To enable the True SSO feature on a RHEL/CentOS 7.x virtual machine (VM), install the libraries on which the True SSO feature depends, the root Certificate Authority (CA) certificate to support trusted authentication, and Horizon Agent. In addition, you must edit some configuration files to complete the authentication setup.

Use the following procedure to enable True SSO on a RHEL 7.x or CentOS 7.x VM.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_server Path to your DNS name server
mydomain.com DNS name of your AD domain
MYDOMAIN.COM DNS name of your AD domain, in all capital letters

Prerequisites

Procedure

  1. Install the PKCS11 support package group.
    sudo yum install -y nss-tools nss-pam-ldapd pam_krb5 krb5-libs krb5-workstation krb5-pkinit
  2. Install the root CA certificate or certificate chain.
    1. Locate the root CA certificate or certificate chain that you downloaded, and transfer it to a PEM file.
      sudo openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
      
    2. Make an /etc/pki/nssdb directory to contain the system database.
      sudo mkdir -p /etc/pki/nssdb
    3. Use the certutil command to install the root CA certificate or certificate chain to the system database /etc/pki/nssdb.
      Replace "root CA cert" in the following example command with the name of the root CA certificate in the system database.
      sudo certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
      
    4. Add the root CA certificate or certificate chain to the list of trusted CA certificates on the RHEL/CentOS 7.x VM and update the system-wide trust store configuration using the update-ca-trust command.
      sudo cp /tmp/certificate.pem /etc/pki/ca-trust/source/anchors/ca_cert.pem
      sudo update-ca-trust
  3. Modify the appropriate section in your system's SSSD configuration file for your domain, as shown in the following example.
    [domain/mydomain.com]
    ad_domain = mydomain.com
    krb5_realm = MYDOMAIN.COM
    realmd_tags = manages-system joined-with-samba
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    #set the next line to false, so you can use the short name instead of the full domain name.
    use_fully_qualified_names = False   
    fallback_homedir = /home/%u@%d
    access_provider = ad
  4. Modify the Kerberos configuration file /etc/krb5.conf, as shown in the following example.
    [libdefaults]
     dns_lookup_realm = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     default_ccache_name = KEYRING:persistent:%{uid}
     # Add following line, if the system doesn't add it automatically
     default_realm = MYDOMAIN.COM
     
    [realms]
    MYDOMAIN.COM = {
      kdc = dns_server
      admin_server = dns_server
      # Add the following three lines for pkinit_*
      pkinit_anchors = DIR:/etc/pki/ca-trust/source/anchors
      pkinit_kdc_hostname = your_org_DNS_server
      pkinit_eku_checking = kpServerAuth
     }
    [domain_realm]
     mydomain.com = MYDOMAIN.COM
     .mydomain.com = MYDOMAIN.COM
    Note: You must also set the mode equal to 644 in /etc/krb5.conf. Otherwise, the True SSO feature might not work.
  5. Install the Horizon Agent package, with True SSO enabled.
    sudo ./install_viewagent.sh -T yes
  6. Add the following parameter to the Horizon Agent custom configuration file /etc/vmware/viewagent-custom.conf. Use the following example, where NETBIOS_NAME_OF_DOMAIN is the NetBIOS name of your organization's domain.
    NetbiosDomain=NETBIOS_NAME_OF_DOMAIN
  7. Restart the VM and log back in.