host name of your AD server
ADS-HOSTNAME	Host name of your AD server (in all capital letters)

Install the Horizon Agent package, with True SSO enabled.
```
sudo ./install_viewagent.sh -T yes
```
Add the following parameter to the Horizon Agent custom configuration file /etc/vmware/viewagent-custom.conf. Use the following syntax, where NETBIOS_NAME_OF_DOMAIN is the name of your organization's NetBIOS domain.
```
NetbiosDomain=NETBIOS_NAME_OF_DOMAIN
```
Note: Always use the long name of the NetBIOS domain, for example LXD.VDI. If you use the short name, such as LXD, the True SSO feature does not work.
Restart the VM and log back in.