Install and Configure Horizon View Connection Server

Replace Self Signed Certificate

Prerequisite: to replace the self-signed certificate on a connection/replica server, you need a certificate authority (CA) in your environment. If you don't already have a CA, please see my guide on how to Install Active Directory Certificate Services.

Create Certificate Template

Open Certificate Templates management console.

Right-click the Web Server template and select Duplicate Template.

Template settings:

  • Compatibility
    • Certification Authority: Windows Server 2008 R2
    • Certificate recipient: Windows 7 / Server 2008 R2
  • General (These settings will be based on your environment's requirements. I will be providing lab settings for now.)
    • Template Display name: Horizon View
    • Validity period: 2 Years
    • Renewal Period: 6 Weeks
  • Request Handling
    • Allow Private Key to be exported.
  • Extensions
    • Edit Application Policies
      • Click Add and Select “Client Authentication”
  • Security
    • Add Computer Object or Security group
    • Select allow for Read and Enroll permissions.

Note: I recommend creating a security group and nesting your connection server and replica servers inside it, then adding that security group on the Security tab with Read and Enroll permissions.

Side Note: When adding a computer account to a security group, you might need to reset the whole cache of Kerberos tickets on the computer (local system) in order to update the computer's group memberships. See more about this at the bottom of the page.

Now that the template has been created, we need to issue the certificate template through the Certification Authority management console.

Open the Certification Authority management console again. Right-click Certificate Templates, select New, and then Certificate Template to Issue.

Select the “Horizon View” template and click OK.

You have successfully configured the certificate template.

Quick Side note…

When adding a computer account to a security group, you might need to reset the whole cache of Kerberos tickets on the computer (local system) in order to update the computer's group memberships. If you don't, the enrollment process might fail. You can reset the whole Kerberos ticket cache on a computer by running klist or by rebooting the computer. Either way will reset the Kerberos cache on the computer.

To use klist method do the following:

  • Run command prompt as administrator
  • Type the following command
    • klist -lh 0 -li 0x3e7 purge
  • After running klist command run a group policy update
    • gpupdate /force
  • After the group policy update, run gpresult to verify.
    • gpresult /r /scope computer
  • Look under “The computer is a part of the following security groups.” to verify the computer is now part of the new security group.
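
The steps above can be run and checked in one pass. The following PowerShell script is an added example, not part of the original guide: it runs the same three commands and then searches the gpresult output for the group. The group name `Horizon-View-Servers` is a placeholder, and the parsing assumes English-language gpresult output.

```powershell
# Added example: purge the computer account's Kerberos tickets, refresh policy,
# and confirm the new group membership before attempting certificate enrollment.
# 'Horizon-View-Servers' is a placeholder group name; substitute your own.
param(
    [string]$GroupName = 'Horizon-View-Servers'
)

# Purging the LocalSystem logon session (0x3e7) requires an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Step 1: drop the cached tickets issued before the group change.
& klist.exe -lh 0 -li 0x3e7 purge

# Step 2: refresh computer policy, as in the manual steps.
& gpupdate.exe /force

# Step 3: capture the computer-scope report and locate the group section.
$report = & gpresult.exe /r /scope computer
$header = 'The computer is a part of the following security groups'
$start  = ($report | Select-String -SimpleMatch $header |
           Select-Object -First 1).LineNumber
if (-not $start) {
    throw "Section '$header' not found; inspect the gpresult output manually."
}

# Everything after the header, minus blank lines and the dashed underline.
$groups = $report | Select-Object -Skip $start |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -notmatch '^-+$' }

# Accept both 'GROUP' and 'DOMAIN\GROUP' forms.
$isMember = [bool]($groups | Where-Object {
    $_ -eq $GroupName -or
    $_.EndsWith("\$GroupName", [StringComparison]::OrdinalIgnoreCase)
})

if ($isMember) {
    Write-Output "OK: gpresult lists '$GroupName' for this computer."
} else {
    Write-Warning "'$GroupName' is not listed. Check the membership in AD, then reboot or re-run."
    exit 1
}
```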

On the next page we will continue to replace the connection/replica servers' self-signed certificates.