In our last article, we talked about setting up two-factor authentication in VMware Horizon View based on a PKI infrastructure and X.509 certificates. Today we will look at another form of 2FA: one-time passwords (OTP). PKI is probably more reliable, but in an age of universal mobility and BYOD, when users need to reach information resources from any device, including mobile ones, PKI is not always convenient and is sometimes impossible. This is why one-time password (OTP) authentication is gaining popularity.
The OTP implementation in our example is based on our company's product, an authentication server: JaCarta Authentication Server (JAS). The authenticator (the means of generating the OTP) can be:
- a software token (Google Authenticator for smartphones running iOS, Android or Windows);
- a physical token with a USB port (JaCarta WebPass, YubiKey and others);
- a physical token without a USB port (eToken Pass and others).
The following OTP generation algorithms are supported:
- RFC 4226 + HMAC-SHA-1 (6 characters);
- RFC 4226 + HMAC-SHA-256 (6 characters);
- RFC 4226 + HMAC-SHA-256 (7 characters);
- RFC 4226 + HMAC-SHA-256 (8 characters).
It is also possible to connect an SMS gateway and receive one-time passwords as SMS messages.
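As an added illustration of the RFC 4226 algorithms listed above (example code, not code from JAS or from the original article), here is a minimal HOTP generator parameterised by hash algorithm and digit count, plus the look-ahead verification an authentication server has to perform so that a token pressed without a login attempt does not lock the user out and a used code cannot be replayed. The secrets and counters used for checking are the published RFC 4226 and RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(K, C) -> dynamic truncation -> decimal code of `digits` length.

    `algorithm` is any hashlib name; the variants on this page are sha1 and sha256.
    """
    # The counter is an 8-byte big-endian value (RFC 4226, section 5.1).
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algorithm).digest()
    # Dynamic truncation (section 5.3): the low 4 bits of the last byte select an
    # offset, and the 4 bytes starting there form a 31-bit integer.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side check with a look-ahead window (RFC 4226, section 7.4).

    Hypothetical class for illustration; it models what an OTP server does with
    the per-user counter, not the JAS implementation.
    """

    def __init__(self, secret: bytes, digits: int = 6, algorithm: str = "sha1", window: int = 5):
        self.secret = secret
        self.digits = digits
        self.algorithm = algorithm
        self.window = window
        self.counter = 0  # next counter value the server expects

    def verify(self, submitted: str) -> bool:
        # Try the expected counter and up to `window` values ahead of it, so a few
        # token presses without a login do not desynchronise the user.
        for c in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, c, self.digits, self.algorithm)
            if hmac.compare_digest(expected, submitted):
                # Move past the matched value: the same code can never be accepted twice.
                self.counter = c + 1
                return True
        return False
```

Codes with fewer digits are simply the truncated value reduced modulo 10^digits, so the 6- and 7-character SHA-256 variants are the low digits of the 8-character one.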
Like last time, it is assumed that VDI has already been deployed within VMware Horizon View and configured for simple password authentication. The JAS server and its NPS plug-in are also already installed and configured, and users have been issued software or hardware tokens. For installing and configuring JAS, we have a big boring document included in the package.
Next, we show how easy it is to connect an existing JAS server to a VMware Horizon View server and implement OTP authentication.
Setup procedure
On the server where JAS and the NPS plug-in are installed, open the Network Policy Server snap-in and add a new RADIUS Client.
Set the Friendly name, the IP address of the Horizon View Connection Server and the Shared secret.
Go to the VMware View server and open the View Connection Server administration console.
Go to View Configuration -> Servers -> Connection Servers.
Select the required server and click the Edit button.
In the window that opens, go to the Authentication tab. In the Advanced Authentication section, select RADIUS from the 2-factor authentication drop-down menu.
Uncheck Enforce 2-factor and Windows user name matching.
Click the Manage Authenticators button. In the new window, click the Add button.
Fill in the fields: Label (the server name displayed to the client), Hostname / address (the address of the NPS server with the OTP plug-in) and Shared Secret. Set Authentication type to PAP.
The setup is now complete; what remains is to test it.
Testing from a laptop
Launch the VMware Horizon Client (available for Windows, Linux and macOS) and connect to the server.
After connecting to the server, a login dialog asks you to enter a username and the OTP (the Passcode field).
Open Google Authenticator to get the OTP value.
After successful OTP authentication, you will be prompted to log in with a username and password.
The OTP -> Password prompts happen in exactly this order, not the reverse. This protects the password from being guessed: an attacker cannot try passwords against the server without first presenting a valid OTP.
Testing from a mobile device
From a mobile phone everything looks similar. Below is an example on iOS (Android is also supported).
First, launch the Horizon application and connect to the server.
The server requests an OTP.
Switch to Google Authenticator and note the OTP value.
Switch back to Horizon and enter the OTP.
Next, enter the password.
Select the desired desktop or application.
That's all.