VMWare Horizon integration (using RADIUS Proxy) for 2FA

2020-09-22 5 minutes to read
Tutorial Index

Two-Factor Authentication for VMWare Horizon integration (using RADIUS Proxy) with the SecSign ID Two-Factor Authentication

Secure your VMWare Horizon setup with two-factor authentication without an additional Radius Server. Integrates with the SecSignIDRadiusProxy and the RADIUS interface.


Integration and setup

Before you start this integration the Horizon environment should be up and running, connected to an Active Directory (AD) as required by Horizon, and the login from an Horizon Client using the AD user name and password (without 2FA) should already be working.

The following components will be added and installed:

  • the SecSign ID on-premise server to provide 2FA confirmation of the login and
  • the SecSignIDRadiusProxy as interface between Horizon connection server and the SecSign ID on-premise server and
  • the SecSign ID Desktop app for the individual user to confirm their Horizon login
    (the SecSign ID app can also be used on a mobile device. The following example will focus on the Desktop App)

Install the SecSign ID on-premise server

For this setup you will need the SecSign ID on-premise server setup. Please contact us for more information.
This server may be installed on any Java enabled environment. It can be the same server running the Horizon connection server or run on its own VM.

If the end users are accessing the Horizon environment via the internet, the SecSign ID server will need to be accessed

  • from “outside” – over default Port 443 – (from end user SecSign ID app)
  • from “internal network” – over default ports 25100 and 28787 – (from SecSignIDRadiusProxy)
  • and it will need to reach out to the same AD used by Horizon – over the port required by the AD

If the end users are accessing the Horizon environment over a local network, there is no need for any access through the Firewall. In this case the SecSign ID on-premise server will still need to be accessed:

  • from “internal network” – over default Port 443 – (from end user SecSign ID app)
  • from “internal network” – over default ports 25100 and 28787 – (from SecSignIDRadiusProxy)
  • and it will need to reach out to the same AD used by Horizon – over the port required by the AD.

Perform the usual SecSignID on-premise installation using setup wizard and create at least one administrator using user-password, allowed to log in from local network only.

We will be setting up the general requirement to use the username and password that users already have in your AD. Before the LDAP connection is set up we need to have at least one administrator to access the dashboard.
This administrator with password created locally on the SecSign ID on-premise server may be used later also for debugging LDAP connection to AD if need should arise.
The location from where this local password login is allowed can be redefined in SecSign-ID-server.properties:


Comment out or extend this list as required for your local network. Users logging in from any other locations will be required to type in their username and password as defined in AD.
Open Dashboard, login as Administrator and navigate to LDAP configuration.

Set up LDAP connection to the AD running on the same domain controller as used by the Horizon environment.
Choose the use case “Check username/password on dashboard login” and fill out the parameters required for the LDAP connection.

Install SecSignIDRadiusProxy

This server application may be installed on any Java enabled environment. It may be the same server running the Horizon connection server or run on its own VM. It will need to be accessed

  • from the “internal network” – default port 2812 – (from Horizon connection server)
  • and it will need to reach out to the SecSign-ID-server – over the default ports 25100 and 28787 (or as defined in SecSign-ID-server.properties if modified there).

1 Copy the directory SecSignIDRadiusProxy to the location where you want it to run.

2 Use one of the delivered start scripts found in this directory to start it, depending on the Operation System. Under Windows use SecSignIDRadiusProxy.bat.

3 To make the start automatic with reboot under Linux use the start scripts found under SecSignIDRadiusProxy/etc.
Under Windows use Task Scheduler to automatically start SecSignIDRadiusProxy.bat at startup.

4 Adjust configuration in SecSignIDRadiusProxy.properties:
Note: for the SecSignIDRadiusProxy the Horizon connection server is the radiusclient

  • Define radius client
    # Host name or IP address of the first RADIUS client


    # Shared secret with the first RADIUS client


    # the text of the ReplyMessage to be sent back to the first RADIUS client answering his AccessRequest.

    secradiusproxy.radiusclient.0.challengereplymsg=To confirm login please start the SecSignapp\n\n1. Select the ID equal to your AD username  \n2. Click "Accept" \n3. Type any number as Tokencode below\n4. Click login button.
  • Comment out some properties not required here:
    all properties with name including “.radiusclient.1.”
    all properties with name including “.forwardradiusserver.”
    all properties with name including “.activedirectoryldapserver.”
    (except “secradiusproxy.noldapserver.idpattern” as described in next point)
  • Define username pattern (for automatic matching of SecSign-ID-server username and AD username):
  • Define SecSign-ID-Server to be used
    The SecSignIDRadiusProxy will need to access two different ports of SecSign-ID-Server.
    Both these ports to the SecSign-ID server only need access through an internal network, if the SecSign-ID server is running on the same local network. Nevertheless, both connections are encrypted with TLS and both will use the TLS Server Certificate of the SecSign-ID server for encryption of the communication.

    # Base URL of the first SecSign ID server for REST requests


    # first SecSign ID server host


    # first SecSign ID server port


Configure Horizon connection server to use SecSign-ID-server for 2FA

The Horizon connection server needs to use RADIUS as 2FA method and create an Authenticator to access the SecSignIDRadiusProxy.

1 In Horizon Admin select the desired “connection server” and click edit

2Select the Tab “Authentication” and scroll down until you find 2FA

3Activate 2FA selecting RADIUS and click on “Create New Authenticator”

4Type in the name of the Authenticator and then select Tab “Primary Authentication server”

5Input name or IP Address of SecSignIdRadiusProxy hostname

6Input port (default 1812) of SecSignIdRadiusProxy

7Input shared secret as defined before in SecSignIdRadiusProxy.properties (secradiusproxy.radiusclient.0.sharedsecret=…)

Press OK and check that the newly created Authenticator is being used for 2FA RADIUS Authentication.

Install SecSign ID App

You can choose between the default SecSign ID app for mobile or desktop use, or have our developers create a custom ID app for you in your corporate design. Install customized SecSign ID Desktop app on the same workstation where the Horizon Desktop Client is installed.

Note: The SecSign ID app can be used on a mobile device or desktop. The following example will focus on the Desktop App.

Use SecSign ID Desktop app to create an user with the same name and password as the user has on AD.

An alternative enrollment procedure is described here.

Login to Horizon using Desktop Client and 2FA using SecSign ID Desktop app

Login to Horizon using Desktop Client and 2FA confirmation using SecSign ID Desktop app (using Horizon HTML Client the procedure would be the same, here shown with Horizon Client).
Please follow these steps to set up the Desktop App:

1Start the Horizon Client.

2Choose the URL of the Horizon connection server.

3Type in AD username and password.

4Receive Dialog with text defined in SecSignIDRadiusProxy config (Parameter “challengereplymsg”)

5Start the SecSign ID app

6Click on username and type in AD password.
(as an example here the user name is “tara”)

7Confirm login on the SecSign ID app.

When the user (here “tara”) was registered using this instance of SecSign ID app, a private certificate was created which ensures only this instance of the SeSign ID app could receive the request to confirm the login of user “tara” so there is no need to send a code to be entered into the Horizon login Dialog. After confirming the login with this SecSign ID app, any character can be entered in the next dialog.

8Type in any number into the Horizon login Dialog and click on “Login”

9You are logged in and have access to all applications configured by the Horizon administrator for the user

Overview and Ports used

1 User logs in with VMWare Connection Server

2Horizon Connection Server uses the 2FA Radius Authenticator configured to send the 2FA request through the SecSignID Radius Proxy

3 The SecSignID RADIUS Proxy contacts the SecSignID Server. The proxy asks the SecSignID Server, if the ID is authenticated

4 The SecSignID Server validates the AD user and password against the Active Directory.

5The SecSignID Server starts an authentication session (and notifies the user’s mobile device if used) and waits for the user to proceed with the second factor authentication

6 The user authenticates with his key saved locally on the desktop or mobile device SecSign ID App and accepts the login request

7 The SecSignID RADIUS Proxy gets a response from the ID Server, that the second factor authentication was successful

8 The SecSignID RADIUS Proxy sends a RADIUS confirmation to the Horizon Connection Server, which activates the login button (user needs to enter any number and click login)

9 The authentication was successful. VMWare Horizon grants access to the client.

Assuming the users connecting to Horizon VDI externally access the System through the Internet:
The External Firewall needs to allow access to both VMware Horizon connection server and SecSign ID server, in both cases through Port 443.

All the other connections should take place within the internal network.

SecSignID Server main default HTTPS Port is 28787 and if running on Windows and no external firewall is used, change it to 443, in SecSign-ID-server.properties:


SecSignID Server will be accessed on this port from SecSign ID App and also over the internal Network from SecSignID RADIUS Proxy.
SecSignID Server will be accessed additionally over port 25100 from SecSignID RADIUS Proxy.

The SecSignID RADIUS Proxy will be accessed over default RADIUS port 1812
This port can be changed also in SecSignIDRadiusProxy.properties:
# server port for requests from RADIUS clients. Default: 1812.


Your own ID-Server

On premise installations of SecSign ID offer the flexibility to connect with your preferred servers, services, and devices. And you can customize the SecSign ID with your own organization’s branding.

Learn More
On Premise 2FA ID

Latest Blog Posts, Updates & Features

SecSign ID Server passed FIDO Certification

We are happy to announce that the SecSign ID server has passed the official FIDO certification program of the FIDO Alliance. This will allow you to use the complete FIDO2/WebAuthn standard for passwordless 2FA sign-ins in your exi ...

Mehr Lesen

Two-Factor Authentication with Fido2 / WebAuth

The FIDO2 Project is a set of standards developed by the FIDO Alliance and the World Wide Web Consortium (W3C) to create a strong authentication protocol for the web. It consist mainly of the WebAuth standard for the browser part ...

Mehr Lesen

Protecting the Home Office VPN with 2FA

In the recent weeks, home office work has increased potentially. And while employees are practicing social distancing from their home computer, attackers are working hard to exploit security issues in this situation that is unfami ...

Mehr Lesen
SecSign 2FA