Updated on 2025-12-03 GMT+08:00

Enabling Certificate-based Authentication

Prerequisites

To enable certificate-based authentication when interconnecting with an AD domain, ensure that the AD server has been configured with a valid domain controller certificate. Issue the certificate in either of the following ways:

Notes and Constraints

  • Certificate-based authentication can be enabled only when AD is interconnected.
  • Only HDA 25.2.0 and later are supported.
  • Only Windows desktops and cloud applications are supported.

Procedure

  1. Log in to the console.
  2. In the navigation pane, choose Tenant Configuration > Basic Settings.
  3. Click Edit under Basic Settings to go to the page for modifying a domain.
  4. Select Enable certificate-based authentication.
  5. Select the desired certification authority (CA) certificate from the Private CA certificate drop-down list box.

    If no CA certificate is available, click Creating a CA Certificate on the right. For details, see Creating a CA certificate.

  6. Click OK.
  7. Export the CA certificate selected in step 5 and its certificate revocation list (CRL) file. For details, see Exporting a CA Certificate and Exporting a CRL File.
  8. Import them to the AD domain server. For details, see Importing the Root/Subordinate CA Certificate and CRL File to the AD Server.
  9. After the configuration is complete, certificate-based authentication is enabled. Users can then log in to the cloud desktop without entering a password.

    • When the Windows desktop screen is locked, users need to manually enter the AD username and password to unlock the desktop.
    • When the AD is disconnected, users can still access the cloud desktop within 24 hours.
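
A pre-import check for the files produced by the export step, run on the AD server before the import step. This is an added example, not part of the original documentation: the file names are placeholders, and the CRL date lines assume English-language certutil output.

```powershell
# Added example: check the exported CA certificate and CRL before importing them.
# The default file names are placeholders, not names produced by the console.
param(
    [string]$CaCertPath = '.\exported-ca.cer',
    [string]$CrlPath    = '.\exported-ca.crl'
)
$ErrorActionPreference = 'Stop'
$problems = @()

# Load the CA certificate (X509Certificate2 reads DER and Base64 encoded files).
$caFile = (Resolve-Path $CaCertPath).Path
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caFile)

# 1. The certificate must be inside its validity period.
$now = Get-Date
if ($now -lt $ca.NotBefore -or $now -gt $ca.NotAfter) {
    $problems += "CA certificate is outside its validity period ($($ca.NotBefore) to $($ca.NotAfter))."
}

# 2. It must be a CA certificate: basicConstraints (OID 2.5.29.19) with CA=TRUE.
$bc = $ca.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if (-not $bc -or -not $bc.CertificateAuthority) {
    $problems += 'Certificate does not carry basicConstraints CA=TRUE.'
}

# 3. Root or subordinate? A subordinate CA also needs its issuing CA on the AD server.
if ($ca.Subject -eq $ca.Issuer) { $kind = 'root (self-issued)' }
else { $kind = "subordinate, issued by $($ca.Issuer)" }

# 4. The CRL signature must verify against the CA certificate.
#    Syntax used: certutil -verify CRLFile CACertFile
$crlFile = (Resolve-Path $CrlPath).Path
$null = & certutil.exe -verify $crlFile $caFile
if ($LASTEXITCODE -ne 0) {
    $problems += "CRL did not verify against the CA certificate (certutil exit code $LASTEXITCODE)."
}

# 5. Show the CRL validity window so that a stale CRL is noticed before import.
$crlDates = & certutil.exe -dump $crlFile | Select-String -Pattern 'ThisUpdate|NextUpdate'

"CA subject    : $($ca.Subject)"
"CA type       : $kind"
"CA thumbprint : $($ca.Thumbprint)"
$crlDates | ForEach-Object { "CRL" + $_.Line }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
'Checks passed: the files are consistent and can be imported.'
```

Compare the printed thumbprint with the CA certificate shown in the console before importing, and re-export the CRL if its NextUpdate time has already passed.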