After setting up your Horizon environment, you must set up your VMware Identity Manager environment before you integrate the Horizon pods and pod federations with the VMware Identity Manager service.

Prerequisites

  • If you intend to sync any Horizon Connection Server 5.x instances or use the Perform Directory Sync option, you must join VMware Identity Manager to the same Active Directory domain as Horizon. Ensure that you have an Active Directory username and password with the rights to join the domain. For more information about the rights required to join a domain, see "Integrating with Active Directory" in Directory Integration with VMware Identity Manager.
    Note: In a VMware Identity Manager on Windows installation, the Windows server is already joined to the domain.

Procedure

  1. Ensure that distinguishedName is set as a required attribute for the VMware Identity Manager directory and that it is mapped to the Active Directory attribute distinguishedName.
    Attributes must be marked as required before the directory is created. After the directory is created, attributes cannot be changed from optional to required.
    1. In the VMware Identity Manager console, navigate to the Identity & Access Management > Setup > User Attributes page.
    2. Under Default Attributes, select the Required check box for distinguishedName.
    3. Click Save.
    4. While creating the directory, map the distinguishedName attribute to the Active Directory attribute distinguishedName.
  2. Sync the users and groups that have global or local entitlements in Horizon from Active Directory to the VMware Identity Manager service using directory sync.
    1. To view current users and groups, click the Users & Groups tab.
    2. Select the Identity & Access Management > Directories tab.
    3. Select the appropriate directory.
    4. Modify the directory settings if needed, and click Sync Now.
    Note: Users must have the userPrincipalName attribute set. If the userPrincipalName attribute is not set for a user, the user may not be able to run desktops and applications.
  3. If applicable, establish a connection to multi-domains or trusted multi-forest domains in Active Directory. See Installing and Configuring VMware Identity Manager for information.
  4. (VMware Identity Manager Linux virtual appliance only) Join the VMware Identity Manager directory to the same Active Directory domain as Horizon if you are syncing any Horizon Connection Server 5.x instances or if you intend to use the Perform Directory Sync option. Both these configurations use an alternative way of syncing, which requires the domain to be joined.
    1. Click the Identity & Access Management tab.
    2. Click Setup and select the Connectors tab.
    3. Click Join Domain next to the appropriate directory.
    4. Type the information for the Active Directory domain and click Join Domain. Do not use non-ASCII characters when you enter the domain information.
      Option Description
      Domain Select the domain to join or select Custom Domain and type the domain name. Ensure that you type the fully qualified Active Directory domain name For example, server.example.com.
      Note: The Active Directory FQDN must be in the same domain as the View Connection Server instances. Otherwise, your deployment fails.
      Domain User Type the username of an Active Directory user who has permissions to join systems to that Active Directory domain.
      Domain Password Type the password for the user. This password is not stored by VMware Identity Manager.
      Organizational unit (OU) of domain to join (Optional) The organizational unit (OU) to join. This option joins the machine to the specified OU instead of the default Computers OU.

      For example, ou=testou,dc=test,dc=example,dc=com.

    5. Verify that VMware Identity Manager and the Horizon servers are joined to the same domain.
    Note: In a VMware Identity Manager on Windows installation, this step is not required because the Windows server is already joined to the domain.