Acceptto MFA for VMware Horizon®

Introduction

Multi-factor authentication (MFA) is an extra layer of security used when logging in to websites or apps: individuals are authenticated through more than one required security and validation procedure, each relying on something that only they know or have access to. Acceptto MFA for VMware Horizon enables strong authentication and secure access to your virtual desktops and digital workspace via its RADIUS agent.

Initial Steps
  1. Sign up for an Acceptto account here, download the It’sMe™ mobile app and sign in with your account.
  2. From an Organizational Admin account, log in to the Acceptto Admin Panel and navigate to Applications.
  3. Click the New Application button to create an application for protecting the AD FS and get your UID and Secret codes (see Setting Up for help).

Treat your UID and Secret codes like any sensitive credential. Don't share them with unauthorized individuals or email them to anyone under any circumstances!

Deploy and Configure RADIUS agent
  1. Import the Acceptto RADIUS OVA template into your virtual infrastructure and turn it on (please contact support@acceptto.com for the download link).
  2. Log in to the machine with username "acceptto" and password "acceptto".
  3. Edit the IP address of the network adapter based on your needs.

    vim /etc/sysconfig/network-scripts/ifcfg-eth0

  4. Edit the LDAP module based on the following information.

    vim /etc/raddb/modules/ldap

    server: IP address or hostname of your Active Directory.
    identity: The username of a domain member account, in DN (distinguished name) format, that has permission to bind to your Active Directory and perform searches. We recommend creating a service account that has read-only access.
    password: The password corresponding to the above account.
    basedn: The base DN path of the Active Directory LDAP tree for searching users.

    To find out your user and group base DN, you can run a query from any member server on your Windows domain: dsquery user -name <known username>, dsquery group -name <known group name>.

  5. Edit the users file and set the group that should be able to log in.

    vim /etc/raddb/users

    DEFAULT Ldap-Group: To further restrict access, specify the name of a security group that contains the users who should be able to log in. Other users will not pass primary authentication.

  6. Specify the IP or hostname of your VMware Horizon server and set the shared secret.

    vim /etc/raddb/clients.conf

  7. Edit the acceptto.pl file and insert the UID and Secret codes that you obtained in Initial Steps when you created the application.

    vim /etc/raddb/acceptto.pl

  8. After making all of these changes, reload the RADIUS service.

    /etc/init.d/radiusd reload

Configure Horizon Connection Server
  1. Sign in to the Horizon Administrator Console.
  2. Go to “View Configuration”, “Servers” and “Connection Servers”.
  3. Highlight the connection server that you want to protect and click Edit.
  4. In the dialog window, select the Authentication tab. Scroll down to the “Advanced Authentication” section and select RADIUS in the “2-factor authentication” drop-down list.
  5. Enable both “Enforce 2-factor and Windows username matching” and “Use the same username and password for RADIUS and Windows authentication”.
  6. Choose “Create New Authenticator” in the Authenticator drop-down list and fill out the form based on the following table. Then, click Next and OK.

    Label: An optional name for this authenticator.
    Description: An optional description of this authenticator.
    Hostname/Address: IP or name of the Acceptto RADIUS Agent configured in the previous section.
    Authentication Port: The RADIUS port (default is 1812).
    Accounting Port: 0
    Authentication Type: PAP
    Shared Secret: The RADIUS secret you configured in the previous section.
    Server Timeout: 60

Test Your Setup
  1. Launch VMware Horizon Client and initiate connection to Server. Enter your primary credentials.
  2. Your It’sMe app shows a notification, and after verification you will get access to your virtual desktop environment.

Support

If you require assistance, please email us at support@acceptto.com

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product and service names used in this document are for identification purposes only. Use of these names, trademarks, and brands does not constitute endorsement by the Acceptto Corporation.

VMware and Horizon are registered trademarks or trademarks of ServiceNow, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.