Configuring Two-Factor Authentication in VMware Horizon View 7 Using OTP and JAS Server

    In our last article, we talked about setting up two-factor authentication in VMware Horizon View based on a PKI infrastructure and X.509 certificates. Today we look at another 2FA option: one-time passwords (OTP). PKI is probably the more robust technology, but in an age of universal mobility and the BYOD trend, when users need to reach information resources from any device, including mobile ones, PKI is not always convenient and is sometimes impossible to use at all. That is why one-time password (OTP) authentication is gaining popularity.

    The OTP implementation in our example is based on our company's product, the JaCarta Authentication Server (JAS). The authenticator (the OTP generation tool) can be:

    • a software token (Google Authenticator for smartphones running iOS, Android or Windows);
    • a hardware token with a USB port (JaCarta WebPass, YubiKey and others);
    • a hardware token without a USB port (eToken PASS and others).

    The following OTP generation algorithms are supported:

    • RFC 4226 + HMAC-SHA-1 (6 characters);
    • RFC 4226 + HMAC-SHA-256 (6 characters);
    • RFC 4226 + HMAC-SHA-256 (7 characters);
    • RFC 4226 + HMAC-SHA-256 (8 characters).
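
    To make the list above concrete, here is an added example (not JAS code) of the RFC 4226 HOTP computation with the hash and length choices from that list, plus the server-side verification loop with a look-ahead window that RFC 4226 section 7.2 describes, which goes a little beyond the list itself. The 20-byte secret is the published RFC 4226 test vector, not a real token seed; the window size is an assumed value.

```python
import hashlib
import hmac
import struct

# Constructed test secret: the 20-byte ASCII key from RFC 4226 Appendix D.
# It is a published test vector, not a real token seed.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """Compute an RFC 4226 HOTP value.

    secret    -- shared key provisioned into both the token and the server
    counter   -- 8-byte moving factor (event counter), incremented on every use
    digits    -- 6, 7 or 8 output digits, the lengths in the supported-algorithm list
    algorithm -- "sha1" or "sha256" (the hash used inside the HMAC)
    """
    if digits not in (6, 7, 8):
        raise ValueError("HOTP length must be 6, 7 or 8 digits")
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("unsupported HMAC hash")
    moving_factor = struct.pack(">Q", counter)
    mac = hmac.new(secret, moving_factor, getattr(hashlib, algorithm)).digest()
    # Dynamic truncation: the low nibble of the last MAC byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret, submitted, counter, window=10, digits=6, algorithm="sha1"):
    """Server-side verification with a look-ahead window (RFC 4226 section 7.2).

    Tries counters counter..counter+window to tolerate a token that was pressed
    a few times without a login.  Returns the next counter value to store on
    success, or None on failure.  Persisting the returned counter is what makes
    an already-used OTP unusable a second time (replay protection).
    """
    for c in range(counter, counter + window + 1):
        expected = hotp(secret, c, digits, algorithm)
        if hmac.compare_digest(expected, submitted):
            return c + 1
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(TEST_SECRET, c), hotp(TEST_SECRET, c, 8),
              hotp(TEST_SECRET, c, 6, "sha256"))
```

    Running the block prints the well-known SHA-1 values 755224, 287082 and 359152 for counters 0, 1 and 2. The verification function returns the counter to store next; a server that forgets to store it would accept the same passcode again, which is exactly the replay the counter is there to prevent.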

    It is also possible to connect an SMS gateway and receive one-time passwords in the form of SMS messages.

    As last time, it is assumed that a VDI environment based on VMware Horizon View is already deployed and configured for plain password authentication, that a JAS server and its NPS plugin have already been installed and configured, and that users have already been issued software or hardware tokens. Installing and configuring JAS is covered by a long and rather dry document that ships with the product.

    Next, we show how easy it is to connect an existing JAS server to a VMware Horizon View Connection Server and enable OTP authentication.

    Configuration steps


    On the server where JAS and the NPS plug-in are installed, open the Network Policy Server snap-in and add a new RADIUS Client.


    Set the Friendly name, the IP address of the Horizon View Connection Server, and the Shared secret.


    On the VMware View server, open the View Connection Server administration console.

    Go to View Configuration -> Servers -> Connection Servers.

    Select the required server and click the Edit button.


    In the window that opens, go to the Authentication tab. Under Advanced Authentication, select RADIUS from the 2-factor authentication drop-down menu.


    Uncheck the boxes Enforce 2-factor and Windows user name matching and Use the same user name and password for RADIUS and Windows authentication (the OTP passcode is not the Windows password, so it must not be reused for the Windows logon).


    Click the Manage Authenticators button. In the new window, click the Add... button.


    Fill in the fields: Label (the server name shown to the client), Hostname / address (the address of the NPS server with the OTP plugin) and Shared Secret. Set Authentication type to PAP.
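
    With Authentication type set to PAP, the passcode the user types into the Horizon client travels to NPS inside the User-Password attribute of a RADIUS Access-Request, hidden with the shared secret as RFC 2865 section 5.2 describes. The following added example (not code from VMware, NPS or JAS) builds such a request, parses it back, and shows that the User-Password can only be recovered with the right shared secret. The user name, passcode, secret and NAS address are constructed sample values; the RFC 2865 packet code and attribute types are the standard ones.

```python
import hashlib
import os
import socket
import struct

# RFC 2865 packet code and attribute types used below.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as in RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous block), the first block using the packet's
    Request Authenticator.  Without the shared secret the receiver cannot undo this.
    """
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        cipher = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += cipher
        prev = cipher
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (what the RADIUS server does before checking)."""
    if not encoded or len(encoded) % 16:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")  # strip padding; passwords never contain NUL


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length (incl. 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, identifier=1, authenticator=None):
    """Build the Access-Request a RADIUS client (here the Connection Server) sends for a PAP login."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator must be fresh per request
    attrs = (
        _attr(ATTR_USER_NAME, username.encode())
        + _attr(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
        + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    )
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes) -> dict:
    """Parse the RADIUS header and attribute TLVs, rejecting inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return {"code": code, "identifier": identifier, "authenticator": packet[4:20], "attrs": attrs}


if __name__ == "__main__":
    secret = b"s3cr3t-constructed"          # constructed shared secret
    pkt = build_access_request("alice", "755224", secret, "10.0.0.5", identifier=7)
    parsed = parse_packet(pkt)
    print(parsed["attrs"][ATTR_USER_NAME][0],
          decode_user_password(parsed["attrs"][ATTR_USER_PASSWORD][0], secret, parsed["authenticator"]))
```

    The point for the administrator is that the shared secret is the only thing protecting the passcode in transit, and the MD5-based scheme is old: treat the secret as a credential (long, random, unique per RADIUS client) and keep the Connection Server to NPS traffic on a trusted network segment.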


    The configuration is now complete; all that remains is to test it.

    Functional check from a laptop


    Launch the VMware Horizon Client (available for Windows, Linux and macOS) and connect to the server.


    After connecting to the server, a login dialog appears asking for a username and the OTP (the Passcode field).


    Open Google Authenticator to obtain the OTP value.


    After successful OTP authentication, a second login prompt asks for the username and password.


    The prompts come in the order OTP -> password, not the other way round. This is done to protect the password from guessing: the password prompt is never reached until a valid one-time password has been presented, so the Windows password cannot be attacked directly through this login path.

    Functional check from a mobile device


    From a mobile phone everything looks similar. Below is an example on iOS (Android is also supported).

    First, launch the Horizon application and connect to the server.

    The server will request the OTP.


    Switch to Google Authenticator and note the OTP value.


    Switch back to Horizon and enter the OTP.


    Next, enter the password.


    Choose your desktop or application.

    That's all.
