As I recently rebuilt some components in my lab I had to set up True SSO again as well. Seeing as I prefer being lazy over being tired I decided it was a good moment to give the True SSO Configuration Utility fling a spin.
The fling won’t set up everything from A to Z, but it will save you from all the “vdmUtil” commands.
So before you can get started you’ll need to make sure your environment is ready to be configured (not in scope for this post), but the following post still stands as of today: VMware Horizon 7 True SSO: Setting Up In a Lab
When you hit section “2. Configure True SSO on the Horizon CS” it’s a good time to switch and continue with this post.
Taking it for a spin
The fling uses the same commands as you’ll use when doing everything manually, so you’ll run it from a Connection Server.
Once fired up you’ll be welcomed by the screen displayed above.
Fill in all the values based on your environment, where the Workspace One Access name is the name of the SAML authenticator you created earlier on your Connection Server.
The Certificate Authority Server is the name displayed in the Certificate Authority mmc.
Once everything is filled in it should look something like below, which means we’re ready to start configuring True SSO!
All that remains is following all the steps provided within the fling, which should result in a functional True SSO setup.
The results in my environment are displayed below:
Step 1
Step 2
Step 3
Step 4
Step 5
And that should be it, everything should now be in place for True SSO to work.
Testing
To make sure everything is working as expected I’ve configured Workspace One Access to authenticate using Kerberos, which, without True SSO, requires a second login with the user’s username and password.
As we are not prompted for a second login and we’re greeted with a Windows desktop everything appears to be working.
We can confirm this by checking the debug logs located in:
%PROGRAM_DATA%\VMware\VDM\logs\
As stated in the blog post mentioned earlier, there are several lines which indicate True SSO is working properly; I’ve included snippets of two of those sections.
2020-10-23T10:10:08.135+02:00 DEBUG (096C-0BA4) <MessageFrameWorkDispatch> [wsnm_desktop] startSession added portal logon for user JAL\Administrator, timeout=900 secs, portalcount=1(1), preLaunchSession=0 {SESSION:9a8d_***_a898}
2020-10-23T10:10:08.135+02:00 INFO (096C-0BA4) <MessageFrameWorkDispatch> [wsnm_certlogon] CertLogon: CryptoContainer created: id=234887619 {SESSION:9a8d_***_a898; SESSION:9a8d_***_a898}
2020-10-23T10:10:08.791+02:00 DEBUG (096C-0C3C) <MessageFrameWorkDispatch> [wsnm_desktop] DesktopManager got a StoreSessionCertificate message (52)
2020-10-23T10:10:08.791+02:00 DEBUG (096C-0C3C) <MessageFrameWorkDispatch> [wsnm_desktop] commandhandler::storeSessionCertificate(): CertSSO: CERTIFICATESSOID=37d15f21-9d4f-4156-953b-a6b947f1512b
2020-10-23T10:10:08.791+02:00 DEBUG (096C-0C3C) <MessageFrameWorkDispatch> [wsnm_desktop] CertSso_StoreCertificate(): Certificate stored for contextId: 23488761
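A way to run the same check across a whole log instead of reading it by eye, as an added example that is not part of the original post or the fling: it pairs each CertLogon "CryptoContainer created" line with the "StoreContext ok" line carrying the same id, as in the two excerpts above. The function name and the sample lines are constructed for illustration, and treating a container without a matching "StoreContext ok" as a logon to investigate is an assumption drawn from those excerpts.

```powershell
# Constructed sample lines in the format of the excerpts above.
# The third line is a made-up logon that never received its certificate.
$sample = @'
2020-10-23T10:10:08.135+02:00 INFO (096C-0BA4) <MessageFrameWorkDispatch> [wsnm_certlogon] CertLogon: CryptoContainer created: id=234887619 {SESSION:9a8d_***_a898}
2020-10-23T10:10:08.791+02:00 DEBUG (096C-0C3C) <MessageFrameWorkDispatch> [wsnm_certlogon] CertLogon: StoreContext ok, id=234887619
2020-10-23T10:12:41.002+02:00 INFO (096C-0BA4) <MessageFrameWorkDispatch> [wsnm_certlogon] CertLogon: CryptoContainer created: id=111111111 {SESSION:0000_***_0000}
'@ -split "`r?`n"

# Hypothetical helper: one result object per CertLogon context id.
function Get-TrueSsoLogonStatus {
    param([string[]]$Lines)

    $prefix   = '^(?<ts>\S+) .*\[wsnm_certlogon\] CertLogon: '
    $contexts = @{}

    foreach ($line in $Lines) {
        if ($line -match ($prefix + 'CryptoContainer created: id=(?<id>\d+)')) {
            # A certificate logon was started for this context id.
            $contexts[$Matches['id']] = [pscustomobject]@{
                ContextId         = $Matches['id']
                Created           = $Matches['ts']
                Stored            = $null
                CertificateStored = $false
            }
        }
        elseif ($line -match ($prefix + 'StoreContext ok, id=(?<id>\d+)')) {
            # The session certificate arrived for a context seen earlier.
            $ctx = $contexts[$Matches['id']]
            if ($ctx) {
                $ctx.Stored            = $Matches['ts']
                $ctx.CertificateStored = $true
            }
        }
    }

    # Oldest first; the timestamps sort as text while they share one UTC offset.
    $contexts.Values | Sort-Object Created
}

# Against a real log: Get-TrueSsoLogonStatus -Lines (Get-Content '<path to debug log>')
Get-TrueSsoLogonStatus -Lines $sample | Format-Table -AutoSize
```

With the sample above, context 234887619 is reported with CertificateStored set to True and the constructed context 111111111 with False.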
Conclusion
With this post I’m hoping this fling will get some extra time in the spotlight, as it really deserves it.
It takes the sting out of using all the commands with “vdmUtil”, which is something I personally never liked doing in the first place.
It makes setting up True SSO that much easier that I’m actually amazed this fling isn’t mentioned more often.