To enable True SSO on an Ubuntu/Debian desktop, integrate the base virtual machine (VM) with an Active Directory (AD) domain using the SSSD solution. Then install the root Certificate Authority (CA) certificate to support trusted authentication before installing Horizon Agent.
Use the following procedure to enable True SSO with SSSD on an Ubuntu/Debian VM.
Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the host name of your VM. Replace the placeholder values with information specific to your configuration, as described in the following table.
| Placeholder Value | Description |
|---|---|
| dns_IP_ADDRESS | IP address of your DNS name server |
| mydomain.com | DNS name of your AD domain |
| MYDOMAIN.COM | DNS name of your AD domain, in all capital letters |
| myhost | Host name of your Ubuntu/Debian VM |
| MYDOMAIN | DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters |
| ads-hostname | Host name of your AD server |
| admin-user | User name of the AD domain administrator |
Procedure

- On the base VM, verify the network connection to Active Directory.

  ```shell
  sudo realm discover mydomain.com
  ```

- Install the required dependency packages.

  ```shell
  sudo apt-get install sssd-tools sssd libnss-sss libpam-sss adcli samba-common-bin krb5-user krb5-pkinit
  ```

- Join the AD domain.

  ```shell
  sudo realm join --verbose mydomain.com -U admin-user
  ```

- Install the root CA certificate or certificate chain.

  - Locate the root CA certificate or certificate chain that you downloaded, and convert it to a PEM file.

    ```shell
    sudo openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
    ```

  - Copy the certificate to the /etc/sssd/pki/sssd_auth_ca_db.pem file.

    ```shell
    sudo cp /tmp/certificate.pem /etc/sssd/pki/sssd_auth_ca_db.pem
    ```
- Modify the /etc/sssd/sssd.conf configuration file, as shown in the following example. The annotations in the example are placed on their own comment lines.

  ```ini
  [sssd]
  domains = mydomain.com
  config_file_version = 2
  services = nss, pam

  [domain/mydomain.com]
  ad_domain = mydomain.com
  krb5_realm = MYDOMAIN.COM
  realmd_tags = manages-system joined-with-adcli
  cache_credentials = True
  id_provider = ad
  krb5_store_password_if_offline = True
  default_shell = /bin/bash
  ldap_id_mapping = True
  # Use the short name for the user
  use_fully_qualified_names = False
  fallback_homedir = /home/%u@%d
  access_provider = ad
  # Add this line for SSO
  ad_gpo_map_interactive = +gdm-vmwcred
  # Only add this line for Ubuntu 20.04 and Debian 12, to work around https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1934997
  ad_gpo_access_control = permissive

  # Add the pam section for certificate login
  [pam]
  # Add this line to enable certificate login for the system
  pam_cert_auth = True
  # Add this line to enable certificate login for VMware Horizon Agent
  pam_p11_allowed_services = +gdm-vmwcred

  # Add this section and the following lines to set the match and map rules for the certificate user
  [certmap/mydomain.com/truesso]
  matchrule = <EKU>msScLogin
  maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
  domains = mydomain.com
  priority = 10
  ```
- Change the access mode for the /etc/krb5.conf configuration file to make it editable.

  ```shell
  sudo chmod 644 /etc/krb5.conf
  ```

- Modify the /etc/krb5.conf file, as shown in the following example. Replace kdcserver.mydomain.com and dnsserver.mydomain.com with the host names of your KDC and admin server.

  ```ini
  [realms]
  MYDOMAIN.COM = {
      kdc = kdcserver.mydomain.com
      admin_server = dnsserver.mydomain.com
      pkinit_anchors = DIR:/etc/sssd/pki
      pkinit_kdc_hostname = kdcserver.mydomain.com
      pkinit_eku_checking = kpServerAuth
  }

  [domain_realm]
  .mydomain.com = MYDOMAIN.COM
  mydomain.com = MYDOMAIN.COM
  ```
- Install the Horizon Agent package, with True SSO enabled.

  ```shell
  sudo ./install_viewagent.sh -T yes
  ```
- Modify the /etc/vmware/viewagent-custom.conf configuration file so that it includes the following line.
- Restart the VM and log back in.
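Before restarting the VM, it is worth confirming that the sssd.conf and CA file from the steps above actually contain what True SSO needs, because the only feedback after a restart is a failed login. The following script is an added example written for this page; it is not part of the VMware procedure or of SSSD. It reads each required setting out of its own section (so a key placed in the wrong section is reported), flags values that still carry a trailing `#` annotation, and checks that the CA bundle holds at least one PEM certificate. It assumes POSIX sh and awk, and uses the page's placeholders (mydomain.com, gdm-vmwcred) and the constructed sample configuration embedded in `sample_conf`.

```shell
#!/bin/sh
# Added example, not VMware's or SSSD's code: sanity-check the True SSO settings
# in sssd.conf and the CA bundle before restarting the VM.
# Assumptions: POSIX sh + awk; domain and service names are the page placeholders.

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
# Only whole lines that start with # or ; are treated as comments.
conf_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]+|[ \t]+$/, "", sec); in_sec = (sec == want); next }
        in_sec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# expect_setting FILE SECTION KEY ERE: pass when the value exists, carries no
# stray annotation, and matches the extended regex.
expect_setting() {
    val=$(conf_get "$1" "$2" "$3")
    if [ -z "$val" ]; then
        echo "MISSING: [$2] $3"; return 1
    fi
    case "$val" in
        *'#'*|*';'*) echo "SUSPECT: [$2] $3 = '$val' (annotation left on the value line?)"; return 1 ;;
    esac
    if ! printf '%s\n' "$val" | grep -Eq -- "$4"; then
        echo "WRONG:   [$2] $3 = '$val' (expected to match $4)"; return 1
    fi
}

# check_truesso_conf FILE DOMAIN: run every check, return 1 if any failed.
check_truesso_conf() {
    f=$1; d=$2; rc=0
    expect_setting "$f" sssd services 'pam'                              || rc=1
    expect_setting "$f" sssd domains "$d"                                || rc=1
    expect_setting "$f" "domain/$d" id_provider '^ad$'                   || rc=1
    expect_setting "$f" "domain/$d" access_provider '^ad$'               || rc=1
    expect_setting "$f" "domain/$d" ad_gpo_map_interactive '\+gdm-vmwcred' || rc=1
    expect_setting "$f" pam pam_cert_auth '^[Tt]rue$'                    || rc=1
    expect_setting "$f" pam pam_p11_allowed_services '\+gdm-vmwcred'     || rc=1
    expect_setting "$f" "certmap/$d/truesso" matchrule 'msScLogin'       || rc=1
    expect_setting "$f" "certmap/$d/truesso" maprule 'subject_principal' || rc=1
    expect_setting "$f" "certmap/$d/truesso" domains "$d"                || rc=1
    return $rc
}

# check_ca_pem FILE: the bundle in /etc/sssd/pki must hold at least one PEM certificate
# (a DER file copied there unconverted has none).
check_ca_pem() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    if [ "${n:-0}" -eq 0 ]; then
        echo "MISSING: $1 has no PEM certificate (convert DER with: openssl x509 -inform der)"; return 1
    fi
    echo "OK: $1 contains $n PEM certificate(s)"
}

# Constructed sample (mirrors the page's example) for trying the checker offline.
sample_conf() {
    cat <<'EOF'
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
id_provider = ad
access_provider = ad
# treat the Horizon greeter as an interactive logon for GPO evaluation
ad_gpo_map_interactive = +gdm-vmwcred

[pam]
pam_cert_auth = True
pam_p11_allowed_services = +gdm-vmwcred

[certmap/mydomain.com/truesso]
matchrule = <EKU>msScLogin
maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
domains = mydomain.com
priority = 10
EOF
}

# Usage: sh check_truesso.sh /etc/sssd/sssd.conf mydomain.com [/etc/sssd/pki/sssd_auth_ca_db.pem]
if [ -n "${1:-}" ]; then
    rc=0
    check_truesso_conf "$1" "${2:-mydomain.com}" || rc=1
    check_ca_pem "${3:-/etc/sssd/pki/sssd_auth_ca_db.pem}" || rc=1
    exit $rc
fi
```

The checks are deliberately section-aware: `pam_cert_auth` placed under `[domain/...]` instead of `[pam]` looks fine to `grep` but is reported as MISSING here. The `SUSPECT` case catches the other common copy-and-paste slip, an explanatory comment left on the same line as a value.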