Preparing for Single Sign-On

Configuring Single Sign-On enables a user to connect into their desktop having only authenticated once, and that authentication is used to provide them both their list of desktops and to log into the remote workstation.

Enrollment Options¶

In order to support Single Sign-On, the Connector must be able to obtain or generate a certificate to provide to the PCoIP Agent to log the user in. Two methods are available to enable this:

• By Active Directory Certification Authority Web Enrollment
• By private key and certificate of the Certification Authority

By Active Directory Certification Authority Web Enrollment¶

Create Certificate Authority Template¶

1. Log on to the Certificate Authority resource.
2. Open Certificate Authority MMC (certsrv.msc).

3. Right click the Certificate Templates and select Manage.

   

4. Certificates Templates Console window is now open. Right click Smartcard User and select Duplicate Template.

   

5. Navigate to the General tab and rename the template to a desired name and take note of the name as it is required during Connector installation. Change the Validity Period and Renewal Period to minimum such as 1 hours and 0 hours respectively.

   

6. Navigate to Request Handling tab and change the purpose to Signature and smartcard logon. The Certificate Templates information box appears. Click Yes to close it.

   

7. Navigate to Security tap and select Read and Enroll as Allow for Authenticated Users.

   

8. Navitage to Subject Name tab and select Supply in the request. A warning text box appears and click OK to close the warning text box.

   

9. Click Apply and then OK to finish creating the template.

10. Right click the Certificate Templates, select New and click Certificate Template to Issue.

    

11. Select the template created above and click OK to add the template to CA.

Create a user who will have the permission to request Certificate¶

1. Logon to Domain Controller, open Active Directory Users and Computers.
2. Go to $Domain and select Users.

3. Right click Users select New and click Use.

   

4. Enter the required information such as First name, Last name, User Logon name ...etc and click on Next.

5. Enter the Password for the user and click Next.
6. Note the username and password as it is required during Connector installation.
7. Click on Finish to create the user.

Grant user the permission to request Certificate¶

1. Log on to the Certificate Authority machine
2. Open Certificate Authority MMC (certsrv.msc)

3. Right click the CA and select Properties.

   

4. Navigate to Security tab and click Add... and add the user created above.

5. Ensure the user added is allowed to Request Certificates.

   

Set up Active Directory Certification Authority Web Enrollment¶

1. On a Windows Server machine where the Certification Authority is installed, select Add roles and features on the Server Manager window.

   

2. Click Next on the Before you begin window.

3. Select Role-based or feature-based installation on the Installation Type page.

   

4. Select a server from the server pool and press Next.

5. On the Server Roles page, expend Active Directory Certificate Services section, and select Certificate Authority Web Enrollment. Click Next.

   

6. On the Features page, Click Next.

7. On the Confirmation page, select Restart the destination server automatically if required and press Install.

8. After installation, go to the notification tab and click Configure Active Directory Certificate Services.

   

9. On the Credentials page, input the Credentials and click Next.

10. On the Role Services page, select Certification Authority Web Enrollment and Click Next.

    

11. On the Confirmation page, click Configure to finish configuration.

Single Sign-On is now configured.

By private key and certificate of the Certification Authority¶

Working with your Certification Authority (CA) you will need to obtain:

• Certificate of Intermediate CA
• Private Key of Intermediate CA
• Certificate Revocation List (CRL) file of the Intermediate CA

Export private key and certificate of the Intermediate Windows CA (Microsoft Windows Server 2019 Datacenter)¶

1. Log on to the Certificate Authority resource.
2. Open Certificate Authority MMC (certsrv.msc).

3. Right-click the CA in the tree, select All Tasks and click Back up CA....

   

4. In the Certification Authority Backup Wizard window, click Next.

5. In the Items to Back Up section, select Private key and CA certificate and click on Browse... to choose a location to save the file. Click on Next to go to next step.

   

6. Click Finish to finish exporting the private key and certificate of the CA. Note: The private key and certificate are in a single p12 file.

Extract the private key and certificate from p12 file:¶

On a resource such as Linux VM that has openssl available:

1. Export and copy the p12 file to a virtual machine that has the Connector/Connection Manager installed. You can transfer the file using a USB flash drive or SCP.

2. Run the following commands:

   • Extract private key with openssl. Run the following command and enter password when prompted:

     openssl pkcs12 -in <your .p12 file name>.p12 -nocerts -nodes -out <your private key file name>.key
     

   • Extract certificate with openssl. Run the following command and enter password when prompted:

     openssl pkcs12 -in <your .p12 file name>.p12 -clcerts -nokeys -out <your certificate file name>.crt
     

Locate Certificate Revocation List (CRL) file of the Intermediate Windows CA (Microsoft Windows Server 2019 Datacenter)¶

Perform the following steps:

1. Log on to the Certificate Authority resource, run certsrv.msc from command line to launch Certification Authority.

2. Right click the CA name and select Properties.

   

3. Select the Extensions tab, and take note of the .crl path. In this example, it is C:\Windows\System32\CertSrv\CertEnroll\<CA name>.crl.

   

After you have obtained the files, they should be uploaded via SFTP (using a tool such as SCP) to your Connector and ensure that they are available for future configurations.