Configuring Support for VMware True SSO
Configuring support for True SSO requires that you enable Imprivata OneSign for Kerberos authentication.
VMware True SSO Support Introduced
As part of True SSO authentication, the Microsoft Certificate Authority (CA) creates a certificate on behalf of the user. True SSO uses this certificate to log the user into their virtual desktops or applications, without requiring them to enter their Active Directory credentials.
Enabling Kerberos support allows Imprivata OneSign to trust the True SSO user certificate, which extends the True SSO environment to Imprivata Virtual Desktop Access functionality.
NOTE: For additional details on the True SSO workflow, see Introducing True SSO in VMware Horizon 7.
When True SSO support is enabled:
- The user logs into VMware Workspace ONE.
- The user opens the virtual desktop or applications manually.
- The Imprivata agent is active and is available to:
- Provide Imprivata Virtual Desktop Access functionality.
- Proxy user credentials to Imprivata SSO-enabled applications, if licensed for Imprivata Single Sign-On.
Before You Begin
Before you begin:
- Verify that the True SSO environment is functioning normally, independent of Imprivata OneSign, before installing and configuring Imprivata components. For more information on configuring True SSO, see "Setting up True SSO" in the VMware Horizon documentation.
- Review Imprivata OneSign Supported Components to confirm that your True SSO environment meets all of the minimum or recommended requirements.
NOTE: Imprivata Virtual Desktop Access supports True SSO on Windows endpoints only.
Kerberos Prerequisites
Review the following prerequisites before you begin:
- The Imprivata OneSign keytab utility, which you use to create and upload a keytab file to an appliance, uses ktpass. The keytab utility is installed with the Imprivata agent.
- Ktpass is part of the Microsoft Windows Server resource kit. Beginning with Windows Server 2008, the resource kit tools are installed as part of the server role installation.
- The endpoint computer from which you run the keytab utility and the primary appliance with which the Imprivata agent communicates must be in the same Active Directory domain. For example, if the fully qualified domain name (FQDN) of the endpoint computer is endpoint.example.com, then the Imprivata appliance FQDN could be server_name.example.com.
- The Service Principal Name (SPN) of the appliance that the keytab utility registers with Active Directory is case-sensitive. The hostname and the domain name that appear in the Imprivata Appliance Console of this appliance must contain all lowercase letters.
- If the Imprivata enterprise includes more than one domain that share a trust relationship, for example a parent company (company.com) and two subdomains (us.company.com and eu.company.com), make sure that at least one appliance is placed in company.com. Upload the keytab file to this appliance. Uploading to the appliance that is in the second-level domain (SLD) ensures that the keytab file is valid for all domains.
Enabling Kerberos Authentication
Enabling Kerberos authentication requires that you:

Configuring Kerberos authentication requires access to the following:
- Domain administrator access to an endpoint computer on which the Imprivata agent is installed.
- The Imprivata Appliance Console.
- The Imprivata Admin Console.
If more than one person is responsible for domain administration, appliance administration, and Imprivata OneSign administration, coordinate with these individuals before beginning.

Configuring Network Time Protocol (NTP) servers ensures that the Kerberos ticket does not expire before the appliance can extract the user identity from it.
Complete the following for each appliance in the enterprise to enable time synchronization:
- In the Imprivata Appliance Console, go to Network > NTP.
- Enter the IP address for one or more NTP servers.
- Click Save.

The endpoint computer from which you run the keytab utility and the primary appliance to which the Imprivata agent communicates must be in the same Active Directory domain.
For example, if the fully qualified domain name (FQDN) of the endpoint computer is endpoint.example.com, then the Imprivata appliance FQDN could be server_name.example.com.
- Log into the endpoint computer.
- Open the registry editor and go to the ISXAgent registry key:
- 64-bit: HKLM\SOFTWARE\SSOProvider\ISXAgent
- Use the IPTXPrimServer value to confirm that the agent's primary appliance is in the same Active Directory domain as the endpoint computer.
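The following PowerShell script is an added example (not Imprivata's code or documentation) that automates the check above: it reads the IPTXPrimServer value from the ISXAgent key named on this page, compares the appliance's DNS domain with the domain the endpoint is joined to, and also tests the SPN prerequisite that the appliance name is all lowercase. It assumes that IPTXPrimServer holds the appliance host name or FQDN (possibly as a URL, which it strips down to the host); the function name and the use of Win32_ComputerSystem for the endpoint domain are the example's own choices.

```powershell
# Added example, not part of the Imprivata documentation.
# Run in an elevated PowerShell window on the endpoint computer.
function Test-ImprivataKerberosPrereqs {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\SSOProvider\ISXAgent',  # 64-bit key from this page
        [string]$ValueName = 'IPTXPrimServer'                         # value name from this page
    )

    $raw = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
    if ([string]::IsNullOrWhiteSpace($raw)) {
        throw "$ValueName is empty; the agent has not yet contacted a primary appliance."
    }

    # Assumption: the value may be a bare name or a URL such as https://server.example.com:443/.
    # Strip any scheme, port and path so only the host name remains.
    $applianceHost = ($raw -replace '^[A-Za-z][A-Za-z0-9+.-]*://', '') -replace '[/:].*$', ''

    # Kerberos needs a name, not an address: an IP literal cannot be matched to an SPN.
    $isIpLiteral = $applianceHost -match '^\d{1,3}(\.\d{1,3}){3}$'

    # DNS domain the endpoint is joined to, e.g. example.com
    $endpointDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

    # Everything after the first label of the appliance FQDN is its domain.
    $parts = $applianceHost -split '\.', 2
    $applianceDomain = if (-not $isIpLiteral -and $parts.Count -eq 2) { $parts[1] } else { '' }

    $sameDomain  = ($applianceDomain -ne '') -and ($applianceDomain -ieq $endpointDomain)
    # SPN registration is case-sensitive: the appliance host name must be all lowercase.
    $isLowercase = ($applianceHost -ceq $applianceHost.ToLowerInvariant())
    # The name must resolve for the client to request a service ticket for it.
    $resolves = -not $isIpLiteral -and
                [bool](Resolve-DnsName -Name $applianceHost -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        PrimaryAppliance       = $applianceHost
        ApplianceDomain        = $applianceDomain
        EndpointDomain         = $endpointDomain
        SameDomain             = $sameDomain
        ApplianceNameLowercase = $isLowercase
        NameResolves           = $resolves
        Ready                  = ($sameDomain -and $isLowercase -and $resolves)
    }
}

Test-ImprivataKerberosPrereqs | Format-List
```

If Ready is $false, fix the reported condition (agent pointed at an appliance in another domain, or an appliance host name with uppercase letters in the Appliance Console) before running the keytab utility, because the SPN and keytab it produces are derived from this value.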

Creating and uploading a keytab file establishes a Kerberos trust relationship between Imprivata OneSign and Microsoft Active Directory. You use the Imprivata keytab utility, which is installed with the Imprivata agent, to create and upload a keytab file. After the keytab file is uploaded to the appliance, it is propagated to all other appliances in the enterprise.
NOTE: Obtain the Imprivata OneSign administrator user credentials of the appliance to which you are uploading the keytab file. The Imprivata keytab utility requires these credentials to upload the keytab file.
- As a domain administrator, log into an endpoint computer on which the Imprivata agent is installed and open a command prompt.
- At the command prompt, type:
- 64-bit: cd \Program Files (x86)\Imprivata\OneSign Agent and press Enter.
- Type ISXKerbUtil.exe and press Enter. The utility returns the domain name, the domain controller name, and the appliance host name in Service Principal Name (SPN) format.
- Type the username of the domain account that has Super Administrator rights in the Admin Console, using the User Principal Name (UPN) format, and press Enter. Example: username@example.com
- Enter the password of the domain account with Super Administrator rights that you provided above, and press Enter.
- Enter a password that meets the Active Directory complexity requirements and press Enter. The utility creates a domain user account named ssoKerberos, sets the password, and creates and uploads the keytab file to the appliance.
NOTE: If the Imprivata keytab utility detects that a domain user account is already mapped to the SPN, it updates the domain account with the password you entered. If the utility detects that multiple domain user accounts are mapped to the SPN, the utility determines which user it previously created and updates it with the password you entered; the remaining users are removed from the SPN.

The Imprivata keytab utility creates the keytab file with all of the cryptographic types supported by Windows Server.
NOTE: Only one keytab file is allowed per Imprivata enterprise.
- In the Imprivata Admin Console, go to the Users menu > Directories page.
- Click the name of the domain from which you created the keytab file.
- Go to Kerberos authentication and click 5 keytab files.
- Verify that the Windows Server keys are using the following cryptographic types:
- DES cbc mode with CRC-32
- DES cbc mode with RSA-MD5
- ArcFour with HMAC/md5
- AES-256 CTS mode with 96-bit SHA-1 HMAC
- AES-128 CTS mode with 96-bit SHA-1 HMAC
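The following PowerShell script is an added example (not Imprivata's code) for verifying, from the Active Directory side, the two conditions described above: that the appliance SPN maps to exactly one account (the keytab utility's NOTE describes how it repairs duplicate mappings) and which encryption types the ssoKerberos account created by the utility is allowed to use. It assumes the SPN has the usual service/host form so that any service class for the appliance FQDN is matched, requires the ActiveDirectory module from RSAT, and uses the standard bit values of msDS-SupportedEncryptionTypes; the function names are the example's own.

```powershell
# Added example, not part of the Imprivata documentation.
Import-Module ActiveDirectory

# Return every directory object that holds an SPN for the appliance host name.
function Get-ApplianceSpnOwners {
    param([Parameter(Mandatory)][string]$ApplianceFqdn)
    # '*' before the slash matches whatever service class ISXKerbUtil registered.
    Get-ADObject -LDAPFilter "(servicePrincipalName=*/$ApplianceFqdn)" `
                 -Properties servicePrincipalName, objectClass |
        ForEach-Object {
            $obj = $_
            foreach ($spn in ($obj.servicePrincipalName | Where-Object { $_ -like "*/$ApplianceFqdn" })) {
                [pscustomobject]@{ SPN = $spn; Account = $obj.Name; Class = $obj.objectClass; DN = $obj.DistinguishedName }
            }
        }
}

# Decode the msDS-SupportedEncryptionTypes bit flags into Kerberos etype names.
function ConvertTo-KerberosEtypeNames {
    param([int]$Flags)
    $names = @{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'
                8 = 'AES128-CTS-HMAC-SHA1-96'; 16 = 'AES256-CTS-HMAC-SHA1-96' }
    if ($Flags -eq 0) { return @('(not set: domain controller default applies)') }
    $names.Keys | Sort-Object | Where-Object { $Flags -band $_ } | ForEach-Object { $names[$_] }
}

function Test-ImprivataKeytabAccount {
    param(
        [Parameter(Mandatory)][string]$ApplianceFqdn,
        [string]$AccountName = 'ssoKerberos'   # account name the utility creates, per this page
    )
    $owners   = @(Get-ApplianceSpnOwners -ApplianceFqdn $ApplianceFqdn)
    $distinct = @($owners | Select-Object -ExpandProperty Account -Unique)

    $acct = Get-ADUser -Identity $AccountName `
                -Properties servicePrincipalName, PasswordLastSet, Enabled, 'msDS-SupportedEncryptionTypes'
    $etypeFlags = [int]$acct.'msDS-SupportedEncryptionTypes'   # null casts to 0

    [pscustomobject]@{
        ApplianceFqdn        = $ApplianceFqdn
        SpnMappings          = $owners
        DistinctOwners       = $distinct
        SingleOwner          = ($distinct.Count -eq 1)
        OwnerIsKeytabAccount = ($distinct.Count -eq 1 -and $distinct[0] -ieq $acct.Name)
        AccountEnabled       = $acct.Enabled
        PasswordLastSet      = $acct.PasswordLastSet     # should match the time you ran ISXKerbUtil
        AllowedEtypes        = ConvertTo-KerberosEtypeNames -Flags $etypeFlags
    }
}

# Replace with the appliance FQDN that ISXKerbUtil printed (placeholder value).
Test-ImprivataKeytabAccount -ApplianceFqdn 'server_name.example.com' | Format-List
```

If SingleOwner is $false after the utility has run, the leftover mappings are what the utility's NOTE describes removing; running the built-in "setspn -X" command lists all duplicate SPNs in the domain, and "setspn -L ssoKerberos" shows the mappings on the keytab account itself. PasswordLastSet is a useful check that the account password and the uploaded keytab were generated in the same run, since a keytab made before a later password change no longer decrypts service tickets.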

Identify the computers to which Kerberos authentication applies and configure a computer policy. Configuring the computer policy enables the computers in the policy for Kerberos authentication.
Step 6a: Create a Computer Policy for Endpoint Computers
- In the Imprivata Admin Console, go to the Computers menu > Computer policies page.
You can select an existing computer policy from the list, or make a copy of the Default Computer Policy as a starting point. If you want to edit an existing computer policy, click the existing computer policy name, and skip to Step 6b: Configure the Computer Policy for Endpoint Computers.
- To copy the Default Computer Policy, select Default Computer Policy, then click Copy.
- Click Default Computer Policy (2).
- Rename the computer policy.
Step 6b: Configure the Computer Policy for Endpoint Computers
- Click the General tab, go to the Authentication section, and select Accept Kerberos authentication in place of OneSign authentication.
- Click Save.
Step 6c: Assign the Computer Policy to Endpoint Computers

To manually assign the computer policy:
- Go to the Computers menu > Computers page.
- Select the computers to which you want to apply the computer policy.
- Select Change policy.
- Select Choose a policy and the name of the policy configured for Kerberos authentication.
- Click Change Policy.

Use computer policy assignment rules to assign a computer policy to existing endpoint computers and to automatically assign the policy to endpoint computers added in the future.
- Go to the Computers menu > Computer policy assignment page.
- Click Add new rule.
- Enter a Name for the assignment rule.
- Select one of the following:
- Computer IP address, and then enter the range of IP addresses to include in the computer policy.
- Computer host name to match the computer policy to a specific computer.
- Imprivata agent type to apply the computer policy to all computers with a specific Imprivata agent.

Disabling (unregistering) the Imprivata OneSign module prevents Imprivata OneSign from authenticating users, ensuring that Kerberos authentication is enforced on the endpoint computer.
- As a domain administrator, log into an endpoint computer that is enabled for Kerberos authentication and open a command prompt.
- At the command prompt, type:
- 64-bit: cd \Program Files (x86)\Imprivata\OneSign Agent\x64 and press Enter.
- Type:
- 64-bit: regsvr32 /u ISXCredProv.dll and press Enter.
- Type:
- 64-bit: ISXCredProvDiag.exe /unwrapall and press Enter.
- Close the command prompt window.
The Imprivata OneSign login module is disabled on the endpoint computer.
BEST PRACTICE: To disable the Imprivata OneSign login module on multiple endpoint computers, use the Microsoft Group Policy Management Editor to create or modify a group policy object to disable the dynamic link library and executable.

While the Imprivata OneSign login module remains disabled, enabling (registering) the Imprivata credential manager module ensures that Imprivata OneSign continues to manage application single sign-on after users change their password.
- As a domain administrator, log into an endpoint computer that is enabled for Kerberos authentication and open a command prompt.
- At the command prompt, type:
- 64-bit: cd \Program Files (x86)\Imprivata\OneSign Agent\x64 and press Enter.
- Type:
- 64-bit: regsvr32 ISXCredMan.dll and press Enter.
BEST PRACTICE: To enable the Imprivata OneSign credential manager module on multiple endpoint computers, use the Microsoft Group Policy Management Editor to create or modify a group policy object to enable the dynamic link library.
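The following PowerShell script is an added example (not Imprivata's code) that reports the end state the two procedures above are meant to produce: the OneSign login module (ISXCredProv.dll) no longer registered as a logon credential provider, and the credential manager module (ISXCredMan.dll) registered as a COM server. It relies only on how regsvr32 and Windows logon work in general: regsvr32 records an in-process COM server under HKLM\SOFTWARE\Classes\CLSID\<clsid>\InprocServer32, and Windows lists credential providers by CLSID under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. It assumes the Imprivata DLLs register in those standard locations and matches by DLL file name so no Imprivata CLSID needs to be known; the function names are the example's own. Run it from 64-bit PowerShell so the 64-bit registry view, matching the \x64 DLLs on this page, is read.

```powershell
# Added example, not part of the Imprivata documentation.

# Find every in-process COM server whose registered path ends in the given DLL name.
function Get-ComServersByDll {
    param([Parameter(Mandatory)][string]$DllName)
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        # The unnamed (default) value of InprocServer32 holds the DLL path.
        if ($server -and $server.'(default)' -like "*$DllName*") {
            [pscustomobject]@{ Clsid = $_.PSChildName; Path = $server.'(default)' }
        }
    }
}

# List the credential providers Windows will load at logon, resolved to their DLLs.
function Get-RegisteredCredentialProviders {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                                   -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Clsid = $clsid
            Name  = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            Dll   = if ($server) { $server.'(default)' } else { $null }   # $null: listed but no COM server
        }
    }
}

function Test-ImprivataLogonModuleState {
    $providers = @(Get-RegisteredCredentialProviders)
    # A provider entry whose CLSID still resolves to ISXCredProv.dll means the login module is live.
    $credProvActive    = [bool]($providers | Where-Object { $_.Dll -like '*ISXCredProv.dll*' })
    $credManRegistered = [bool](Get-ComServersByDll -DllName 'ISXCredMan.dll')

    [pscustomobject]@{
        OneSignLoginModuleDisabled  = -not $credProvActive   # expected $true after: regsvr32 /u ISXCredProv.dll
        CredentialManagerRegistered = $credManRegistered     # expected $true after: regsvr32 ISXCredMan.dll
        ExpectedStateReached        = (-not $credProvActive) -and $credManRegistered
        LoadedCredentialProviders   = $providers | Where-Object { $_.Dll } | Select-Object Name, Dll
    }
}

Test-ImprivataLogonModuleState | Format-List
```

Because it only reads the registry, the script is safe to run as a compliance check on every Kerberos-enabled endpoint, for example as a scheduled task or from the same group policy infrastructure the BEST PRACTICE notes above describe; a computer where OneSignLoginModuleDisabled is $false is one on which OneSign, rather than Kerberos, can still authenticate the user.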
Install the Imprivata Agent to the Virtual Machines
The Imprivata agent must be installed on each virtual machine from which Imprivata Virtual Desktop Access functionality is required.
The installation can be pushed to groups of computers or installed on one computer at a time, depending on your organization's preferences. See
Create and Assign Computer Policy for the Virtual Machines
Create and assign a computer policy for the virtual machines. The computer policy must be enabled for Kerberos authentication.

- In the Imprivata Admin Console, go to the Computers menu > Computer policies page.
- You can select an existing computer policy from the list, or make a copy of the Default Computer Policy as a starting point. If you want to edit an existing computer policy, click the existing computer policy name, and configure the computer policy.
- To copy the Default Computer Policy, select Default Computer Policy, then click Copy.
- Click Default Computer Policy (2).
- Rename the computer policy in the Name field.

- Go to the General tab > Authentication section.
- Select Accept Kerberos authentication in place of OneSign authentication.
- Click Save.

Computer policy assignment rules let you assign a policy to existing virtual machines and make sure that the policy is automatically assigned to virtual machines that are added later.
To use a rule to assign the computer policy:
- Go to the Computers menu > Computer policy assignment page.
- Click Add new rule.
- Name the rule and select the assignment criteria.
- Select the policy you created and click Save.
Create and Apply a User Policy
Create and apply a user policy for the True SSO users. The user policy must be configured for smart cards.

- In the Imprivata Admin Console, go to the Users menu > User policies page.
- You can select an existing user policy from the list, or make a copy of the Default User Policy as a starting point. If you want to edit an existing user policy, click the existing user policy name, and configure the user policy.
- To copy the Default User Policy, select Default User Policy, then click Copy.
- Click Default User Policy (2).
- Rename the user policy in the Policy Name field.

- Go to the Authentication tab > Desktop Access authentication section.
- Select Smart Card or USB token using Active Directory certificate.
- Click Save.

- Go to the Users menu > Users page.
- Use Search for Users to locate the users to whom you want to assign the policy.
- Select the users from the search results.
- Click Apply Policy. The Apply Policy dialog box opens.
- Choose the policy from the drop-down list, and click OK.
Verify that the Imprivata Agent is Enabled for Kerberos
You can use the Imprivata agent logging utility (ISXTrace) to verify the Imprivata agent is functioning normally in the True SSO environment.
- Use a test user to log into Workspace ONE and launch a desktop or application.
- From the virtual machine that is hosting the virtual desktop or application, verify that the Imprivata OneSign agent icon is in active status.
- Ctrl + click the icon, and click Trace Utility.
- Click Logging options (hammer icon) to open the ISXTrace Options dialog.
- Select Log to Viewer (Real-Time Logging), and click OK.
- Verify that the log includes messages that Kerberos is employed.
- Re-open the ISXTrace Options dialog, select No Log, and click OK.
- Close the tracing utility.