VMware View – Objective 2.7 Enable RSA/Smart Card

Knowledge

  • Import certificates
  • Turn on certificate based authentication
  • Identify RSA instance
  • Identify authentication requirements for RSA and Smart Cards

You may have noticed a couple of errors on your Events Dashboard every time you log into View Administrator. This is due to using the default self-signed certificates.

Not a problem, you say, it doesn’t really concern me. However, when we roll out to production, your users might get slightly annoyed that they have to click ‘continue’ constantly when connecting to the View Security/Connection Server.

View Certificates 1

We could just turn off SSL verification by checking ‘do not verify server identity certificates’. However, this isn’t very elegant and poses a security risk: the client will then accept any certificate presented to it, so it can no longer tell a genuine Connection Server from an impostor.

View Certificates 2

A few prerequisites before we crack on:

  • Any Connection Servers, Security Servers or load balancers which are client facing require an SSL certificate
  • If you use a load balancer which has an SSL certificate and you enable the secure tunnel, then the Security Server or Connection Server requires an SSL certificate as well, as the View Client makes a secondary tunnel directly to the Security/Connection Server.
  • Local Mode: if you enable SSL for this, you also require an SSL certificate

Generally speaking you would want to use a Trusted Root Certificate Authority such as Verisign or Thawte for any Security Servers and/or load balancers which are public facing.

If you have a PKI infrastructure internally with an Enterprise Certificate Authority, then you can use it to replace the self-signed certificates on your Connection Servers.

In this particular blog post, we aren’t going to cover generating a certificate request for a Trusted Root Authority, as VMware have kindly written an excellent KB entitled Using Microsoft Certreq to generate and import a signed certificate into View 5.1.

Import Certificates

To enable the creation of a PKI infrastructure on my home lab, I have added the role ‘Active Directory Certificate Services’ to my domain controller VMF-DC01.

We will be using the Web Server certificate template for server authentication. However, by default we won’t be able to enroll any servers using this template, as they won’t have permission to do so.

After you have installed the Active Directory Certificate Services role, run the command ‘certtmpl.msc’ which loads up the default certificate templates.

We want to create a duplicate of the Web Server template, by right clicking it and selecting Duplicate.

View Certificates 3

Give it the name VMware View (I know, very original), then go to the Request Handling tab and select ‘Allow private key to be exported’.

View Certificates 4

Next, onto the Security tab. I have created a Security Group called ‘View Servers’ and added the computer accounts VMF-CON01 and VMF-TR01, which are my Connection Server and Transfer Server.

I have then granted the Read and Enroll rights to the Security Group ‘View Servers’. This is really important, as without this you won’t have access to any templates when you go to request a certificate.

View Certificates 5

Now onto our Connection Server VMF-CON01: click Start > Run and enter MMC. Add a snap-in, choose Certificates, then Computer Account > Local Computer.

We want to expand Personal and select Certificates.

View Certificates 6

I have already deleted my self-signed certificate, I’m feeling that confident!

Right Click Certificates > All Tasks > Request New Certificate

View Certificates 7

Click Next

View Certificates 8

Select Active Directory Enrollment Policy and hit Next.

View Certificates 9

Select VMware View and click on ‘More information is required to enroll this certificate. Click here to configure settings’.

View Certificates 10

Select Common Name from Type, enter your NetBIOS name, in my case VMF-CON01, and Add this to the request.

I also recommend adding the Subject Alternative Name as well. You can achieve this by selecting DNS under ‘Alternative Name’ and entering your FQDN, in my case VMF-CON01.vmfocus.local.

Note that this needs to match the URL and Server Name in your Connection Server settings.

View Certificates 11

Just a side note: if you don’t follow these settings and instead enter the FQDN as the Common Name and the NetBIOS name as the Alternative Name, you will get ‘Server’s certificate does not match the URL’ in View.

View Certificates 17

Click on the General tab and enter vdm as the friendly name; this is the name View looks for when choosing which certificate to use.

View Certificates 13

Hit OK to apply and then click Enroll.

View Certificates 14

After you click Finish you will see the installed certificate.

View Certificates 15

To ensure the View Connection Server uses this certificate, we can either restart the Connection Server or restart the ‘VMware View Connection Server’ service.

I have opted to restart the service, so let’s check the View Administrator Dashboard. Happy days, our Connection Server is green with no problems reported.

View Certificates 16
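As an added example (not part of the original post), here is a PowerShell check you can run on the Connection Server after enrollment to confirm the certificate in the Local Computer Personal store meets the requirements described above: friendly name vdm, Common Name equal to the NetBIOS name, the FQDN present as a DNS Subject Alternative Name, a private key, a validity period that covers today, a Server Authentication EKU, and an issuer other than itself. The hostnames are the lab values from the post and are assumptions; change them for your own servers.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the Connection Server. Values below are assumptions from the lab.
$NetBiosName  = 'VMF-CON01'                 # expected Common Name
$Fqdn         = 'VMF-CON01.vmfocus.local'   # expected DNS Subject Alternative Name
$FriendlyName = 'vdm'                       # the friendly name View looks for

$cert = @(Get-ChildItem -Path Cert:\LocalMachine\My |
          Where-Object { $_.FriendlyName -eq $FriendlyName })

if ($cert.Count -eq 0) { throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My" }
if ($cert.Count -gt 1) { throw "More than one '$FriendlyName' certificate found; View expects exactly one" }
$cert = $cert[0]

# Common Name from the Subject DN, e.g. "CN=VMF-CON01, OU=..., O=..."
$cn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''

# DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
# Format($false) renders it as "DNS Name=host1, DNS Name=host2".
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
}

# Extended Key Usage (OID 2.5.29.37); 1.3.6.1.5.5.7.3.1 is Server Authentication
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus = @()
if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }

$now = Get-Date
$checks = [ordered]@{
    "Friendly name is $FriendlyName"       = $cert.FriendlyName -eq $FriendlyName
    "Common Name is $NetBiosName"          = $cn -eq $NetBiosName
    "SAN contains DNS name $Fqdn"          = $sans -contains $Fqdn
    'Private key present'                  = $cert.HasPrivateKey
    'Issued by a CA (not self-signed)'     = $cert.Issuer -ne $cert.Subject
    'Within validity period'               = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    'Server Authentication EKU present'    = $ekus -contains '1.3.6.1.5.5.7.3.1'
}

foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0,-4} {1}' -f $status, $check.Key)
}
```

A FAIL on the Common Name or SAN lines is the local-store equivalent of the ‘Server’s certificate does not match the URL’ warning mentioned earlier.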

Turn On Certificate Based Authentication

By default, Certificate Based Authentication is enabled for client connections.

This can be changed by going to View Configuration > Global Settings > Edit.

TOP TIP: if you change this setting then all client connections are dropped.

Identify RSA Instance

Err, I don’t really know what VMware mean by this; I presume it is in relation to Two Factor Authentication.

To identify whether you are using Two Factor Authentication, go into View Configuration > Servers > Connection Servers > Edit > Authentication tab.

View RSA 1

Identify Authentication Requirements for RSA and Smart Cards

The authentication options for RSA (two-factor authentication) are:

  • Disabled
  • RSA SecurID
  • RADIUS

The authentication options for Smart Cards are:

  • Not allowed
  • Optional
  • Required

Felt this objective was a strange one, as it pulls experience and understanding from PKI and Two Factor Authentication which may not be in every View Administrator’s arsenal.
