Centrify Identity Service and MFA for VMware Horizon View 7
This post covers how to configure VMware Horizon View 7 for RADIUS to enable multi-factor authentication (MFA) via Centrify Identity Service v16.9. It documents the configuration and the testing, with screen shots, in three sections:
- Configuration of RADIUS and a Security Policy in Centrify Identity Service.
- Configuration of RADIUS to work with Centrify Cloud Connector in VMware Horizon View 7.
- The end user’s experience when testing.
The following items should already be in place in your environment:
- Horizon View installed and configured to enable access by users with their Active Directory credentials. Know the IP addresses or FQDN of the Horizon View Connection Server.
- Centrify Identity Service already installed and configured for your environment, with at least one cloud connector. In production it is preferable to have two or more cloud connectors. For more information on setting up Centrify Identity Service, please see http://community.centrify.com/t5/Centrify-Identity-Service/Centrify-Identity-Service-Technical-Resou....
- Administrator credentials for Horizon View and sysadmin credentials for your Centrify Identity Service.
- Configuration of RADIUS in Centrify Identity Service:
- Cloud Manager --> Settings --> Authentication --> RADIUS Connection
On the “Clients” tab, configure the Horizon View Connection Server as a RADIUS client by clicking the add button. Specify the information in the menu as the screen shot indicates:
- Cloud Manager --> Settings --> Network --> Cloud Connectors
Double-click your preferred cloud connector for the test in order to modify its configuration. Click RADIUS on the left as shown in the screen shot below, and check the box to “Enable incoming RADIUS connections”. The default port is 1812; this should match the RADIUS port specified in Horizon View as well.
- Cloud Manager --> Settings --> Authentication --> Authentication Profiles:
Click the Add Profile Button and then choose the methods of authentication that are supported in your environment and click OK. Remember the name of the Authentication Profile, as we will use it in a later step.
- Cloud Manager --> Policies
Click the Add Policy Set button to add a policy for your Horizon View Users.
- Click on Policy Settings on the left to specify the settings as shown in the screen shot. Note that you have the option to apply this policy only to specific roles of users; however, in our configuration we applied it to all users and devices.
- Then, on the left, expand User Security Policies and select RADIUS to allow RADIUS connections, specify the Authentication Profile from a previous step, and click Save.
*Note that we are assuming that this policy is specific to RADIUS and that you have other security policies configured and applied where needed.
- Configuration of RADIUS to work with Centrify Cloud Connector in VMware Horizon View 7.
- Log in to your VMware Horizon 7 Administrator with your Administrator credentials.
- In the left frame, under the Inventory section, expand “View Configuration” and select “Servers” as shown in the screen shot below. Then in the right frame, select the “Connection Servers” tab.
- Highlight your preferred HORIZONVIEW connection server and click on the “Edit…” button.
- On the “Edit Connection Server Settings” menu, select the “Authentication” tab.
- Under Advanced Authentication, select “RADIUS” from the pull down menu for “2-factor authentication”, and then choose the check box for “Use the same user name and password for RADIUS and Windows Authentication”.
- Then for Authenticator, choose “Create New Authenticator” from the pull down menu.
- Specify the Primary Authentication Server similar to the screen shot:
- The Primary Authentication Server hostname/address is the Centrify Cloud Connector machine for your tenant.
- Specify the “PAP” authentication type as shown below.
- Specify the same “shared secret” that you specified in Cloud Manager --> Settings --> Authentication --> RADIUS Connection previously.
- Specify a Secondary Authentication Server if you have an additional Centrify Cloud Connector you want to use, and then click the “OK” button.
- The end user’s experience when testing.
- The user goes to VMware Horizon login page, and enters his/her Active Directory Credentials.
- The user is then prompted for multiple factors, and chooses one of the factors:
- The user completes authentication with the chosen factor, and is granted access to VMware Horizon.
For more information on Centrify MFA options, please see https://www.centrify.com/solutions/why-multi-factor-authentication/.