2Factor Authentication for Horizon8

Hi. Today I would like to configure multifactor authentication (MFA) for Horizon 8 through Keycloak.

What is MFA?

Multifactor authentication (MFA) is a multistep account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.

Which MFA protocols does Horizon support?

You can enable a Connection Server instance for RSA SecurID authentication or RADIUS authentication by modifying Connection Server settings in Horizon Administrator.

Prerequisites

Install and configure the two-factor authentication software, such as the RSA SecurID software or the RADIUS software, on an authentication manager server.

1- For RSA SecurID authentication, export the sdconf.rec file for the Connection Server instance from RSA Authentication Manager. See the RSA Authentication Manager documentation.

2- For RADIUS authentication, follow the vendor’s configuration documentation. Make a note of the RADIUS server’s hostname or IP address, the port number on which it is listening for RADIUS authentication (usually 1812), the authentication type (PAP, CHAP, MS-CHAPv1, or MS-CHAPv2), and the shared secret. You will enter these values in Horizon Administrator. You can enter values for a primary and a secondary RADIUS authenticator.

Procedure

  1. Log in to Horizon Administrator, and select View Settings > Servers.
  2. On the Connection Servers tab, select your connection server and click Edit.
  3. On the Authentication tab, from the 2-factor authentication drop-down list in the Advanced Authentication section, select RADIUS.
  4. To force RADIUS usernames to match usernames in Active Directory, select Enforce 2-factor and Windows username matching.
    If you select this option, users must use the same RADIUS username for Active Directory authentication. If you do not select this option, the names can be different.
  5. For RADIUS authentication, complete the rest of the fields:
    1. Select Use the same username and password for RADIUS and Windows authentication if the initial RADIUS authentication uses Windows authentication that triggers an out-of-band transmission of a token code, and this token code is used as part of a RADIUS challenge.
      If you select this check box, users will not be prompted for Windows credentials after RADIUS authentication if the RADIUS authentication uses the Windows username and password. Users do not have to reenter the Windows username and password after RADIUS authentication.
    2. From the Authenticator drop-down list, select Create New Authenticator and complete the page.

6. Click Add.

Enter a name in the Authenticator name field. This name is displayed to users when they log in. You can customize the username and passcode labels.

7. Click Next and enter your Keycloak RADIUS information:

Hostname/Address: keycloak.khoshraftar.com

Authentication Port: 1812

Accounting Port: 0

Set the Accounting port to 0 unless you want to enable RADIUS accounting. Set this port to a non-zero number only if your RADIUS server supports collecting accounting data. If the RADIUS server does not support accounting messages, and you set this port to a nonzero number, the messages will be sent and ignored and retried a number of times, resulting in a delay in the authentication.

Accounting data can be used in order to bill users based on usage time and data. Accounting data can also be used for statistical purposes and for general network monitoring.

Authentication Type: PAP-CHAP-MSCHAP1-MSCHAP2

Shared Secret: ***********

This must match the shared secret configured on your RADIUS server.

If you specify a realm prefix string, the string is placed at the beginning of the username when it is sent to the RADIUS server. For example, if the username entered in Horizon Client is Mohammad and the realm prefix Khoshraftar\ is specified, the username Khoshraftar\Mohammad is sent to the RADIUS server. Similarly, if you use the realm suffix (postfix) string @khoshraftar.com, the username Mohammad@khoshraftar.com is sent to the RADIUS server.

Click Next

8. Click OK to save your changes.

You do not need to restart the Connection Server service. The necessary configuration files are distributed automatically, and the configuration settings take effect immediately.
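
The shared secret, authentication type and accounting port are the settings that most often go wrong, and Horizon only reports a generic login failure when they do. The following Python script is an added example (not from the original post, and not VMware's or Keycloak's code) that builds a RADIUS Access-Request with PAP as defined in RFC 2865, sends it to the server, and checks the Response Authenticator of the reply, so that a secret mismatch or a spoofed reply is distinguished from a genuine Access-Reject. It uses only the standard library; the hostname, port, user, password and secret in the probe call at the bottom are placeholders to replace with your own values, and it covers the PAP type only (the MS-CHAP types hide the password differently).

```python
"""RADIUS (RFC 2865) PAP pre-flight check for a Horizon <-> Keycloak setup.
Added example, standard library only: it configures nothing, it only reports
whether the RADIUS server answers an Access-Request built with your secret."""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP User-Password (RFC 2865 section 5.2): pad to 16-byte blocks, XOR
    each block with MD5(secret + previous block), starting from the Request
    Authenticator. This is keyed obfuscation, not encryption, which is why RADIUS
    traffic belongs on a trusted network segment."""
    if not password or len(password) > 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt: what the server does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident: int, username: str, password: str, secret: bytes):
    """Code | Identifier | Length | Request Authenticator | attributes."""
    authenticator = secrets.token_bytes(16)
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(
        ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def sign_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """What a genuine server sends (RFC 2865 section 3): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """A reply whose authenticator does not verify came from a server holding a
    different secret (or was spoofed) and must be treated as no reply at all."""
    if len(packet) < 20:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def probe(host: str, port: int, username: str, password: str, secret: bytes, timeout=3.0) -> str:
    """Send one Access-Request and classify the outcome."""
    ident = secrets.randbelow(256)
    request, request_auth = build_access_request(ident, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            # Wrong host/port, a firewall, or a server that silently drops
            # requests whose shared secret does not match.
            return "timeout"
    if reply[1] != ident or not response_is_authentic(reply, request_auth, secret):
        return "unauthenticated-reply"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject",
            ACCESS_CHALLENGE: "challenge"}.get(reply[0], "unknown")


if __name__ == "__main__":
    # Placeholder values: your RADIUS host, a test user, and the secret from the
    # Horizon authenticator dialog.
    print(probe("keycloak.example.com", 1812, "testuser", "testpassword", b"CHANGE-ME"))
```

A result of "accept" or "reject" means the shared secret is right and the server is reachable; "unauthenticated-reply" means the server answered with a different secret; "timeout" usually means the port is wrong, a firewall is in the way, or the server discarded the request. Keep the accounting port at 0 as the post says unless the server really handles accounting, otherwise every login waits for those retries.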
 

What is Keycloak?

Keycloak is an open-source identity and access management solution.

How to install Keycloak?

You can download Keycloak from here. But for this project I need RADIUS, and RADIUS is not part of the default Keycloak distribution, so you can configure a RADIUS plugin manually by following this link.

But I want to write up a simple Keycloak RADIUS configuration in my blog.

  1. I downloaded a Java-based Keycloak RADIUS application from here.
  2. I installed an Ubuntu server and installed OpenJDK 11 on it.
  3. Copy the Keycloak files to the Ubuntu server.
  4. unzip keycloak-radius.zip -d keycloak-radius
  5. cd keycloak-radius/
  6. export KEYCLOAK_ADMIN=admin
  7. export KEYCLOAK_ADMIN_PASSWORD=admin
  8. bin/kc.sh start-dev
  9. Open http://Server-IP-Address:8080

10. Username: admin

11. Password: admin

12. Under Manage, select Clients and click Create client.

13. Choose the radius protocol from the drop-down menu and fill in a Client ID.

Note: This name must be the same as the authenticator name in the Horizon config in the previous section.

14. Click Next

15. Click Save

16. Click on the Users section and click Add Users

Note: If you want to log in with a password only, leave Required user actions blank.

Click Create, and then click on the user that you created.

17. Click the Set password button and type your password. If you turn on Temporary, the user must change the password at first login; I turned it off. Then click Save.

Note: If you want to use an OTP, select Configure OTP from the menu.

Complete step 17 to create a password for your user, then go to this page:

18. http://your-ip-address:8080/realms/master/account/#/

Enter the username and password that you created.

19. Install one of the following applications on your mobile:

Google Authenticator

Microsoft Authenticator

FreeOTP

20. Open the application and scan the barcode.

21. Enter the one-time code provided by the application and submit it to finish the setup.
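
Steps 19 to 21 enrol a TOTP secret: the barcode carries a Base32 secret, the app derives a 6-digit code from it every 30 seconds, and Keycloak checks the submitted code against a small window of time steps. The Python code below is an added example, not part of the original post and not Keycloak's implementation. It implements HOTP/TOTP (RFC 4226 / RFC 6238) with the parameters a Keycloak OTP policy normally uses (TOTP, SHA-1, 6 digits, 30-second period, look-around window of 1; these are assumptions to check against your realm's OTP policy), builds the otpauth URI that a TOTP barcode encodes, and verifies a code while returning the matching time step so a caller can refuse a replayed code. The RFC 6238 test secret is used for the demonstration.

```python
"""HOTP/TOTP (RFC 4226 / RFC 6238) as computed by authenticator apps. Added example."""
import base64
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the last `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, at // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, period: int = 30, digits: int = 6,
                look_around: int = 1, algorithm: str = "sha1"):
    """Accept the code for the current step or up to `look_around` steps either
    side (phone clock drift), comparing in constant time. Returns the matching
    step so the caller can refuse to accept the same step twice, or None."""
    current = at // period
    for delta in range(-look_around, look_around + 1):
        step = current + delta
        if hmac.compare_digest(hotp(secret, step, digits, algorithm), code):
            return step
    return None


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the secret as Base32 (the form inside the barcode)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def otpauth_uri(secret: bytes, issuer: str, account: str, period: int = 30,
                digits: int = 6, algorithm: str = "sha1") -> str:
    """The URI a TOTP barcode encodes. The secret travels in clear here, so the
    enrolment page must be served over TLS and only to the right user."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm={algorithm.upper()}&digits={digits}&period={period}")


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); at unix time 59 the
    # 6-digit code is 287082.
    demo_secret = b"12345678901234567890"
    print(otpauth_uri(demo_secret, "Keycloak", "mohammad"))
    print("code now:", totp(demo_secret, int(time.time())))
```

The look-around window is the trade-off to keep in mind when a user reports that codes "never work": widening it helps drifting phones but also widens the replay window, and returning the matched step lets the verifier remember it and reject a second submission of the same code.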

22. Open Horizon client

For the first scenario (password only), enter the username and password that you created in step 16.

For the second scenario (password + OTP), enter the username, password, and OTP code that you created in steps 16 and 18.

23. If you need Active Directory users, go to the Configure section and click User Federation.

24. Click Add new provider.

25. Enter a UI display name and Connection URL: ldap://dc1.khoshraftar.com

Enter the Bind DN (the Active Directory account that Keycloak uses to connect to the domain controller).

Enter the password in the Bind credential and other parameters.

26. Click on the Save button.

27. Import your users from the Users section and configure them like a local user, as in step 16.

Finish 🙂

Step By Step, Install VMware Horizon 8 – Part 9

Hi. Today I decided to install UAG (Unified Access Gateway) to publish my Horizon environment on the internet.

1- Download the Latest UAG OVF version from vmware.com.

2- Deploy your OVF in your vCenter server.

3- Enter the UAG virtual machine name

4- Select a compute resource

5- Review details and click Next

6- Choose your deployment configuration; I chose a single NIC for my lab environment.

7- Select storage

8- Select your network

9- Customize the template

  • NIC 1 IPV4 address
  • DNS server address
  • DNS search Domain
  • NIC 1 IPV4 netmask
  • IPV4 Default Gateway
  • Unified Gateway Appliance Name
  • Password for the root user of this VM
  • Password for the admin user, which enables
  • Enable SSH
  • Allow SSH root login using a password

10- Finish Deployment

11- Open the UAG Page address

https://<your-IP-address>:9443/admin

12- General Settings –> Horizon Settings

Enter these parameters:

  • Enable Horizon
  • Connection server URL
  • Connection server URL Thumbprint
  • Enable PCoIP
  • PCoIP External URL (UAG IP Address)
  • Enable Blast
  • Blast External URL (UAG URL)
  • Enable Tunnel
  • Tunnel External URL (UAG URL)
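
The Connection Server URL Thumbprint field is what lets UAG pin the Connection Server's certificate when that certificate is self-signed or issued by a CA the appliance does not trust; without a matching thumbprint UAG refuses the back-end connection, and the value should be read from the real server over a trusted network path rather than copied from an untrusted source. The Python code below is an added example, not from the original post and not VMware's code. It fetches the leaf certificate from a host and port you supply (placeholder values), prints the thumbprint as alg=AA:BB:... (the sha1= prefix and colon separators are an assumption about the format the field accepts; confirm against the UAG documentation for your version), and offers a matching function that accepts the same thumbprint written with spaces or in lowercase.

```python
"""Fetch a Connection Server's leaf certificate and compute the thumbprint UAG pins.
Added example, standard library only."""
import hashlib
import hmac
import socket
import ssl


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Hash the DER-encoded certificate and format it as alg=AA:BB:CC..."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return f"{algorithm}=" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_matches(expected: str, der: bytes) -> bool:
    """Compare a thumbprint string (with or without the alg= prefix, with colons or
    spaces, any case) against a certificate, in constant time."""
    alg, _, hexpart = expected.strip().partition("=")
    if not hexpart:                       # bare hex string: assume SHA-1
        alg, hexpart = "sha1", alg
    normalized = hexpart.upper().replace(":", "").replace(" ", "")
    actual = hashlib.new(alg.strip().lower(), der).hexdigest().upper()
    return hmac.compare_digest(normalized, actual)


def fetch_leaf_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the server's leaf certificate in DER form. Verification is disabled
    on purpose: the certificate is self-signed, so there is nothing to verify it
    against yet. Run this from a trusted network path and pin the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Placeholder host: replace with your Connection Server FQDN.
    der = fetch_leaf_certificate("connection-server.example.com", 443)
    print(thumbprint(der, "sha1"))
    print(thumbprint(der, "sha256"))
```

Re-run this after every certificate renewal on the Connection Server: a renewed certificate has a new thumbprint, and UAG will stop brokering sessions until the field is updated.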

13- Submit

14- Log in to the UAG address

15- I got an error

16- If you cannot log in to your panel through the UAG address, you must add this file to this address:

Locked.properties

17- Go to the Connection Server –> Settings –> Servers –> Connection Servers –> Edit

18-

Select HTTP Secure Tunnel and enter the External URL (Connection Server URL)

Select PCoIP Secure Gateway and enter the PCoIP External URL (Connection Server IP)

Select Use Blast Secure Gateway for only HTML Access connections to machine and enter the Blast External URL (Connection Server URL)

Finish 🙂

Step By Step, Install VMware Horizon 8 – Part 8

Hi. Today I decided to publish applications hosted on RDSH servers.

The published applications feature supports a wealth of remote-experience features, which include client-drive redirection, access to locally connected USB devices, file-type association, Windows media redirection, content redirection, printer redirection, location-based printing, 3D rendering, smartcard authentication, and more.

After applications are published, end users launch Horizon Client, or the HTML Access web client, to access a catalog of published applications. Selecting an application from the catalog opens a window for that application on the local client device, and the application looks and behaves as if it were locally installed.

1- In the Horizon Console, navigate to Inventory > Applications, click the Add button, and select Add from Installed Applications.

2- For the Application Pool Type, leave the default, which is RDS Farm.
The server farm I created in the previous post should be displayed in the drop-down list.

3- Complete the Select Applications page, as follows, before clicking Next.

Note: Select the Entitle Users After Adding Pool check box.

4- Next

5- Submit

6- In the Add Entitlements dialog box, click Add.

7- Use the Find User or Group dialog box to search for users.

8- From the list of users and groups returned, select the users or groups to entitle, and click OK.

9- In the Add Entitlements dialog box, verify that the desired users or groups now appear in the list, and click OK.

10- Launching Remote Desktops and Applications from Client Devices

You can use the HTML Access web client by entering the URL of your Connection Server, using the following format:

https://<FQDN or IP address>

You can see your applications.

Finish 🙂

Step By Step, Install VMware Horizon 8 – Part 7

Hi. Today I want to configure RDSH-published desktops and applications.

1- In the Horizon Console, navigate to Inventory > Farms, and click the Add button.

2- In the Add Farm wizard that opens, with Type selected in the left pane, select Automated Farm, and click Next.

3- On the vCenter Server page, select Instant Clone, and click Next.

4- On the Storage Optimization page, click Next.

5- On the Identification and Settings page, complete the settings, as follows, before clicking Next:

6- On the Load Balancing and Settings page, click Next.

7- On the Provisioning Settings page, complete the settings, as follows, before clicking Next:

  • Naming Pattern – I use RDS-0. This naming pattern helps you identify RDSH server instant clones in Horizon Console.
  • Farm Sizing – Set Maximum Machines to 3, and set Minimum Number of Ready (Provisioned) Machines to 1.

8- On the vCenter Settings page, complete the Default Image settings, as follows:

1- For the Parent VM in vCenter setting, click Browse to select the golden RDSH server VM you created according to the instructions for creating a Windows image for a VMware Horizon virtual desktop, and click Submit.

2- For the Snapshot setting, click Browse to select the snapshot you created as part of the prerequisites for this exercise, and click Submit.

9- In the Virtual Machine Location section, click Browse to select a VM folder if you created one.

10- In the Resource Settings section, click Browse to select the appropriate vCenter resource for each setting.

Note: For the Network setting, leave the default, which means the Use network from current parent VM image check box is selected.

11- With the vCenter Settings page completed, click Next.

12- Complete the Guest Customization page, as follows:

  1. Verify that the correct domain and domain admin account are selected.
  2. For AD container, click Browse and select the OU that you created.
  3. Leave the other default settings, and click Next.

13- On the Ready to Complete page, click Submit.

You are returned to the Inventory > Farms page.

Finish 🙂

Step By Step, Install VMware Horizon 8 – Part 6

Hi. Today I want to configure an Instant-Clone Desktop Pool.

Deploy an Instant-Clone Desktop Pool

1- In the Horizon Console, navigate to Inventory > Desktops, and click the Add button.

2- In the Add Pool wizard that opens, with Type selected in the left pane, select Automated Desktop Pool, and click Next.

3- On the vCenter Server page, select Instant Clone, and click Next.

4- On the User Assignment page, select Dedicated and click Next.
Instant-clone pools can use either Dedicated or Floating user assignments.

  • Dedicated assignment – Each desktop is assigned to a specific user. A user logging in for the first time gets a desktop that is not assigned to another user. The user always gets this same desktop after logging in, and this desktop is not available to any other user.
  • Floating assignment – Users get a random desktop every time they log in. When a user logs out, the desktop is deleted. With automatic deletion, you keep only as many VMs as you need at one time.

5- On the Storage Optimization page, select Use separate datastores for replica and OS disks, and click Next.

6- On the Desktop Pool ID page, complete the settings, as follows, before clicking Next:

7- On the Provisioning Settings page, complete the settings, as follows, before clicking Next:

  1. Naming Pattern – I use DP-0.
  2. Provision Machines – Select All Machines Up-Front.
  3. Desktop Pool Sizing – Set Maximum Machines to 3, and set Spare (Powered On) Machines to 1.
  4. Use the defaults for the other settings.

8- On the vCenter Settings page, complete the Default Image settings, as follows:

  a. For the Parent VM in vCenter setting, click Browse to select the golden Windows 10 VM you created.
  b. For the Snapshot setting, click Browse to select the snapshot you created as part of the prerequisites, and click Submit.

9- In the Virtual Machine Location section, click Browse to select a VM folder if you created one as described in the prerequisites for this exercise.

10- In the Resource Settings section, click Browse to select the appropriate vCenter resource for each setting.
As with the other settings on this page, to complete each setting, you will select from the resources that are already set up in your vCenter Server and that are specific to your environment.
Important: For the Network setting, leave the default, which means the Use network from current parent VM image check box is selected.

11- With the vCenter Settings page completed, click Next.

12- On the Desktop Pool Settings page, leave the defaults and click Next.

13- On the Remote Display Settings page, select the Allow Session Collaboration check box, and click Next.

14- Complete the Guest Customization page, as follows:

15- On the Ready to Complete page, click Submit.
You are returned to the Inventory > Desktops page, called Desktop Pools.

Finish 🙂

Step By Step, Install VMware Horizon 8 – Part 5

Hi. Today I want to configure these topics:

1- Create the Domain Admin User

2- Create OUs for Instant-Clone Desktops and RDSH Servers and Delegate Control

3- Add an Instant-Clone Domain Administrator

4- Add Domain Bind

Create the Domain Admin User

Note: This step is optional.

1- On the Active Directory Domain Controller machine, log in as an administrator, and go to the Start button > Administrative Tools > Active Directory Users and Computers.

2- Add a user: Expand the domain, right-click Users, select New, and select User.

3- Complete the New Object – User dialog box that appears.

Note: the username I created is Horizon-domain-user. You can choose your own username.

Create OUs for Instant-Clone Desktops and RDSH Servers and Delegate Control

1- On the Active Directory Domain Controller machine, log in as an administrator, and go to the Start button > Administrative Tools > Active Directory Users and Computers.

2- Right-click the domain name, select New, and select Organizational Unit.

3- In the New Object – Organizational Unit dialog box, enter a name, such as Instant Clones, and click OK.
This OU is the Active Directory container in which the instant-clone computer accounts will be created. After you complete the text box, you can find the OU under the domain.

4- Right-click the OU you just created (which is the container) and select Delegate Control.
The Delegation of Control wizard appears.

5- Click Next on the Welcome page and Add on the Users or Groups page.

6- Enter the name of the domain user you just created; click Check Names, to verify that the name can be found in Active Directory, and click OK.

7- When you are returned to the Users or Groups page, click Next.

8- On the Tasks to Delegate page, select Create a custom task to delegate, and click Next.

9- On the Active Directory Object Type page, select the following checkboxes before clicking Next:

  • Computer objects
  • Create selected objects in this folder
  • Delete selected objects in this folder

10- On the Permissions page, select the following checkboxes in the Permissions section before clicking Next:

  • Create All Child Objects
  • Delete All Child Objects
  • Read All Properties
  • Write All Properties
  • Reset password

11- On the last page of the wizard, click Finish. The user account now has the following complete list of required permissions, including permissions that are assigned by default:

  • List Contents
  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Reset password
  • Create Computer Objects
  • Delete Computer Objects

How to add an Instant-Clone Domain Administrator?

You use the Horizon Console to specify the user account for joining instant-clone VMs to the Active Directory domain.

In my case, I have two domains:

1- Management domain: khoshraftar.com

2- Client domain: abc.local

For this purpose, I used an account that we created in this post.

1- In the Horizon Console, navigate to Settings > Instant Clone Domain Accounts, and click the Add button.

2- On the Add Domain Admin page that appears, select the domain from the list, and enter the username and password for the user you created. I used the administrator user account.

Click OK.

How to add a Domain Bind?

Before that, the first step is to define each domain as a conditional forwarder on each DNS server.

1- Open the DNS console for khoshraftar.com and add a conditional forwarder:

2- Open the DNS console for abc.local and add a conditional forwarder:

Check with PowerShell commands:

1- In the Horizon Console, navigate to Settings > Domains > Domain Bind, and click the Add button.

2- Enter the data for the abc.local domain

Finish 🙂

Step By Step, Install VMware Horizon 8 – Part 4

Hi, today I created an Event database to log Horizon events to a SQL Server instance, making the event data available to analytics software. For example, you can find the following types of events in the database:

  • Alerts that report system failures and errors
  • End-user actions, such as logging in and starting desktop and application sessions
  • Administrator actions, such as adding entitlements and creating desktop and application pools
  • Statistical sampling, such as recording the maximum number of users over a 24-hour period.

Prerequisites for Setting Up the Events Database

  • SQL Server instance – This is the database server on which you will create the Events database.
  • Microsoft SQL Server Management Studio
  • Microsoft SQL Server Configuration Manager
  • SA credentials – To create the necessary logins for the database, you will log in to the SQL Server instance as the sysadmin (SA) or as a user account with SA privileges.

How to install and configure the Events Database?

1- Click SQL Server Installation and then click New SQL Server installation

2- Select Specify a free edition or enter your product key

3- Accept the license terms

4-

5- Select Default and click Next

6- Leave the default Server Configuration and click Next

7- Select Mixed Mode, enter a password for the sa account, and add the domain administrator account as a SQL Server administrator

8- Click Install

9- Finish

10- Install Microsoft SQL Server Management Studio

11- In the Object Explorer, right-click Databases, and select New Database from the submenu. Name the database and click OK.

12- My database name is Horizon

Finish 🙂

Step By Step, Install VMware Horizon 8 – Part 3

Hi. Today I want to install a Replica Connection Server.

How to install Horizon Replica server?

1- Create two VMs, install Windows Server on both, and join them to your domain.

Guest OS – Microsoft Windows Server 2019
CPU – 4
Memory – 4 GB
New Hard Disk – 40 GB
New SCSI Controller – LSI Logic SAS
Network Adapter Type – VMXNET3

2- Download the Connection Server installer from this link and copy it to the Connection Server VM.

3- Welcome page, Next

4- License Agreement, Next

5- Destination Folder

6- Installation Options

Standard installation – Generates a Connection Server instance with a new Horizon LDAP configuration.

Replica installation – Generates a Connection Server instance with a Horizon LDAP configuration that is copied from an existing instance.

Enrollment Server installation – Installs an enrollment server that is required for the True SSO (single sign-on) feature, so that after users log in to VMware Workspace ONE Access, they can connect to a remote desktop or application without having to provide Active Directory credentials. The enrollment server requests the short-lived certificates that are used for authentication.

I select Horizon Replica Server, Next.

7- On the Data Recovery page, enter the password you want to use for recovering data backups of the Connection Server.

8- Enter the hostname of the first Horizon Connection Server

9- On the Firewall Configuration page, accept the default, which is Configure Windows Firewall automatically.

10- On the Initial Horizon Administrators page, for this exercise and for simplicity, I recommend authorizing an Active Directory domain group.

11- On the User Experience Improvement Program page, you can deselect the Join the VMware Customer Experience Improvement Program option to opt out of the program.

12- On the Ready to Install page, leave the default for the drop-down list, which is General, to indicate that you are deploying the Connection Server in an on-premises environment, and click Install.

13- On the Installer Completed page, click Finish.

14- You can launch the Horizon Console:

https://<connection-server-hostname>/admin/

Finish 🙂

Step By Step, Install VMware Horizon 8 – Part 2

Hi. Today I want to configure the following things on the Connection Server:

If you don’t see part 1, please click here.

  • Add license
  • Add vCenter

How to add a license to the Connection Server?

1- Log in to the Connection Server

https://<connection-server-hostname>/admin/

2- My domain name is khoshraftar.com. Enter your domain administrator user.

3- Click on VMware Horizon HTML Access

4- Go to Settings –> Product Licensing and Usage –> Edit License

Enter the serial number of the product license key and click OK.

Add a vCenter Server Instance

1- In the Horizon Console, navigate to Settings > Servers, which takes you to the vCenter Servers tab, and click the Add button.

2- On the Add vCenter Server page, complete the following text boxes before clicking Next:

  • Server address – Enter the fully qualified domain name (FQDN) of the vCenter Server instance.
  • User Name and Password – Use the format name@domain.com for the name of the vCenter Server user account.
  • You can leave the default settings for the other text boxes.

Finish 🙂

Step By Step, Install VMware Horizon 8 – Part 1

Hi. Today in this post, I decided to explain how to install VMware Horizon 8 in high availability mode.

You can find more detailed information about What’s New in this link.

You can find more detailed information about Horizon Administration in this link.

What is my plan:

What are our prerequisites:

1- Active Directory domain controller – The authentication infrastructure for your setup must include Active Directory, DNS, and DHCP. The Connection Server joins to Active Directory and sets up a lightweight directory service instance for the storage of Horizon configuration information.

2- SQL database Server – This is the database server on which you will create the Events database, which records actions that occur on the Horizon servers. For the example in this post, I used Microsoft SQL Server 2019.

3- VMware vSphere and vCenter Server – You must have a VMware vSphere infrastructure that contains at least one VMware ESXi host and one VMware vCenter Server instance.

4- TLS/SSL certificate – (Optional) By default, Horizon servers include a self-signed certificate that can be used for testing purposes.

5- Network and Storage

What is a Connection Server?

Connection Server acts as a broker for client connections by authenticating and then directing incoming remote desktop user requests to the appropriate virtual desktop, physical desktop, or terminal server. You must run Connection Server on a 32-bit or 64-bit dedicated physical or virtual server.

How to Install Horizon

1- Create two VMs, install Windows Server on both, and join them to your domain.

Guest OS – Microsoft Windows Server 2019
CPU – 4
Memory – 4 GB
New Hard Disk – 40 GB
New SCSI Controller – LSI Logic SAS
Network Adapter Type – VMXNET3

2- Download the Connection Server installer from this link and copy it to the Connection Server VM.

3- Welcome page, Next

4- License Agreement, Next

5- Destination Folder

6- Installation Options

Standard installation – Generates a Connection Server instance with a new Horizon LDAP configuration.

Replica installation – Generates a Connection Server instance with a Horizon LDAP configuration that is copied from an existing instance.

Enrollment Server installation – Installs an enrollment server that is required for the True SSO (single sign-on) feature, so that after users log in to VMware Workspace ONE Access, they can connect to a remote desktop or application without having to provide Active Directory credentials. The enrollment server requests the short-lived certificates that are used for authentication.

I select Horizon Standard Server, Next.

7- On the Data Recovery page, enter the password you want to use for recovering data backups of the Connection Server.

8- On the Firewall Configuration page, accept the default, which is Configure Windows Firewall automatically.

9- On the Initial Horizon Administrators page, for this exercise and for simplicity, I recommend authorizing an Active Directory domain group.

10- On the User Experience Improvement Program page, you can deselect the Join the VMware Customer Experience Improvement Program option to opt out of the program.

11- On the Ready to Install page, leave the default for the drop-down list, which is General, to indicate that you are deploying the Connection Server in an on-premises environment, and click Install.

12- On the Installer Completed page, click Finish.

13- You can launch the Horizon Console

https://<connection-server-hostname>/admin/

Finish 🙂