To enable True SSO on an Ubuntu/Debian desktop, integrate the base virtual machine (VM) with an Active Directory (AD) domain using the SSSD solution. Then install the root Certificate Authority (CA) certificate to support trusted authentication before installing Horizon Agent.

Use the following procedure to enable True SSO with SSSD on an Ubuntu/Debian VM.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the host name of your VM. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server DNS name of your AD domain
MYDOMAIN.COM DNS name of your AD domain, in all capital letters
myhost Host name of your Ubuntu/Debian VM
MYDOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname Host name of your AD server
admin-user User name of the AD domain administrator


  • Verify that the VM is running one of the following distributions.
    • Ubuntu 22.04/20.04
    • Debian 12.x/11.x
    Note: True SSO with SSSD is not supported for Debian 10.x desktops. To configure True SSO on a Debian 10.x desktop, use Samba domain-join instead as described in Configure True SSO with Samba for Ubuntu/Debian Desktops.
  • Configure True SSO for Workspace ONE Access and Horizon Connection Server.
  • Get a root CA certificate and save it to /tmp/certificate.cer on the Ubuntu/Debian VM. See How to Export Root Certification Authority Certificate.

    If a subordinate CA is also an issuing authority, then get the entire chain of root and subordinate CA certificates and save it to /tmp/certificate.cer on the VM.


  1. On the base VM, verify the network connection to Active Directory.
    sudo realm discover
  2. Install the required dependency packages.
    sudo apt-get install sssd-tools sssd libnss-sss libpam-sss adcli samba-common-bin krb5-user krb5-pkinit
  3. Join the AD domain.
    sudo realm join --verbose -U admin-user
  4. Install the root CA certificate or certificate chain.
    1. Locate the root CA certificate or certificate chain that you downloaded, and transfer it to a PEM file.
      sudo openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
    2. Copy the certificate to the /etc/sssd/pki/sssd_auth_ca_db.pem file.
      sudo cp /tmp/certificate.pem /etc/sssd/pki/sssd_auth_ca_db.pem
  5. Modify the /etc/sssd/sssd.conf configuration file, as shown in the following example.
    domains =
    config_file_version = 2
    services = nss, pam
    ad_domain =
    krb5_realm = MYDOMAIN.COM
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False #Use short name for user
    fallback_homedir = /home/%u@%d
    access_provider = ad
    ad_gpo_map_interactive = +gdm-vmwcred #Add this line for SSO
    ad_gpo_access_control = permissive #Only add this line for Ubuntu 20.04 and Debian 12 to fix
    [pam] #Add pam section for certificate login
    pam_cert_auth = True #Add this line to enable certificate login for system
    pam_p11_allowed_services = +gdm-vmwcred #Add this line to enable certificate login for VMware Horizon Agent
    [certmap/] #Add this section and following lines to set match and map rule for certificate user
    matchrule = <EKU>msScLogin
    maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
    domains =
    priority = 10
  6. Change the access mode for the /etc/krb5.conf configuration file to make it editable.
    sudo chmod 644 /etc/krb5.conf
  7. Modify the /etc/krb5.conf file, as shown in the following example.
        kdc =
        admin_server =
        pkinit_anchors = DIR:/etc/sssd/pki
        pkinit_kdc_hostname =
        pkinit_eku_checking = kpServerAuth
    [domain_realm] = MYDOMAIN.COM = MYDOMAIN.COM
  8. Install the Horizon Agent package, with True SSO enabled.
    sudo ./ -T yes
  9. Modify the /etc/vmware/viewagent-custom.conf configuration file so that it includes the following line.
    NetbiosDomain = MYDOMAIN
  10. Restart the VM and log back in.