Jason Pearce
Posts
For the past year, my primary project at work has been to engineer, develop, and deploy a VMware View virtual desktop infrastructure for the hospital and its dozen off-site locations.
I realize that this parody video may be only funny to those who work with VDI solutions, but I just had to share. The best line of them all… “Don’t worry, he won’t get us Google Chromebooks.”
Hilarious. BTW. I wrote this via my work’s VMware View desktop running on my home laptop.
I have a vendor with a web-based SAS service that requires a password encrypted .PFX certificate to be imported into the user’s Personal certificate store.
For physical desktops, this is a one-time import procedure. But for VMware View VDI desktops that are non-persistent, users receive a new desktop every day and would thus have to import this certificate over and over again. I needed a way to automatically import the certificate into the vendor-required store at every logon.
Group Policy
When I opened up Group Policy Management and navigated to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies, I found several certificate stores that I could import the .PFX file into. The Trusted Root Certification Authorities or Trusted Publishers stores would seem like good places to import this vendor certificate, but neither are the correct store that the vendor requires.
User Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies also had a few stores I could target, but none contain the User’s Personal store. The correct store can be found via Internet Explorer -> Internet Options -> Content -> Certificates -> Personal. Unfortunately, Group Policy isn’t able to target this certificate store.
Scripts
Since Group Policy and Group Policy Preferences didn’t offer a way to import a .PFX certificate into a user’s Personal certificate store, I turned to scripting the solution.
I first placed the vendorcertificate.pfx on a network share (e.g. %LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx).
Next I created a .BAT script named import-certificate.bat which runs this command:
certutil -f -user -p "CertificatePassword" -importpfx "%LOGONSERVER%\netlogon\certificates\vendorcertificate.pfx"
I then created a .VBS script named import-certificate-silently.vbs that will run the import-certificate.bat script silently (so the user does not see a flash of the CMD window when this runs):
' Launches import-certificate.bat in a hidden window (0) without waiting for it to finish (false)
Set oShell = CreateObject("Wscript.Shell")
Dim strArgs
strArgs = "cmd /c %LOGONSERVER%\netlogon\certificates\import-certificate.bat"
oShell.Run strArgs, 0, false
Group Policy Preference Schedule Tasks
Since I want my script to run only for a subset of my VMware View users, I created an Active Directory Security Group that contains the users who need access to this SAS web-based application (e.g. APP-InstallVendorCertificate).
I then returned to Group Policy Management and navigated to User Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks. I created a Scheduled Task that runs 30 seconds after the user logs in if they are a member of the APP-InstallVendorCertificate security group. The scheduled task runs %LOGONSERVER%\netlogon\certificates\import-certificate-silently.vbs.
The result is that when a VMware View user who belongs to the APP-InstallVendorCertificate security group in Active Directory logs into their virtual desktop, the required SSL Certificate is automatically installed in their User -> Personal certificate store.
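The same logon-time import written in PowerShell, as an added example that is not part of the original post. It does what import-certificate.bat does (put the vendor .PFX into the user's Personal, i.e. CurrentUser\My, store) but skips the import when the certificate is already there (checked by thumbprint), so the task can run at every logon without piling up duplicates, leaves the private key non-exportable, and reads the .PFX password from a separate file whose NTFS ACL is restricted to the APP-InstallVendorCertificate group rather than embedding it in a batch file that every domain user can read from the netlogon share. The .pwd file name is an assumption; the .pfx path is the one used above.

```powershell
# Added example (not the original post's script): idempotent import of the vendor .PFX into
# the current user's Personal (CurrentUser\My) certificate store.
$pfxPath      = Join-Path $env:LOGONSERVER 'netlogon\certificates\vendorcertificate.pfx'
$passwordFile = Join-Path $env:LOGONSERVER 'netlogon\certificates\vendorcertificate.pwd'  # hypothetical; ACL limited to the app group

foreach ($p in $pfxPath, $passwordFile) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Required file not found: $p"
        exit 1
    }
}
$password = (Get-Content -LiteralPath $passwordFile -TotalCount 1).Trim()

# UserKeySet + PersistKeySet: the private key lands in the user's profile and survives the import.
# Exportable is deliberately NOT set, so the key cannot be re-exported from the VDI desktop.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $password, $flags)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    # Look the certificate up by thumbprint before adding it; non-persistent desktops get a
    # fresh profile daily, but a persistent or roaming profile would otherwise accumulate copies.
    $existing = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
        $cert.Thumbprint, $false)
    if ($existing.Count -gt 0) {
        Write-Verbose "Certificate $($cert.Thumbprint) already present in CurrentUser\My; nothing to do."
    } else {
        $store.Add($cert)
        Write-Verbose "Imported '$($cert.Subject)' ($($cert.Thumbprint)) into CurrentUser\My."
    }
} finally {
    $store.Close()
}
```

Run it from the Group Policy Preferences scheduled task as powershell.exe -NoProfile -WindowStyle Hidden -File "\\...\import-certificate.ps1" and the hidden-window launcher (.vbs) is no longer needed. The password file still has to be readable by the users who need the certificate, so the ACL only narrows who can read it to that group; it does not remove the secret from the share.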
In my previous article “Using BgInfo with VMware View,” I discuss how to use Microsoft’s BgInfo utility within a VMware View desktop pool to write the following information to a user’s wallpaper:
- Username
- Physical and Virtual PC name
- Physical and Virtual IP address
- Physical and Virtual MAC address
Example of BgInfo wallpaper for my VMware View environment
Problem
My BgInfo solution is great. It helps users know they are accessing their own virtual desktop (nurses and doctors frequently move from one PC to the next) and helps the Help Desk identify who is working where (by computer name, IP, or MAC address).
The primary problem is that my initial solution ran BgInfo only at logon. When nurses and doctors switch from one physical client to another (typically stationary thin or zero clients), BgInfo's values are not updated and display stale IP/MAC values for the physical client.
The secondary problem was that monitor resolutions vary, sometimes forcing the BgInfo content out of view.
Solution
The solution was to leverage Group Policy Preferences, Scheduled Tasks, and Event Logs. I wanted to use these three tools to trigger BgInfo to run whenever a user moved their VMware View virtual desktop from one location to another. Here’s how I did it.
Open your Group Policy Management Editor, create a new Group Policy, and click Edit. Navigate to User Configuration > Preferences > Control Panel Settings > Scheduled Tasks. Right-click > New > Scheduled Task for Windows Vista or greater.
General Tab
Give it a useful name and then stick with the defaults.
Trigger: At Logon
Create a new Trigger to run GpUpdate 30 seconds after logon. When using the PCoIP protocol, I’ve found that some zero and thin clients resize shortly after logging the user into their desktop. Having BgInfo run 30 seconds after login makes sure it appears in the right spot.
Trigger: On an Event, after Group Policy update
This was my first solution. If I could get BgInfo to randomly run several times a day, I’d have more accurate information. Since Group Policy updates occur about every 90 minutes, I configured this Scheduled Task to run after EventID 5315 (Log: Microsoft-Windows-GroupPolicy/Operational; Source: Microsoft-Windows-GroupPolicy) appeared in the virtual machine’s Event Logs. Additionally, the Help Desk could ask a user to run “gpupdate” to refresh BgInfo at will.
Trigger: On an Event, after Terminal Services logon
This proved to be the better solution. When a user logs into their VMware View desktop from another location, EventID 25 (Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational; Source: Microsoft-Windows-TerminalServices-LocalSessionManager) appears in the virtual machine’s Event Logs. If I could get BgInfo to run every time this event occurred in the logs, then the BgInfo would remain accurate as the user moves from one location to another.
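The two event triggers above, as an added example that is not part of the original post: each trigger is written out as the same event-subscription XML that Task Scheduler builds when you pick Log, Source and Event ID (and which you can paste into the trigger's "Custom" filter), then run against the local logs with Get-WinEvent so you can confirm on a test desktop that the query actually matches before the GPO goes out. For the Terminal Services reconnect event it also pulls the "Source Network Address" field out of the event message, which is the physical client address that BgInfo needs to refresh. The log names, sources and Event IDs are the ones given above; the trigger labels are mine.

```powershell
# Added example (not from the original post): check that the two event triggers used by the
# BgInfo scheduled task match real events on this desktop.
$triggers = @{
    'GroupPolicyRefresh' = @{ Log = 'Microsoft-Windows-GroupPolicy/Operational'
                              Source = 'Microsoft-Windows-GroupPolicy'; Id = 5315 }
    'SessionReconnect'   = @{ Log = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
                              Source = 'Microsoft-Windows-TerminalServices-LocalSessionManager'; Id = 25 }
}

function New-EventSubscriptionXml {
    param([string]$Log, [string]$Source, [int]$Id)
    # Same shape Task Scheduler generates for an "On an event" trigger; usable as a Custom filter.
    @"
<QueryList>
  <Query Id="0" Path="$Log">
    <Select Path="$Log">*[System[Provider[@Name='$Source'] and EventID=$Id]]</Select>
  </Query>
</QueryList>
"@
}

foreach ($name in $triggers.Keys) {
    $t      = $triggers[$name]
    $xml    = New-EventSubscriptionXml @t
    $recent = @(Get-WinEvent -FilterXml $xml -MaxEvents 5 -ErrorAction SilentlyContinue)

    if ($recent.Count -eq 0) {
        "{0,-20} EventID {1,-5} no matching events yet (trigger would never have fired here)" -f $name, $t.Id
        continue
    }
    "{0,-20} EventID {1,-5} last seen {2}" -f $name, $t.Id, $recent[0].TimeCreated

    # Event 25's message carries the client's address; that is the value BgInfo must refresh.
    if ($name -eq 'SessionReconnect') {
        foreach ($e in $recent) {
            if ($e.Message -match 'Source Network Address:\s*(\S+)') {
                "    {0}  reconnected from {1}" -f $e.TimeCreated, $Matches[1]
            }
        }
    }
}
```

Seeing several event 25 entries with different source addresses for one user over a shift is exactly the roaming pattern the trigger is meant to catch; if the query returns nothing on a desktop where users do roam, check that the LocalSessionManager operational log is enabled before blaming the scheduled task.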
Actions Tab
Create a new Action that silently runs BgInfo from a network share. I use a VB Script that silently launches a BAT file.
VB Script
' Launches the BAT file in a hidden window (0) without waiting for it to finish (false)
Set oShell = CreateObject("Wscript.Shell")
Dim strArgs
strArgs = "cmd /c %LOGONSERVER%\netlogon\Bginfo-nonpersistent.bat"
oShell.Run strArgs, 0, false
BAT file
@echo off
%logonserver%\netlogon\bginfo.exe %logonserver%\netlogon\Bginfo-nonpersistent.bgi /Timer:0 /NoLicPrompt /silent
Conditions, Settings, and Common tabs
I’m not using these tabs.
Closing
By using Group Policy Preferences to create a Scheduled Task that monitors specific Event Logs, we’re able to have BgInfo run and update a user’s VMware View desktop wallpaper each time they move from one location to another.
VMware View Security Servers require an SSL certificate to be installed for mobile VMware View clients to function properly. It’s also a good practice.
Chapter 7 of the VMware View 4.6 Installation manual attempts to document the procedure of how to export a certificate from a Windows 2008 IIS server and import it into a Windows 2008 VMware View Security Server, which happens to rely on Apache Tomcat.
The instructions and examples of the VMware View Installation manual are incomplete and its examples are sometimes misleading. After spending days of experimentation, all while working with VMware Support, I finally figured out how to properly perform this procedure.
In my example, I’m using a wildcard certificate from GoDaddy (*.example.com) that has been pre-installed on a Windows 2008 R2 IIS server in our domain. My objective was to export this wildcard certificate from our IIS server and use it for our VMware View Security Server at desktops.example.com.
Add keytool to the System Path
By adding the “keytool” folder to the system environment Path variable, we will be able to run this utility from any directory on the host.
Procedure
- On your View Security Server host, right-click My Computer and select Properties
- On the Advanced tab, click Environment Variables
- In the System variables group, select Path and click Edit
- Type the path to the JRE directory in the Variable Value text box. Use a semicolon (;) to separate each entry from other entries in the text box. Example: “;c:\Program Files\VMware\VMware View\Server\jre\bin”
- Click OK until the Windows System Properties dialog box closes
Export existing certificate from IIS
We already own a GoDaddy wildcard SSL certificate (*.example.com) that is installed on a Windows 2008 server running IIS. We want to export this certificate from IIS and install it on the VMware View Security Server.
IIS exports certificates in the .pfx format, which is a PKCS#12 file format. The PKCS#12 format includes both the server certificate and the private key, but not the intermediate certificates.
Procedure
- On your IIS server, click Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager to open the Internet Information Services (IIS) Manager
- To view the list of sites hosted by the server, expand the local computer entry and click Web Sites
- Right-click the Web site entry that contains the certificate you want to export and select Properties (e.g. *.example.com)
- On the Directory Security tab, click Server Certificate
- When the Web Server Certificate wizard appears, click Next
- Select “Export the current certificate to a .pfx file” and click Next
- Specify a filename for the certificate file and click Next (e.g. desktops.example.com.pfx)
- Type and confirm a password to be used to encrypt the .pfx file (e.g. P@ssw0rd) and click Next. The system displays summary information about the certificate you are about to export.
- Verify the summary information and click Next > Finish.
- Copy this desktops.example.com.pfx certificate from your IIS server to your VMware View Security Server, placing it in this folder: “c:\Program Files\VMware\VMware View\Server\sslgateway\conf”
Import an Intermediate Certificate into a Keystore File
GoDaddy wildcard certificates are signed by an intermediate GoDaddy CA rather than by a GoDaddy root CA. Before doing anything with our “desktops.example.com.pfx” certificate, we must first add the intermediate certificate to a keystore file. This process will also create our Tomcat keystore file for us.
Prerequisites
Visit https://certs.godaddy.com/anonymous/repository.seam to find a list of GoDaddy intermediate certificates. In our case we want “Go Daddy Certificate Bundles (for cPanel, Plesk, Apache 1.x and 2.x installation only)”, which is the file “gd_bundle.crt.”
Procedure
- Download “gd_bundle.crt” from https://certs.godaddy.com/anonymous/repository.seam
- Save “gd_bundle.crt” to “c:\Program Files\VMware\VMware View\Server\sslgateway\conf”
- Import “gd_bundle.crt” into the keystore file, and create the keystore “keystore.jks” while you are at it by using this command
- CMD > keytool -importcert -keystore keystore.jks -trustcacerts -alias intermediateCA -file gd_bundle.crt
- When prompted to create a password for your keystore.jks, do so (e.g. P@ssw0rd)
Import your Wildcard Server Certificate into the Keystore File
Once you have the intermediate GoDaddy certificate in place, it’s time to import the “desktops.example.com.pfx” server certificate you exported from your IIS server. Your .pfx export contains both the server certificate and the private key.
Procedure
- Add the IIS server certificate and private key from the PKCS#12 file to the JKS keystore you just created by using this command
- CMD > keytool -importkeystore -destkeystore keystore.jks -deststorepass P@ssw0rd -srckeystore desktops.example.com.pfx -srcstoretype PKCS12 -srcstorepass P@ssw0rd
Configure the View Security Server to Use the Wildcard Microsoft IIS SSL server certificate
To configure a View Security Server to use the SSL certificate, we must create a “locked.properties” file on the View Security Server and provide it some values.
Prerequisites
If you have been following along, your “c:\Program Files\VMware\VMware View\Server\sslgateway\conf” folder on your VMware View Security Server should have these newly added files:
- desktops.example.com.pfx (the wildcard SSL certificate you exported from your IIS server)
- gd_bundle.crt (the GoDaddy intermediate certificate you downloaded from https://certs.godaddy.com/anonymous/repository.seam)
- keystore.jks (the Apache Tomcat keystore you created by importing both intermediate and server certificates)
Procedure
- Create a “locked.properties” file by right clicking in “c:\Program Files\VMware\VMware View\Server\sslgateway\conf” > New > Text Document
- Rename your .txt file to “locked.properties”, making sure to remove the .txt extension
- Open “locked.properties” in a text editor and give it the following properties
keyfile=keystore.jks
keypass=P@ssw0rd
storetype=jks
- Save and close “locked.properties”
- Restart the View Security Server service to make your changes take effect
Test to see if everything is installed correctly
GoDaddy offers a “SSL Installation Tool” that will remotely check to see if a publicly facing web server has its certificates properly installed.
Procedure
- Visit https://certs.godaddy.com/ccp/tools/sslinstallvalidator.seam
- Log in with your GoDaddy credentials
- Tools > SSL Installation Tool
- Enter your URL and click Validate Install
- If all went well, you’ll see “Results: No issues found.”
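Two local checks that go with the keystore imports and with the GoDaddy validation step above, as an added example that is not from the VMware manual or the original post. First it lists keystore.jks with keytool and confirms that both a trustedCertEntry (the gd_bundle.crt intermediate) and a PrivateKeyEntry (the server certificate and key from the .pfx) are present, which is the state the two imports are meant to produce. Then it opens a TLS connection to the Security Server and prints the certificate chain the client builds for it along with the validation verdict, which is roughly what the GoDaddy tool checks from outside. The path, password and host name are the ones used in the walkthrough; keytool is assumed to be on the Path as set up earlier.

```powershell
# Added example (not from the original post): verify the Tomcat keystore and the live TLS endpoint.
$confDir   = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf'
$storePass = 'P@ssw0rd'
$hostName  = 'desktops.example.com'

# 1. What does keytool see in keystore.jks? Both entry types must be present.
$listing    = & keytool -list -v -keystore (Join-Path $confDir 'keystore.jks') -storepass $storePass 2>&1 | Out-String
$hasTrusted = $listing -match 'Entry type:\s*trustedCertEntry'
$hasKey     = $listing -match 'Entry type:\s*PrivateKeyEntry'
"intermediate (trustedCertEntry) present : $hasTrusted"
"server key   (PrivateKeyEntry)  present : $hasKey"
if (-not ($hasTrusted -and $hasKey)) {
    Write-Warning 'keystore.jks is missing the intermediate or the server key; re-run the two keytool imports.'
}

# 2. What does the Security Server present on 443, and does the chain validate on this client?
$script:chainSeen    = @()
$script:policyResult = $null
$client = New-Object System.Net.Sockets.TcpClient($hostName, 443)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, {
    param($sender, $cert, $chain, $policyErrors)
    # Capture the chain and the verdict; return $true only so the handshake completes for inspection.
    $script:chainSeen    = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $script:policyResult = $policyErrors
    $true
})
try {
    $ssl.AuthenticateAsClient($hostName)
} finally {
    $ssl.Dispose()
    $client.Close()
}

"policy errors : $script:policyResult"   # 'None' means the chain validated on this client
foreach ($c in $script:chainSeen) {
    "  {0}`n      issued by {1}  (expires {2:yyyy-MM-dd})" -f $c.Subject, $c.Issuer, $c.NotAfter
}
```

One caveat on the second check: Windows builds the chain from whatever the server sends plus its own certificate cache and AIA downloads, so a clean result from a domain-joined workstation that already trusts the GoDaddy intermediate does not prove the Security Server is sending it. A client that has never seen the intermediate, or the GoDaddy tool run from outside, is the stricter test, and a missing intermediate is exactly what breaks the mobile View clients mentioned at the top of this post.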
External Resources
At VMware’s VMworld 2011 conference in August, VMware announced the forthcoming release of VMware View 5. At the same time, thin client vendor Wyse made this announcement, saying that their thin client devices will have “Day One” support for VMware View 5 upon release:
Wyse Announces Day One Support for VMware View 5 at VMworld 2011
SAN JOSE, Calif. – 08/30/2011 – Today at VMworld® 2011, Wyse Technology, the global leader in cloud client computing, announced support for VMware View™ 5 upon release. … Day One support for VMware View 5 validates the close technology partnership between the two companies.
Wyse hardware and software that support VMware View 5 include:
- Wyse P20 zero client (hardware PCoIP)
- Wyse Microsoft Windows Embedded thin client family
- Wyse-enhanced SUSE Linux thin client family
- Wyse ThinOS thin client family
- Wyse PocketCloud for iPhone, iPad, iPod Touch & Android smartphones and tablet devices
My beef is that VMware View 5 was released two weeks after the conference (VMware Announces General Availability of View 5 – View 5 in the House!) and yet, Wyse still has not provided a VMware View 5 client for their C50LE thin clients, which run the SUSE Linux OS that was specifically mentioned in their “Day One” press release.
When I called Wyse tech support, they explained that my confusion is that while VMware View 5 is available, the Linux-based thin client is not yet available. Once VMware provides Wyse a View 5 client for Linux, Wyse will make it available for its C50LE thin clients.
Fine. I think it was sleazy for Wyse to include the “Wyse-enhanced SUSE Linux thin client family” devices in their press release when they knew a VMware View 5 client wouldn’t be ready on “Day One,” but they are sticking to their position.
I am an Indianapolis-based systems engineer who specializes in server, application, and desktop virtualization solutions from VMware, Citrix, and Microsoft. I previously held several web development roles before becoming interested in enterprise infrastructure. I have visited more than 50 countries, enjoy volleyball and wine (not at the same time), and can often be found in front of my Xbox.
