Configure two-factor authentication in VMware Horizon View 7 using JaCarta PKI smart cards

Published on October 11, 2017

    We recently described how to configure 2FA based on a PKI infrastructure and X.509 certificates in a Citrix virtual environment using JaCarta PKI tokens. Today we turn to the closest rival of Citrix XenDesktop in virtual desktop and application delivery: VMware Horizon View.



    How does it work?


    In simple terms, the scheme looks like this.


    Two-factor authentication in a VDI session using JaCarta PKI consists of the following steps:

    1. the user presents a token (the first factor is possession of the device) and enters a PIN code (the second factor is knowledge of the PIN);
    2. the server verifies the user's credentials;
    3. the user receives a desktop/application or is denied access.

    Pairing VMware Horizon View with hardware tokens brings, like any other 2FA implementation, a number of advantages over classic password authentication. First, there is a general increase in the level of security that comes from abandoning passwords and moving to strong authentication with a second factor. We will not dwell on this in detail; there are enough articles, and even whole books, on the topic. Second, once authentication by tokens or smart cards is in place, they can and should also be used inside the VDI session: for electronic signatures in various scenarios and programs, for access to web applications, for electronic document management systems and remote banking systems. Both Western cryptographic algorithms and the domestic GOST algorithms can be used. A further advantage is that the same card can serve for authentication, signing and physical access to the premises (if it carries an RFID tag). Customization options are also available, such as printing a logo and corporate identity on the card. As part of special projects, payment applications (Mir, MasterCard, Visa) can be implemented on the same cards.

    Prerequisites


    It is assumed that a public key infrastructure has already been deployed on Windows Server (the version is not important) with the Active Directory Certificate Services role. VDI is deployed as part of VMware Horizon View 7 (the procedure also works with 6.x and 5.x) and is configured for plain password authentication. Another condition is that users have JaCarta tokens holding digital certificates issued to them by the Microsoft CA.

    The client is any PC, thin client, laptop with VMware Horizon Client installed.

    Configuration


    The whole setup comes down to preparing the certificates and enabling the certificate authentication options on the Horizon View Connection Server.

    Export Root Certificate


    Open the Certification Authority snap-in on the root CA by running certsrv.msc.


    Open the Certification Authority -> CA Name -> Properties window.


    On the General tab, select the root certificate and click the View Certificate button.


    Go to the Details tab and click the Copy to File button.


    On the file format selection page, select Base-64 encoded X.509 (.CER).


    Specify the file export path, for example C:\temp\RootCA.cer.



    Creating a JKS Trust Store File


    On the VMware Horizon View server, open a command prompt and change to the directory containing the keytool.exe utility (C:\Program Files\VMware\VMware View\Server\jre\bin).


    Import the root certificate into the trust store file with the command

     keytool -import -alias alias -file root_certificate -keystore truststorefile.key

    where alias is an alias (any value), root_certificate is the full path to the certificate file, and truststorefile.key is the name of the trust store file.

    During the import process, you will need to enter a passphrase to protect the store and confirm the trust in the certificate.


    The truststorefile.key trust store file must be copied to the SSL Gateway directory:
    install_directory\VMware\VMware View\Server\sslgateway\conf\truststorefile.key

    In the same SSL Gateway directory (install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties) create a file named locked.properties and edit it (for example, in Notepad) so that it contains the following:

     trustKeyfile=truststorefile.key
     trustStoretype=JKS
     useCertAuth=true

    Save the file and restart the View Connection Server service.
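    The following PowerShell script is an added example, not part of the original article: it performs the trust store section above on the Connection Server in one go and adds two checks a practitioner would want (that the exported file really is a self-signed root CA, and that locked.properties is written without a UTF-8 BOM, which Notepad can silently add and which corrupts the first property key). Assumptions: the root certificate was already exported to C:\temp\RootCA.cer as described above, Horizon is installed in the default directory, and the Connection Server service name is wsbroker.

```powershell
# Added example (not from the original article). Assumptions: RootCA.cer exported
# as Base-64 per the steps above; default Horizon install path; service name 'wsbroker'.
$ErrorActionPreference = 'Stop'

$viewRoot   = 'C:\Program Files\VMware\VMware View\Server'
$keytool    = Join-Path $viewRoot 'jre\bin\keytool.exe'
$confDir    = Join-Path $viewRoot 'sslgateway\conf'
$rootCer    = 'C:\temp\RootCA.cer'
$trustStore = Join-Path $confDir 'truststorefile.key'
$storePass  = Read-Host -Prompt 'Passphrase to protect the trust store'

# Refuse to continue unless the exported file is a self-signed root CA certificate.
# Trusting an issuing CA or a server certificate here would silently weaken the chain check.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCer
if ($cert.Subject -ne $cert.Issuer) {
    throw "$rootCer is not self-signed (subject '$($cert.Subject)', issuer '$($cert.Issuer)'). Export the root CA certificate."
}
if (-not $cert.Verify()) {
    Write-Warning "$rootCer does not verify on this host; make sure the root is trusted before proceeding."
}

# Import the root into a JKS trust store directly in the SSL Gateway conf directory.
# -noprompt answers the "Trust this certificate?" question; -storetype JKS matches trustStoretype below.
& $keytool -importcert -noprompt -trustcacerts -alias 'RootCA' -file $rootCer `
           -keystore $trustStore -storetype JKS -storepass $storePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# Confirm the entry was stored as a trusted certificate.
$listing = & $keytool -list -keystore $trustStore -storetype JKS -storepass $storePass
if ($listing -notmatch 'trustedCertEntry') { throw 'RootCA alias not found as trustedCertEntry in trust store' }

# locked.properties must be plain ASCII: a UTF-8 BOM would turn the first key into garbage.
@(
    'trustKeyfile=truststorefile.key'
    'trustStoretype=JKS'
    'useCertAuth=true'
) | Set-Content -Path (Join-Path $confDir 'locked.properties') -Encoding Ascii

# Restart the Connection Server so the SSL Gateway reloads locked.properties (service name assumed).
Restart-Service -Name 'wsbroker'
```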

    Certificate Login Setup


    Access the VMware Horizon View web console.


    Go to the server properties: Inventory -> View Configuration -> Servers -> Connection Servers -> Edit.


    Click the Authentication tab and select your preferred authentication mode.

    Smart card authentication to the administrative console is configured from the Smart card authentication for administrators drop-down list:

    • Not Allowed - do not use a smart card;
    • Optional - mixed authentication - either by password or by smart card;
    • Required - mandatory use of a smart card.

    Smart card authentication of users in VDI is configured from the Smart card authentication for users drop-down list:

    • Not Allowed - do not use a smart card;
    • Optional - mixed authentication - either by password or by smart card;
    • Required - mandatory use of a smart card.

    The Disconnect user sessions on smart card removal option determines what happens when the smart card is removed. Check the box if you want the session to be disconnected when the smart card is removed.


    Click OK.

    User smart card forwarding settings


    Smart card forwarding (redirection) makes the user's card available inside the virtual machine, so authentication to the desktop is transparent and the PIN code is entered only once.

    When using Teradici thin clients, no configuration is usually required.

    If you are using the Windows, macOS or Linux software clients, VMware View Agent must be installed with the Smartcard Redirection option enabled.



    Check


    To verify the setup, log in to the Horizon View administration console and to a virtual desktop.

    Login to the administration console


    Insert the smart card and open the administration console.

    In the login form that appears, select the administrator certificate and click OK.


    You are prompted for the PIN code. After the PIN is verified successfully, you are authenticated to the web interface.



    Virtual Desktop Login


    On the client device, start VMware Horizon Client and select the desired connection.


    You are prompted for a PIN code.


    After successful authentication, available resources are displayed.


    Finally, we confirm that the smart card has been forwarded into the delivered desktop.


    That's all.