Re: client authentication in VMware View 3.1.1

pburgess · ‎09-21-2009

We're currently looking at a method for client authentication for our VMware View 3.1.1 installation.

We don't want to use Smart Cards

I've read the Smart Card and Certificate Authentication in VMware View technical resource from VMware and it would suggest that it's possible to use certificate stored in the local machine. On Page 5 it says

Store Certificate in Local Systems

Installing a certificate on your local machine is much easier than using a smart card, but it is less secure. Follow

the same steps as those in "Microsoft Certificate Enrollment" on page 3 by accessing

serveripadress>/certsrv and request a certificate. When you finish, click Install this certificate. The

certificate is installed on your computer, and you can see it by going to Start > Settings > Control Panel >

Internet Options > Content > Certificates and looking under the Personal tab.

Certificate Authentication Behavior in the View Client for Windows

The default behavior for View Client 3.x for Windows is to use the first valid certificate on the computer

without prompting, even if there are multiple valid certificates. To configure View Client for Windows to

prompt the user to select a certificate, you must set the ShowCertificateSelectDialog group policy object

to true. However, if you make this change, Windows prompts the user to select a certificate even if there is

only one available on the computer.

Can anyone confirm whether this is possible?

pburgess · ‎09-22-2009

Hi

This has been up day and I have had no response the requirment we are trying to meet for our customer is to setup mutal Authentication between the Security Server (or Broker) and the client workstations accessing them to gain access to a secure VDI environment.

Thanks in advance

Smeagol · ‎09-22-2009

Have you openned a call with vmware support

pburgess · ‎09-22-2009

We have opened a call with VMware, but it is taking some time for them to come back to us

TShoun · ‎09-22-2009

I can confirm that this IS infact possible. You obviously have to have a server which you can install certifiate services on (free add-in in Microsoft's Server Products) and AD. Once installed and the root certifcate for the server has been created, it is a good idea to create a GPO to add the server's certificate to the Trusted Root Authorities container throughout the domain. This ensures that the certificates generated will be trusted. You will then want to follow the steps in the Admin guide to created and implement a certificate for the View Manager and vCenter servers (you will most likely have to modify these steps slightly). Note that to generate certifcates using the web interface you would go to . Another important point to mention is that is you are going to be installing cert services on a 2003 server, and making certificates for Vista or Win 7 clients, you will need to upgrade the cert services, as these OS's handle the process differnetly. If you are using server 2008 this is not nessesary. Read the KB article at All that you have to do then is confirgure the View Manager use certificates for auth, as out lined in the Admin guide.

pburgess · ‎09-23-2009

Thanks TShoun

We followed the Admin guide but it didn't work, we will try again

pburgess · ‎09-23-2009

HI

We created certificates for the broker and security server (Web Server Certificate template) using the key tool command in the admin guide on page 90 onwards. We verified the certificates in the browser

On the client workstation we created a computer certificate and saved the root ca certificate.

Within View Manager, Servers, View Servers changed the Smart Card Authentication to Required.

Is there something were missing?

TShoun · ‎09-23-2009

What exactly is happening, is it failing to connect altogether becuase of authentication, or is it connecting, but not requiring the certificate to do so?

pburgess · ‎09-23-2009

HI TShoun

Thanks for getting back to me, the message we get is "Samrt Card or Certificate Authentication is Required" but we have out the certificate everywhere the Admin Guide says to.

grossag · ‎09-25-2009

I think the probable explanation is that you missed a step in configuring the View Connection Server to enable certificate authentication. You said you created a truststore, but did you create a locked.properties file that says "useCertAuth=true" in addition to the other entries it recommends?