We're currently looking at a method for client authentication for our VMware View 3.1.1 installation.
We don't want to use Smart Cards.
I've read the Smart Card and Certificate Authentication in VMware View technical resource from VMware and it would suggest that it's possible to use a certificate stored in the local machine. On Page 5 it says:
Store Certificate in Local Systems
Installing a certificate on your local machine is much easier than using a smart card, but it is less secure. Follow the same steps as those in "Microsoft Certificate Enrollment" on page 3 by accessing serveripadress>/certsrv and request a certificate. When you finish, click Install this certificate. The certificate is installed on your computer, and you can see it by going to Start > Settings > Control Panel > Internet Options > Content > Certificates and looking under the Personal tab.
Certificate Authentication Behavior in the View Client for Windows
The default behavior for View Client 3.x for Windows is to use the first valid certificate on the computer without prompting, even if there are multiple valid certificates. To configure View Client for Windows to prompt the user to select a certificate, you must set the ShowCertificateSelectDialog group policy object to true. However, if you make this change, Windows prompts the user to select a certificate even if there is only one available on the computer.
Can anyone confirm whether this is possible?
Hi
This has been up a day and I have had no response. The requirement we are trying to meet for our customer is to set up mutual authentication between the Security Server (or Broker) and the client workstations accessing them to gain access to a secure VDI environment.
Thanks in advance
Have you opened a call with VMware support?
We have opened a call with VMware, but it is taking some time for them to come back to us
I can confirm that this IS in fact possible. You obviously have to have a server which you can install certificate services on (free add-in in Microsoft's Server Products) and AD. Once installed and the root certificate for the server has been created, it is a good idea to create a GPO to add the server's certificate to the Trusted Root Authorities container throughout the domain. This ensures that the certificates generated will be trusted. You will then want to follow the steps in the Admin guide to create and implement a certificate for the View Manager and vCenter servers (you will most likely have to modify these steps slightly). Note that to generate certificates using the web interface you would go to . Another important point to mention is that if you are going to be installing cert services on a 2003 server, and making certificates for Vista or Win 7 clients, you will need to upgrade the cert services, as these OSes handle the process differently. If you are using Server 2008 this is not necessary. Read the KB article at . All that you have to do then is configure the View Manager to use certificates for auth, as outlined in the Admin guide.
Thanks TShoun
We followed the Admin guide but it didn't work, we will try again
Hi
We created certificates for the broker and security server (Web Server Certificate template) using the keytool command in the admin guide on page 90 onwards. We verified the certificates in the browser.
On the client workstation we created a computer certificate and saved the root ca certificate.
Within View Manager, Servers, View Servers changed the Smart Card Authentication to Required.
Is there something we're missing?
What exactly is happening, is it failing to connect altogether because of authentication, or is it connecting, but not requiring the certificate to do so?
Hi TShoun
Thanks for getting back to me, the message we get is "Smart Card or Certificate Authentication is Required" but we have put the certificate everywhere the Admin Guide says to.
I think the probable explanation is that you missed a step in configuring the View Connection Server to enable certificate authentication. You said you created a truststore, but did you create a locked.properties file that says "useCertAuth=true" in addition to the other entries it recommends?
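A check for the setting named in the last reply, as an added example that is not part of the thread or of VMware's tooling: it reads the text of a locked.properties file and reports why useCertAuth=true might not be taking effect. It assumes standard Java .properties parsing (case-sensitive keys, trailing whitespace kept in values, last duplicate wins); the function names and sample contents are constructed.

```python
import re

KEY = "useCertAuth"  # setting quoted in the reply above

def parse_properties(text):
    """Minimal Java .properties reader (assumed semantics): comment lines
    start with # or !, the last duplicate key wins, and trailing
    whitespace in a value is kept, as java.util.Properties does."""
    props = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_cert_auth(text):
    """Return a list of findings; an empty list means useCertAuth=true is set."""
    props = parse_properties(text)
    if KEY in props:
        value = props[KEY]
        if value == "true":
            return []
        if value.strip().lower() == "true":
            return [f"{KEY} is {value!r}: differs from the literal 'true' "
                    "(letter case or trailing whitespace)"]
        return [f"{KEY} is {value!r}, expected 'true'"]
    near = [k for k in props if k.lower() == KEY.lower()]
    if near:
        return [f"key spelled {near[0]!r}; expected {KEY!r}"]
    if re.search(r"^\s*[#!].*usecertauth", text, re.I | re.M):
        return [f"{KEY} is present only in a commented-out line"]
    return [f"{KEY} is not set"]

# Constructed sample contents; placeholderOtherEntry stands in for the other
# entries the Admin guide recommends, which the thread does not list.
SAMPLE = """\
# locked.properties (constructed sample)
placeholderOtherEntry=value
#useCertAuth=true
"""

if __name__ == "__main__":
    for finding in check_cert_auth(SAMPLE) or ["useCertAuth=true is set"]:
        print(finding)
```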