How to Set Up 2-Factor Authentication in VMware Horizon View with TOTPRadius

VMware Horizon View enables you to access a virtual desktop from anywhere, anytime. Horizon offers you the possibility to move from one place to another: to work from your office or from a cybercafé, or from any other place, when you have a network connection that lets you connect to the Horizon View infrastructure.

This document describes how to secure your external connections and authorize only specific users or groups of users connecting to Horizon View from outside, using 2-Factor authentication with hardware tokens or mobile apps by integrating our TOTPRadius solution.

Prerequisites

• vSphere Infrastructure correctly configured for Horizon View

• Horizon View correctly configured (Connection Server, Security Server and Composer)

• At least one TOTPRadius appliance deployed and configured

• Administrative access to both TOTPRadius and Horizon View

View Connection Server setup

Select the Horizon View Connection Server you want to use:

On Authentication tab, select RADIUS as “Advanced Authentication”:

1. Check : “Enforce 2-Factor and Windows username matching”

2. Select: “Create New Authenticator”

3. Specify the Label : example : TOTPRadius

4. Specify the Hostname/Address : FQDN or IP address of your radius server

5. Specify the Shared Secret : the secret you specified in TOTPRadius settings

The shared secret should match the settings of your TOTPRadius appliance:

Note: For production usage, you can install and configure a secondary TOTPRadius server, in slave mode.

Adding users to RADIUS

LDAP self-enrollment

Guide your users to navigate to https://FQDN_of_TOTPRadius//ldap-enroll and follow the instructions. The process will look like shown in the video below:

Creating users via Admin panel

Login to TOTPRadius admin interface, and click on New User button. This will generate a QR code that should be used to provision the TOTP profile on a mobile authenticator app (Google Authenticator, Microsoft Authenticator, Token2 TOTP+ or any other RFC6238-compliant application). If a hardware token is to be used for this user, click on Edit profile or assign hardware token button and paste the secret key of the hardware token in Token key field in base32 format.

If a programmable hardware token is used, you can burn the secret onto the hardware token by scanning the QR code using one of the NFC Burner apps.

Logging in to Horizon View with 2FA enabled

If everything works fine, the second login screen appears and you have to type your AD password only again (this is a hard-coded design by Horizon View whatever 2-Factor authentication method you want to use, and is not caused by TOTPRadius)

TOTPRadius is free to use with up to 5 users. You need to obtain a license using the link below if you need to increase the number of allowed users. After completing the purchase you will receive an email containing the order URL. To generate the TOTPRadius user licenses, click on the “generate CAL” button on the order page and provide the Host ID. The license key will be generated and sent to your email address.

Purchase TOTPRadius client licenses

MFA Evangelist