- Mastering VMware Horizon 7.8
- Peter von Oven Barry Coombs
- 2025-02-18 10:09:52
The Horizon View enrolment server and True SSO
The Horizon View Enrollment Server is the final component among the Horizon View connection server installation options. Like the other options, it is selected from the drop-down menu during the connection server installation process. So, what role does the enrolment server perform?
Horizon 7 saw the introduction of a new feature, called True SSO. True SSO is a solution that allows a user to authenticate to a Microsoft Windows environment without them having to enter their AD credentials. It integrates into another VMware product, VMware Identity Manager (VIDM), which forms part of both Horizon 7's advanced and enterprise editions.
The enrolment server's job is to sit between the connection server and the Microsoft CA to request temporary certificates from the certificate store.
This process is described pictorially in the following diagram:

A user first logs into VIDM, either using their credentials or another authentication method such as the following:
- RSA SecurID
- Kerberos
- RADIUS authentication
- RSA Adaptive Authentication
- Standards-based, third-party identity providers
Once successfully authenticated, the end user will be presented with the virtual desktop machines or hosted applications that they are entitled to use. They can launch any of these by simply double-clicking, which will launch the Horizon client, as shown by the red arrow (1) in the previous diagram. The user's credentials will then be passed to the connection server (2), which, in turn, will verify them by sending a Security Assertion Markup Language (SAML) assertion back to the identity manager (3).
If the end user's credentials are verified, then the connection server passes them on to the enrolment server (4). The enrolment server then makes a request to the Microsoft Certificate Authority (CA) to generate a short-lived, temporary certificate for that user to use (5).
With the certificate now generated, the connection server presents it to the operating system of the virtual desktop machine (6), which, in turn, validates it with Active Directory to confirm whether the certificate is authentic (7).
When the certificate has been authenticated, the end user is logged on to their virtual desktop machine, which is then displayed/delivered to the Horizon client using the chosen display protocol (8).
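The following Python model of steps 1 to 7 is an added example, not code from the book or from VMware. It shows the two checks that make the flow safe: no certificate is requested for an unverified assertion, and the desktop rejects an expired or altered certificate. The HMAC keys standing in for the VIDM and CA signing keys, the 300-second lifetime, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins: HMAC keys model the VIDM and CA signing keys.
VIDM_KEY = b"constructed-vidm-key"
CA_KEY = b"constructed-ca-key"
CERT_LIFETIME_S = 300  # assumed value; the text only says "short-lived"

def _sign(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def vidm_issue_assertion(user):
    """Step 1: the user authenticates to VIDM, which issues an assertion."""
    return {"user": user, "sig": _sign(VIDM_KEY, user)}

def vidm_validate(assertion):
    """Step 3: the connection server sends the assertion back to VIDM."""
    expected = _sign(VIDM_KEY, assertion["user"])
    return hmac.compare_digest(assertion["sig"], expected)

def ca_issue_cert(user, now):
    """Step 5: the CA generates a temporary certificate for the user."""
    not_after = now + CERT_LIFETIME_S
    return {"subject": user, "not_after": not_after,
            "sig": _sign(CA_KEY, f"{user}|{not_after}")}

def connection_server_logon(assertion, now):
    """Steps 2-5: verify first, then go to the CA via the enrolment server."""
    if not vidm_validate(assertion):
        return None  # unverified user: no certificate request is made
    return ca_issue_cert(assertion["user"], now)

def desktop_accepts(cert, now):
    """Steps 6-7: check the issuer signature and the validity window."""
    if cert is None:
        return False
    expected = _sign(CA_KEY, f"{cert['subject']}|{cert['not_after']}")
    return hmac.compare_digest(cert["sig"], expected) and now < cert["not_after"]

if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    cert = connection_server_logon(vidm_issue_assertion("alice"), t0)
    forged = {"user": "alice", "sig": "0" * 64}  # constructed bad assertion
    print("fresh cert accepted:", desktop_accepts(cert, t0 + 10))
    print("expired cert accepted:", desktop_accepts(cert, t0 + CERT_LIFETIME_S + 1))
    print("forged assertion gets cert:", connection_server_logon(forged, t0) is not None)
```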