VMware Horizon with Azure AD for authentication – Part 1

In this blog I will explain the first step in using VMware Horizon with Azure AD.
In this part we will roll out an Enterprise Root CA that will issue the virtual smartcard certificates used for the login process (True SSO). If you already have an Enterprise CA you can skip this step.

From experience I would advise installing the CA role on a new, dedicated server: whoever controls the CA's private key can issue a logon certificate for any account in the domain, so it should not share a box with other workloads.
1. Log on to the new Windows server;
2. Install the Microsoft Certificate Authority from Server Manager > Manage > Add Roles and Features;
3. Select Active Directory Certificate Services;
4. The only Role Service needed is Certification Authority;
5. Click Next through the remaining pages and then Install to complete the installation.

Now we will configure the new Certification Authority as an Enterprise Root CA.
1. After the installation, click the flag icon in Server Manager;
2. Click Configure Active Directory Certificate Services;
3. For Setup Type choose Enterprise CA;
4. On the CA Type page choose Root CA;
5. Create a new private key;
6. For the cryptographic provider choose RSA#Microsoft Software Key Storage Provider with a key length of 2048 (and pick SHA256 as the hash algorithm; SHA1 should not be used for a new CA);
7. Give the CA a name;
8. The default validity period is 5 years; I normally set it to 10 years;
9. Keep the default database and log locations and click Configure.
You now have an Enterprise CA. Its certificate is published to Active Directory (the Trusted Root and NTAuth stores) and reaches domain members through Group Policy: run "gpupdate /force" on a member server, or wait a couple of hours for the next refresh.
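The same installation and configuration, scripted. This is an added PowerShell example, not part of the original post, that mirrors the wizard steps above and then checks that the CA answers and that its certificate has reached the local Trusted Root store. The CA name CONTOSO-ROOT-CA and the SHA256 hash algorithm are assumptions; substitute your own naming convention.

```powershell
# Added example: unattended equivalent of the Server Manager steps above.
# Assumptions (not from the original post): CA name "CONTOSO-ROOT-CA" and
# SHA256 as hash algorithm. Run in an elevated PowerShell on the new server
# as a user who is Enterprise Admin (required to create an Enterprise CA).
$caName = 'CONTOSO-ROOT-CA'

# Install steps 2-5: the role with only the Certification Authority role service.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Configuration steps 1-9: Enterprise Root CA, new 2048-bit RSA key in the
# Microsoft Software KSP, 10-year validity, default database locations.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCa `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# Pull the CA certificate into the local Trusted Root store now instead of
# waiting for the next Group Policy refresh (same as the manual gpupdate step).
gpupdate /force

# Check 1: the CA service is up and reachable under its configuration string.
certutil -config "$env:COMPUTERNAME\$caName" -ping

# Check 2: the CA certificate is trusted by this machine and the key size is
# what was requested (a CA that silently fell back to 1024 bits is not worth
# deploying).
$rootCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Select-Object -First 1
if (-not $rootCert) {
    throw "CA certificate for $caName is not in the Trusted Root store yet; run gpupdate on the member server or wait for the policy refresh."
}
"CA certificate: $($rootCert.Subject), key size $($rootCert.PublicKey.Key.KeySize) bits, valid until $($rootCert.NotAfter)"
```

Run the last check on a member server as well (after its own gpupdate /force): if the CA certificate does not show up there, the Horizon enrollment servers in the next part will not trust the certificates this CA issues either.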

Certificate Template TrueSSO Certificate

1. On the CA machine, open the Certification Authority console;
2. Right-click the Certificate Templates and click Manage;
3. Right-click the Smartcard Logon template and click Duplicate Template;
4. On the Compatibility tab, change the drop-down for Certification Authority to Windows Server 2008 R2;
5. Change the drop-down for Certificate recipient to Windows 7 / Server 2008 R2;
6. On the General tab, name it “TrueSSOCert“;
7. Change the Validity Period;
8. On the Request Handling tab, change the drop-down for Purpose to Signature and smartcard logon;
9. Check the box next to For automatic renewal of smart card certificates, use the existing key if a new key cannot be created;
10. On the Cryptography tab, change the drop-down for Provider Category to Key Storage Provider (Default is legacy);
11. On the Server tab, check the top box for Do not store certificates and requests in the CA database;
12. Uncheck Do not include revocation information in issued certificates;
13. On the Issuance Requirements tab, check the box next to This number of authorized signatures and enter 1 as the value;
14. Change the drop-down for Policy type required in signature to Application policy;
15. Change the drop-down for Application policy to Certificate Request Agent;
16. At the bottom, change the selection to Valid existing certificate;
17. On the Security tab, add the computer objects of your Horizon Enrollment Servers and grant them Read and Enroll. Click Apply and OK.

Certificate Template Enrollment Agent

1. In the Certificate Templates Console, right-click the Enrollment Agent (Computer) template and click Properties;
2. On the Security tab, add the computer objects of your Horizon Enrollment Servers and grant them Read and Enroll. Click Apply and OK;
3. Close the Certificate Templates Console.

Certificate Template Issue

Right-click Certificate Templates and click New > Certificate Template to Issue.
Select both Enrollment Agent (Computer) and TrueSSOCert and click OK. Until a template is issued here the CA will not accept requests for it, even when the permissions are correct.
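The issuance requirement on the TrueSSOCert template (one signature from a certificate with the Certificate Request Agent policy) is the control that keeps an ordinary domain user from requesting a smartcard logon certificate for someone else, so it is worth verifying rather than trusting the clicks. Below is an added PowerShell example, not from the original post, that reads the template back from Active Directory and stops if that requirement or the other security-relevant settings from the steps above are missing, then grants the enrollment servers Read and Enroll on both templates and publishes them on the CA. It assumes the RSAT ActiveDirectory module is installed on the CA, placeholder enrollment server computer accounts ENROLL01 and ENROLL02, and the msPKI-Enrollment-Flag bit values from Microsoft's MS-CRTD specification.

```powershell
# Added example, not from the original post. Run on the CA as an Enterprise Admin.
# Assumptions: ActiveDirectory module available (RSAT-AD-PowerShell), template
# name "TrueSSOCert" as in the post, and placeholder enrollment server names.
Import-Module ActiveDirectory
$templateName  = 'TrueSSOCert'
$enrollServers = @('ENROLL01', 'ENROLL02')   # placeholders, replace with yours

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templatesContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$templateDN = "CN=$templateName,$templatesContainer"
$template   = Get-ADObject -Identity $templateDN -Properties msPKI-RA-Signature,
    msPKI-RA-Application-Policies, msPKI-Certificate-Application-Policy, msPKI-Enrollment-Flag

# Issuance Requirements (steps 13-15): exactly one authorized signature, and the
# signing certificate must carry the Certificate Request Agent application policy.
$requestAgentOid = '1.3.6.1.4.1.311.20.2.1'
if ($template.'msPKI-RA-Signature' -ne 1) {
    throw "$templateName must require exactly 1 authorized signature"
}
if ($template.'msPKI-RA-Application-Policies' -notlike "*$requestAgentOid*") {
    throw "$templateName must require the Certificate Request Agent policy in the signature"
}

# Request Handling (step 8): the purpose must still include Smart Card Logon.
if ($template.'msPKI-Certificate-Application-Policy' -notcontains '1.3.6.1.4.1.311.20.2.2') {
    throw "$templateName lost the Smart Card Logon application policy"
}

# msPKI-Enrollment-Flag bits per MS-CRTD: 0x40 = reenrollment requires a valid
# existing certificate (step 16, must be set); 0x4000 = do not include revocation
# information in issued certificates (step 12, must be clear).
$flags = [int]$template.'msPKI-Enrollment-Flag'
if (-not ($flags -band 0x40)) { throw "$templateName must require a valid existing certificate for reenrollment" }
if ($flags -band 0x4000)      { throw "$templateName must include revocation information in issued certificates" }

# Security tab (step 17 and the Enrollment Agent section): Read + Enroll for the
# enrollment server computer accounts on both templates. Enroll is the AD
# control-access right identified by the well-known GUID below.
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$targets = @($templateDN, "CN=MachineEnrollmentAgent,$templatesContainer")  # Enrollment Agent (Computer)
foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($server in $enrollServers) {
        $sid = (Get-ADComputer -Identity $server).SID
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, 'Allow')))
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, 'Allow', $enrollRight)))
    }
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Certificate Template to Issue, scripted. "Enrollment Agent (Computer)" is
# MachineEnrollmentAgent internally.
certutil -SetCATemplates "+MachineEnrollmentAgent"
certutil -SetCATemplates "+$templateName"
certutil -CATemplates    # lists the templates the CA now issues
```

If the first checks throw, fix the template in the Certificate Templates Console before publishing it: once a template without the signature requirement is issued, any principal with Enroll on it can obtain logon certificates directly.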

In the next part we will install the VMware Horizon Enrollment Servers.
