- Advertisement -
HomeVirtualizationVDIVDI-LAB-2018 – Part 10 – Signed Certificate for Horizon Connection Server

VDI-LAB-2018 – Part 10 – Signed Certificate for Horizon Connection Server

Summary:

We need to create a signed certificate for Horizon 7 connection server. The first thing is installing in our Domain Controller the Certificate Service role, then configuring the certificates template, and finally, applying this certificate to the Horizon Connection Server

Note: I am using the Domain Controller to install AD CA, this is considered to be a bad practice because too many services running on a single server… well, it is a bad practice. This is a lab, so no problema.

Note: Default when the Horizon Servers is installed, a certificate is generated, but is not signed by a CA. Due to this being a LAB environment this step could be skipped, BUT it is strongly recommended to replace the default certificate with a signed certificate after the installation, especially for production environments.

This is part 10 out of 12 of the VDI LAB series. Check out the introduction first.

- Advertisement -

The ultimate VDI deployment guide (from scratch) with VMware vSphere 6.5 and Horizon View 7.3 – 2018. 😉

1. Prerequisites

  • Windows Server 2016. Domain Controller server previously created in Part 5 of this series
  • Horizon View 7 Connection Server. Previously created in Part 9 of this series

2. Active Directory Certificate Services role

@Domain Controller Server

2.1 Create a new Active Directory group

Note: This group is used to manage the created credentials in the Horizon environment. Another group used for the VDI computers, the Domain Admin group or, even Authenticated User group will also do.

Note: For the lab, another quick way to do this is to use the Domain Controller user with the Horizon Connection server.

  1. From Active Directory Users and Computers. Located the VM folder (Or the one used to organize the infrastructure), right-click on it and select Group.
Part10 Image01
  1. Name and create a new group. “Connection Servers” is used in the example.
Part10 Image02
  1. The new group is now added to the infrastructure.
Part10 Image03
  1. Add to this group, Connection Server(s) computer.

2.2 Install Active Directory Certificate Service role.

  1. From Server Manager / Dashboard, Click Add roles and features.
Part10 Image04
  1. Click Next until reach to Server Roles, Check Active Directory Certificate Services and click Next.
Part10 Image05
  1. Wait for the installation of the role to be completed and click Close.
Part10 Image06

2.3 Configure Active Directory Certificate Service role.

  1. Stil in the Dashboard, click on the warning message next to the flag, it should appear once you finish the role installation. Click Configure Active Directory Certificate Services on This Server.
Part10 Image07
  1. Use the Domain Controller Administrator credentials.
Part10 Image08
  1. Check Certification Authority.
Part10 Image09
  1. Select Enterprise CA.
Part10 Image10
  1. Select Root CA.
Part10 Image11
  1. Select Create a new private key.
Part10 Image12
  1. Leave as the image below or change based on preferences.
Part10 Image13
  1. Leave the name of the Certification Authority as default.
Part10 Image14
  1. Select the validity period.
Part10 Image15
  1. Specify the database location. Leave as default.
Part10 Image16
  1. Review the settings and click Configure.
Part10 Image17
  1. Wait for the role to be configured and click Close.
Part10 Image18

3. Configure a new certificate template

@Domain Controller Server

3.1 Configure Properties of the Web Server Certificate Template

  1. From Server Manager / Dashboard. Click on Tool / Certificate Authority.
Part10 Image19
  1. Expand the Certification Authority created during the installation of the role, right-click on Certificate Templates and click Manage.
Part10 Image20
  1. Scroll-down the template list, right-click on Web Server and click Properties.
Part10 Image21
  1. From the Compatibility tab. Change Certificate Authority and Certificate recipient to Windows Server 2016 (The current Domain Controller version). If you are not sure about this, better leave it as default.
Part10 Image22
  1. Click OK to both “resulting changing” windows.
Part10 Image23
  1. Compatibility setting is now changed to Windows Server 2068.
Part10 Image24
  1. From the General tab. Name template and select Validity and Renewal period. This is the name that we are going to look later on Horizon Connection server.
Part10 Image25
  1. From the Request Handling tab. Check Allow private key to be exported.
Part10 Image26
  1. From the Security tab. Click Add
Part10 Image27
  1. Add Active Directory group (Connection Servers) created in step 2.1.
Part10 Image28
  1. The group is now added to the list. Make sure that Read, Write and Enroll is checked to this group.
Part10 Image29
  1. Form the Extensions tab. Select Application Policies and click Edit.
Part10 Image30
  1. Click Add.
Part10 Image31
  1. Select Client Authentication and click OK.
Part10 Image32
  1. Client Authentication is now added to "application policies". Click OK twice until close “Properties of New Template” window.
Part10 Image33

3.2 Issue a new Certificate Template

  1. Expand the Certification Authority created during the installation of the role and right-click on Certificate Templates / New / Certificate Template to Issue.
Part10 Image34
  1. Select the “Connection Server” certificate template.
Part10 Image35
  1. “Connection Server” will be added to the list of Certificate Templates.
Part10 Image36

4. Configure the certificate in Horizon Connection server

- Advertisement -

@Horizon Connection Server

4.1 Add new Snap-in to the local computer account

  1. Go to Start / Run and type “mmc”.
Part10 Image37
  1. From the new console, go to File / Add/Remove Snap-in...
Part10 Image38
  1. Select Certificates, click Add and  select Computer account. Click Next.
Part10 Image39
  1. Select Local computer and click Finish.
Part10 Image40
  1. “Certificates” is now added to Snap-ins under Console Root. Click OK.
Part10 Image41

4.2 Request New Certificate

  1. From Certificates (Local Computer). Go to Personal, right-click on Certificates and go to All tasks / Request New Certificate...
Part10 Image42
  1. Click Next.
Part10 Image43
  1. Select Active Directory Enrollment Policy and click Next.
Part10 Image44
  1. Select the Connection Server template previously created.

Note: If the current Horizon Connection user/computer doesn't have the right permission, no templates will be available here. If below message show up here, go back to sections 2.1 and 3.1 (9-11).

“No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory”.

Part10 Image45
  1. Expand the Connection Server template and click Properties.
Part10 Image46
  1. From Certificates Properties go to the Subject tab. In Subject name area, Change Common name under Type, and type the DNS name of the Horizon Connection server under Type. Click Add.
Part10 Image47
  1. In the  General tab, type “vdm” under the Friendly name. Click OK.

Note: There is a typo in the image: it is "vdm" instead of "vda".

Part10 Image48
  1. Click Enroll.
Part10 Image49
  1. Status now will be Succeeded. Click Finish.
Part10 Image50

4.3 Export the certificate from the personal folder

  1. From Certificates (Local Computer). Go to Personal, right-click on Certificates and go to All Tasks / Export
Part10 Image51
  1. Click Next.
Part10 Image52
  1. Do not export the private key, click Next.
Part10 Image53
  1. Select Base-64 encoded X.509 (.CER) as file format. Click Next.
Part10 Image54
  1. Type the name of the certificate and add .cer extension. Horizon.cer is used in this example. Click Next.
Part10 Image55
  1. Click Finish and then OK.
Part10 Image56

4.4 Import the certificate to the Trusted Root CA folder

  1. From Certificates (Local Computer). Go to Trusted Root Certification Authorities, right-click on Certificates and go to All Tasks / Import…
Part10 Image57
  1. Local Machine should be the default selection, Click Next.
Part10 Image58
  1. Click Browse...
Part10 Image59
  1. Look for the “Horizon.cer” certificate and click Open. By default is created under System32.
Part10 Image60
  1. With the certification selected, click Next.
Part10 Image61
  1. Select Place all certificates in the following store and make user that is Trusted Root Certification Authorities. Click Next.
Part10 Image62
  1. Click Finish.
Part10 Image63

@Horizon Administrator From the Horizon Administrator dashboard, the Connection server should not show warning messages. Indicating that all is well configured, including the certificates.

Horizon Administrator dashboard
Juan Mulford
Juan Mulford
I have been active in IT for over fourteen years now. I am a solutions architect, working with storage, virtualization, and VDI solutions. For the past ten years, I have been living and working in Taiwan.

2 COMMENTS

    • Hi Rucker. I am not sure at this moment, but it should be "vdm". I'll check better later, it seems to be a huge typo.

Leave a Reply

- Advertisement -

Popular Articles

mulcas.com-Raspberry-Pi

Raspberry Pi OS in a Virtual Machine with VMware

4
Although the Raspberry Pi OS is designed and optimized for the Raspberry Pi module, it is possible to test and use it without its hardware, with VMware. This solution can be useful if you are a developer (or just a curious guy) and don't have a Raspberry Pi module with you
Unable to delete inaccessible datastore

Unable to delete an "inaccessible" datastore

4
I was switching my storage array, so I migrated the VMs from that old datastore/storage to a new datastore/storage. The old datastore was shared by 3 ESXi hosts, no cluster. After migrating the VMs and unmount/delete the datastore, it was still presented in two of the ESXi hosts and was marked as inaccessible.
mulcas.com-VMware-OVF-Tool

How to export a Virtual Machine using the VMware OVF Tool

8
The VMware OVF Tool is implemented by VMware for easily importing and exporting virtual machines in Open Virtualization Format (OVF) standard format. Here, I want to show you how to download and install it, and then how to use it from a Windows machine.
This is not a valid source path / URL

This is not a valid source path / URL - SourceTree and Gitlab

0
I have been working on a project with a friend who set up a repository in Gitlab but even though I was able to view all projects on it, I couldn’t really join the repository. I was using SourceTree and Gitlab.
WinSCP VCSA

Unable to Access the VCSA 6.7 via WinSCP

8
One of the many and easiest ways to get the logs from the ESXi hosts and vCenter Server Appliance (VCSA), is accessing directly to the files directory using tools such as WinSCP, which helps to transfer the files between a local and a remote computer ( Ex. VCSA). I never have had issues with the ESXi hosts and WinSCP, however, trying to access the VCSA is a different story.
- Advertisement -

Recent Comments