VMware Horizon can leverage smart card technology to better secure the authentication process when a user tries to access the entitled virtual desktop.
If also Active Directory is configured to authenticate users through smart cards, users need to enter the PIN when requested and they can directly access the entitled virtual desktop making the login process faster and more secure.
To implement smart card authentication in VMware Horizon, you need the following prerequisites:
- A working public key infrastructure (PKI)
- Active Directory configured to authenticate users using smart cards
Export the root certificate from CA
If you have a working CA infrastructure, login to the server with the Certification Authority role and open the Certification Authority manager.
Right click the Root CA item and select Properties.
Go to General tab, select the certificate and click View Certificate.
Go to Details tab and click Copy to File.
Click Next in the Certificate Export Wizard page.
Select Base-64 encoded X.509 (.CER) option and click Next.
Enter the File name and click Next.
Click Finish to export the certificate to the specified path.
The certificate has been exported successfully. Click OK to exit the wizard.
Now we need to copy the exported root CA certificate and paste it into the Connection Server.
Import the Root certificate into Horizon
Login to the Connection Server and paste the previously exported root certificate anywhere in the server.
Open the Command Prompt as Administrator.
Go to the folder Program Files\VMware\VMware View\Server\jre\bin.
C:\> cd "Program Files\VMware\VMware View\Server\jre\bin"
Run the following command:
C:\..> keytool.exe -import -alias RootCA -file c:\cert\RootCA.cer -keystore truststorefile.key -storetype JKS
Enter a password for the certificate twice then press Enter.
Type yes and press Enter to trust the certificate. The truststorefile.key file is created in the selected folder.
Once the truststorefile.key has been created, you need to copy the file to the correct folder. Copy the truststorefile.key to the folder C:\Program Files\VMware\VMware View\Server\sslgateway\conf\.
C:\..> copy truststorefile.key "C:\Program Files\VMware\VMware View\Server\sslgateway\conf\"
Now you need to edit the locked.properties file (create the file if it doesn't exist) located in the folder C:\Program Files\VMware\VMware View\Server\sslgateway\conf\ to add the configuration required to use the smart card authentication.
Add the following rows to the locked.properties file:
trustKeyfile = truststorefile.key
trustStoretype = jks
useCertAuth = true
Save the file and restart the VMware Horizon View Connection Server service.
Configure additional Connection Servers
If you have multiple Connection Servers configured in your Horizon infrastructure, you need to configure each Connection Server accordingly.
From the configured Connection Server select and copy both locked.properties and truststorefile.key files.
Login to the other Connection Servers and paste the files to the same folder C:\Program Files\VMware\VMware View\Server\sslgateway\conf\.
Restart the VMware Horizon View Connection Server service.
Enable the smart card authentication in Horizon
From the Connection Server, go to Settings > Servers area and select the Connection Servers tab. Select the first Connection Server (CS1 in the example) and click Edit.
Select the Authentication tab and scroll down to the Smart card authentication section.
From the drop-down menu Smart card authentication for users select the Required option and if you need to increase the security enable the Disconnect user sessions on smart card removal option. Click OK to save the configuration.
If you have multiple Connection Servers in your infrastructure, repeat same procedure on each server.
Test the smart card authentication
Once the configuration has been completed, it's time to test if everything works as expected.
Remember to connect the reader and insert the smart card before logging in to Horizon otherwise you will receive an error. Make sure also to enable the Smartcard Redirection feature in the View Agent installed in the Golden Image.
Insert the smart card in the used computer, open the View Client and connect to your VMware Horizon infrastructure.
Compared to the standard login, you are now prompted to enter the PIN associated with your smart card. Click Login.
The entitled Desktop Pool is displayed. Click the desired Desktop Pool to connect the virtual desktop.
The system is connecting to the VDI.
After few seconds you are connected to the virtual desktop without entering the Windows credentials.
Smart card authentication is useful when the business requires an extra level of security and is one of the available options provided by VMware Horizon. SAML, RADIUS, True SSO are some of the available options you can use for the authentication process in Horizon.