If you are already consuming Microsoft Office 365, you will undoubtedly be utilising Azure Active Directory to some degree. Azure AD comes with an array of tools, and not all of them are confined to the public cloud; some can also strengthen your on-premises applications. One such tool is the Azure Multi-Factor Authentication Server, an on-premises 2-factor authentication service which can integrate with on-prem VMware Horizon environments.
The Azure MFA Server lets us add a second factor to any application capable of integrating with a 2FA provider, and VMware Horizon has supported such integration for some time. This additional layer is a much-sought-after function, because it puts a second factor in front of desktop pools that are reachable from the internet: a phished or reused domain password on its own is no longer enough to land on an internal desktop.
Having used a number of 2FA provider services over the years, it can be tricky to pick the right one, more so as the wrong choice will likely lock you in to that product for X years. All come at an additional cost, and some have limited management functionality. The Azure Multi-Factor Authentication Server is simple to deploy and configure, and if you already hold Azure Active Directory Premium, Enterprise Mobility Suite or Enterprise Cloud Suite licensing, you are already paying for the functionality. So why not use it?
Note: This article assumes that a) you already utilise Azure AD (and are licensed accordingly), b) you have deployed and configured the Microsoft Azure Multi-Factor Authentication Server to authenticate against a Windows domain, and c) your users have registered with the MFA Server. Likewise, it assumes your domain users have registered their mobile devices and have the Microsoft Authenticator app installed. This article will not cover the installation or configuration of the Microsoft Azure Multi-Factor Authentication Server; full details for these areas are in Microsoft’s Getting started with the Azure Multi-Factor Authentication Server.
As mentioned above, configuring the Azure MFA Server and VMware Horizon is quick, and can be covered in four stages, broken down into the numbered steps below.
- Enable RADIUS authentication on the Microsoft Multi-Factor Authentication Server
- Add VMware Horizon Connection Servers as RADIUS Clients
- Configure VMware Horizon Connection Servers to utilise the Microsoft MFA Server for 2-Factor Authentication
- Test remote access.
1. Launch the Multi-Factor Authentication Server application. Browse to RADIUS Authentication > Clients, and check the Enable RADIUS Authentication tick box. Make a note of the authentication port the server listens on (RADIUS defaults to UDP 1812), as Horizon will need it later. Next, click Add….
2. Add all VMware Horizon Connection Servers and configure accordingly. Each Connection Server should be added as its own RADIUS client, keyed to the IP address it will send requests from, so that only those hosts are able to submit authentication requests. Use a long, random Shared secret rather than a memorable word; RADIUS relies on this secret alone to hide the user’s password and to authenticate the server’s replies. Ensure you make note of the Shared secret. You will need this in a later step.
3. Confirm successful addition of all VMware Horizon Connection Servers.
4. Log in to the VMware Horizon Administrator console and browse to View Configuration > Servers > Connection Servers. Select one of your Horizon View Connection Servers and click Edit.
5. Browse to the Authentication tab and set 2-Factor Authentication to RADIUS.
6. Ensure both Enforce 2-factor and Windows user name matching and Use the same user name and password for RADIUS and Windows authentication are checked. The first forces the user name presented to the MFA Server to be the same Windows user name used for the desktop session, so a user cannot satisfy RADIUS as one identity and log on to Windows as another. The second sends the credentials the user typed once to the MFA Server, which validates the password against the domain and then triggers the second factor, so the user is not prompted for Windows credentials a second time.
7. From the Authenticator field, select Create New Authenticator.
8. Configure the new RADIUS Authenticator with the Azure MFA Server FQDN (consider whether this solution is load-balanced or standalone, etc.) and add the Shared Secret which we created in Step 2. When ready, click Next.
9. On the Secondary Authentication Server page, accept the defaults, and click Finish.
10. Finally, let’s test. Browse to the public-facing FQDN for your VMware Horizon environment and click VMware Horizon HTML Access.
11. Enter your domain credentials and click Login.
12. On your registered mobile device, note the push notification from the Microsoft Authenticator app, and tap Approve.
13. Once approved, you will be passed through to the VMware Horizon launch dashboard. It is worth testing the negative cases as well: repeat the login and tap Deny, confirming that Horizon refuses the session, and attempt a login with a wrong password, confirming that it is rejected rather than silently falling back to single-factor access.
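The Shared secret configured in Steps 2 and 8 is the only thing binding the two ends of this RADIUS exchange, so it is worth seeing exactly what it protects. The following Python is an added example, not code from the original article, Microsoft or VMware. It builds an Access-Request the way a Connection Server would (PAP, assumed here to be the authenticator’s authentication type, with the RFC 2865 User-Password hiding), answers it with a constructed stand-in for the MFA Server’s RADIUS front end, and verifies the Response Authenticator on the way back. The user name, password, NAS identifier and secrets are constructed test values; the stand-in server checks a small in-memory dictionary rather than Active Directory and does not model the Authenticator push. `exchange()` returns the response code and whether the client could verify the reply: with matching secrets a correct password gives (2, True) and a wrong password (3, True), while mismatched secrets give (3, False), which is what a mistyped secret in Step 8 looks like on the wire: the server cannot recover the password, so it rejects, and the client cannot verify the server’s reply either.

```python
"""RADIUS Access-Request/Accept round trip (RFC 2865), run offline. Added example, not
code from the article, Microsoft or VMware; users, passwords and secrets are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
FAKE_DIRECTORY = {"jsmith": b"Correct-Horse-7"}  # constructed stand-in for the Windows domain

def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: null-pad to 16-byte blocks and XOR each with MD5(secret | previous
    block); the first block is keyed by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return bytes(out)

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password: what the RADIUS server does before checking the directory."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def encode_attrs(attrs):
    """Type-Length-Value encoding; Length counts the two header bytes, so values are <= 253."""
    buf = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        buf += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(buf)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])  # struct.error on a truncated header
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def parse_packet(pkt):
    """(code, identifier, authenticator, attributes); rejects a Length field that lies."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])  # struct.error if under 4 bytes
    if length != len(pkt) or length < 20:
        raise ValueError("Length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def build_access_request(ident, user, password, secret, nas_id, req_auth=None):
    """Client side (the Connection Server's role): fresh random Request Authenticator each time."""
    req_auth = req_auth or os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, user.encode()),
                          (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
                          (ATTR_NAS_IDENTIFIER, nas_id.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, ident, req_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(resp, ident, req_auth, secret):
    """Client side: accept a reply only if the identifier matches and the authenticator recomputes."""
    try:
        _code, rid, _auth, _attrs = parse_packet(resp)
    except (ValueError, struct.error):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return rid == ident and hmac.compare_digest(expected, resp[4:20])

def server_respond(request, secret):
    """Constructed stand-in for the MFA Server's RADIUS front end: reveal the PAP password,
    check it against the directory, answer Accept or Reject (no Authenticator push modelled)."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user = a.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(a[ATTR_USER_PASSWORD], secret, req_auth)
    ok = hmac.compare_digest(password, FAKE_DIRECTORY.get(user, b"\x00"))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)

def exchange(user, password, client_secret, server_secret, nas_id="horizon-cs01.example.local"):
    """One round trip; returns (response code, True if the client could verify the reply)."""
    ident, req_auth = 7, os.urandom(16)
    request = build_access_request(ident, user, password, client_secret, nas_id, req_auth)
    response = server_respond(request, server_secret)
    return response[0], verify_response(response, ident, req_auth, client_secret)
```

Two design points are worth noting. The Request Authenticator is fresh random bytes per request, which is why the same password hides to different bytes every time, and the reply check uses hmac.compare_digest so the comparison is constant-time and also fails on a reply whose identifier does not match the outstanding request. RADIUS itself offers only this MD5-based hiding and no transport encryption, which is the reason to keep the Connection Server to MFA Server path on a trusted network segment and to pick a long, random shared secret in Step 2.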
This concludes the process of integrating VMware Horizon with the Azure Multi-Factor Authentication Server.