Implementing Federal Personal Identity Verification for VMware View. By Bryan Salek, Federal Desktop Systems Engineer, VMware



TECHNICAL WHITE PAPER

Introduction

This guide explains how to implement authentication using federal Personal Identity Verification (PIV) access cards, including the Department of Defense (DoD) Common Access Card (CAC), in a VMware View environment. It provides a one-stop shop for federal PIV information relating to VMware View by including the essential steps here and referencing the authoritative sources in the VMware product documentation. It is intended to help organizations successfully configure VMware View environments to leverage PIV to access their virtual desktops.

Background

The U.S. federal government, under Homeland Security Presidential Directive 12 (HSPD-12), made it mandatory for all federal departments and agencies to implement two-factor authentication for access to federal buildings and information systems. HSPD-12 mandates that all federal employees and contractors have a Federal Information Processing Standard 201 (FIPS 201) PIV card. The DoD CAC and DoD Public Key Infrastructure (PKI) programs are being aligned to meet this additional set of requirements. According to a February 3, 2011, Office of Management and Budget (OMB) memo, all agencies were to have a documented implementation plan for PIV in place by March 31, 2011. [1]

Prerequisites

This guide makes a few basic assumptions about the environment:

- Users have properly issued CAC or PIV smart cards with their certificates installed.
- The Active Directory and PKI components are already properly configured, and users are currently authenticating to physical desktops with their smart cards.

Although it is not a prerequisite for enabling smart-card authentication, it is pertinent to address the SSL certificates of the server components of the architecture. You can replace the default server certificates before or after enabling smart-card authentication, but it is recommended that you make the two changes separately and validate the configuration after each one before starting the other, so that a failure can be attributed to one change. Refer to pp. 75-80 of the View 4.5 Installation Guide for detailed procedures. [2]

These assumptions are addressed in other sources and are out of scope for this guide.

Limitations

Be aware of the following limitations:

- Several versions of CAC and PIV credentials exist that vary in memory size and card type. Currently, T0 and T1 cards are in circulation. T1 cards require upgrades to View 4.6 and to PCoIP firmware v3.4 (if the environment uses zero clients).
- The VMware View Client for Mac OS X does not support smart-card authentication.
- When using smart-card authentication, users must log off before switching to a different display protocol.
- Checking the Log In As Current User option in the VMware View Client causes the user to be prompted for the smart-card PIN a second time when connecting to Windows.
- If the Smart Card Authentication setting is Optional, Local Mode users must still use smart-card authentication to access their desktops for the checkout operation.
- HP's RGS protocol is not supported with smart-card authentication.

Process for Configuring VMware View

The high-level process for configuring VMware View is:

1. Prepare the parent image for smart-card authentication.
2. Configure Smart Card Authentication on each VMware View Connection Server.
3. Ensure that access endpoints running the VMware View Client software have the card vendor's Cryptographic Service Provider (CSP) software installed.

Detailed instructions for these procedures follow.

Configure the Parent Image for Smart-Card Authentication

Refer to Chapter 4 of the VMware View 4.5 Administrator's Guide for detailed instructions on preparing a virtual-machine image for use in VMware View. [3] To ensure a successful implementation, it is critical that you install several components in the correct order during this process:

1. Install VMware Tools.
2. Install VMware View Agent with the custom PCoIP Smartcard Enabled setup option.
3. Install the .NET Framework. (It is considered a best practice to install it after installing the View Agent, to prevent application-specific graphics settings from being modified during the View Agent installation.)
4. Install the ActivIdentity ActivClient software.

Configure VMware View Connection Servers

The procedures for configuring the Connection Servers (including Security Servers) comprise three main activities:

- Importing the CA certificates into a truststore
- Enabling the Smart Card Authentication setting
- Configuring certificate revocation checking

Detailed instructions are included in the View Manager Administration Guide, in the sections entitled Creating a Truststore and Enable Smart Card Authentication in the Server. [4]

Import the Certificates to the Truststore

You must obtain the root and intermediate certificate authority (CA) certificates for every issuer whose users you want to access the environment. They can be obtained from the CA or exported from the chain of a user certificate. Verify the fingerprint of each CA certificate against the value published by the CA (for DoD certificates, the DoD PKE site) before trusting it; a truststore is only as trustworthy as the least-verified certificate in it.

You must ensure that the system path includes the location of the key-management utility, keytool. The procedure is on page 76 of the VMware View 4.5 Installation Guide: go to Environment Variables, then System variables, and edit Path to include C:\Program Files\VMware\VMware View\Server\jre\bin\.

Next, add each certificate to a truststore file using the keytool utility, with the following syntax:

keytool -import -alias alias -file root_certificate -keystore truststorefile.key

In this command:

- alias is a unique, case-insensitive name for the new entry in the truststore file.
- root_certificate is the root or intermediate certificate that you obtained or exported.
- truststorefile.key is the name of the truststore file to which you are adding the certificate. If the file does not exist, it is created in the current directory, and keytool prompts you to set a keystore password. keytool also asks whether to trust the certificate before storing it; this is the point at which to compare the fingerprint it displays with the published one.

Repeat this process for all root and intermediate certificates. Then copy the truststore file to the Connection Server at C:\Program Files\VMware\VMware View\Server\sslgateway\conf\.

Next, edit or create a file called locked.properties in that same folder and set three parameters:

trustKeyfile=truststorefile.key
trustStoretype=JKS
useCertAuth=true

Property names are case-sensitive, so spell them exactly as shown. Note: If you have already replaced the default server certificates, locked.properties already exists, and you can simply edit the existing file. Copy the truststore and locked.properties files to the same folder on each of the other Connection Servers you wish to use for smart-card authentication.
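The truststore procedure above, gathered into one script as an added example that is not part of the VMware paper: it imports every .cer file in a folder into a working copy of the truststore with the keytool command just described, skipping aliases that are already present (so the same script serves the Add New Certificate Authorities step later in this paper), writes or updates locked.properties without disturbing keys left behind by a server-certificate replacement, copies both files into the conf folder and restarts the Connection Server service. The certificate folder, the truststore name, the keystore password and the use of -noprompt are assumptions made for the example; keytool must already be on the PATH, and -noprompt is only appropriate because the fingerprints are assumed to have been verified beforehand.

```powershell
# Added example, not from the VMware paper. Assumes keytool is on the PATH and that
# the .cer files in $CertFolder have already had their fingerprints verified.
$CertFolder = 'C:\PKI\DoD-CAs'             # assumption: folder of CA .cer files
$TrustStore = 'C:\PKI\truststorefile.key'  # assumption: working copy, not the live file
$StorePass  = 'changeit'                   # assumption: keytool requires a store password
$ConfFolder = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf'

function Get-TruststoreAliases {
    param([string]$Path, [string]$Password)
    if (-not (Test-Path $Path)) { return @() }
    # keytool -list prints one "alias, date, trustedCertEntry," line per entry
    & keytool -list -keystore $Path -storepass $Password 2>$null |
        Where-Object { $_ -match ',\s*trustedCertEntry' } |
        ForEach-Object { ($_ -split ',')[0].Trim().ToLower() }
}

function Import-CaCertificates {
    param([string]$Folder, [string]$Store, [string]$Password)
    $existing = @(Get-TruststoreAliases -Path $Store -Password $Password)
    foreach ($cer in Get-ChildItem -Path $Folder -Filter *.cer) {
        # Alias = lowercased file name; keytool aliases are case-insensitive and an
        # import into an alias that already exists fails, so skip known ones.
        $alias = $cer.BaseName.ToLower() -replace '[^a-z0-9._-]', '_'
        if ($existing -contains $alias) {
            Write-Host "skip   $alias (already in truststore)"
            continue
        }
        # -noprompt answers the "Trust this certificate?" question; only acceptable
        # because the fingerprints were checked before the files reached this folder.
        & keytool -import -noprompt -alias $alias -file $cer.FullName `
            -keystore $Store -storepass $Password | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "keytool failed importing $($cer.Name)" }
        Write-Host "import $alias"
        $existing += $alias
    }
}

function Set-LockedProperty {
    # Edit or create locked.properties, keeping any keys already present
    # (for example from an earlier server-certificate replacement).
    param([string]$Path, [hashtable]$Values)
    $lines = @()
    if (Test-Path $Path) { $lines = @(Get-Content $Path) }
    foreach ($key in $Values.Keys) {
        $pattern = '^\s*' + [regex]::Escape($key) + '\s*='
        $lines = @($lines | Where-Object { $_ -notmatch $pattern })
        $lines += "$key=$($Values[$key])"
    }
    Set-Content -Path $Path -Value $lines -Encoding Ascii
}

Import-CaCertificates -Folder $CertFolder -Store $TrustStore -Password $StorePass
Copy-Item -Path $TrustStore -Destination $ConfFolder -Force
Set-LockedProperty -Path (Join-Path $ConfFolder 'locked.properties') -Values @{
    trustKeyfile   = (Split-Path $TrustStore -Leaf)
    trustStoretype = 'JKS'
    useCertAuth    = 'true'
}
# Settings are read at service start. Skip this if revocation checking is configured next.
Restart-Service -DisplayName 'VMware View Connection Server'
```

Run the script on one Connection Server, then copy the resulting truststore and locked.properties to the conf folder of each other Connection Server and restart its service. For a later CA addition, drop the new .cer file into the folder and run the script again; existing entries are left untouched.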

Enable Smart-Card Settings in View Administrator

Go to Global Settings and verify that the Require SSL for Client Connections and View Administrator setting is selected. Then configure each Connection Server for smart-card authentication. For Security Servers, no additional action is required once the previous steps are completed. For standard Connection Servers, edit each server's Configuration page, select the Authentication tab and set Smart Card Authentication to Required. (Federal mandates prohibit access to these systems with username-and-password Active Directory authentication alone, which is what the Optional setting would still permit.)

Next, set the Smart Card Removal Policy either to disconnect users from View upon card removal or to leave them connected. The best practice is to disconnect user sessions upon smart-card removal. However, be aware that if pools are set to log off on disconnect, users will be logged off each time the smart card is removed. It is also considered a best practice to use group policy (the Windows security option Interactive logon: Smart card removal behavior) to lock the virtual desktops upon smart-card removal, to prevent compromise of an unlocked console session. Note: The Smart Card Removal Policy does not apply to users who authenticate to View using the Log In as Current User check box in the View Client.

The final step is to restart the View Connection Server service. You can omit this step now if you are going to configure certificate revocation checking in View next.

Configure Smart-Card Certificate Revocation Checking

Some organizations leverage the Tumbleweed tool to do revocation checking. If you use Tumbleweed, refer to the manufacturer's documentation for configuration information. Refer to the Certificate Revocation Checking Using OCSP and CRL in View 4.5/4.6 technical paper for a thorough explanation of certificate revocation checking and how it is accomplished in View. [5] The detailed procedures for configuring revocation checking in View begin on page 127 of the VMware View 4.5 Administrator's Guide.

You configure Online Certificate Status Protocol (OCSP) checking, with Certificate Revocation List (CRL) checking as a fallback, for CAC or PIV by adding the following lines to the locked.properties file:

enableRevocationChecking=true
enableOCSP=true
allowCertCRLs=true
ocspSigningCert=va.cer
ocspURL=http://<servername>

You obtain the OCSP signing certificate (ocspSigningCert) by browsing to the Web site of the local OCSP responder, saving the certificate in .cer format and placing it in the conf folder. View uses this certificate to verify the signature on the responder's OCSP responses before accepting the status they report for the user's CAC certificate; plain HTTP is normal for OCSP because the signed response, not the transport, is what protects the answer, which is why the signing certificate must itself come from a trusted source. The final step is to restart the View Connection Server service.

Add New Certificate Authorities

New CAs come online periodically and should be added to the truststore at your earliest convenience. Numerous sites make this information available; a number of them, including the DoD PKE site (http://iase.disa.mil/pki-pke/), are listed at http://militarycac.com/dodcerts.htm. You can add new CAs to the truststore by making a copy of the truststore file and running the keytool import command described earlier against the copy. Do this for each new CA, and be sure to use a unique alias so that the import does not collide with an existing entry. When done, overwrite the truststore file in the conf folder and restart the View Connection Server service.

Configure Endpoints

Zero clients are configured completely for smart-card authentication out of the box, in the firmware on the PCoIP chip. For Linux-based thin clients, refer to the blog post entitled Setting up CAC or Smartcard for use with an HP Thin Client. [6] See the Google Code site's VMware View Open Client page for instructions on configuring Open Client for Linux endpoints. [7]

The remaining clients are Windows-based: either a thin client with an embedded Windows OS or a full version of Windows XP, Vista or 7. The only configuration necessary for these clients is to keep users away from the Log In as Current User option, which (as noted above) is exempt from the Smart Card Removal Policy and causes a second PIN prompt. Set LoginAsCurrentUser_Default = 0 in HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Client\Security\ so that the check box is cleared by default. It is also advisable to prevent users from selecting the check box at all, by setting LoginAsCurrentUser_Display = 0 in the same registry key.

Troubleshooting

Few CAC and PIV troubleshooting practices are unique to VMware View. Your general troubleshooting steps are the same as with physical desktops, but the location where you validate or change the settings might differ because of the additional authentication that occurs against the View environment. The following list recommends some first steps to consider when authentication to your virtual desktops is not working properly:

- Check the documentation provided by your smart-card vendor to confirm that the smart-card software and hardware have been configured correctly.
- Verify that the smart-card reader has been updated to the latest firmware available from the manufacturer. This ensures maximum compatibility with new card types.
- Verify that the zero client has been updated to the latest firmware, for the same reason.
- If using a Windows client, go to Start > Settings > Control Panel > Internet Options > Content > Certificates > Personal to verify that certificates are available for smart-card authentication.
- If smart-card users use the PCoIP protocol to connect to View desktops, verify that the View Agent PCoIP Smartcard subfeature is installed on the desktop sources.
- Verify that all DoD CA certificates are included in the truststore file.
- Confirm that the locked.properties file is located in C:\Program Files\VMware\VMware View\Server\sslgateway\conf\.
- Verify that the useCertAuth property in the locked.properties file is set to true. The useCertAuth property is commonly misspelled as usercertauth.
- If you configured smart-card authentication on a View Connection Server instance, check the Smart Card Authentication setting in View Administrator: select View Configuration > Servers, select the View Connection Server instance and click Edit. On the Authentication tab, verify that Smart Card Authentication is set to either Optional or Required.
- You must restart the View Connection Server service for changes to the smart-card settings to take effect.
- If the user's domain is different from the domain the root certificate was issued from, verify that the user's User Principal Name (UPN) is set to the Subject Alternative Name (SAN) contained in the root certificate of the trusted CA. Find the SAN by viewing the certificate properties. On your Active Directory server, select Start > Administrative Tools > Active Directory Users and Computers, right-click the user in the Users folder and select Properties. The UPN appears in the User logon name text boxes on the Account tab.
- Check the log files in C:\Documents and Settings\All Users\Application Data\VMware\VDM\logs (C:\ProgramData\VMware\VDM\logs on Windows Server 2008) on the View Connection Server or Security Server host for messages stating that smart-card authentication is enabled.
- Validate that the WdfCoInstaller files are properly matched. A mismatch can occur if Windows Update was disabled during the View Agent installation. More details are available in Microsoft Knowledge Base article 2494168. [8]
- If you are having problems with PIV-II CACs, validate that you have installed ActivClient Hot Fix FIXS1101013.msp.
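The checks above that concern locked.properties, together with the revocation-checking settings from the previous section, gathered into a script as an added example that is not from the VMware paper: it parses the file, reports settings that are missing, mis-cased or misspelled (including the usercertauth typo), confirms that the truststore and OCSP signing certificate files it names are present in the conf folder, and surfaces recent log lines that mention smart cards. The conf and log paths are the defaults named in this paper; the log-file filter and the search pattern are assumptions, since the paper does not quote the exact log message, and the Smart Card Authentication setting itself still has to be checked in View Administrator as described above.

```powershell
# Added example, not from the VMware paper. Checks a Connection Server's
# locked.properties against the troubleshooting list; paths are the paper's defaults.
$ConfFolder = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf'
$LogFolder  = 'C:\ProgramData\VMware\VDM\logs'   # Windows Server 2008 location

function Read-Properties {
    # Minimal Java .properties reader: key=value lines, '#' or '!' comments.
    param([string]$Path)
    $props = @{}
    foreach ($line in Get-Content $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
        $kv = $t -split '=', 2
        if ($kv.Count -eq 2) { $props[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return $props
}

function Find-Key {
    # Java properties are case-sensitive; return the key as actually written so that
    # a wrongly cased name can be reported instead of silently accepted.
    param([hashtable]$Props, [string]$Name)
    foreach ($k in $Props.Keys) { if ($k -ieq $Name) { return $k } }
    return $null
}

function Test-SmartCardProperties {
    param([hashtable]$Props, [string]$Conf)
    $findings = New-Object System.Collections.ArrayList

    function Check([string]$Name, [string]$Expect, [switch]$IsFile) {
        $key = Find-Key -Props $Props -Name $Name
        if (-not $key) { [void]$findings.Add("FAIL $Name is missing"); return }
        if ($key -cne $Name) { [void]$findings.Add("WARN '$key' is documented as '$Name'") }
        $val = $Props[$key]
        if ($Expect -and $val -ine $Expect) { [void]$findings.Add("FAIL $Name=$val (expected $Expect)") }
        if ($IsFile -and -not (Test-Path (Join-Path $Conf $val))) {
            [void]$findings.Add("FAIL $Name names '$val', which is not in $Conf")
        }
    }

    # The typo called out in the troubleshooting list.
    if (Find-Key -Props $Props -Name 'usercertauth') {
        [void]$findings.Add("FAIL 'usercertauth' is a misspelling of useCertAuth")
    }
    Check 'useCertAuth'    'true'
    Check 'trustStoretype' 'JKS'
    Check 'trustKeyfile'   ''  -IsFile

    # Revocation checking is optional; if OCSP is on, it needs a URL and the signing cert.
    $rev = Find-Key -Props $Props -Name 'enableRevocationChecking'
    if ($rev -and $Props[$rev] -ieq 'true') {
        $ocsp = Find-Key -Props $Props -Name 'enableOCSP'
        if ($ocsp -and $Props[$ocsp] -ieq 'true') {
            Check 'ocspURL'         ''
            Check 'ocspSigningCert' ''  -IsFile
        }
        elseif (-not (Find-Key -Props $Props -Name 'allowCertCRLs')) {
            [void]$findings.Add('WARN revocation checking is on but neither OCSP nor CRLs are enabled')
        }
    }
    if ($findings.Count -eq 0) { [void]$findings.Add('OK   locked.properties looks complete') }
    return $findings
}

$propsPath = Join-Path $ConfFolder 'locked.properties'
if (-not (Test-Path $propsPath)) { throw "locked.properties not found in $ConfFolder" }
Test-SmartCardProperties -Props (Read-Properties $propsPath) -Conf $ConfFolder

# The paper says to look in the VDM logs for the smart-card-enabled message but does not
# quote it, so this just shows recent lines from the newest log that mention smart cards.
Get-ChildItem $LogFolder -Filter '*.txt' | Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 | Select-String -Pattern 'smart ?card' | Select-Object -Last 5
```

Run it on each Connection Server after editing locked.properties and before restarting the service; a FAIL line means the service restart will not give you working smart-card authentication, and a WARN line about casing is worth fixing because a wrongly cased key is simply ignored.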

References

[1] Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors (OMB Memorandum M-11-11): http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf
[2] VMware View Installation Guide: http://www.vmware.com/support/pubs/view_pubs.html
[3] VMware View Administrator's Guide: http://www.vmware.com/support/pubs/view_pubs.html
[4] View Manager Administration Guide: http://www.vmware.com/support/pubs/view_pubs.html
[5] Certificate Revocation Checking Using OCSP and CRL in View 4.5/4.6: http://www.vmware.com/files/pdf/techpaper/certificate-revocation-Checking-OCSP-CRL-View45-WP.pdf
[6] Setting up CAC or Smartcard for use with an HP Thin Client: http://blogs.vmware.com/view/2009/03/setting-up-cac-or-smartcard-for-use-with-anhp-thin-client.html
[7] VMware View Open Client: http://code.google.com/p/vmware-view-open-client/wiki/smartcardlinux
[8] Deployment may fail when an injected driver requires an update to the Kernel Mode Driver Framework (KMDF) or User Mode Driver Framework (UMDF) during deployment (Microsoft Knowledge Base article 2494168): http://support.microsoft.com/kb/2494168

Other Resources

- VMware View Architecture Planning Guide: http://www.vmware.com/support/pubs/view_pubs.html
- Smart Card Certificate Authentication with VMware View 4.5/4.6: http://www.vmware.com/files/pdf/vmware-View-SmartCardAuthentication-WP-EN.pdf
- Certificate enrollment using smart cards (Microsoft Knowledge Base article 257480): http://support.microsoft.com/kb/257480

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-TECH-WP-CAC-USLET-101