This section describes how to integrate VMware Horizon with RSA Cloud Authentication Service using RADIUS.
To configure RADIUS for Cloud Authentication Service for use with a RADIUS client, you must first configure a RADIUS client in the RSA SecurID Access Console.
Sign into the RSA Cloud Administrative Console and browse to Authentication Clients > RADIUS > Add RADIUS Client and enter the Name, IP Address and Shared Secret.
Perform these steps in this section to configure VMware Horizon as a RADIUS client to RSA Cloud Authentication Service.
Before You Begin
This section provides instructions for configuring the VMware Horizon with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.
All VMware Horizon components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.
VMware Horizon is normally implemented on multiple servers to provide high availability and to meet scalability requirements. Each VMware Horizon server can be individually configured for RSA SecurID authentication. If RSA SecurID is not enabled, the user is authenticated using just Microsoft Active Directory credentials (username, password, and domain name).
If RSA SecurID is enabled on a VMware Horizon server, then users of the server are first required to supply their RSA SecurID username and passcode. If they are not authenticated at this level, access is denied. If they are correctly authenticated with RSA SecurID, they continue as normal and are then required to enter their Active Directory credentials.
It is possible in a multi-server VMware Horizon deployment to have some servers enabled for RSA SecurID authentication and to have others disabled. This scenario can be used to force RSA SecurID authentication for users accessing the VMware Horizon environment remotely over the Internet.
The following steps to configure each VMware Horizon server for RSA SecurID, RADIUS and SecurID Access authentication are carried out using VMware Horizon Console.
1. Log into the VMware Horizon Console using an administrator username and password.
2. From the VMware Horizon Console, expand the Settings and select Servers. Locate the list of Horizon Connection Servers on the right hand page, select the appropriate Connnection Server and click Edit.
3. Within the Edit View Connection Server Settings window locate and select the Authentication tab.
4. Under Advanced Authentication section, select RADIUS for the 2-factor authentication setting.
5. Under Advanced Authentication, use the Select Authenticator pulldown to select Create New Authenticator and configure the new RADIUS Host.
6. In the Add RADIUS Authenticator window, provide an Authenticator Name, Description, Username Label and Passcode Label of the RADIUS Host.
7. On Primary Authentication Server page, provide Hostname/Address, Authentication Port, Accounting Port, Authentication Type, Shared Secret and other necessary fields. Click Next.
8. Continue with step 9 only if a secondary RADIUS Authenticator exists, otherwise skip to step 10.
9. Check the Use a secondary server if primary is unavailable and enter the details of the secondary RADIUS Host.
10. Select Finish.
11. Click OK button on Manage Authenticators.
12. From Authenticator drop-down menu, select the authenticator just added. Click OK.
Note: There is no need to restart VMware Horizon View after making these configuration changes.
Configuration is complete.
This section provides details about the end user interface for VMware Horizon HTML Access when configured for RSA SecurID authentication. This section shows dialogs from the VMware Horizon HTML Access, which is a browser based client for VMware Horizon.
When a user connects to VMware Horizon HTML Access, which is enabled for RSA SecurID authentication, the user is presented with a specific VMware Horizon HTML Access RSA SecurID login prompt as shown below.
Users enter their RSA SecurID username (which may be the same as their Active Directory username). Users enter their passcode and click Log In. An RSA SecurID passcode is normally made up of a PIN followed by a tokencode.
If the users are required to enter a new RSA SecurID PIN after entering their RSA SecurID username and passcode, they are presented with a new PIN prompt. Users choose a new PIN and click OK. After users set a new PIN, they are prompted to re-enter the next tokencode.
System generated PINs are also supported. If the RSA Authentication Manager is set up to use system generated PINs, users are presented with a new PIN when they first log in.
If the RSA SecurID credentials are correct as validated against RSA Authentication Manager, the user then gets a second VMware Horizon HTML Access prompt to enter their Microsoft Active Directory credentials.
Login screen (Suite/Access):
User-defined New PIN (Suite/Access):
Next Tokencode (Suite/Access):
For additional integrations, see "Configuration Summary" section.