How to Set Up 2-Factor Authentication in VMware Horizon View with TOTPRadius
VMware Horizon View enables you to access a virtual desktop from anywhere, anytime. Horizon offers you the possibility to move from one place to another: to work from your office or from a cybercafé, or from any other place, when you have a network connection that lets you connect to the Horizon View infrastructure.
This document describes how to secure your external connections and authorize only specific users or groups of users connecting to Horizon View from outside, using 2-Factor authentication with hardware tokens or mobile apps by integrating our TOTPRadius solution.
Prerequisites
Prerequisites are the following:
• vSphere Infrastructure correctly configured for Horizon View
• Horizon View correctly configured (Connection Server, Security Server and Composer)
• At least one TOTPRadius appliance deployed and configured
• Administrative access to both TOTPRadius and Horizon View
View Connection Server setup
Connect to your Horizon View Connection Server as Administrator
Select the Horizon View Connection Server you want to use:
On Authentication tab, select RADIUS as “Advanced Authentication”:
1. Check : “Enforce 2-Factor and Windows username matching”
2. Select: “Create New Authenticator”
3. Specify the Label : example : TOTPRadius
4. Specify the Hostname/Address : FQDN or IP address of your radius server
5. Specify the Shared Secret : the secret you specified in TOTPRadius settings
The shared secret should match the settings of your TOTPRadius appliance:
Note: For production usage, you can install and configure a secondary TOTPRadius server, in slave mode.
Adding users to RADIUS
At this point, Horizon View is configured 2-Factors authentication using your TOTPRadius server, now you have to add users to TOTPRadius. There are 2 methods: LDAP self-enrollment and creating users using Admin panel.
LDAP self-enrollment
Guide your users to navigate to https://FQDN_of_TOTPRadius//ldap-enroll and follow the instructions. The process will look like shown in the video below:
Creating users via Admin panel
Login to TOTPRadius admin interface, and click on New User button. This will generate a QR code that should be used to provision the TOTP profile on a mobile authenticator app (Google Authenticator, Microsoft Authenticator, Token2 TOTP+ or any other RFC6238-compliant application). If a hardware token is to be used for this user, click on Edit profile or assign hardware token button and paste the secret key of the hardware token in Token key field in base32 format.
If a programmable hardware token is used, you can burn the secret onto the hardware token by scanning the QR code using one of the NFC Burner apps.
Logging in to Horizon View with 2FA enabled
Now you can test and make a connection on your View Connection Server by providing your login name and password in the form of "AD_PASSWORD""Generated Code" (no spaces nor quotes. I.e. if your password is [email protected] and the OTP code is 123456, you should enter [email protected]):
If everything works fine, the second login screen appears and you have to type your AD password only again (this is a hard-coded design by Horizon View whatever 2-Factor authentication method you want to use, and is not caused by TOTPRadius)
About
Installation and configuration
- Installation and initial configuration
- Network configuration
- Migrating from older versions
- LDAP Configuration
- Azure AD Configuration
- Self-service enrollment portal
- Web and LDAPS Certificates
- Syslog configuration
- Single-factor authentication exceptions
- Slave appliance mode
- Dynamic RADIUS Attributes
Integration guides
Blog
08-06-2023
Azure AD Now Supports FIDO2 Security Keys on Safari on iOS
In a significant development for iOS users, Microsoft Azure Active Directory (AD) has expanded its support for FIDO2 security keys on the Safari browser. This advancement is a crucial step towards enhancing security and usability on Apple's mobile devices, ensuring seamless authentication experiences for Azure AD users. With FIDO2 security keys, users can now enjoy passwordless access to their Azure AD accounts, boosting convenience and significantly reducing the risk of password-related attacks. Let's dive deeper into this exciting development and explore the benefits it brings to iOS users.
15-05-2023
Azure AD Authentication methods policy migration
In an effort to enhance security and streamline administration, Microsoft introduced the Authentication methods policy for Azure AD. This policy allows administrators to manage the MFA and SSPR settings from a single location, simplifying the overall user experience. However, it's important to note that the migration process has a limitation when it comes to hardware OATH tokens.
05-05-2023
Molto2 Receives "Certified Product" Badge from Independent Third-Party Assessment by SySS GmbH
At our company, we believe in delivering safe and secure products to our customers. That's why we engaged SySS GmbH, an independent third-party security company, to conduct a thorough security assessment of our product, Molto2. We are proud to announce that Molto2 has passed this assessment with flying colors and has received a "Certified Product" badge from SySS GmbH.