
Enabling and Troubleshooting VMware Horizon True SSO

 10 months ago
source link: https://darrylmiles.blog/2023/08/12/enabling-and-troubleshooting-vmware-horizon-true-sso/


True SSO was introduced by VMware Horizon back in 2016. It allows users to authenticate with Workspace ONE Access using non-AD credentials (such as authenticating with Azure AD) and then single sign-on to the desktop or remoted application without providing any further credentials. True SSO delivers a fast, secure, streamlined experience for the end user.


The following diagram by my colleague Shrestha Upendra (Sr. Staff EUC Architect, VMware) outlines how True SSO removes the requirement for an AD password:


True SSO Resources

There are numerous articles on True SSO that I have listed here for your reference:

  • Introducing True SSO (Single Sign-On) in VMware Horizon 7 – link
  • VMware True SSO overview video by Upendra Shrestha – link
  • Determining an Architecture for True SSO – link
  • Horizon View True SSO – link
  • Horizon in the Field: Unraveling the Truth about TrueSSO (video) – link
  • VMware Horizon 7 True SSO: Setting Up In a Lab – link

Installing True SSO

You will need to create a new Windows Server to install the Horizon enrollment server. As I’ve outlined in previous articles, to set up True SSO, follow Carl Stalhood’s excellent step-by-step instructions in VMware Horizon True SSO with UAG SAML.

Once True SSO is set up, check that it all shows as healthy in the Horizon console.


True SSO Diagnostics Utility Fling

I’d recommend downloading the True SSO Diagnostic Utility Fling to check that everything is set up OK. You can run it from your enrollment server.

Start by using the following:

es_diag /?


Next, check that True SSO is running correctly by issuing this command:

es_diag /ListEnvironment


I’d recommend you perform an enrollment test using this command (change to the settings for your environment):

es_diag.exe /enrollmenttest /domain:lab.int /requester:lab\testuser1 /template:HorizonTrueSSO /caserver:lab-dc1-ca


Note that a certificate is issued from your CA if things are working correctly.

Enabling TrueSSO in Access and Horizon

With all of the above working correctly, you should be able to log in to your Windows desktops or applications without being prompted for a password. However, it’s important to check a couple of other settings within Access and Horizon as well.

Horizon Pod True SSO setting in Workspace ONE Access

If you attempt to launch a Windows desktop or application within Access and you’re immediately prompted for a password, check that True SSO is enabled.


Within Workspace ONE Access, go to Resources – Virtual Apps Collections – Click the Horizon pod and click Edit – click on Pod and Federation – Click the Horizon Connection Server – ensure True SSO is enabled as shown:


True SSO Trigger Mode

If your Windows desktop successfully launches but then you’re prompted for a password (within the operating system screen) as shown, let’s check True SSO Trigger mode is set to Enabled.


Within your Horizon Admin console, select Servers – Connection Servers – select your Connection Server(s) and select Edit – Authentication – Manage SAML Authenticators – select your SAML Authenticator for your Access server – scroll down and ensure TrueSSO Trigger Mode is set to Enabled as shown.


In case you cannot set the TrueSSO Trigger Mode within the Horizon admin UI, please see this KB.

With this setting changed, you should be able to successfully log in to a Windows desktop or application from Access without needing to enter your user ID and password!

I hope this blog article has given you a few additional pointers to get True SSO working. Please comment below if some of these suggestions worked for you. I’d also recommend reviewing the posts on the VMware Horizon community forum.

