
VMware Horizon View

This technical integration guide describes how to integrate VMware Horizon View with Identity as a Service. Although this document specifically covers the VMware View KVM appliance (v), the information provided applies to all VMware View Series appliances using the Device Manager software. The aim of this integration is to provide strong, second-factor authentication for your VMware View Series appliance solution using Identity as a Service.

The VMware Horizon View software supports the Identity as a Service authentication methods and authentication protocols listed in the table below. The available capabilities may depend on the Identity as a Service configuration or on the setup of other third-party authentication resources (Active Directory, for example).

Supported authentication methods

| Authentication method | Notes | Supported protocols |
|---|---|---|
| Password | Password authentication is first-factor authentication with the Identity as a Service password feature. | PAP, CHAP |
| RADIUS | RADIUS authentication is first-factor authentication with a RADIUS server. | PAP, CHAP |
| External | External authentication is first-factor authentication with an LDAP-compliant directory or a Windows domain controller through Kerberos. | PAP, CHAP |
| Grid | Two-step authentication only. | PAP, CHAP |
| Token | Identity as a Service supports response-only tokens. One-step and two-step authentication (including push). | PAP, CHAP |
| Temporary Access Code | Grid or token authentication must be configured. | PAP, CHAP |
| One-time password | Two-step authentication only. | PAP, CHAP |
| Knowledge-based questions and answers | The RADIUS proxy only supports a single question and answer. Two-step authentication only. | PAP, CHAP |
| Mobile ST | Mobile Soft Token Push authentication (supports response-only tokens for second-factor authentication). Classic token authentication for fallback. | PAP, CHAP |
note

VMware Horizon View supports PAP and CHAP only.

Prerequisites

Complete the following steps before integrating your authentication system with Identity as a Service:

  • Install and configure your first-factor authentication resource using the documentation provided by the vendor. The first-factor authentication resource can be a RADIUS server or an external authentication resource (a Local DB, LDAP-compliant directory or Windows domain controller through Kerberos).
  • Install and configure the RADIUS appliance using the documentation provided by the vendor. The device must be able to route traffic before integrating with Identity as a Service.
  • Install and configure Identity as a Service and an Identity as a Service Gateway (containing a RADIUS proxy agent). Take note of the shared secrets, IP addresses, and ports you use. You need this information to configure the RADIUS appliance and first-factor authentication resource.
  • If you want to configure your RADIUS appliance and first-factor authentication resource to recognize Identity as a Service user groups, you must define the Identity as a Service user groups first.

Integrate VMware Horizon View

Complete the following to integrate VMware Horizon View with IDaaS.

Step 1: Configure IDaaS on VMware Horizon View as an AAA client

This procedure assumes that you have already configured vCenter Server and a VDI resource pool in the VMware Horizon View server.

Configure Identity as a Service on VMware Horizon View as an AAA client:

  1. Open a browser and enter https://localhost/admin, or go to Start > VMware > Horizon8 Administrator Console and open the VMware Horizon View Administrator Console.
note

To open the VMware Horizon View admin console from another computer, you must enter https://<IP address>/admin (for example, https://10.10.10.20/admin), where the IP address is the Windows Server 2012 static IP address.

  2. When the VMware login page appears, sign in:
    • In the User Name field, enter administrator.
    • In the Password field, enter the Active Directory Server administrator password.
    • Select the required Domain from the drop-down list, for example, IDaaSUSER.
    • Click Log In. The VMware View Administrator Dashboard page appears.
  3. In the dashboard, expand View Configuration > Servers, then select the Connection Servers tab.
  4. Select the Connection Server from the list and click Edit to open the Edit Connection Server Settings page.
  5. Open the Authentication tab and, from the Advanced Authentication 2-factor authentication drop-down list, select RADIUS.

Configure the authentication options:

  • Select the Enforce 2-Factor and Windows user name matching check box to require the Entrust username value to match your Active Directory username (including any Realm prefix and suffix). Clear the check box to allow different usernames.
  • Select Use the same user name and password for RADIUS and Windows authentication if the Entrust password must match the Windows/AD password and the Entrust first-factor authentication method is set to External. If disabled, the user is prompted separately for the Entrust password and multi-factor authentication, and then for the Windows/AD password.
note

For one-step authentication, Use the same user name and password for RADIUS and Windows authentication must be disabled. If enabled, the user receives an “Unknown user name or bad password” error and is prompted for the Active Directory password. When disabled, the user is prompted for the Active Directory password after Entrust multi-factor authentication.

Create the RADIUS authenticator:

  1. From the Authenticator drop-down list, select Create New Authenticator.
  2. On the Client Customization page:
    • In the Authenticator Name field, enter a name that indicates the configuration is for Identity as a Service (for example, EntrustIDaaS).
    • Optional: In the Description field, add details about the RADIUS server.
    • In the Username Label field, enter the label that displays during log in.
    • In the Passcode Label field, enter the label that displays during log in.
  3. On the Add RADIUS Authenticator - Primary Authentication Server page, enter:
    • Hostname/Address: the hostname or IP address of your Identity as a Service gateway.
    • Authentication Port: 1812.
    • Accounting Port: leave blank.
    • Authentication type: select PAP or CHAP.
    • Shared secret: the RADIUS shared secret value you share with Identity as a Service.
    • Server timeout: a value greater than the IDaaS VPN timeout value if you are using TVS Authentication.
    • Max attempts: 10. Leave other settings at their default values.
  4. Optional: On the Add RADIUS Authenticator – Secondary Authentication Server page, enable Use a secondary server if primary is unavailable and provide the Hostname/Address, Authentication port, Authentication type, Shared secret, Server timeout, and Max attempts.
  5. Click Finish, then OK to close the Edit Connection Server Settings. You have finished adding and configuring the RADIUS server settings in VMware View.

Step 2: Add VMware Horizon View to Identity as a Service

note

Entrust recommends that, when multiple RADIUS applications are configured, each RADIUS application is given a unique shared secret.

Integrate a RADIUS client:

  1. Click > Security > Applications. The Applications page appears.
  2. Click Add to open the Select an Application Template page.
  3. Do one of the following:
    • Select RADIUS and VPN Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.
    • In the Search bar, enter a search option to filter for the application you want to add to IDaaS.
  4. Click VMware. The Add VMware page appears.
  5. Optional: Edit the Application Name and enter a Description.
  6. Optional: Add a custom application logo:
    • Click next to Application Logo.
    • Click to upload an image file, select it, and click Open.
    • Resize if required, then click OK.
  7. Click Next to open the Setup page.
  8. Click Add next to Hosts to add the host name of the VPN server. Enter the host name in the Host dialog box and click OK. Repeat to add more host names.
  9. In the Port field, enter the port on which the RADIUS agent accepts messages.

Tip: Do not enter 8443 as the port number for this application. Port 8443 is used by the Entrust Identity Enterprise agent in your Gateway.

Attention: The RADIUS agent uses the host name that sent a request and the port number on which it received the request to determine which RADIUS application made the request. Because of that:

  • Two RADIUS applications with the same port value cannot share any host names.
  • Two RADIUS applications that have one or more matching host names must have different port values.
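The host/port rule above is easy to violate when several RADIUS applications are added over time. The following added example (not Entrust code) models the agent's lookup of (source host, port) to an application and checks the two constraints, plus the reserved Gateway port 8443 from the tip. Application names and host names are constructed sample values.

```python
"""Check IDaaS RADIUS application host/port uniqueness and resolve requests.

Added example, not Entrust code. It models the rule that the RADIUS agent
identifies an application by the requesting host name and the receiving port.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

RESERVED_PORTS = {8443}  # used by the Entrust Identity Enterprise agent in the Gateway


@dataclass
class RadiusApp:
    name: str
    port: int
    hosts: Set[str] = field(default_factory=set)


def validate_apps(apps: List[RadiusApp]) -> List[str]:
    """Return a list of configuration problems; an empty list means the set is valid."""
    problems = []
    for app in apps:
        if app.port in RESERVED_PORTS:
            problems.append(f"{app.name}: port {app.port} is reserved by the Gateway")
    # Two applications on the same port must not share any host name
    # (equivalently, applications sharing a host must use different ports).
    for i, a in enumerate(apps):
        for b in apps[i + 1:]:
            shared = a.hosts & b.hosts
            if a.port == b.port and shared:
                problems.append(
                    f"{a.name} and {b.name} both listen on {a.port} and share hosts {sorted(shared)}"
                )
    return problems


def resolve_app(apps: List[RadiusApp], src_host: str, port: int) -> Optional[str]:
    """Pick the application for a request from src_host that arrived on port."""
    for app in apps:
        if port == app.port and src_host in app.hosts:
            return app.name
    return None


# Constructed sample configuration: two Horizon connection servers and two VPN apps.
APPS = [
    RadiusApp("VMware Horizon", 1812, {"horizon-cs1.example.test", "horizon-cs2.example.test"}),
    # Same host as Horizon but a different port: allowed.
    RadiusApp("Corporate VPN", 1813, {"vpn.example.test", "horizon-cs1.example.test"}),
    # Same port and a shared host with Horizon: ambiguous, so flagged.
    RadiusApp("Lab VPN", 1812, {"horizon-cs2.example.test"}),
]

if __name__ == "__main__":
    for problem in validate_apps(APPS):
        print("problem:", problem)
    print(resolve_app(APPS, "horizon-cs1.example.test", 1813))
```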

  10. In the Shared Secret field, enter the shared secret that is used by your VPN server. This is the RADIUS secret shared between your VPN server and the RADIUS server. The shared secret value must match a shared secret in your RADIUS client.
  11. From the Select RADIUS Agent drop-down list, select the name of the Gateway containing the RADIUS agent to which this application will be assigned.
  12. Optional: From the Select RADIUS Attribute for IP Address drop-down list, select the RADIUS attribute that corresponds to your IP location.
  13. Set the following fields:
    • Challenge Response Queue Max Time: number of seconds that the RADIUS agent waits for a response to first-factor authentication (default 180 seconds).
    • Challenge Response Queue Max Size: maximum number of second-factor challenge requests allowed in the queue (default 1000; maximum 10,000).
    • Request Cache Timeout: number of seconds to cache requests (default 10 seconds).
    • Character Set: select the character set used to decode and encode string values in RADIUS messages (options include ISO-8859-1).
  14. Optional: Select Log RADIUS messages to enable RADIUS message logging.
  15. Optional: Configure Authentication Settings:
    • Enable Push Authentication Fallback and set the Push Authentication Fallback Timeout if needed.
    • Select When authenticating the user will be asked to select their second-factor authenticator to prompt users to select their second-factor authenticator; the available options depend on the resource rule.
  16. Supported strings matched to authentication types:
    • Grid: grid
    • Knowledge-based Authentication: kba
    • One-time password: email, sms, voice
    • Smart Credential Push: scpush
    • Temporary Access Code: tac
    • Token: token
    • Token push: push
  17. Additional options:
    • Select Indicate if requests must include the message-authenticator attribute for incoming messages to require the Message-Authenticator attribute in incoming messages.
    • Select Indicate if requests must include the message-authenticator attribute for outgoing messages to include the Message-Authenticator attribute in outgoing messages.
    • Select Remove domain from user ID for incoming requests to remove the domain value from the user ID during authentication when the user ID provided by the RADIUS client is in the format domain\username and the user ID in IDaaS is in the format username.
    • Select Indicate if Active Directory password authentication requests are handled by the same Gateway Instance that initiated the request to require Active Directory password authentication and change requests to be handled by a Gateway Instance in the same Gateway cluster that initiated them. If disabled, the request is handled by any Gateway Instance.
    • Select Enable one-step multi-factor authentication to allow the user to enter user ID, password, and token response in the password field. When enabled, the second-factor authenticators available in the resource rule are limited to token and temporary access code.
    • Enter the One-step multi-factor authentication security token length for the token or temporary access code response when one-step multi-factor authentication is enabled.
  18. Optional: Add Response Attributes to return information (such as user group information) to the VPN server after successful authentication. When adding response attributes, you can optionally add group filters.

Users in IDaaS may belong to one of the following groups: CANADA, US, UK, FRANCE. The VPN server may want the FilterID attribute returned from the IDaaS RADIUS agent to be the value NA or EUROPE, depending on whether the user is in NA (Canada, US) or Europe (UK, France). To do this, use a RADIUS attribute filter for the FilterID attribute with a Groups value and the following filters:

  • match CANADA, replace NA
  • match US, replace NA
  • match UK, replace EUROPE
  • match FRANCE, replace EUROPE

Set the Response Attributes as follows:

  • Click Add to open the Add a Response Attribute dialog box.
  • Select the RADIUS Attribute ID from the drop-down list. The option you select depends on your VPN vendor.
  • Select the Value Type from the drop-down list.
  • To return a static value specified in the RADIUS attribute definition, select Static, enter a Value, and click Add.
  • To return the user’s group membership, select Group and optionally:
    1. Click Add to add filters.
    2. Enter the Match and the Replace attribute filters.
    3. Click Add to add more attribute filters.
    4. If you add multiple filters, drag and drop them in order of preference.
    5. Select Stop after matching filter if you only want one filter to return one value. Using the example above, list Canada and US first if you want NA to have preference over Europe.
    6. For Multiple Values Per Attribute, enter the Value Separator and click Add.
note

If a user belongs to more than one group, you can either add a separate attribute to your RADIUS response for each group or combine all of the groups into a single attribute. For example, if the user belongs to G1, G2, and G3, you would either:

  • return a RADIUS response with three attributes, or
  • return a RADIUS response with one attribute and a value like “G1,G2,G3”, where the comma is defined in the Value Separator setting, or a value like “G1 G2 G3”, where the Value Separator is defined as a space.

Attention: The default group separator is a space. If you have group names that are separated by a space, use another separator, such as a comma.

Repeat these steps to add more response attributes.
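The following added example (not Entrust code) works through the response-attribute behaviour described above: ordered Match/Replace filters, the Stop after matching filter option, and the Value Separator used to combine several groups into one attribute. It uses the guide's CANADA/US/UK/FRANCE example; the attribute name FilterID is taken from the page, and dropping duplicate replacement values is an assumption.

```python
"""Model of IDaaS RADIUS response-attribute group filters.

Added example, not Entrust code: ordered match/replace filters, the
'Stop after matching filter' option and the Value Separator setting.
"""
from typing import List, Optional, Tuple

# Filters in order of preference. The NA matches are listed first so that
# NA wins when 'Stop after matching filter' is set and a user is in both regions.
FILTERS: List[Tuple[str, str]] = [
    ("CANADA", "NA"),
    ("US", "NA"),
    ("UK", "EUROPE"),
    ("FRANCE", "EUROPE"),
]


def filter_groups(groups: List[str], filters: List[Tuple[str, str]],
                  stop_after_match: bool) -> List[str]:
    """Apply ordered match/replace filters to a user's group list.

    Each filter whose Match value is one of the user's groups contributes its
    Replace value. With stop_after_match only the first match is returned.
    Duplicate values are dropped (assumption, to avoid NA appearing twice).
    """
    values: List[str] = []
    for match, replace in filters:
        if match in groups:
            if replace not in values:
                values.append(replace)
            if stop_after_match:
                break
    return values


def build_response(attr: str, values: List[str],
                   separator: Optional[str] = None) -> List[Tuple[str, str]]:
    """Encode the filtered values as RADIUS (attribute, value) pairs.

    Without a separator, one attribute is returned per value. With a
    separator (Multiple Values Per Attribute), a single joined attribute is
    returned; use a comma rather than the default space if group names contain spaces.
    """
    if not values:
        return []
    if separator is None:
        return [(attr, v) for v in values]
    return [(attr, separator.join(values))]


if __name__ == "__main__":
    user_groups = ["UK", "CANADA"]  # constructed sample user
    print(build_response("FilterID", filter_groups(user_groups, FILTERS, True)))
    print(build_response("FilterID", filter_groups(user_groups, FILTERS, False), ","))
```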

  19. Optional: Configure the EAP Settings to set up the application to use the EAP RADIUS authentication protocol:
    • Select EAP Enabled to allow the RADIUS application to accept EAP messages.
    • When enabled, authentication messages with EAP content are treated as EAP requests. The application can accept only EAP authentication requests.
    • When disabled, incoming authentication requests are processed as standard RADIUS authentication requests (even if the request includes EAP content). In this case, the application can accept only standard RADIUS authentication requests.
    • Select the EAP Protocol from the drop-down list (options include PEAPv1 with GTC).
    • Select Return MPPE Keys to include the MPPE Recv and MPPE Send keys in the Access-Accept message returned during a successful EAP authentication (enabled by default).
    • Select Use PEAPv1 label when calculating MPPE Keys to use the PEAPv1 label when calculating the MPPE Recv and MPPE Send keys.
    • Leave Minimum TLS Version, Maximum TLS Version, and Allow Weak Ciphers at the default settings unless you need compatibility with older VPN servers.
  20. Configure the Deprecated Settings if your RADIUS application is connected to a Gateway version older than 3.0. These values are required only for backwards compatibility. Select No first-factor as the Authentication Type for a RADIUS application that relies on a gateway RADIUS agent configured before release 3.1.
note

MSCHAPv2 authentication is not supported when No first-factor authentication is configured for the RADIUS application.

  21. Click Submit.

Step 3: Add a resource rule

See Create resource rules.

Step 4: Test the integration using the following procedures

Test VMware Horizon View for one-step authentication

  1. Launch the VMware Horizon View Client and initiate a connection to the VMware Horizon Server.
  2. In the Username field, enter the Identity as a Service username.
  3. In the Passcode field, enter the Identity as a Service Password/TOKEN/Temporary Access Code.
  4. Respond to the second-factor challenge and then click Login. You are prompted to enter the Active Directory password.
  5. Enter the Active Directory password and then click Login. You are successfully logged in and now have access to the resources.
note

Make sure you have already unchecked Use the same username and password for RADIUS and Windows authentication.

Test VMware Horizon View for two-step authentication

  1. Launch the VMware Horizon View Client and initiate a connection to the VMware Horizon Server.
  2. In the Username field, enter the Identity as a Service username.
  3. In the Passcode field, enter the Identity as a Service Password.
  4. Respond to the second-factor challenge and then click Login.
  5. Provide the second-factor authentication response (based on the configured second-factor authentication in Identity as a Service) and click Login.

Test VMware Horizon View HTML access for one-step authentication

  1. Access VMware Horizon View in a web browser.
  2. In the Username field, enter the Identity as a Service username.
  3. In the Passcode field, enter the Identity as a Service Password/TOKEN/Temporary Access Code.
  4. Respond to the second-factor challenge and then click Login. You are prompted to enter the Active Directory password.
  5. Enter the Active Directory password and then click Login. You are successfully logged in and now have access to the resources.
note

Make sure you have already unchecked Use the same username and password for RADIUS and Windows authentication.

Test VMware Horizon View HTML access for two-step authentication

  1. Access VMware Horizon View in a web browser.
  2. In the Username field, enter the Identity as a Service username.
  3. In the Passcode field, enter the Identity as a Service Password.
  4. Respond to the second-factor challenge and then click Login.
  5. Provide the second-factor authentication response (based on the configured second-factor authentication in Identity as a Service) and click Login.