
The Horizon Connection Server must require DoD PKI for client logins.


Overview

Finding ID: V-246903
Version: HRZV-7X-000022
Rule ID: SV-246903r790557_rule
IA Controls: (none listed)
Severity: Medium
Description
Before clients can pick a desktop or app to access, they must first authenticate to the broker, the Connection Server itself. If the client is accessing the broker directly, then the allowed authentication methods must be specified. These include RADIUS, SecurID, user/pass and smart card. In the DoD, CAC login must be enforced at all times, for all client connections. If the client is connecting through a Security Server or the UAG appliance, this requirement does not apply.
STIG: VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
Date: 2021-07-30

Details

Check Text (C-50335r790556_chk)
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Under "Horizon Authentication", find the value in the dropdown below "Smart card authentication for users".

If "Smart card authentication for users" is set to "Optional" or "Not Allowed", a SAML Authenticator must be configured and that external IdP must be configured to require CAC authentication. If these requirements are not met, this is a finding.

If "Smart card authentication for users" is set to "Required" on each of the listed Connection Servers, this is not a finding.

Note: If the Connection Server is paired with a Security Server, this requirement is not applicable on the Connection Server but is applicable on the Security Server.

Note: If another form of DoD approved PKI is used, and configured to be required for client logins, this is not a finding.

If the Connection Server is paired with a Unified Access Gateway (UAG) that is performing authentication, this requirement is not applicable.
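The check above is a decision tree over several settings (native smart card mode, SAML delegation, the paired Security Server or UAG, and any other DoD-approved PKI method), evaluated per Connection Server. The following added example, which is not part of the STIG and not VMware's code, encodes that decision tree so the outcome can be recorded consistently across many servers. The ServerAuthSettings record and the sample inventory are assumptions: the fields are meant to be filled in by hand from what the Horizon 7 Console shows on each server's Authentication tab, and are not a Horizon API.

```python
"""Compliance evaluator for HRZV-7X-000022 (V-246903): DoD PKI must be
required for client logins on each Horizon Connection Server.

Added example, not part of the STIG or of VMware Horizon. ServerAuthSettings
is an assumed data model populated from the Horizon 7 Console; it is not a
Horizon API and the sample servers below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Values exactly as shown in the "Smart card authentication for users" dropdown.
SMART_CARD_VALUES = {"Required", "Optional", "Not Allowed"}


@dataclass
class ServerAuthSettings:
    name: str
    smart_card_for_users: str            # "Required" | "Optional" | "Not Allowed"
    saml_authenticator_enabled: bool     # a SAML Authenticator is enabled for this server
    idp_requires_cac: bool               # the external IdP is configured to require CAC
    other_dod_pki_required: bool = False  # another DoD-approved PKI method is enforced
    paired_with_security_server: bool = False
    uag_performs_auth: bool = False      # a UAG in front of this server handles authentication


def evaluate(server: ServerAuthSettings) -> Tuple[str, str]:
    """Return (status, reason); status is 'not a finding', 'finding' or 'not applicable'."""
    if server.smart_card_for_users not in SMART_CARD_VALUES:
        raise ValueError(f"{server.name}: unknown smart card setting "
                         f"{server.smart_card_for_users!r}")
    # Applicability exclusions from the check text come first.
    if server.uag_performs_auth:
        return "not applicable", "authentication is performed by a UAG appliance"
    if server.paired_with_security_server:
        return "not applicable", "requirement applies to the paired Security Server instead"
    # Native CAC enforcement satisfies the rule outright.
    if server.smart_card_for_users == "Required":
        return "not a finding", "native smart card authentication is Required"
    if server.other_dod_pki_required:
        return "not a finding", "another DoD-approved PKI method is required for client logins"
    # Optional / Not Allowed passes only with a SAML Authenticator whose IdP requires CAC.
    if server.saml_authenticator_enabled and server.idp_requires_cac:
        return "not a finding", "CAC authentication is delegated to a SAML IdP that requires it"
    if not server.saml_authenticator_enabled:
        return "finding", (f"smart card is {server.smart_card_for_users} and "
                           "no SAML Authenticator is enabled")
    return "finding", "SAML Authenticator is enabled but the IdP does not require CAC"


def evaluate_all(servers: List[ServerAuthSettings]) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Evaluate every listed Connection Server; the rule is a finding if any server is."""
    results = [(s.name, *evaluate(s)) for s in servers]
    statuses = {status for _, status, _ in results}
    if "finding" in statuses:
        overall = "finding"
    elif "not a finding" in statuses:
        overall = "not a finding"
    else:
        overall = "not applicable"
    return overall, results


# Constructed sample inventory (hypothetical server names, not real hosts).
SAMPLE_SERVERS = [
    ServerAuthSettings("cs01", "Required", False, False),
    ServerAuthSettings("cs02", "Not Allowed", True, True),
    ServerAuthSettings("cs03", "Optional", True, False),
    ServerAuthSettings("cs04", "Optional", False, False, paired_with_security_server=True),
    ServerAuthSettings("cs05", "Optional", False, False, uag_performs_auth=True),
]

if __name__ == "__main__":
    overall, per_server = evaluate_all(SAMPLE_SERVERS)
    for name, status, reason in per_server:
        print(f"{name}: {status} ({reason})")
    print(f"V-246903 overall: {overall}")
```

In the sample inventory, cs03 is the case the check text calls out: smart card set to Optional with a SAML Authenticator present, but the IdP does not require CAC, so the server (and therefore the rule) is a finding even though the other four servers pass or are out of scope.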
Fix Text (F-50289r768668_fix)
Option One:

Use Horizon's native CAC authentication.

Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Under "Horizon Authentication", in the dropdown below "Smart card authentication for users", select "Required". Click "OK".

Option Two:

Delegate CAC authentication to an external IdP.

Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Under "Horizon Authentication", in the dropdown next to "Smart card authentication for users", select "Optional" or "Not Allowed".

In the dropdown under "Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator)", select "Allowed" or "Required", depending on what you set the native capability to in the previous step. Click "Manage SAML Authenticators". Click "Add". Complete the necessary fields. Ensure "Enabled for Connection Server" is checked. Click "OK". Click "OK".

Click "OK".

Restart the "VMware Horizon View Connection Server" service for changes to take effect.