4 Replies Latest reply on Feb 8, 2019 3:57 PM by techguy129

    SSO breaks on linux desktop pools

    pariseeurosystem Lurker



I have set up Horizon View with 2 Desktop Pools, one is a CentOS 7 pool and the other one an Ubuntu 18.04 pool.

I have already made a script that, at machine startup, joins every machine to the domain and enables sssd for authentication with the AD domain. It works smoothly on both distros.

SSO was not working on CentOS 7 from the beginning.

On the other hand, on Ubuntu 18.04 it was working, but after an apt update and an apt upgrade SSO broke.

I can find in viewagent-debug.log entries like


      "Start session for user: mattia.parise, have SSO cred: false"

      "[SessionHandler] SSO is disabled by broker"


What could be the cause?

      Any best practice to make SSO work Windows-like?

The documentation is lacking on normal SSO and every time refers to the TrueSSO feature, which I'm not interested in at the moment.

      Many thanks

      Best regards

      Mattia Parise

        • 1. Re: SSO breaks on linux desktop pools
          techguy129 Expert

          Have you seen this in the release notes?


          Single Sign On (SSO) does not work well on a RHEL/CentOS 7.2 desktop when you add a domain using System Security Services Daemon (SSSD).

          Workaround: After you add a domain using SSSD, modify the /etc/pam.d/password-auth file using the information in the VMware Knowledge Base article 2150330 SSO configuration changes required when using SSSD to join AD on RHEL/CentOS 7.2 Desktops.





          Release Notes for VMware Horizon 7 version 7.7

          • 2. Re: SSO breaks on linux desktop pools
            pariseeurosystem Lurker

Hello, thanks for the answer! I did not find that, but I will check it out. Thank you very much, I must have missed that!





            • 3. Re: SSO breaks on linux desktop pools
              pariseeurosystem Lurker


I would like to focus on CentOS at the moment...

In my CentOS 7 version these lines were already set.
There were, by the way, other lines: this is the content of the file:


              auth        required      pam_env.so
              auth        required      pam_faildelay.so delay=2000000
              auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
              auth        [default=1 ignore=ignore success=ok] pam_localuser.so
              auth        sufficient    pam_unix.so nullok try_first_pass
              auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
              auth        sufficient    pam_sss.so forward_pass
              auth        required      pam_deny.so

              account     required      pam_unix.so
              account     sufficient    pam_localuser.so
              account     sufficient    pam_succeed_if.so uid < 1000 quiet
              account     [default=bad success=ok user_unknown=ignore] pam_sss.so
              account     required      pam_permit.so

              password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
              password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
              password    sufficient    pam_sss.so use_authtok

              password    required      pam_deny.so

              session     optional      pam_keyinit.so revoke
              session     required      pam_limits.so
              -session     optional       pam_systemd.so
              session     optional      pam_oddjob_mkhomedir.so umask=0077
              session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
              session     required      pam_unix.so
              session     optional      pam_sss.so


              And it's not working.
              Any suggestions?



              • 4. Re: SSO breaks on linux desktop pools
                techguy129 Expert

                This line:

                auth sufficient pam_sss.so forward_pass



                Should be this line:

                auth sufficient pam_sss.so use_first_pass
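As an added example (not code from the thread or from VMware), the following POSIX shell snippet reports which password-passing option the auth-stack pam_sss.so line of a PAM service file carries and rewrites forward_pass to use_first_pass as techguy129 suggests, leaving the account, password and session stacks untouched. It is exercised on a constructed copy of the posted stack rather than the live /etc/pam.d/password-auth; the function names and the sample file are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from VMware. Works on a copy of a PAM
# service file such as /etc/pam.d/password-auth; needs only POSIX sh, awk and sed.

# Constructed sample: an abbreviated auth stack with the pam_sss.so line the
# thread is about, plus a few non-auth lines that must remain untouched.
make_sample_password_auth() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
session     optional      pam_sss.so
EOF
}

# Print the password-passing option on the first "auth ... pam_sss.so" line:
# forward_pass, use_first_pass or try_first_pass; "none" if the line sets no such
# option and "absent" if the auth stack does not call pam_sss.so at all.
pam_sss_auth_option() {
    awk '$1 == "auth" {
        for (i = 2; i <= NF; i++) {
            if ($i != "pam_sss.so") continue
            opt = "none"
            for (j = i + 1; j <= NF; j++)
                if ($j ~ /^(forward_pass|use_first_pass|try_first_pass)$/) opt = $j
            print opt; found = 1; exit
        }
    }
    END { if (!found) print "absent" }' "$1"
}

# Rewrite forward_pass to use_first_pass on auth lines that call pam_sss.so only.
# The original is kept as FILE.bak; every other line is copied through unchanged.
fix_pam_sss_auth_line() {
    cp -p "$1" "$1.bak" &&
    sed '/^auth[[:space:]].*pam_sss\.so/ s/forward_pass/use_first_pass/' "$1.bak" > "$1"
}

# Stand-alone demonstration on a temporary copy of the constructed sample.
demo=$(mktemp)
make_sample_password_auth "$demo"
echo "before: $(pam_sss_auth_option "$demo")"   # forward_pass
fix_pam_sss_auth_line "$demo"
echo "after:  $(pam_sss_auth_option "$demo")"   # use_first_pass
rm -f "$demo" "$demo.bak"
```

Run the check against a copy of the real file first and compare it with its .bak before replacing the live configuration.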