The Connector acts as an identity provider within your network, creating an in-network federation authority that communicates with Horizon Workspace using SAML 2.0 assertions. The Connector authenticates the user with Active Directory within the enterprise network (using existing network security).

The following authentication methods are supported by Horizon Workspace: Active Directory username/password, Kerberos, and RSA SecurID.

Horizon Workspace authentication types and their descriptions:

Username/password: Active Directory username/password authentication is the default user authentication method. This method authenticates users directly against your Active Directory.

Kerberos: When properly configured, Kerberos authentication provides Windows users with single sign-on access to Horizon Workspace, eliminating the requirement for Windows users to log in to Horizon Workspace after they log in to the enterprise network. The Connector validates user desktop credentials using Kerberos tickets distributed by the key distribution center (KDC).

RSA SecurID: RSA SecurID authentication requires users to use a token-based authentication system. RSA SecurID is the recommended authentication method for users accessing Horizon Workspace from outside the enterprise network.

Username/password authentication is the authentication method in use when you initially deploy Horizon Workspace. The username/password authentication method can authenticate users regardless of whether users are inside or outside the enterprise network. To provide user access to Horizon Workspace from outside the enterprise network, you can either require VPN access or you can install Horizon Workspace in a manner that allows Internet access.

If you decide to use username/password authentication to provide users outside the enterprise network access to Horizon Workspace, you can configure Horizon Workspace in one of the following ways:

Install a reverse proxy server in the DMZ pointing to the Gateway virtual appliance.

Configure firewall port forwarding or router port forwarding to point to the Gateway virtual appliance.

To implement Kerberos authentication or RSA SecurID authentication, you must deploy one or more additional Connector instances. To implement both Kerberos authentication and RSA SecurID authentication, you first deploy Horizon Workspace, which includes all the Horizon Workspace virtual appliances. See Multiple data-va Virtual Machines for how to create additional identity providers.

You can configure one or more Connector instances to handle Kerberos authentication and one or more Connector instances to handle RSA SecurID authentication. Configuring any single Connector instance to handle both Kerberos authentication and RSA SecurID authentication is not a best practice. When you use more than one Connector instance in your deployment, you must use the Administrator Web interface to configure IdP discovery.

If you decide to use Kerberos authentication to seamlessly authenticate Windows users (applies to users inside the enterprise network only) to Horizon Workspace, issue the hznAdminTool addvm command in the configurator-va virtual machine to add a new connector-va virtual machine. Since the Connector acts as an identity provider, when you add a new Connector instance you are adding a new identity provider instance.

If you decide to use RSA SecurID authentication to provide users outside the enterprise network access to Horizon Workspace, you must add the connector-va virtual machine using the addvm option of the hznAdminTool command. This command creates an additional identity provider. You can then configure the new identity provider using the Horizon Workspace Administrator Web interface.

The supported authentication types can be used in a variety of ways to provide users, both inside and outside the enterprise network, access to Horizon Workspace.

Overview of Providing User Access to Horizon Workspace

User Access From Inside the Enterprise Network

Username/password authentication: Functions by default. No additional Connector instances are required for this authentication method when users are inside the enterprise network.

Kerberos authentication: Requires an additional Connector instance.

RSA SecurID authentication: Not recommended. This authentication method is not recommended for authenticating users who are inside the enterprise network.

User Access From Outside the Enterprise Network

Username/password authentication: To implement username/password authentication for users outside the enterprise network, you must enable Internet access to the Gateway virtual appliance. VPN is an option, too.

Kerberos authentication: Not applicable. This authentication method is not an option for authenticating users outside the enterprise network.

RSA SecurID authentication: When practical, this authentication method is preferred for authenticating users outside the network. The best practice is to install a Connector instance dedicated to RSA SecurID authentication.

Note

Horizon Workspace handles RSA SecurID authentication and Kerberos authentication failures differently:

If Kerberos authentication fails for any reason, the Connector falls back to username/password authentication. In such cases, users are presented with a login page that prompts them for their username and password to access Horizon Workspace. The Connector then validates users against the directory server.

If RSA SecurID authentication fails, the Connector does not fall back to username/password authentication. Since RSA SecurID is only recommended for users outside the enterprise network, such users will not be able to access Horizon Workspace until the cause of failure is resolved.
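The IdP discovery rules (which authentication method a user is routed to from inside or outside the network) and the failure handling in the Note above, written out as a small policy model. This is an added illustration, not VMware code: the enterprise address ranges are constructed, and the `checks` dictionary stands in for the real KDC ticket validation, SecurID token check and directory bind.

```python
import ipaddress
from typing import NamedTuple


class Outcome(NamedTuple):
    success: bool
    method_used: str   # method that actually decided the outcome
    prompted: bool     # True when the user saw the username/password login page


# Constructed example ranges standing in for "inside the enterprise network".
ENTERPRISE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]


def is_inside_enterprise(client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ENTERPRISE_NETS)


def select_idp(client_ip: str, windows_desktop: bool) -> str:
    """IdP discovery as the page describes it: Kerberos is only an option for
    Windows users inside the network, RSA SecurID is preferred outside, and
    username/password works from either side."""
    if is_inside_enterprise(client_ip):
        return "kerberos" if windows_desktop else "password"
    return "securid"


def authenticate(method: str, checks: dict) -> Outcome:
    """Apply the failure rules from the Note. `checks` maps a method name to
    the (assumed) result of its credential check."""
    if method == "kerberos":
        if checks.get("kerberos"):
            return Outcome(True, "kerberos", False)
        # Kerberos failure falls back to the username/password login page
        return Outcome(bool(checks.get("password")), "password", True)
    if method == "securid":
        # No fallback: a SecurID failure is a hard failure for the user
        return Outcome(bool(checks.get("securid")), "securid", False)
    if method == "password":
        return Outcome(bool(checks.get("password")), "password", True)
    raise ValueError(f"unsupported authentication method: {method}")


def login(client_ip: str, windows_desktop: bool, checks: dict) -> Outcome:
    return authenticate(select_idp(client_ip, windows_desktop), checks)
```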