VMware True SSO

Hi,

We use Horizon View 7 with True SSO configured and ZENworks 2020 U1. The user will not be logged in and the ZAPP stays empty. When logging in after ZAPP starts, I can log in fine.

Without True SSO there was a seamless login with ZAPP.

The User Source uses Username/Password as Authentication Mechanism.

Should I configure Kerberos to get this seamless login working again?

Regards

Paul de Jongh

  • Verified Answer

    0  

    Anytime you use a 3rd Party Credential Provider one should set the following registry key: DisableZENCredentialProvider

    https://www.novell.com/documentation/zenworks-2017-update-3/zen_sys_registry_keys/data/bvj1efc.html

    Typically, this is all that is required with Horizon View Credential Providers.

    That said, I had to end up configuring Kerberos for one Horizon View Customer due to how their SSO was configured.

    With the key above configured, ZCM still does logons but is secondary, so that instead of passing the UID and Password to Windows, it accepts the UID and PWD from Windows.  If the authentication method used by the SSO is configured not to use UID/PWD to log in, or that is not what gets passed back out of Windows, then Kerberos may be required.

    As I recall, the SSO software he was using with Horizon View could be configured two ways, and the way he was doing it did not use UID/PWD, hence why Kerberos was needed.

    So it is possible that you may just need the registry key, but if that does not work you might need Kerberos depending on how Windows passes the creds back to ZCM.

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0   in reply to   

    And as I think back, I believe the issue was my customer configured their Horizon View SSO to use Kerberos instead of UID/PWD....

    Hence, there was not any UID/PWD for Windows to pass to ZENworks.  Setting it to use Kerberos worked since it did not rely upon UID/PWD.

    Quite likely it was TrueSSO, but I don't recall.


  • 0 in reply to   

    Hi Craig, thanks for the fast reply. The DisableZENCredentialProvider key did not work. Will try Kerberos next (will be onsite with the customer next Monday).

  • 0 in reply to 

    Hi Craig, Kerberos is implemented and that works! We do not need the DisableZENCredentialProvider setting.

    Thanks for the support!

  • Verified Answer

    +1   in reply to 

    Glad it is working....

    Keep in mind: there can only be a "SINGLE" Credential Provider in Windows 10.  (They can be coded to "chain", but that needs special coding for the providers, as is done between some of the MF providers such as the OES Client as well as our SSO provider.)

    So if you are intentionally using another Credential Provider, it is best to disable the ZENworks one, but it does not disable ZCM auth, as ZCM will use a Hook in that case.

    Example - When you install the OES Client on Windows 10, it is ZCM aware and explicitly disables the ZCM Credential Provider, but then calls into it directly.

    So while it is possible the True SSO provider reads the registry for others and disables them in code, it is still safer to explicitly disable the ZENworks one, to avoid issues where intermittently it does not actually get disabled, which would break the True SSO cred provider.


  • 0 in reply to   

    Will do that, thanks!

  • 0 in reply to   

    Hi Craig, are you configuring Kerberos in the VMware View/Horizon environment or in the ZENworks environment? I can't seem to find anything about configuring Horizon to use Kerberos with TrueSSO.

  • Suggested Answer

    0   in reply to 

    I can't help anyone with configuring VMware View TrueSSO, though I have assisted customers using it.  In short, I could see in our logs that Windows was not passing any credentials to us, which was because it was using Kerberos.

    See - https://blogs.vmware.com/euc/2016/03/true-sso-single-sign-on-view-identity-manager-authenticate.html

    The "normal" process when using a 3rd party Credential Provider (non ZCM/Novell/MF/OT provider) is that a ZCM registry key is set so our provider acts as a secondary and ACCEPTS the authentication from Windows to authenticate to ZCM.   Windows will normally pass a UserID and Password.

    However, in some cases Windows will not be able to pass the UID/PWD because that was not the authentication method sent to Windows.  Kerberos can be one such method.  As a result, if ZCM is configured to use UID/PWD, authentication will fail because Windows is unable to pass those items for ZCM to consume.

    In such cases, the use of KERBEROS would be required on the ZENworks Side.  When that is configured, we are able to consume the Tokens from the user session to confirm identity.

    --

    In summary, some general rules:

    #1 - If using any 3rd party Credential Provider, set DisableZENCredentialProvider (this sets ZCM auth to post-Windows-logon).

    www.novell.com/.../bvj1efc.html

    #2 - If the active Credential Provider passes UID/PWD to the Windows Credential Provider, they will be passed on and consumed by ZCM.

    #3 - If UID/PWD are not passed to Windows for auth, then ZCM will not be able to seamlessly use UID/PWD, and Kerberos should be configured, which does not rely on authentication info passed to it.


  • 0 in reply to   

    Hiya

    We just cannot get this to work. We are using Horizon v8 2309, and we have set up SSO as shown via the link below:

    Setting Up True SSO (omnissa.com)

    True SSO works fine and logs in to the desktop after the user has authenticated to Azure over SAML initially, but the Zen window remains empty as the user fails to get logged in. True SSO is passing the Windows 11 credential provider a certificate issued by our AD domain certificate authority for the user (as configured in the SSO setup document linked above).

    We have enabled Kerberos on ZENworks by following the link below:

    Authentication Mechanisms - ZENworks User Source and Authentication Reference (novell.com)

    but whenever I log in to the machine, Zen doesn't log in and pops up the login box.

    The ats.log on the primary server contains the following:

    [DEBUG] [07 Jun 2024 14:07:17,611] [https-jsse-nio-7491-exec-894] Searching the root :OU=Staff,DC=xxx,DC=mydomain,DC=ac,DC=uk
    [DEBUG] [07 Jun 2024 14:07:17,611] [https-jsse-nio-7491-exec-894] getSetting()- Setting value = /etc/CASA/authtoken/svc/iaRealms.xml
    [WARN ] [07 Jun 2024 14:07:17,645] [https-jsse-nio-7491-exec-894] invoke()- NamingException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563^@]Exception occured while adding connector specified at [XPath: /bci:realms/bci:realm[@id='xxx.mydomain.ac.uk']]
    [DEBUG] [07 Jun 2024 14:07:17,645] [https-jsse-nio-7491-exec-894] invoke()- Reason could be due to LDAP errors:[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563^@]Exception occured while adding connector specified at [XPath: /bci:realms/bci:realm[@id='xxx.mydomain.ac.uk']]
    [DEBUG] [07 Jun 2024 14:07:17,645] [https-jsse-nio-7491-exec-894] Searching the root :OU=Students,DC=xxx,DC=mydomain,DC=ac,DC=uk
    [DEBUG] [07 Jun 2024 14:07:17,645] [https-jsse-nio-7491-exec-894] Searching the root :OU=Technical Support,DC=xxx,DC=mydomain,DC=ac,DC=uk
    [DEBUG] [07 Jun 2024 14:07:17,646] [https-jsse-nio-7491-exec-894] Searching the root :OU=Test,DC=xxx,DC=mydomain,DC=ac,DC=uk
    [DEBUG] [07 Jun 2024 14:07:17,646] [https-jsse-nio-7491-exec-894] Searching the root :OU=Win10Users,DC=xxx,DC=mydomain,DC=ac,DC=uk
    [DEBUG] [07 Jun 2024 14:07:17,646] [https-jsse-nio-7491-exec-894] Searching the root :OU=LectureTheatreW10,OU=Service Accounts,DC=xxx,DC=mydomain,DC=ac,DC=uk
    [DEBUG] [07 Jun 2024 14:07:17,647] [https-jsse-nio-7491-exec-894] Searching the root :OU=ExternalRDP,DC=xxx,DC=mydomain,DC=ac,DC=uk
    [DEBUG] [07 Jun 2024 14:07:17,647] [https-jsse-nio-7491-exec-894] Searching the root :OU=ABW,OU=Service Accounts,DC=xxx,DC=mydomain,DC=ac,DC=uk
    [DEBUG] [07 Jun 2024 14:07:17,647] [https-jsse-nio-7491-exec-894] Searching the root :OU=VMware,OU=Service Accounts,DC=xxx,DC=mydomain,DC=ac,DC=uk
    [DEBUG] [07 Jun 2024 14:07:17,647] [https-jsse-nio-7491-exec-894] Searching the root :OU=DA-S,DC=xxx,DC=mydomain,DC=ac,DC=uk
    [WARN ] [07 Jun 2024 14:07:17,647] [https-jsse-nio-7491-exec-894] invoke()- Failed to resolve identity for entity G.H.Wilson
    [DEBUG] [07 Jun 2024 14:07:17,647] [https-jsse-nio-7491-exec-894] invoke()- It seems User has entered wrong user name / Password
    [DEBUG] [07 Jun 2024 14:07:17,647] [https-jsse-nio-7491-exec-894] invoke()- Send Invalid Credential Code
    [WARN ] [07 Jun 2024 14:07:17,648] [https-jsse-nio-7491-exec-894] Authenticated IdentID :Invalid Credentials
    [INFO ] [07 Jun 2024 14:07:17,648] [https-jsse-nio-7491-exec-894] invoke()- identId NOT resolved because of Invalid Credentials, Invalid Credentials

    and the corresponding client logs show basically the same thing:

    [KerberosAuthMechanismHandler] [] [GetAuthMechToken Entered] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.085] [3344] [ZenworksWindowsService] [95] [] [KerberosAuthMechanismHandler] [] [Mech Info SVC_PRINCIPAL=zenkerb/zenkerb.xxx.mydomain.ac.uk] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.085] [3344] [ZenworksWindowsService] [95] [] [KerberosAuthMechanismHandler] [] [Mech Info REALM_CREDENTIALS_ONLY=true] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.085] [3344] [ZenworksWindowsService] [95] [] [KerberosAuthMechanismHandler] [] [Authsource service principal : zenkerb/zenkerb.xxx.mydomain.ac.uk] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.085] [3344] [ZenworksWindowsService] [95] [] [KerberosAuthMechanismHandler] [] [LUID Created HighPart : 0 Low Part :21403528] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.085] [3344] [ZenworksWindowsService] [95] [] [KerberosAuthMechanismHandler] [] [Attempting to query user token] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.085] [3344] [ZenworksWindowsService] [95] [] [KerberosAuthMechanismHandler] [] [Attempting to impersonate] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.088] [3344] [ZenworksWindowsService] [95] [] [KerberosAuthMechanismHandler] [] [Acquired the Credential Handle for the LUID :21403528] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.103] [3344] [ZenworksWindowsService] [95] [] [KerberosAuthMechanismHandler] [] [Got the Client Token for the Service : zenkerb/zenkerb.xxx.mydomain.ac.uk] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.103] [3344] [ZenworksWindowsService] [95] [] [ZenCasa] [] [ConstructURL entered] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.103] [3344] [ZenworksWindowsService] [95] [] [ZenCasa] [] [ConstructURL returned https://123.123.123.123:443/CasaAuthTokenSvc/Rpc?method=Authenticate ] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.103] [3344] [ZenworksWindowsService] [95] [] [ZenCache] [] [(Thread 95) GetObject(PROXY_DEFAULT, UserContext{_LocalId=none; _RemoteId=(Public)}) called] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.103] [3344] [ZenworksWindowsService] [95] [] [ZenCache] [] [proxy_default(public) doesn't exist in memory key cache] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.103] [3344] [ZenworksWindowsService] [95] [] [ZenCache] [] [(Thread 95) GetObject returning <not cached> in 0 ms] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.115] [3344] [ZenworksWindowsService] [95] [] [UserPwdAuthMechanismHandler] [] [GetAuthMechToken Entered] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.118] [3344] [ZenworksWindowsService] [95] [] [ZenCasa] [] [ConstructURL entered] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.118] [3344] [ZenworksWindowsService] [95] [] [ZenCasa] [] [ConstructURL returned https://123.123.123.123:443/CasaAuthTokenSvc/Rpc?method=Authenticate ] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.118] [3344] [ZenworksWindowsService] [95] [] [ZenCache] [] [(Thread 95) GetObject(PROXY_DEFAULT, UserContext{_LocalId=none; _RemoteId=(Public)}) called] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.118] [3344] [ZenworksWindowsService] [95] [] [ZenCache] [] [proxy_default(public) doesn't exist in memory key cache] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.118] [3344] [ZenworksWindowsService] [95] [] [ZenCache] [] [(Thread 95) GetObject returning <not cached> in 0 ms] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.235] [3344] [ZenworksWindowsService] [95] [] [ZenCasa] [] [ObtainSessionTokenFromServer returned with code 3355377702 ] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.235] [3344] [ZenworksWindowsService] [95] [] [ZenCasa] [] [ObtainAuthTokenFromServer returned with code 3355377702 ] [] [] [] [ZENworks Agent]
    [DEBUG] [06/07/2024 14:07:17.235] [3344] [ZenworksWindowsService] [95] [] [ZenCasa] [] [ObtainAuthToken returned with code 3355377702 ] [] [] [] [ZENworks Agent]

    This seems to have the error code 3355377702, which seems to indicate an LDAP error when finding the user.

    Any ideas?
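As an added triage example (not from this post, nor part of ZENworks or CASA), the Python below runs over a constructed ats.log sample in the same format as the excerpt quoted above: it pulls the LDAP error 49 sub-code out of the AcceptSecurityContext message, decodes it with the well-known Active Directory bind sub-code table, records which realm connector the bind belonged to, and flags the "Failed to resolve identity" line. The user name and realm id in the sample are placeholders, and client_code_hex only renders the agent's decimal return code as hex for documentation lookup; it does not claim what the code means.

```python
import re

# Constructed sample modelled on the ats.log excerpt above (placeholder user/realm).
SAMPLE_ATS_LOG = """\
[DEBUG] [07 Jun 2024 14:07:17,611] [https-jsse-nio-7491-exec-894] Searching the root :OU=Staff,DC=xxx,DC=mydomain,DC=ac,DC=uk
[WARN ] [07 Jun 2024 14:07:17,645] [https-jsse-nio-7491-exec-894] invoke()- NamingException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563]Exception occured while adding connector specified at [XPath: /bci:realms/bci:realm[@id='example.realm']]
[WARN ] [07 Jun 2024 14:07:17,647] [https-jsse-nio-7491-exec-894] invoke()- Failed to resolve identity for entity j.doe
[INFO ] [07 Jun 2024 14:07:17,648] [https-jsse-nio-7491-exec-894] invoke()- identId NOT resolved because of Invalid Credentials, Invalid Credentials
"""

# Well-known Active Directory sub-codes carried in the "data NNN" field of an
# LDAP error 49 (invalidCredentials) bind response.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (AD rejected the password for the DN that tried to bind)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_ERR = re.compile(r"LDAP: error code (\d+) - [0-9A-Fa-f]+:.*?data ([0-9a-f]+),")
REALM_ID = re.compile(r"bci:realm\[@id='([^']+)'\]")
UNRESOLVED = re.compile(r"Failed to resolve identity for entity (\S+)")

def triage_ats_log(text):
    """Return a list of findings (dicts) for bind failures and unresolved users."""
    findings = []
    for line in text.splitlines():
        m = BIND_ERR.search(line)
        if m:
            code, sub = m.group(1), m.group(2).lower()
            realm = REALM_ID.search(line)  # which realm connector the failing bind belonged to
            findings.append({"kind": "ldap_bind_error", "ldap_code": int(code),
                             "ad_subcode": sub, "meaning": AD_BIND_SUBCODES.get(sub, "unknown sub-code"),
                             "realm": realm.group(1) if realm else None})
            continue
        m = UNRESOLVED.search(line)
        if m:
            findings.append({"kind": "identity_unresolved", "user": m.group(1)})
    return findings

def client_code_hex(code):
    """Render the agent's decimal return code as 8-digit hex for doc lookup."""
    return f"0x{code:08X}"
```

With the sample above the bind error decodes to 52e for realm example.realm, which points at whichever bind the server made for that realm connector rather than at the Kerberos token from the client, so the realm credentials and user-source mapping are the first things to check.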

  • 0   in reply to 

    I'm wondering if Azure is throwing you for a loop??

    Are you logging into Windows as the Azure user or the on-premise AD user?

    If you are logging in as the Azure user, then your Kerberos ticket may not work, since that is likely set for on-premise.

    Simply having your UID and PWDs synched between Azure and on-prem would not matter, since you are using KRB tickets and not credentials.  

    Perhaps you would need ZCM to be set up to handle Azure authentication.....but I've never done SSO with Azure before.
