VDI-LAB-2018 – Part 10 – Signed Certificate for Horizon Connection Server

Summary:

We need to create a signed certificate for Horizon 7 connection server. The first thing is installing in our Domain Controller the Certificate Service role, then configuring the certificates template, and finally, applying this certificate to the Horizon Connection Server

Note: I am using the Domain Controller to install AD CA, this is considered to be a bad practice because too many services running on a single server… well, it is a bad practice. This is a lab, so no problema.

Note: Default when the Horizon Servers is installed, a certificate is generated, but is not signed by a CA. Due to this being a LAB environment this step could be skipped, BUT it is strongly recommended to replace the default certificate with a signed certificate after the installation, especially for production environments.

This is part 10 out of 12 of the VDI LAB series. Check out the introduction first.

The ultimate VDI deployment guide (from scratch) with VMware vSphere 6.5 and Horizon View 7.3 – 2018. 😉

1. Prerequisites

• Windows Server 2016. Domain Controller server previously created in Part 5 of this series
• Horizon View 7 Connection Server. Previously created in Part 9 of this series

2. Active Directory Certificate Services role

@Domain Controller Server

2.1 Create a new Active Directory group

Note: This group is used to manage the created credentials in the Horizon environment. Another group used for the VDI computers, the Domain Admin group or, even Authenticated User group will also do.

Note: For the lab, another quick way to do this is to use the Domain Controller user with the Horizon Connection server.

1. From Active Directory Users and Computers. Located the VM folder (Or the one used to organize the infrastructure), right-click on it and select Group.

2. Name and create a new group. “Connection Servers” is used in the example.

3. The new group is now added to the infrastructure.

4. Add to this group, Connection Server(s) computer.

2.2 Install Active Directory Certificate Service role.

1. From Server Manager / Dashboard, Click Add roles and features.

2. Click Next until reach to Server Roles, Check Active Directory Certificate Services and click Next.

3. Wait for the installation of the role to be completed and click Close.

2.3 Configure Active Directory Certificate Service role.

1. Stil in the Dashboard, click on the warning message next to the flag, it should appear once you finish the role installation. Click Configure Active Directory Certificate Services on This Server.

2. Use the Domain Controller Administrator credentials.

3. Check Certification Authority.

4. Select Enterprise CA.

5. Select Root CA.

6. Select Create a new private key.

7. Leave as the image below or change based on preferences.

8. Leave the name of the Certification Authority as default.

9. Select the validity period.

10. Specify the database location. Leave as default.

11. Review the settings and click Configure.

12. Wait for the role to be configured and click Close.

3. Configure a new certificate template

@Domain Controller Server

3.1 Configure Properties of the Web Server Certificate Template

1. From Server Manager / Dashboard. Click on Tool / Certificate Authority.

2. Expand the Certification Authority created during the installation of the role, right-click on Certificate Templates and click Manage.

3. Scroll-down the template list, right-click on Web Server and click Properties.

4. From the Compatibility tab. Change Certificate Authority and Certificate recipient to Windows Server 2016 (The current Domain Controller version). If you are not sure about this, better leave it as default.

5. Click OK to both “resulting changing” windows.

6. Compatibility setting is now changed to Windows Server 2068.

7. From the General tab. Name template and select Validity and Renewal period. This is the name that we are going to look later on Horizon Connection server.

8. From the Request Handling tab. Check Allow private key to be exported.

9. From the Security tab. Click Add

10. Add Active Directory group (Connection Servers) created in step 2.1.

11. The group is now added to the list. Make sure that Read, Write and Enroll is checked to this group.

12. Form the Extensions tab. Select Application Policies and click Edit.

13. Click Add.

14. Select Client Authentication and click OK.

15. Client Authentication is now added to "application policies". Click OK twice until close “Properties of New Template” window.

3.2 Issue a new Certificate Template

1. Expand the Certification Authority created during the installation of the role and right-click on Certificate Templates / New / Certificate Template to Issue.

2. Select the “Connection Server” certificate template.

3. “Connection Server” will be added to the list of Certificate Templates.

4. Configure the certificate in Horizon Connection server

@Horizon Connection Server

4.1 Add new Snap-in to the local computer account

1. Go to Start / Run and type “mmc”.

2. From the new console, go to File / Add/Remove Snap-in...

3. Select Certificates, click Add and  select Computer account. Click Next.

4. Select Local computer and click Finish.

5. “Certificates” is now added to Snap-ins under Console Root. Click OK.

4.2 Request New Certificate

1. From Certificates (Local Computer). Go to Personal, right-click on Certificates and go to All tasks / Request New Certificate...

2. Click Next.

3. Select Active Directory Enrollment Policy and click Next.

4. Select the Connection Server template previously created.

Note: If the current Horizon Connection user/computer doesn't have the right permission, no templates will be available here. If below message show up here, go back to sections 2.1 and 3.1 (9-11).

“No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory”.

5. Expand the Connection Server template and click Properties.

1. From Certificates Properties go to the Subject tab. In Subject name area, Change Common name under Type, and type the DNS name of the Horizon Connection server under Type. Click Add.

6. In the  General tab, type “vdm” under the Friendly name. Click OK.

Note: There is a typo in the image: it is "vdm" instead of "vda".

7. Click Enroll.

8. Status now will be Succeeded. Click Finish.

4.3 Export the certificate from the personal folder

1. From Certificates (Local Computer). Go to Personal, right-click on Certificates and go to All Tasks / Export

2. Click Next.

3. Do not export the private key, click Next.

4. Select Base-64 encoded X.509 (.CER) as file format. Click Next.

5. Type the name of the certificate and add .cer extension. Horizon.cer is used in this example. Click Next.

6. Click Finish and then OK.

4.4 Import the certificate to the Trusted Root CA folder

1. From Certificates (Local Computer). Go to Trusted Root Certification Authorities, right-click on Certificates and go to All Tasks / Import…

2. Local Machine should be the default selection, Click Next.

3. Click Browse...

4. Look for the “Horizon.cer” certificate and click Open. By default is created under System32.

5. With the certification selected, click Next.

6. Select Place all certificates in the following store and make user that is Trusted Root Certification Authorities. Click Next.

7. Click Finish.

@Horizon Administrator From the Horizon Administrator dashboard, the Connection server should not show warning messages. Indicating that all is well configured, including the certificates.