Configure VMware Horizon View to Interoperate with Okta via RADIUS

This guide details how to configure your Connection Servers to perform two-factor authentication against an Okta RADIUS Server Agent.

What’s covered in this guide

There are four parts to the configuration, including testing. A list of additional resources is also provided.

  1. Part 1 – Preconfiguration
  2. Part 2 – Configure the Okta RADIUS Agent
  3. Part 3 – Configure the View Connection Server to use the VMware Horizon View (RADIUS) OIN App.
  4. Part 4 – Test your Configuration

Configuring VMware Horizon View to use the Okta RADIUS Agent requires installation and pre-configuration of the RADIUS agent.

  1. Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
  2. Install the agent as described in Installing and Configuring the Okta RADIUS Server Agent.
Info

Note

For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud tcp/443
http		 Configuration and authentication traffic
View Connection Servers Okta RADIUS Agent udp/1812 RADIUS (actual port number defined in next step) RADIUS traffic between the firewall (client) and the RADIUS Agent (server)

 

In this section we add the VMware Horizon View (RADIUS) app from the OIN and apply settings specific to your deployment.

And configure:

  • Authentication
  • UDP Port
  • Secret Key
  • Application Username Format

Info

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

Optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending Groups information to the firewall.

  1. Sign in to your Okta Tenant as administrator.
  2. Navigate to Applications > Applications> Add Application, search for VMware Horizon View (RADIUS), and then click Add Application:

  3. Enter a unique name.

  4. Provide the following Sign On values:

    • Authentication: Retaining this default button allows Okta to perform primary authentication.
    • UDP Port: Enter the required RADIUS app port.
    • Secret Key: Enter the required secret key.
      Note: This key must be identical to what is configured on the VMware Horizon View (RADIUS) app.
    • Application username format:Determines how the RADIUS client sends in the username. Select an option from the drop-down menu.
    • After completing the setup, assign the app to the users/groups that require access.
Tip

Tip

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

In this section we specify the Okta RADIUS Server Agent as a RADIUS Authenticator in your VMware Horizon View Connection Server.

Step 1 – Define a RADIUS Authenticator

  1. Sign in to the VMware Horizon Administrator console with sufficient privileges.
  2. Navigate to View Configuration > Servers > Connection Servers, and highlight the connection server to work with.
  3. Click Edit in the top submenu.
  4. In the dialog that opens, select the Authentication tab.
  5. Scroll down to the Advanced Authentication section.
  6. Set the 2-factor authentication value to RADIUS.
  7. Click the Manage Authenticators button.
  8. In the dialog that opens, click Add. The screen below displays.

  9. Enter values, as shown:

    • Label: Enter a unique label.
    • Description: Enter an option description.
    • Hostname/Address: IP or Name of Okta RADIUS Server Agent
    • Authentication port: Port configured in step x (1812)
    • Accounting port: 0
    • Authentication type: PAP
    • Server timeout: 60
    • Max attempts: 1
    • Realm prefix: Optional see username assignment value
    • Realm suffix: Optional see username assignment value
  10. Click Next.
  11. Optionally, you can configure a Secondary Authentication Server, using the same settings in step 9 above with a different label and description.
  12. Click Finish to save all settings.

Step 2 – Configure Advanced Authentication Settings

Advanced authentication settings are used to control the behavior that the View Connection Server uses and enforces. Once enabled, the View Connection server performs authentication against the two-factor authentication first. User experiences can differ.

If you force two-factor and Windows user name matching, the VMware Horizon View (RADIUS) application username value (set in Part 2, above) must match your Active Directory username, including any Realm prefix and Realm suffix values.

  • Enforce two-factor and Windows user name matching

    This feature is usually enabled. One situation in which you may choose to disable this feature is to allow these usernames to differ so users can perform their initial authentications using their own Okta credentials and then sign in to Windows/AD using a shared or common account.

    The screen shot below uses this configuration.

    Info

    Note

    In this flow the VMware Horizon View (RADIUS) application MUST have its RADIUS Authentication Behavior configured so that Okta performs primary authentication is unchecked.

    Tests 2 and 4 in the testing section.

  • Use the same user name and password for RADIUS and Windows authentication

    If you enable this setting, the Okta password and Windows/AD Password for the user must match, and the VMware Horizon View (RADIUS) application must be configured to perform primary authentication. You can use this setting when Okta is performing delegated authentication for users.

    If you disable this setting, the Okta username can be different than the Windows/AD username and the VMware Horizon View (RADIUS) application can be configured to NOT perform primary authentication making the Okta password irrelevant.

    The screen shown below uses this configuration. I

    Info

    Note

    In this flow the VMware Horizon View (RADIUS) application MUST have its RADIUS Authentication Behavior configured so that Okta performs primary authentication is checked.

    Tests 1 and 3, in the testing section.

Important Note

Important

The values you select for these two options change the sign in experience and dictate what settings you can configure in Okta.

There are four configuration tests to verify the VMware Horizon Client app and the VMware Horizon HTML access.
Each configuration is tested with both Okta Primary and MFA and Okta MFA only.

  1. Launch VMware Horizon Client and initiate connection to Server.

  2. Enter the Username and Okta/AD Password.

  3. Select an Okta factor from the list.

  4. Enter the response that corresponds to the selected factor.

    • For Push verification, accept the incoming push notification on the enrolled device.
    • For SMS, receive and enter the six-digit one-time password (OTP).
    • For a question, provide the answer to the enrolled security question.
    • For Okta or other OTP factors, enter the current six-digit code from Okta Verify, Google Authenticator, or from any other enrolled OTP factor; for example, a Yubikey in OAuth OTP mode.
  5. Upon successful completion, access is granted.

 

  1. Launch VMware Horizon Client and initiate connection to Server.

  2. Enter the Username and Okta OTP value or keyword such as Push or SMS.

  3. Enter the AD password.

  4. Upon successful completion, access is granted.

 

  1. Navigate to Horizon HTML Access.

  2. Enter the Username and Okta/AD Password.

  3. Select an Okta factor from the list.

  4. Enter the response that corresponds to the selected factor.

    • For Push verification, accept the incoming push notification on the enrolled device.
    • For SMS, receive and enter the six-digit one-time password (OTP).
    • For a question, provide the answer to the enrolled security question.
    • For Okta or other OTP factors, enter the current six-digit code from Okta Verify, Google Authenticator, or from any other enrolled OTP factor; for example, a Yubikey in OAuth OTP mode.
  5. Upon successful completion, access is granted.

  1. Navigate to Horizon HTML Access.

  2. Enter Username and Okta OTP value or keyword such as Push or SMS.

  3. Enter the AD password.

  4. Enter the response that corresponds to the selected factor.

  5. Upon successful completion, access is granted.

 

Additional Resources