VMware Horizon Community
borjaesteban
Contributor

Having 2 different auth methods, one with 2FA for some users and one without for the rest

We are on VMware Horizon 8.11.1 and are trying to implement a 2FA authentication solution, so that users will first authenticate with their domain credentials (as they are doing now) and then be prompted for the 2FA via RADIUS.

However, we were wondering if there is any way to have only a small group of users who might be redirected to the MFA auth for testing purposes, leaving the rest of the users to authenticate without the MFA. Basically this means that, for the same connection server (test1.com, for example), we need to have two different ways of authentication (because we are doing a demo of the workflow), so that we can test it for a limited number of users and, in case of success, implement the change for all the other users in a staggered way.

Is this possible in some way? If not, how can we run the tests without affecting all the users?

7 Replies
Mickeybyte
Hot Shot

@borjaesteban 

Are you talking about users accessing Horizon from internal networks or from external (using UAGs)?

If internal: 

Add an additional connection server and configure it to use 2FA. Don't add it to the existing load balancer if you have one, but let the test users connect directly to the newly configured connection server.

If External: 

Add an additional UAG appliance and configure it to use 2FA. Don't add it to the existing load balancer or HA group, but let the test users connect directly to the newly configured UAG.

Once you are satisfied with the new setup, make the same changes to the existing connection servers or UAGs to enforce 2FA for all users and remove the extra installed connection server/UAG (or keep it for future testing).

 


Regards,
Mickeybyte (ITPro blog)

If you found this comment useful or an answer to your question, please mark as 'Solved' and/or click the 'Kudos' button, please ask follow-up questions if you have any.
borjaesteban
Contributor


Hi @Mickeybyte,
Thank you so much for your response!

So once we have an additional connection server, we would like to know: if we enable 2-factor authentication using RADIUS in the Authentication settings, will it only validate the OTP, or will it also be used to check the LDAP credentials? We need to cover the use case of validating the OTP via RADIUS and then getting back to VMware to validate the LDAP credentials (this is the configuration we have now).

We need to be sure how the auth flow works when the RADIUS option is checked.

Looking forward to your response.

Borja
Mickeybyte
Hot Shot

@borjaesteban 

A connection server will always validate the AD credentials. If you also configure RADIUS for that specific connection server, then it will also provide RADIUS authentication to users connecting to that connection server.


Regards,
Mickeybyte (ITPro blog)

borjaesteban
Contributor

Hi @Mickeybyte

Thanks again for your response.

So if we add RADIUS validation in the advanced configuration for a connection server, can we achieve that the user is prompted for the OTP via RADIUS and, once that OTP is satisfied via RADIUS, the AD credentials are then validated outside RADIUS, in the same workflow as is configured now?

I look forward to your response.

Borja

Mickeybyte
Hot Shot

@borjaesteban 

I'm not sure, but I think it will first validate AD credentials and then RADIUS OTP.

 


Regards,
Mickeybyte (ITPro blog)

borjaesteban
Contributor

Hi @Mickeybyte,

Thank you very much for all the support.

Just to confirm and as a final point: regardless of whether it is done before or after, can you confirm that the RADIUS is an additional factor but that it will always validate the AD credentials, correct? In the same way as it is currently without radius.

Again, thank you very much,

Borja

Mickeybyte
Hot Shot

@borjaesteban 

Yes, both will be validated.

 


Regards,
Mickeybyte (ITPro blog)
