VMware Horizon View - 7.0 Administrator’s Guide

Page 1

View Administration

VMware Horizon 7

Version 7.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-002001-00

Page 2

View Administration

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

VMware, Inc.

3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

2 VMware, Inc.

Page 3

View Administration 7

Using View Administrator 9

View Administrator and View Connection Server 9

Tips for Using the View Administrator Interface 10

Troubleshooting the Text Display in View Administrator 12

Configuring View Connection Server 13

Configuring vCenter Server and View Composer 13

Backing Up View Connection Server 25

Configuring Settings for Client Sessions 25

Disable or Enable View Connection Server 36

Edit the External URLs 37

Join or Withdraw from the Customer Experience Program 38

View LDAP Directory 38

Setting Up Smart Card Authentication 41

Logging In with a Smart Card 42

Configure Smart Card Authentication on View Connection Server 42

Configure Smart Card Authentication on Third-Party Solutions 47

Prepare Active Directory for Smart Card Authentication 47

Verify Your Smart Card Authentication Configuration 50

Using Smart Card Certificate Revocation Checking 51

VMware, Inc.

Setting Up Other Types of User Authentication 55

Using Two-Factor Authentication 55

Using SAML Authentication 59

Configure Biometric Authentication 63

Authenticating Users Without Requiring Credentials 65

Using the Log In as Current User Feature Available with Windows-Based Horizon Client 65

Allow Mobile Client Users to Save Credentials 66

Setting Up True SSO 67

Configuring Role-Based Delegated Administration 89

Understanding Roles and Privileges 89

Using Access Groups to Delegate Administration of Pools and Farms 90

Understanding Permissions 91

Manage Administrators 92

Manage and Review Permissions 93

Page 4

View Administration

Manage and Review Access Groups 95

Manage Custom Roles 97

Predefined Roles and Privileges 99

Required Privileges for Common Tasks 103

Best Practices for Administrator Users and Groups 105

Configuring Policies in View Administrator and Active Directory 107

Setting Policies in View Administrator 107

Using View Group Policy Administrative Template Files 109

Maintaining View Components 115

Backing Up and Restoring View Configuration Data 115

Monitor View Components 123

Monitor Machine Status 123

Understanding View Services 124

Change the Product License Key 126

Monitoring Product License Usage 126

Update General User Information from Active Directory 127

Migrate View Composer to Another Machine 128

Update the Certificates on a View Connection Server Instance, Security Server, or View Composer 133

Information Collected by the Customer Experience Improvement Program 134

Managing View Composer Linked-Clone Desktop Virtual Machines 151

Reduce Linked-Clone Size with Machine Refresh 151

Update Linked-Clone Desktops 153

Rebalance Linked-Clone Virtual Machines 157

Manage View Composer Persistent Disks 160

Managing Desktop Pools, Machines, and Sessions 165

Change the Image of an Instant-Clone Desktop Pool 165

Managing Desktop Pools 166

Managing Virtual Machine-Based Desktops 174

Managing Unmanaged Machines 179

Manage Remote Desktop and Application Sessions 182

Export View Information to External Files 183

Managing Application Pools, Farms, and RDS Hosts 185

Managing Application Pools 185

Managing Farms 186

Managing RDS Hosts 189

Configuring Load Balancing for RDS Hosts 193

Configure an Anti-Affinity Rule for an Application Pool 199

Managing ThinApp Applications in View Administrator 201

View Requirements for ThinApp Applications 201

Capturing and Storing Application Packages 202

Assigning ThinApp Applications to Machines and Desktop Pools 205

Maintaining ThinApp Applications in View Administrator 211

4 VMware, Inc.

Page 5

Monitoring and Troubleshooting ThinApp Applications in View Administrator 214

ThinApp Configuration Example 217

Contents

Setting Up Clients in Kiosk Mode 219

Configure Clients in Kiosk Mode 219

Troubleshooting View 229

Monitoring System Health 229

Monitor Events in View 230

Collecting Diagnostic Information for View 231

Update Support Requests 235

Troubleshooting an Unsuccessful Security Server Pairing with View Connection Server 235

Troubleshooting View Server Certificate Revocation Checking 236

Troubleshooting Smart Card Certificate Revocation Checking 237

Further Troubleshooting Information 237

Using the vdmadmin Command 239

vdmadmin Command Usage 241

Configuring Logging in Horizon Agent Using the -A Option 243

Overriding IP Addresses Using the -A Option 244

Setting the Name of a View Connection Server Group Using the -C Option 245

Updating Foreign Security Principals Using the -F Option 246

Listing and Displaying Health Monitors Using the -H Option 247

Listing and Displaying Reports of View Operation Using the -I Option 248

Generating View Event Log Messages in Syslog Format Using the -I Option 249

Assigning Dedicated Machines Using the -L Option 250

Displaying Information About Machines Using the -M Option 251

Reclaiming Disk Space on Virtual Machines Using the -M Option 252

Configuring Domain Filters Using the -N Option 253

Configuring Domain Filters 255

Displaying the Machines and Policies of Unentitled Users Using the -O and -P Options 259

Configuring Clients in Kiosk Mode Using the -Q Option 260

Displaying the First User of a Machine Using the -R Option 264

Removing the Entry for a View Connection Server Instance or Security Server Using the -S Option 264

Providing Secondary Credentials for Administrators Using the -T Option 265

Displaying Information About Users Using the -U Option 267

Unlocking or Locking Virtual Machines Using the -V Option 267

Detecting and Resolving LDAP Entry Collisions Using the -X Option 268

Index 271

VMware, Inc. 5

Page 6

View Administration

6 VMware, Inc.

Page 7

View Administration

View Administration describes how to configure and administer VMware Horizon® 7, including how to configure View Connection Server, create administrators, set up user authentication, configure policies, and manage VMware ThinApp® applications in View Administrator. This document also describes how to maintain and troubleshoot View components.

Intended Audience

This information is intended for anyone who wants to configure and administer VMware Horizon 7. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.

VMware, Inc.

Page 8

View Administration

8 VMware, Inc.

Page 9

Using View Administrator 1

View Administrator is the Web interface through which you configure View Connection Server and manage your remote desktops and applications.

For a comparison of the operations that you can perform with View Administrator, View cmdlets, and

vdmadmin, see the View Integration document.

NOTE In Horizon 7, View Administrator is named Horizon Administrator. This document refers to Horizon Administrator as View Administrator.

This chapter includes the following topics:

“View Administrator and View Connection Server,” on page 9

“Log In to View Administrator,” on page 10

“Tips for Using the View Administrator Interface,” on page 10

“Troubleshooting the Text Display in View Administrator,” on page 12

View Administrator and View Connection Server

View Administrator provides a management interface for View.

VMware, Inc.

Depending on your View deployment, you use one or more View Administrator interfaces.

Use one View Administrator interface to manage the View components that are associated with a

single, standalone View Connection Server instance or a group of replicated View Connection Server instances.

You can use the host name or IP address of any replicated instance to log in to View Administrator.

You must use a separate View Administrator interface to manage the View components for each single,

standalone View Connection Server instance and each group of replicated View Connection Server instances.

You also use View Administrator to manage security servers associated with View Connection Server. Each security server is associated with one View Connection Server instance.

NOTE If you use Access Point appliances rather than security servers, you must use the Access Point REST API to manage the Access Point appliances. For more information, see Deploying and Configuring Access Point.

Page 10

View Administration

Log In to View Administrator

To perform initial configuration tasks, you must log in to View Administrator. You access View Administrator by using a secure (SSL) connection.

Prerequisites

Verify that View Connection Server is installed on a dedicated computer.

Verify that you are using a Web browser supported by View Administrator. For View Administrator

requirements, see the View Installation document.

Procedure

1 Open your Web browser and enter the following URL, where server is the host name of the View

Connection Server instance.

https://server/admin

NOTE You can use the IP address if you have to access a View Connection Server instance when the host name is not resolvable. However, the host that you contact will not match the SSL certificate that is configured for the View Connection Server instance, resulting in blocked access or access with reduced security.

Your access to View Administrator depends on the type of certificate that is configured on the View Connection Server computer.

If you open your Web browser on the View Connection Server host, use https://127.0.0.1 to connect, not https://localhost. This method improves security by avoiding potential DNS attacks on the

localhost resolution.

Option Description

You configured a certificate signed by a CA for View Connection Server.

The default, self-signed certificate supplied with View Connection Server is configured.

When you first connect, your Web browser displays View Administrator.

When you first connect, your Web browser might display a page warning that the security certificate associated with the address is not issued by a trusted certificate authority.

Click Ignore to continue using the current SSL certificate.

2 Log in as a user with credentials to access the View Administrators account.

You specify the View Administrators account when you install a standalone View Connection Server instance or the first View Connection Server instance in a replicated group. The View Administrators account can be the local Administrators group (BUILTIN\Administrators) on the View Connection Server computer or a domain user or group account.

After you log in to View Administrator, you can use View Configuration > Administrators to change the list of users and groups that have the View Administrators role.

Tips for Using the View Administrator Interface

You can use View Administrator user-interface features to navigate View Pages and to find, filter, and sort View objects.

View Administrator includes many common user interface features. For example, the navigation pane on the left side of each page directs you to other View Administrator pages. The search filters let you select filtering criteria that are related to the objects you are searching for.

10 VMware, Inc.

Page 11

Chapter 1 Using View Administrator

Table 1-1 describes a few additional features that can help you to use View Administrator.

Table 1‑1. View Administrator Navigation and Display Features

View Administrator Feature Description

Navigating backward and forward in View Administrator pages

Bookmarking View Administrator pages

Multicolumn sorting You can sort View objects in a variety of ways by using multicolumn sorting.

Customizing table columns You can customize the display of View Administrator table columns by hiding

Click your browser's Back button to go to the previously displayed View Administrator page. Click the Forward button to return to the current page.

If you click the browser's Back button while you are using a View Administrator wizard or dialog box, you return to the main View Administrator page. The information you entered in the wizard or dialog is lost.

In View versions that preceded the View 5.1 release, you could not use your browser's Back and Forward buttons to navigate within View Administrator. Separate Back and Forward buttons in the View Administrator window were provided for navigation. These buttons are removed in the View 5.1 release.

You can bookmark View Administrator pages in your browser.

Click a heading in the top row of a View Administrator table to sort the View objects in alphabetical order based on that heading.

For example, in the Resources > Machines page, you can click Desktop Pool to sort desktops by the pools that contain them.

The number 1 appears next to the heading to indicate that it is the primary sorting column. You can click the heading again to reverse the sorting order, indicated by an up or down arrow.

To sort the View objects by a secondary item, Ctrl+click another heading.

For example, in the Machines table, you can click Users to perform a secondary sort by users to whom the desktops are dedicated. A number 2 appears next to the secondary heading. In this example, desktops are sorted by pool and by users within each pool.

You can continue to Ctrl+click to sort all the columns in a table in descending order of importance.

Press Ctrl+Shift and click to deselect a sort item.

For example, you might want to display the desktops in a pool that are in a particular state and are stored on a particular datastore. You can select Resources > Machines, click the Datastore heading, and Ctrl+click the Status heading.

selected columns and locking the first column. This feature lets you control the display of large tables such as Catalog > Desktop Pools that contain many columns.

Right-click any column header to display a context menu that lets you take the following actions:

Hide the selected column.

Customize columns. A dialog displays all columns in the table. You can

select the columns to display or hide.

Lock the first column. This option forces the left-hand column to remain

displayed as you scroll horizontally across a table with many columns. For example, on the Catalog > Desktop Pools page, the desktop ID remains displayed as you scroll horizontally to see other desktop characteristics.

VMware, Inc. 11

Page 12

View Administration

Table 1‑1. View Administrator Navigation and Display Features (Continued)

View Administrator Feature Description

Selecting View objects and displaying View object details

Expanding dialog boxes to view details You can expand View Administrator dialog boxes to view details such as

Displaying context menus for View objects

In View Administrator tables that list View objects, you can select an object or display object details.

To select an object, click anywhere in the object's row in the table. At the

top of the page, menus and commands that manage the object become active.

To display object details, double-click the left cell in the object's row. A

new page displays the object's details.

For example, on the Catalog > Desktop Pools page, click anywhere in an individual pool's row to activate commands that affect the pool.

Double-click the ID cell in the left column to display a new page that contains details about the pool.

desktop names and user names in table columns.

To expand a dialog box, place your mouse over the dots in the lower right corner of the dialog box and drag the corner.

You can right-click View objects in View Administrator tables to display context menus. A context menu gives you access to the commands that operate on the selected View object.

For example, in the Catalog > Desktop Pools page, you can right-click a desktop pool to display commands such as Add, Edit, Delete, Disable (or Enable) Provisioning, and so on.

Troubleshooting the Text Display in View Administrator

If your Web browser runs on a non-Windows operating system such as Linux, UNIX, or Mac OS, the text in View Administrator does not display properly.

Problem

The text in the View Administrator interface is garbled. For example, spaces occur in the middle of words.

Cause

View Administrator requires Microsoft-specific fonts.

Solution

Install Microsoft-specific fonts on your computer.

Currently, the Microsoft Web site does not distribute Microsoft fonts, but you can download them from independent Web sites.

12 VMware, Inc.

Page 13

Configuring View Connection Server 2

After you install and perform initial configuration of View Connection Server, you can add vCenter Server instances and View Composer services to your View deployment, set up roles to delegate administrator responsibilities, and schedule backups of your configuration data.

This chapter includes the following topics:

“Configuring vCenter Server and View Composer,” on page 13

“Backing Up View Connection Server,” on page 25

“Configuring Settings for Client Sessions,” on page 25

“Disable or Enable View Connection Server,” on page 36

“Edit the External URLs,” on page 37

“Join or Withdraw from the Customer Experience Program,” on page 38

“View LDAP Directory,” on page 38

Configuring vCenter Server and View Composer

To use virtual machines as remote desktops, you must configure View to communicate with vCenter Server. To create and manage linked-clone desktop pools, you must configure View Composer settings in View Administrator.

You can also configure storage settings for View. You can allow ESXi hosts to reclaim disk space on linkedclone virtual machines. To allow ESXi hosts to cache virtual machine data, you must enable View Storage Accelerator for vCenter Server.

Create a User Account for View Composer AD Operations

If you use View Composer, you must create a user account in Active Directory that allows View Composer to perform certain operations in Active Directory. View Composer requires this account to join linked-clone virtual machines to your Active Directory domain.

To ensure security, you should create a separate user account to use with View Composer. By creating a separate account, you can guarantee that it does not have additional privileges that are defined for another purpose. You can give the account the minimum privileges that it needs to create and remove computer objects in a specified Active Directory container. For example, the View Composer account does not require domain administrator privileges.

Procedure

1 In Active Directory, create a user account in the same domain as your View Connection Server host or

in a trusted domain.

VMware, Inc.

Page 14

View Administration

2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to

the account in the Active Directory container in which the linked-clone computer accounts are created or to which the linked-clone computer accounts are moved.

The following list shows all the required permissions for the user account, including permissions that are assigned by default:

List Contents

Read All Properties

Write All Properties

Read Permissions

Reset Password

Create Computer Objects

Delete Computer Objects

NOTE Fewer permissions are required if you select the Allow reuse of pre-existing computer accounts setting for a desktop pool. Make sure that the following permissions are assigned to the user account:

List Contents

Read All Properties

Read Permissions

Reset Password

3 Make sure that the user account's permissions apply to the Active Directory container and to all child

objects of the container.

What to do next

Specify the account in View Administrator when you configure View Composer domains in the Add vCenter Server wizard and when you configure and deploy linked-clone desktop pools.

Add vCenter Server Instances to View

You must configure View to connect to the vCenter Server instances in your View deployment. vCenter Server creates and manages the virtual machines that View uses in desktop pools.

If you run vCenter Server instances in a Linked Mode group, you must add each vCenter Server instance to View separately.

View connects to the vCenter Server instance using a secure channel (SSL).

Prerequisites

Install the View Connection Server product license key.

Prepare a vCenter Server user with permission to perform the operations in vCenter Server that are

necessary to support View. To use View Composer, you must give the user additional privileges.

For details about configuring a vCenter Server user for View, see the View Installation document.

Verify that a TLS/SSL server certificate is installed on the vCenter Server host. In a production

environment, install a valid certificate that is signed by a trusted Certificate Authority (CA).

In a testing environment, you can use the default certificate that is installed with vCenter Server, but you must accept the certificate thumbprint when you add vCenter Server to View.

14 VMware, Inc.

Page 15

Chapter 2 Configuring View Connection Server

Verify that all View Connection Server instances in the replicated group trust the root CA certificate for

the server certificate that is installed on the vCenter Server host. Check if the root CA certificate is in the Trusted Root Certification Authorities > Certificates folder in the Windows local computer certificate stores on the View Connection Server hosts. If it is not, import the root CA certificate into the Windows local computer certificate stores.

See "Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store," in the View Installation document.

Verify that the vCenter Server instance contains ESXi hosts. If no hosts are configured in the vCenter

Server instance, you cannot add the instance to View.

If you upgrade to vSphere 5.5 or a later release, verify that the domain administrator account that you

use as the vCenter Server user was explicitly assigned permissions to log in to vCenter Server by a vCenter Server local user.

If you plan to use View in FIPS mode, verify that you have vCenter Server 6.0 or later and ESXi 6.0 or

later hosts.

For more information, see "Installing View in FIPS Mode," in the View Installation document.

Familiarize yourself with the settings that determine the maximum operations limits for vCenter Server

and View Composer. See “Concurrent Operations Limits for vCenter Server and View Composer,” on page 20 and “Setting a Concurrent Power Operations Rate to Support Remote Desktop Logon

Storms,” on page 21.

Procedure

1 In View Administrator, select View Configuration > Servers.

2 On the vCenter Servers tab, click Add.

3 In the vCenter Server Settings Server address text box, type the fully qualified domain name (FQDN) of

the vCenter Server instance.

The FQDN includes the host name and domain name. For example, in the FQDN

myserverhost.companydomain.com, myserverhost is the host name and companydomain.com is the domain.

NOTE If you enter a server by using a DNS name or URL, View does not perform a DNS lookup to verify whether an administrator previously added this server to View by using its IP address. A conflict arises if you add a vCenter Server with both its DNS name and its IP address.

4 Type the name of the vCenter Server user.

For example: domain\user or user@domain.com

5 Type the vCenter Server user password.

6 (Optional) Type a description for this vCenter Server instance.

7 Type the TCP port number.

The default port is 443.

8 Under Advanced Settings, set the concurrent operations limits for vCenter Server and View Composer

operations.

9 Click Next to display the View Composer Settings page.

What to do next

Configure View Composer settings.

If the vCenter Server instance is configured with a signed SSL certificate, and View Connection Server

trusts the root certificate, the Add vCenter Server wizard displays the View Composer Settings page.

VMware, Inc. 15

Page 16

View Administration

If the vCenter Server instance is configured with a default certificate, you must first determine whether

to accept the thumbprint of the existing certificate. See “Accept the Thumbprint of a Default SSL

Certificate,” on page 22.

If View uses multiple vCenter Server instances, repeat this procedure to add the other vCenter Server instances.

Configure View Composer Settings

To use View Composer, you must configure settings that allow View to connect to the VMware Horizon View Composer service. View Composer can be installed on its own separate host or on the same host as vCenter Server.

There must be a one-to-one mapping between each VMware Horizon View Composer service and vCenter Server instance. A View Composer service can operate with only one vCenter Server instance. A vCenter Server instance can be associated with only one VMware Horizon View Composer service.

After the initial View deployment, you can migrate the VMware Horizon View Composer service to a new host to support a growing or changing View deployment. You can edit the initial View Composer settings in View Administrator, but you must perform additional steps to ensure that the migration succeeds. See

“Migrate View Composer to Another Machine,” on page 128.

Prerequisites

Verify that you created a user in Active Directory with permission to add and remove virtual machines

from the Active Directory domain that contains your linked clones. See “Create a User Account for

View Composer AD Operations,” on page 13.

Verify that you configured View to connect to vCenter Server. To do so, you must complete the vCenter

Server Information page in the Add vCenter Server wizard. See “Add vCenter Server Instances to

View,” on page 14.

Verify that this VMware Horizon View Composer service is not already configured to connect to a

different vCenter Server instance.

Procedure

1 In View Administrator, complete the vCenter Server Information page in the Add vCenter Server

wizard.

a Select View Configuration > Servers.

b On the vCenter Servers tab, click Add and provide the vCenter Server settings.

2 On the View Composer Settings page, if you are not using View Composer, select Do not use View

Composer.

If you select Do not use View Composer, the other View Composer settings become inactive. When you click Next, the Add vCenter Server wizard displays the Storage Settings page. The View Composer Domains page is not displayed.

16 VMware, Inc.

Page 17

Chapter 2 Configuring View Connection Server

3 If you are using View Composer, select the location of the View Composer host.

Option Description

View Composer is installed on the same host as vCenter Server.

View Composer is installed on its own separate host.

a Select View Composer co-installed with the vCenter Server.

b Make sure that the port number is the same as the port that you

specified when you installed the VMware Horizon View Composer service on vCenter Server. The default port number is 18443.

a Select Standalone View Composer Server.

b In the View Composer server address text box, type the fully qualified

domain name (FQDN) of the View Composer host.

c Type the name of the View Composer user.

For example: domain.com\user or user@domain.com

d Type the password of the View Composer user.

e Make sure that the port number is the same as the port that you

specified when you installed the VMware Horizon View Composer service. The default port number is 18443.

4 Click Next to display the View Composer Domains page.

What to do next

Configure View Composer domains.

If the View Composer instance is configured with a signed SSL certificate, and View Connection Server

trusts the root certificate, the Add vCenter Server wizard displays the View Composer Domains page.

If the View Composer instance is configured with a default certificate, you must first determine

whether to accept the thumbprint of the existing certificate. See “Accept the Thumbprint of a Default

SSL Certificate,” on page 22.

Configure View Composer Domains

You must configure an Active Directory domain in which View Composer deploys linked-clone desktops. You can configure multiple domains for View Composer. After you first add vCenter Server and View Composer settings to View, you can add more View Composer domains by editing the vCenter Server instance in View Administrator.

Prerequisites

Your Active Directory administrator must create a View Composer user for AD operations. This

domain user must have permission to add and remove virtual machines from the Active Directory domain that contains your linked clones. For information about the required permissions for this user, see “Create a User Account for View Composer AD Operations,” on page 13.

In View Administrator, verify that you completed the vCenter Server Information and View Composer

Settings pages in the Add vCenter Server wizard.

Procedure

1 On the View Composer Domains page, click Add to add the View Composer user for AD operations

account information.

2 Type the domain name of the Active Directory domain.

For example: domain.com

3 Type the domain user name, including the domain name, of the View Composer user.

For example: domain.com\admin

4 Type the account password.

VMware, Inc. 17

Page 18

View Administration

5 Click OK.

6 To add domain user accounts with privileges in other Active Directory domains in which you deploy

linked-clone pools, repeat the preceding steps.

7 Click Next to display the Storage Settings page.

What to do next

Enable virtual machine disk space reclamation and configure View Storage Accelerator for View.

Allow vSphere to Reclaim Disk Space in Linked-Clone Virtual Machines

In vSphere 5.1 and later, you can enable the disk space reclamation feature for View. Starting in vSphere 5.1, View creates linked-clone virtual machines in an efficient disk format that allows ESXi hosts to reclaim unused disk space in the linked clones, reducing the total storage space required for linked clones.

As users interact with linked-clone desktops, the clones' OS disks grow and can eventually use almost as much disk space as full-clone desktops. Disk space reclamation reduces the size of the OS disks without requiring you to refresh or recompose the linked clones. Space can be reclaimed while the virtual machines are powered on and users are interacting with their remote desktops.

Disk space reclamation is especially useful for deployments that cannot take advantage of storage-saving strategies such as refresh on logoff. For example, knowledge workers who install user applications on dedicated remote desktops might lose their personal applications if the remote desktops were refreshed or recomposed. With disk space reclamation, View can maintain linked clones at close to the reduced size they start out with when they are first provisioned.

This feature has two components: space-efficient disk format and space reclamation operations.

In a vSphere 5.1 or later environment, when a parent virtual machine is virtual hardware version 9 or later, View creates linked clones with space-efficient OS disks, whether or not space reclamation operations are enabled.

To enable space reclamation operations, you must use View Administrator to enable space reclamation for vCenter Server and reclaim VM disk space for individual desktop pools. The space reclamation setting for vCenter Server gives you the option to disable this feature on all desktop pools that are managed by the vCenter Server instance. Disabling the feature for vCenter Server overrides the setting at the desktop pool level.

The following guidelines apply to the space reclamation feature:

It operates only on space-efficient OS disks in linked clones.

It does not affect View Composer persistent disks.

It works only with vSphere 5.1 or later and only on virtual machines that are virtual hardware version 9

or later.

It does not operate on full-clone desktops.

It operates on virtual machines with SCSI controllers. IDE controllers are not supported.

Native NFS snapshot technology (VAAI) is not supported in pools that contain virtual machines with spaceefficient disks.

Prerequisites

Verify that your vCenter Server and ESXi hosts, including all ESXi hosts in a cluster, are version 5.1

with ESXi 5.1 download patch ESXi510-201212001 or later.

18 VMware, Inc.

Page 19

Chapter 2 Configuring View Connection Server

Procedure

1 In View Administrator, complete the Add vCenter Server wizard pages that precede the Storage

Settings page.

a Select View Configuration > Servers.

b On the vCenter Servers tab, click Add.

c Complete the vCenter Server Information, View Composer Settings, and View Composer Domains

pages.

2 On the Storage Settings page, make sure that Enable space reclamation is selected.

Space reclamation is selected by default if you are performing a fresh installation of View 5.2 or later. You must select Enable space reclamation if you are upgrading to View 5.2 or later from View 5.1 or an earlier release.

What to do next

On the Storage Settings page, configure View Storage Accelerator.

To finish configuring disk space reclamation in View, set up space reclamation for desktop pools.

Configure View Storage Accelerator for vCenter Server

In vSphere 5.0 and later, you can configure ESXi hosts to cache virtual machine disk data. This feature, called View Storage Accelerator, uses the Content Based Read Cache (CBRC) feature in ESXi hosts. View Storage Accelerator improves View performance during I/O storms, which can take place when many virtual machines start up or run anti-virus scans at once. The feature is also beneficial when administrators or users load applications or data frequently. Instead of reading the entire OS or application from the storage system over and over, a host can read common data blocks from cache.

By reducing the number of IOPS during boot storms, View Storage Accelerator lowers the demand on the storage array, which lets you use less storage I/O bandwidth to support your View deployment.

You enable caching on your ESXi hosts by selecting the View Storage Accelerator setting in the vCenter Server wizard in View Administrator, as described in this procedure.

Make sure that View Storage Accelerator is also configured for individual desktop pools. To operate on a desktop pool, View Storage Accelerator must be enabled for vCenter Server and for the individual desktop pool.

View Storage Accelerator is enabled for desktop pools by default. The feature can be disabled or enabled when you create or edit a pool. The best approach is to enable this feature when you first create a desktop pool. If you enable the feature by editing an existing pool, you must ensure that a new replica and its digest disks are created before linked clones are provisioned. You can create a new replica by recomposing the pool to a new snapshot or rebalancing the pool to a new datastore. Digest files can only be configured for the virtual machines in a desktop pool when they are powered off.

You can enable View Storage Accelerator on desktop pools that contain linked clones and pools that contain full virtual machines.

View Storage Accelerator is now qualified to work in configurations that use View replica tiering, in which replicas are stored on a separate datastore than linked clones. Although the performance benefits of using View Storage Accelerator with View replica tiering are not materially significant, certain capacity-related benefits might be realized by storing the replicas on a separate datastore. Hence, this combination is tested and supported.

IMPORTANT If you plan to use this feature and you are using multiple View pods that share some ESXi hosts, you must enable the View Storage Accelerator feature for all pools that are on the shared ESXi hosts. Having inconsistent settings in multiple pods can cause instability of the virtual machines on the shared ESXi hosts.

VMware, Inc. 19

Page 20

View Administration

Prerequisites

Procedure

1 In View Administrator, complete the Add vCenter Server wizard pages that precede the Storage

2 On the Storage Settings page, make sure that the Enable View Storage Accelerator check box is

Verify that your vCenter Server and ESXi hosts are version 5.0 or later.

In an ESXi cluster, verify that all the hosts are version 5.0 or later.

Verify that the vCenter Server user was assigned the Host > Configuration > Advanced settings privilege in vCenter Server.

See the topics in the View Installation document that describe View and View Composer privileges required for the vCenter Server user.

Settings page.

a Select View Configuration > Servers.

b On the vCenter Servers tab, click Add.

c Complete the vCenter Server Information, View Composer Settings, and View Composer Domains

pages.

selected.

This check box is selected by default.

3 Specify a default host cache size.

The default cache size applies to all ESXi hosts that are managed by this vCenter Server instance.

The default value is 1,024MB. The cache size must be between 100MB and 2,048MB.

4 To specify a different cache size for an individual ESXi host, select an ESXi host and click Edit cache

size.

a In the Host cache dialog box, check Override default host cache size.

b Type a Host cache size value between 100MB and 2,048MB and click OK.

5 On the Storage Settings page, click Next.

6 Click Finish to add vCenter Server, View Composer, and Storage Settings to View.

What to do next

Configure settings for client sessions and connections. See “Configuring Settings for Client Sessions,” on page 25.

To complete View Storage Accelerator settings in View, configure View Storage Accelerator for desktop pools. See "Configure View Storage Accelerator for Desktop Pools" in the Setting Up Desktop and Application Pools in View document.

Concurrent Operations Limits for vCenter Server and View Composer

When you add vCenter Server to View or edit the vCenter Server settings, you can configure several options that set the maximum number of concurrent operations that are performed by vCenter Server and View Composer.

You configure these options in the Advanced Settings panel on the vCenter Server Information page.

20 VMware, Inc.

Page 21

Chapter 2 Configuring View Connection Server

Table 2‑1. Concurrent Operations Limits for vCenter Server and View Composer

Setting Description

Max concurrent vCenter provisioning operations

Max concurrent power operations

Max concurrent View Composer maintenance operations

Max concurrent View Composer provisioning operations

Determines the maximum number of concurrent requests that View Connection Server can make to provision and delete full virtual machines in this vCenter Server instance.

The default value is 20.

This setting applies to full virtual machines only.

Determines the maximum number of concurrent power operations (startup, shutdown, suspend, and so on) that can take place on virtual machines managed by View Connection Server in this vCenter Server instance.

The default value is 50.

For guidelines for calculating a value for this setting, see “Setting a Concurrent Power

Operations Rate to Support Remote Desktop Logon Storms,” on page 21.

This setting applies to full virtual machines and linked clones.

Determines the maximum number of concurrent View Composer refresh, recompose, and rebalance operations that can take place on linked clones managed by this View Composer instance.

The default value is 12.

Remote desktops that have active sessions must be logged off before a maintenance operation can begin. If you force users to log off as soon as a maintenance operation begins, the maximum number of concurrent operations on remote desktops that require logoffs is half the configured value. For example, if you configure this setting as 24 and force users to log off, the maximum number of concurrent operations on remote desktops that require logoffs is 12.

This setting applies to linked clones only.

Determines the maximum number of concurrent creation and deletion operations that can take place on linked clones managed by this View Composer instance.

The default value is 8.

This setting applies to linked clones only.

Setting a Concurrent Power Operations Rate to Support Remote Desktop Logon Storms

The Max concurrent power operations setting governs the maximum number of concurrent power operations that can occur on remote desktop virtual machines in a vCenter Server instance. This limit is set to 50 by default. You can change this value to support peak power-on rates when many users log on to their desktops at the same time.

As a best practice, you can conduct a pilot phase to determine the correct value for this setting. For planning guidelines, see "Architecture Design Elements and Planning Guidelines" in the View Architecture Planning document.

The required number of concurrent power operations is based on the peak rate at which desktops are powered on and the amount of time it takes for the desktop to power on, boot, and become available for connection. In general, the recommended power operations limit is the total time it takes for the desktop to start multiplied by the peak power-on rate.

For example, the average desktop takes two to three minutes to start. Therefore, the concurrent power operations limit should be 3 times the peak power-on rate. The default setting of 50 is expected to support a peak power-on rate of 16 desktops per minute.

The system waits a maximum of five minutes for a desktop to start. If the start time takes longer, other errors are likely to occur. To be conservative, you can set a concurrent power operations limit of 5 times the peak power-on rate. With a conservative approach, the default setting of 50 supports a peak power-on rate of 10 desktops per minute.

VMware, Inc. 21

Page 22

View Administration

Logons, and therefore desktop power on operations, typically occur in a normally distributed manner over a certain time window. You can approximate the peak power-on rate by assuming that it occurs in the middle of the time window, during which about 40% of the power-on operations occur in 1/6th of the time window. For example, if users log on between 8:00 AM and 9:00 AM, the time window is one hour, and 40% of the logons occur in the 10 minutes between 8:25 AM and 8:35 AM. If there are 2,000 users, 20% of whom have their desktops powered off, then 40% of the 400 desktop power-on operations occur in those 10 minutes. The peak power-on rate is 16 desktops per minute.

Accept the Thumbprint of a Default SSL Certificate

When you add vCenter Server and View Composer instances to View, you must ensure that the SSL certificates that are used for the vCenter Server and View Composer instances are valid and trusted by View Connection Server. If the default certificates that are installed with vCenter Server and View Composer are still in place, you must determine whether to accept these certificates' thumbprints.

If a vCenter Server or View Composer instance is configured with a certificate that is signed by a CA, and the root certificate is trusted by View Connection Server, you do not have to accept the certificate thumbprint. No action is required.

If you replace a default certificate with a certificate that is signed by a CA, but View Connection Server does not trust the root certificate, you must determine whether to accept the certificate thumbprint. A thumbprint is a cryptographic hash of a certificate. The thumbprint is used to quickly determine if a presented certificate is the same as another certificate, such as the certificate that was accepted previously.

NOTE If you install vCenter Server and View Composer on the same Windows Server host, they can use the same SSL certificate, but you must configure the certificate separately for each component.

For details about configuring SSL certificates, see "Configuring SSL Certificates for View Servers" in the View Installation document.

You first add vCenter Server and View Composer in View Administrator by using the Add vCenter Server wizard. If a certificate is untrusted and you do not accept the thumbprint, you cannot add vCenter Server and View Composer.

After these servers are added, you can reconfigure them in the Edit vCenter Server dialog box.

NOTE You also must accept a certificate thumbprint when you upgrade from an earlier release and a vCenter Server or View Composer certificate is untrusted, or if you replace a trusted certificate with an untrusted certificate.

On the View Administrator dashboard, the vCenter Server or View Composer icon turns red and an Invalid Certificate Detected dialog box appears. You must click Verify and follow the procedure shown here.

Similarly, in View Administrator you can configure a SAML authenticator for use by a View Connection Server instance. If the SAML server certificate is not trusted by View Connection Server, you must determine whether to accept the certificate thumbprint. If you do not accept the thumbprint, you cannot configure the SAML authenticator in View. After a SAML authenticator is configured, you can reconfigure it in the Edit View Connection Server dialog box.

Procedure

1 When View Administrator displays an Invalid Certificate Detected dialog box, click View Certificate.

2 Examine the certificate thumbprint in the Certificate Information window.

22 VMware, Inc.

Page 23

Chapter 2 Configuring View Connection Server

3 Examine the certificate thumbprint that was configured for the vCenter Server or View Composer

instance.

a On the vCenter Server or View Composer host, start the MMC snap-in and open the Windows

Certificate Store.

b Navigate to the vCenter Server or View Composer certificate.

c Click the Certificate Details tab to display the certificate thumbprint.

Similarly, examine the certificate thumbprint for a SAML authenticator. If appropriate, take the preceding steps on the SAML authenticator host.

4 Verify that the thumbprint in the Certificate Information window matches the thumbprint for the

vCenter Server or View Composer instance.

Similarly, verify that the thumbprints match for a SAML authenticator.

5 Determine whether to accept the certificate thumbprint.

Option Description

The thumbprints match.

The thumbprints do not match.

Click Accept to use the default certificate.

Click Reject.

Troubleshoot the mismatched certificates. For example, you might have provided an incorrect IP address for vCenter Server or View Composer.

Remove a vCenter Server Instance from View

You can remove the connection between View and a vCenter Server instance. When you do so, View no longer manages the virtual machines created in that vCenter Server instance.

Prerequisites

Delete all the virtual machines that are associated with the vCenter Server instance. See “Delete a Desktop

Pool,” on page 172.

Procedure

1 Click View Configuration > Servers.

2 On the vCenter Servers tab, select the vCenter Server instance.

3 Click Remove.

A dialog warns you that View will no longer have access to the virtual machines that are managed by this vCenter Server instance.

4 Click OK.

View can no longer access the virtual machines created in the vCenter Server instance.

Remove View Composer from View

You can remove the connection between View and the VMware Horizon View Composer service that is associated with a vCenter Server instance.

Before you disable the connection to View Composer, you must remove from View all the linked-clone virtual machines that were created by View Composer. View prevents you from removing View Composer if any associated linked clones still exist. After the connection to View Composer is disabled, View cannot provision or manage new linked clones.

VMware, Inc. 23

Page 24

View Administration

Procedure

1 Remove the linked-clone desktop pools that were created by View Composer.

2 Select View Configuration > Servers.

3 On the vCenter Servers tab, select the vCenter Server instance with which View Composer is

4 Click Edit.

5 Under View Composer Server Settings, click Edit, select Do not use View Composer, and click OK.

a In View Administrator, select Catalog > Desktop Pools.

b Select a linked-clone desktop pool and click Delete.

A dialog box warns that you will permanently delete the linked-clone desktop pool from View. If the linked-clone virtual machines are configured with persistent disks, you can detach or delete the persistent disks.

c Click OK.

The virtual machines are deleted from vCenter Server. In addition, the associated View Composer database entries and the replicas that were created by View Composer are removed.

d Repeat these steps for each linked-clone desktop pool that was created by View Composer.

associated.

You can no longer create linked-clone desktop pools in this vCenter Server instance, but you can continue to create and manage full virtual-machine desktop pools in the vCenter Server instance.

What to do next

If you intend to install View Composer on another host and reconfigure View to connect to the new VMware Horizon View Composer service, you must perform certain additional steps. See “Migrate View

Composer Without Linked-Clone Virtual Machines,” on page 131.

Conflicting vCenter Server Unique IDs

If you have multiple vCenter Server instances configured in your environment, an attempt to add a new instance might fail because of conflicting unique IDs.

Problem

You try to add a vCenter Server instance to View, but the unique ID of the new vCenter Server instance conflicts with an existing instance.

Cause

Two vCenter Server instances cannot use the same unique ID. By default, a vCenter Server unique ID is randomly generated, but you can edit it.

Solution

1 In vSphere Client, click Administration > vCenter Server Settings > Runtime Settings.

2 Type a new unique ID and click OK.

For details about editing vCenter Server unique ID values, see the vSphere documentation.

24 VMware, Inc.

Page 25

Backing Up View Connection Server

After you complete the initial configuration of View Connection Server, you should schedule regular backups of your View and View Composer configuration data.

For information about backing up and restoring your View configuration, see “Backing Up and Restoring

View Configuration Data,” on page 115.

Configuring Settings for Client Sessions

You can configure global settings that affect the client sessions and connections that are managed by a View Connection Server instance or replicated group. You can set the session timeout length, display prelogin and warning messages, and set security-related client connection options.

Set Options for Client Sessions and Connections

You configure global settings to determine the way client sessions and connections work.

The global settings are not specific to a single View Connection Server instance. They affect all client sessions that are managed by a standalone View Connection Server instance or a group of replicated instances.

Chapter 2 Configuring View Connection Server

You can also configure View Connection Server instances to use direct, nontunneled connections between Horizon clients and remote desktops. See “Configure the Secure Tunnel and PCoIP Secure Gateway,” on page 32 for information about configuring direct connections.

Prerequisites

Familiarize yourself with the global settings. See “Global Settings for Client Sessions,” on page 26 and

“Global Security Settings for Client Sessions and Connections,” on page 28.

Procedure

1 In View Administrator, select View Configuration > Global Settings.

2 Choose whether to configure general settings or security settings.

Option Description

General global settings

Global security settings

3 Configure the global settings.

4 Click OK.

What to do next

You can change the data recovery password that was provided during installation. See “Change the Data

Recovery Password,” on page 25.

In the General pane, click Edit.

In the Security pane, click Edit.

Change the Data Recovery Password

You provide a data recovery password when you install View Connection Server version 5.1 or later. After installation, you can change this password in View Administrator. The password is required when you restore the View LDAP configuration from a backup.

When you back up View Connection Server, the View LDAP configuration is exported as encrypted LDIF data. To restore the encrypted backup View configuration, you must provide the data recovery password.

VMware, Inc. 25

Page 26

View Administration

The password must contain between 1 and 128 characters. Follow your organization's best practices for generating secure passwords.

Procedure

1 In View Administrator, select View Configuration > Global Settings.

2 In the Security pane, click Change data recovery password.

3 Type and retype the new password.

4 (Optional) Type a password reminder.

NOTE You can also change the data recovery password when you schedule your View configuration data to be backed up. See “Schedule View Configuration Backups,” on page 116.

What to do next

When you use the vdmimport utility to restore a backup View configuration, provide the new password.

Global Settings for Client Sessions

General global settings determine session timeout lengths, SSO enablement and timeout limits, status updates in View Administrator, whether prelogin and warning messages are displayed, and whether View Administrator treats Windows Server as a supported operating system for remote desktops.

Changes to any of the settings in the table below take effect immediately. You do not need to restart View Connection Server or Horizon Client.

Table 2‑2. General Global Settings for Client Sessions

Setting Description

View Administrator session timeout

Forcibly disconnect users Disconnects all desktops and applications after the specified number of minutes

Determines how long an idle View Administrator session continues before the session times out.

IMPORTANT Setting the View Administrator session timeout to a high number of minutes increases the risk of unauthorized use of View Administrator. Use caution when you allow an idle session to persist a long time.

By default, the View Administrator session timeout is 30 minutes. You can set a session timeout from 1 to 4320 minutes (72 hours).

has passed since the user logged in to View. All desktops and applications will be disconnected at the same time regardless of when the user opened them.

For clients that do not support application remoting, a maximum timeout value of 1200 minutes applies if the value of this setting is Never or greater than 1200 minutes.

The default is After 600 minutes.

26 VMware, Inc.

Page 27

Chapter 2 Configuring View Connection Server

Table 2‑2. General Global Settings for Client Sessions (Continued)

Setting Description

Single sign-on (SSO) If SSO is enabled, View caches a user's credentials so that the user can launch

For clients that support applications.

If the user stops using the keyboard and mouse, disconnect their applications and discard SSO credentials:

Other clients.

Discard SSO credentials:

Enable automatic status updates Determines if status updates appear in the global status pane in the upper-left

Display a pre-login message Displays a disclaimer or another message to Horizon Client users when they log

remote desktops or applications without having to provide credentials to log in to the remote Windows session. The default is Enabled.

If you plan to use the True SSO feature, introduced in Horizon 7 or later, SSO must be enabled. With True SSO, if a user logs in using some other form of authentication than Active Directory credentials, the True SSO feature generates short-term certificates to use, rather than cached credentials, after users log in to VMware Identity Manager.

NOTE If a desktop is launched from Horizon Client, and the desktop is locked, either by the user or by Windows based on a security policy, and if the desktop is running View Agent 6.0 or later or Horizon Agent 7.0 or later, View Connection Server discards the user's SSO credentials. The user must provide login credentials to launch a new desktop or a new application, or reconnect to any disconnected desktop or application. To enable SSO again, the user must disconnect from View Connection Server or exit Horizon Client, and reconnect to View Connection Server. However, if the desktop is launched from Workspace Portal or VMware Identity Manager and the desktop is locked, SSO credentials are not discarded.

Protects application sessions when there is no keyboard or mouse activity on the client device. If set to After ... minutes, View disconnects all applications and discards SSO credentials after the specified number of minutes without user activity. Desktop sessions are not disconnected. Users must log in again to reconnect to the applications that were disconnected or launch a new desktop or application.

This setting also applies to the True SSO feature. After SSO credentials are discarded, users are prompted for Active Directory credentials. If users logged in to VMware Identity Manager without using AD credentials and do not know what AD credentials to enter, users can log out and log in to VMware Identity Manager again to access their remote desktops and applications.

IMPORTANT Users must be aware that when they have both applications and desktops open, and their applications are disconnected because of this timeout, their desktops remain connected. Users must not rely on this timeout to protect their desktops.

If set to Never, View never disconnects applications or discards SSO credentials due to user inactivity.

The default is Never.

Discards SSO credentials after the specified number of minutes. This setting is for clients that do not support application remoting. If set to After ... minutes, users must log in again to connect to a desktop after the specified number of minutes has passed since the user logged in to View, regardless of any user activity on the client device.

If set to Never, View stores SSO credentials until the user closes Horizon Client, or the Forcibly disconnect users timeout is reached, whichever comes first.

The default is After 15 minutes.

corner of View Administrator every few minutes. The dashboard page of View Administrator is also updated every few minutes.

By default, this setting is not enabled.

in.

Type your information or instructions in the text box in the Global Settings dialog box.

To display no message, leave the check box unselected.

VMware, Inc. 27

Page 28

View Administration

Table 2‑2. General Global Settings for Client Sessions (Continued)

Setting Description

Display warning before forced logoff

Enable Windows Server desktops Determines whether you can select available Windows Server 2008 R2 and

Mirage Server configuration Allows you to specify the URL of a Mirage server, using the format

Displays a warning message when users are forced to log off because a scheduled or immediate update such as a desktop-refresh operation is about to start. This setting also determines how long to wait after the warning is shown before the user is logged off.

Check the box to display a warning message.

Type the number of minutes to wait after the warning is displayed and before logging off the user. The default is 5 minutes.

Type your warning message. You can use the default message:

Your desktop is scheduled for an important update and will be shut down in 5 minutes. Please save any unsaved work now.

Windows Server 2012 R2 machines for use as desktops. When this setting is enabled, View Administrator displays all available Windows Server machines, including machines on which View server components are installed.

NOTE The Horizon Agent software cannot coexist on the same virtual or physical machine with any other View server software component, including a security server, View Connection Server, or View Composer.

mirage://server-name:port or mirages://server-name:port. Here server- name is the fully qualified domain name. If you do not specify the port number,

the default port number 8000 is used.

NOTE You can override this global setting by specifying a Mirage server in the desktop pool settings.

Specifying the Mirage server in View Administrator is an alternative to specifying the Mirage server when installing the Mirage client. To find out which versions of Mirage support having the server specified in View Administrator, see the Mirage documentation, at

https://www.vmware.com/support/pubs/mirage_pubs.html.

Global Security Settings for Client Sessions and Connections

Global security settings determine whether clients are reauthenticated after interruptions, message security mode is enabled, and IPSec is used for security server connections.

SSL is required for all Horizon Client connections and View Administrator connections to View. If your View deployment uses load balancers or other client-facing, intermediate servers, you can off-load SSL to them and then configure non-SSL connections on individual View Connection Server instances and security servers. See “Off-load SSL Connections to Intermediate Servers,” on page 34.

28 VMware, Inc.

Page 29

Chapter 2 Configuring View Connection Server

Table 2‑3. Global Security Settings for Client Sessions and Connections

Setting Description

Reauthenticate secure tunnel connections after network interruption

Message security mode Determines the security mechanism used for sending JMS messages between

Enhanced Security Status (Read-

only)

Use IPSec for Security Server connections

Determines if user credentials must be reauthenticated after a network interruption when Horizon clients use secure tunnel connections to remote desktops.

When you select this setting, if a secure tunnel connection is interrupted, Horizon Client requires the user to reauthenticate before reconnecting.

This setting offers increased security. For example, if a laptop is stolen and moved to a different network, the user cannot automatically gain access to the remote desktop without entering credentials.

When this setting is not selected, the client reconnects to the remote desktop without requiring the user to reauthenticate.

This setting has no effect when the secure tunnel is not used.

components

When the mode is set to Enabled, signing and verification of the JMS messages

passed between View components takes place.

When the mode is set to Enhanced, security is provided by mutually

authenticated SSL JMS connections and access control on JMS topics.

For details, see “Message Security Mode for View Components,” on page 30.

For new installations, by default, message security mode is set to Enhanced. If you upgrade from a previous version, the setting used in the previous version is retained.

Read-only field that appears when Message security mode is changed from Enabled to Enhanced. Because the change is made in phases, this field shows the progress through the phases:

Waiting for Message Bus restart is the first phase. This state is displayed until

you manually restart either all View Connection Server instances in the pod or the VMware Horizon View Message Bus Component service on all View Connection Server hosts in the pod.

Pending Enhanced is the next state. After all View Message Bus Component

services have been restarted, the system begins changing the message security mode to Enhanced for all desktops and security servers.

Enhanced is the final state, indicating that all components are now using

Enhanced message security mode.

You can also use the vdmutil command-line utility to monitor progress. See

“Using the vdmutil Utility to Configure the JMS Message Security Mode,” on

page 31.

Determines whether to use Internet Protocol Security (IPSec) for connections between security servers and View Connection Server instances.

By default, secure connections (using IPSec) for security server connections is enabled.

NOTE If you upgrade to View 5.1 or later from an earlier View release, the global setting Require SSL for client connections is displayed in View Administrator, but only if the setting was disabled in your View

configuration before you upgraded. Because SSL is required for all Horizon Client connections and View Administrator connections to View, this setting is not displayed in fresh installations of View 5.1 or later versions and is not displayed after an upgrade if the setting was already enabled in the previous View configuration.

After an upgrade, if you do not enable the Require SSL for client connections setting, HTTPS connections from Horizon clients will fail, unless they connect to an intermediate device that is configured to make onward connections using HTTP. See “Off-load SSL Connections to Intermediate Servers,” on page 34.

VMware, Inc. 29

Page 30

View Administration

Message Security Mode for View Components

You can set the message security mode to specify the security mechanism used when JMS messages pass among View components.

Table 2-4 shows the options you can select to configure the message security mode. To set an option, select it

from the Message security mode list in the Global Settings dialog window.

Table 2‑4. Message Security Mode Options

Option Description

Disabled Message security mode is disabled.

Mixed Message security mode is enabled but not enforced.

You can use this mode to detect components in your View environment that predate View 3.0. The log files generated by View Connection Server contain references to these components. This setting is not recommended. Use this setting only to discover components that need to be upgraded.

Enabled Message security mode is enabled, using a combination of message signing and encryption. JMS messages

are rejected if the signature is missing or invalid, or if a message was modified after it was signed.

Some JMS messages are encrypted because they carry sensitive information such as user credentials. If you use the Enabled setting, you can also use IPSec to encrypt all JMS messages between View Connection Server instances, and between View Connection Server instances and security servers.

NOTE View components that predate View 3.0 are not allowed to communicate with other View components.

Enhanced SSL is used for all JMS connections. JMS access control is also enabled so that desktops, security servers,

and View Connection Server instances can only send and receive JMS messages on certain topics.

View components that predate Horizon 6 version 6.1 cannot communicate with a View Connection Server

6.1 instance.

NOTE Using this mode requires opening TCP port 4002 between DMZ-based security servers and their paired View Connection Server instances.

When you first install View on a system, the message security mode is set to Enhanced. If you upgrade View from a previous release, the message security mode remains unchanged from its existing setting.

IMPORTANT If you plan to change an upgraded View environment from Enabled to Enhanced, you must first upgrade all View Connection Server instances, security servers, and View desktops to Horizon 6 version 6.1 or a later release. After you change the setting to Enhanced, the new setting takes place in stages.

1 You must manually restart the VMware Horizon View Message Bus Component service on all View

Connection Server hosts in the pod, or restart the View Connection Server instances.

2 After the services are restarted, the View Connection Server instances reconfigure the message security

mode on all desktops and security servers, changing the mode to Enhanced.

3 To monitor the progress in View Administrator, go to View Configuration > Global Settings.

On the Security tab, the Enhanced Security Status item will show Enhanced when all components have made the transition to Enhanced mode.

Alternatively, you can use the vdmutil command-line utility to monitor progress. See “Using the

vdmutil Utility to Configure the JMS Message Security Mode,” on page 31.

View components that predate Horizon 6 version 6.1 cannot communicate with a View Connection Server

6.1 instance that uses Enhanced mode

If you plan to change an active View environment from Disabled to Enabled, or from Enabled to Disabled, change to Mixed mode for a short time before you make the final change. For example, if your current mode is Disabled, change to Mixed mode for one day, then change to Enabled. In Mixed mode, signatures are attached to messages but not verified, which allows the change of message mode to propagate through the environment.

30 VMware, Inc.

Page 31

Chapter 2 Configuring View Connection Server

Using the vdmutil Utility to Configure the JMS Message Security Mode

You can use the vdmutil command-line interface to configure and manage the security mechanism used when JMS messages are passed between View components.

Syntax and Location of the Utility

The vdmutil command can perform the same operations as the lmvutil command that was included with earlier versions of View. In addition, the vdmutil command has options for determining the message security mode being used and monitoring the progress of changing all View components to Enhanced mode. Use the following form of the vdmutil command from a Windows command prompt.

vdmutil command_option [additional_option argument] ...

The additional options that you can use depend on the command option. This topic focuses on the options for message security mode. For the other options, which relate to Cloud Pod Architecture, see the Administering View Cloud Pod Architecture document.

By default, the path to the vdmutil command executable file is C:\Program Files\VMware\VMware

View\Server\tools\bin. To avoid entering the path on the command line, add the path to your PATH

environment variable.

Authentication

You must run the command as a user who has the Administrators role. You can use View Administrator to assign the Administrators role to a user. See Chapter 6, “Configuring Role-Based Delegated

Administration,” on page 89.

The vdmutil command includes options to specify the user name, domain, and password to use for authentication.

Table 2‑5. vdmutil Command Authentication Options

Option Description

--authAs

--authDomain Fully qualified domain name for the View administrator user specified in the --authAs

--authPassword Password for the View administrator user specified in the --authAs option. Entering "*"

Name of a View administrator user. Do not use domain\username or user principal name (UPN) format.

option.

instead of a password causes the vdmutil command to prompt for the password and does not leave sensitive passwords in the command history on the command line.

You must use the authentication options with all vdmutil command options except for --help and

--verbose.

Options Specific to JMS Message Security Mode

The following table lists only the vdmutil command-line options that pertain to viewing, setting, or monitoring the JMS message security mode. For a list of the arguments you can use with a specific option, use the --help command-line option.

The vdmutil command returns 0 when an operation succeeds and a failure-specific non-zero code when an operation fails. The vdmutil command writes error messages to standard error. When an operation produces output, or when verbose logging is enabled by using the --verbose option, the vdmutil command writes output to standard output, in US English.

VMware, Inc. 31

Page 32

View Administration

Table 2‑6. vdmutil Command Options

Option Description

--activatePendingConnectionServerCertificates

--countPendingMsgSecStatus

--createPendingConnectionServerCertificates

--getMsgSecLevel

--getMsgSecMode

--help Lists the vdmutil command options. You can also use --help on a

--listMsgBusSecStatus

--listPendingMsgSecStatus

--setMsgSecMode

--verbose

Activates a pending security certificate for a View Connection Server instance in the local pod.

Counts the number of machines preventing a transition to or from Enhanced mode.

Creates a new pending security certificate for a View Connection Server instance in the local pod.

Gets the enhanced message security status for the local pod. This status pertains to the process of changing the JMS message security mode from Enabled to Enhanced for all the components in a View environment.

Gets the message security mode for the local pod.

particular command, such as --setMsgSecMode --help.

Lists the message bus security status for all connection servers in the local pod.

List machines preventing a transition to or from Enhanced mode. Limited to 25 entries by default.

Sets the message security mode for the local pod.

Enables verbose logging. You can add this option to any other option to obtain detailed command output. The vdmutil command writes to standard output.

Configure the Secure Tunnel and PCoIP Secure Gateway

When the secure tunnel is enabled, Horizon Client makes a second HTTPS connection to the View Connection Server or security server host when users connect to a remote desktop.

When the PCoIP Secure Gateway is enabled, Horizon Client makes a further secure connection to the View Connection Server or security server host when users connect to a remote desktop with the PCoIP display protocol.

NOTE With Horizon 6 version 6.2 and later releases, you can use Access Point appliances, rather than security servers, for secure external access to Horizon 6 servers and desktops. If you use Access Point appliances, you must disable the secure gateways on View Connection Server instances and enable these gateways on the Access Point appliances. For more information, see Deploying and Configuring Access Point.

When the secure tunnel or PCoIP Secure Gateway is not enabled, a session is established directly between the client system and the remote desktop virtual machine, bypassing the View Connection Server or security server host. This type of connection is called a direct connection.

IMPORTANT A typical network configuration that provides secure connections for external clients includes a security server. To use View Administrator to enable or disable the secure tunnel and PCoIP Secure Gateway on a security server, you must edit the View Connection Server instance that is paired with the security server.

In a network configuration in which external clients connect directly to a View Connection Server host, you enable or disable the secure tunnel and PCoIP Secure Gateway by editing that View Connection Server instance in View Administrator.

32 VMware, Inc.

Page 33

Chapter 2 Configuring View Connection Server

Prerequisites

If you intend to enable the PCoIP Secure Gateway, verify that the View Connection Server instance and

paired security server are View 4.6 or later.

If you pair a security server to a View Connection Server instance on which you already enabled the

PCoIP Secure Gateway, verify that the security server is View 4.6 or later.

Procedure

1 In View Administrator, select View Configuration > Servers.

2 On the Connection Servers tab, select a View Connection Server instance and click Edit.

3 Configure use of the secure tunnel.

Option Description

Enable the secure tunnel

Disable the secure tunnel

Select Use Secure Tunnel connection to machine.

Deselect Use Secure Tunnel connection to machine.

The secure tunnel is enabled by default.

4 Configure use of the PCoIP Secure Gateway.

Option Description

Enable the PCoIP Secure Gateway

Disable the PCoIP secure Gateway

Select Use PCoIP Secure Gateway for PCoIP connections to machine

Deselect Use PCoIP Secure Gateway for PCoIP connections to machine

The PCoIP Secure Gateway is disabled by default.

5 Click OK to save your changes.

Configure the Blast Secure Gateway

In View Administrator, you can configure the use of the Blast Secure Gateway to provide secure access to remote desktops and applications, either through HTML Access or through client connections that use the VMware Blast display protocol.

NOTE You can also use Access Point appliances, rather than security servers, for secure external access to Horizon 7 servers and desktops. If you use Access Point appliances, you must disable the secure gateways on View Connection Server instances and enable these gateways on the Access Point appliances. For more information, see Deploying and Configuring Access Point.

When the Blast Secure Gateway is not enabled, client devices and client Web browsers use the VMware Blast Extreme protocol to establish direct connections to remote desktop virtual machines and applications, bypassing the Blast Secure Gateway.

IMPORTANT A typical network configuration that provides secure connections for external users includes a security server. To enable or disable the Blast Secure Gateway on a security server, you must edit the View Connection Server instance that is paired with the security server. If external users connect directly to a View Connection Server host, you enable or disable the Blast Secure Gateway by editing that View Connection Server instance.

Prerequisites

If users select remote desktops by using VMware Identity Manager, verify that VMware Identity Manager is installed and configured for use with View Connection Server and that View Connection Server is paired with a SAML 2.0 Authentication server.

VMware, Inc. 33

Page 34

View Administration

Procedure

1 In View Administrator, select View Configuration > Servers.

2 On the Connection Servers tab, select a View Connection Server instance and click Edit.

3 Configure use of the Blast Secure Gateway.

Option Description

Enable the Blast Secure Gateway

Disable the Blast secure Gateway

Select Use Blast Secure Gateway for Blast connections to machine

Deselect Use Blast Secure Gateway for Blast connections to machine

The Blast Secure Gateway is enabled by default.

4 Click OK to save your changes.

Off-load SSL Connections to Intermediate Servers

Horizon Client must use HTTPS to connect to View. If your Horizon clients connect to load balancers or other intermediate servers that pass on the connections to View Connection Server instances or security servers, you can off-load SSL to the intermediate servers.

Import SSL Off-loading Servers' Certificates to View Servers

If you off-load SSL connections to an intermediate server, you must import the intermediate server's certificate onto the View Connection Server instances or security servers that connect to the intermediate server. The same SSL server certificate must reside on both the off-loading intermediate server and each offloaded View server that connects to the intermediate server.

If you deploy security servers, the intermediate server and the security servers that connect to it must have the same SSL certificate. You do not have to install the same SSL certificate on View Connection Server instances that are paired to the security servers and do not connect directly to the intermediate server.

If you do not deploy security servers, or if you have a mixed network environment with some security servers and some external-facing View Connection Server instances, the intermediate server and any View Connection Server instances that connect to it must have the same SSL certificate.

If the intermediate server's certificate is not installed on the View Connection Server instance or security server, clients cannot validate their connections to View. In this situation, the certificate thumbprint sent by the View server does not match the certificate on the intermediate server to which Horizon Client connects.

Do not confuse load balancing with SSL off-loading. The preceding requirement applies to any device that is configured to provide SSL off-loading, including some types of load balancers. However, pure load balancing does not require copying of certificates between devices.

For information about importing certificates to View servers, see "Import a Signed Server Certificate into a Windows Certificate Store" in the View Installation document.

Set View Server External URLs to Point Clients to SSL Off-loading Servers

If SSL is off-loaded to an intermediate server and Horizon Client devices use the secure tunnel to connect to View, you must set the secure tunnel external URL to an address that clients can use to access the intermediate server.

You configure the external URL settings on the View Connection Server instance or security server that connects to the intermediate server.

If you deploy security servers, external URLs are required for the security servers but not for the View Connection Server instances that are paired with the security servers.

34 VMware, Inc.

Page 35

Chapter 2 Configuring View Connection Server

If you do not deploy security servers, or if you have a mixed network environment with some security servers and some external-facing View Connection Server instances, External URLs are required for any View Connection Server instances that connect to the intermediate server.

NOTE You cannot off-load SSL connections from a PCoIP Secure Gateway (PSG) or Blast Secure Gateway. The PCoIP external URL and Blast Secure Gateway external URL must allow clients to connect to the computer that hosts the PSG and Blast Secure Gateway. Do not reset the PCoIP external URL and Blast external URL to point to the intermediate server unless you plan to require SSL connections between the intermediate server and the View server.

For information about configuring External URLs, see “Configuring External URLs for PCoIP Secure Gateway and Tunnel Connections” in the View Installation document.

Allow HTTP Connections From Intermediate Servers

When SSL is off-loaded to an intermediate server, you can configure View Connection Server instances or security servers to allow HTTP connections from the client-facing, intermediate devices. The intermediate devices must accept HTTPS for Horizon Client connections.

To allow HTTP connections between View servers and intermediate devices, you must configure the

locked.properties file on each View Connection Server instance and security server on which HTTP

connections are allowed.

Even when HTTP connections between View servers and intermediate devices are allowed, you cannot disable SSL in View. View servers continue to accept HTTPS connections as well as HTTP connections.

NOTE If your Horizon clients use smart card authentication, the clients must make HTTPS connections directly to View Connection Server or security server. SSL off-loading is not supported with smart card authentication.

Procedure

1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View

Connection Server or security server host.

For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties

2 To configure the View server's protocol, add the serverProtocol property and set it to http.

The value http must be typed in lower case.

3 (Optional) Add properties to configure a non-default HTTP listening port and a network interface on

the View server.

To change the HTTP listening port from 80, set serverPortNonSSL to another port number to which

the intermediate device is configured to connect.

If the View server has more than one network interface, and you intend the server to listen for

HTTP connections on only one interface, set serverHostNonSSL to the IP address of that network interface.

4 Save the locked.properties file.

5 Restart the View Connection Server service or security server service to make your changes take effect.

VMware, Inc. 35

Page 36

View Administration

Example: locked.properties file

This file allows non-SSL HTTP connections to a View server. The IP address of the View server's clientfacing network interface is 10.20.30.40. The server uses the default port 80 to listen for HTTP connections. The value http must be lower case.

serverProtocol=http serverHostNonSSL=10.20.30.40

Configure the Gateway Location for a View Connection Server or Security Server Host

By default, View Connection Server instances set the gateway location to Internal and security servers set the gateway location to External. You can change the default gateway location by setting the

gatewayLocation property in the locked.properties file.

The gateway location determines the value of the ViewClient_Broker_GatewayLocation registry key in a remote desktop. You can use this value with Smart Policies to create a policy that takes effect only if a user connects to a remote desktop from inside or outside your corporate network. For more information, see "Using Smart Policies" in the Setting Up Desktop and Application Pools in View document.

Procedure

1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View

Connection Server or security server host.

For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties

The properties in the locked.properties file are case sensitive.

2 Add the following line to the locked.properties file:

gatewayLocation=value

value can be either External or Internal. External indicates that the gateway is available for users outside the corporate network. Internal indicates that the gateway is available only for users inside the corporate network.

For example: gatewayLocation=External

3 Save the locked.properties file.

4 Restart the VMware Horizon View Connection Server service or the VMware Horizon View Security

Server service to make your changes take effect.

Disable or Enable View Connection Server

You can disable a View Connection Server instance to prevent users from logging in to their remote desktops and applications. After you disable an instance, you can enable it again.

When you disable a View Connection Server instance, users who are currently logged in to remote desktops and applications are not affected.

Your View deployment determines how users are affected by disabling an instance.

If this is a single, standalone View Connection Server instance, users cannot log in to their remote

desktops or applications. They cannot connect to View Connection Server.

If this is a replicated View Connection Server instance, your network topology determines whether

users can be routed to another replicated instance. If users can access another instance, they can log in to their remote desktops and applications.

36 VMware, Inc.

Page 37

Procedure

1 In View Administrator, select View Configuration > Servers.

2 On the Connection Servers tab, select the View Connection Server instance.

3 Click Disable.

You can enable the instance again by clicking Enable.

Edit the External URLs

You can use View Administrator to edit external URLs for View Connection Server instances and security servers.

By default, a View Connection Server or security server host can be contacted only by tunnel clients that reside within the same network. Tunnel clients that run outside of your network must use a clientresolvable URL to connect to a View Connection Server or security server host.

When users connect to remote desktops with the PCoIP display protocol, Horizon Client can make a further connection to the PCoIP Secure Gateway on the View Connection Server or security server host. To use the PCoIP Secure Gateway, a client system must have access to an IP address that allows the client to reach the View Connection Server or security server host. You specify this IP address in the PCoIP external URL.

A third URL allows users to make secure connections through the Blast Secure Gateway.

Chapter 2 Configuring View Connection Server

The secure tunnel external URL, PCoIP external URL, and Blast external URL must be the addresses that client systems use to reach this host.

NOTE You cannot edit the external URLs for a security server that has not been upgraded to View Connection Server 4.5 or later.

Procedure

1 In View Administrator, select View Configuration > Servers.

Option Action

View Connection Server instance

Security server

Select the View Connection Server instance on the Connection Servers tab and click Edit.

Select the security server on the Security Servers tab and click Edit.

2 Type the secure tunnel external URL in the External URL text box.

The URL must contain the protocol, client-resolvable host name and port number.

For example: https://view.example.com:443

NOTE You can use the IP address if you have to access a View Connection Server instance or security server when the host name is not resolvable. However, the host that you contact will not match the SSL certificate that is configured for the View Connection Server instance or security server, resulting in blocked access or access with reduced security.

3 Type the PCoIP Secure Gateway external URL in the PCoIP External URL text box.

Specify the PCoIP external URL as an IP address with the port number 4172. Do not include a protocol name.

For example: 10.20.30.40:4172

The URL must contain the IP address and port number that a client system can use to reach this security server or View Connection Server instance.

VMware, Inc. 37

Page 38

View Administration

4 Type the Blast Secure Gateway external URL in the Blast External URL text box.

The URL must contain the HTTPS protocol, client-resolvable host name, and port number.

For example: https://myserver.example.com:8443

By default, the URL includes the FQDN of the secure tunnel external URL and the default port number,

8443. The URL must contain the FQDN and port number that a client system can use to reach this host.

5 Verify that all addresses in this dialog allow client systems to reach this host.

6 Click OK to save your changes.

The external URLs are updated immediately. You do not need to restart the View Connection Server service or the security server service for the changes to take effect.

Join or Withdraw from the Customer Experience Program

When you install View Connection Server with a new configuration, you can choose to participate in a customer experience improvement program. If you change your mind about participating after the installation, you can join or withdraw from the program by using View Administrator.

If you participate in the program, VMware collects anonymous data about your deployment in order to improve VMware's response to user requirements. No data that identifies your organization is collected.

To review the list of fields from which data is collected, including the fields that are made anonymous, see

“Information Collected by the Customer Experience Improvement Program,” on page 134.

Procedure

1 In View Administrator, select View Configuration > Product Licensing and Usage.

2 In the Customer Experience Program pane, click Edit Settings.

3 Decide whether to participate in or withdraw from the program by selecting or deselecting the Send

anonymous data to VMware checkbox.

4 (Optional) If you participate, you can select the geographic location, type of business, and number of

employees in your organization.

5 Click OK.

View LDAP Directory

View LDAP is the data repository for all View configuration information. View LDAP is an embedded Lightweight Directory Access Protocol (LDAP) directory that is provided with the View Connection Server installation.

View LDAP contains standard LDAP directory components that are used by View.

View schema definitions

Directory information tree (DIT) definitions

Access control lists (ACLs)

View LDAP contains directory entries that represent View objects.

Remote desktop entries that represent each accessible desktop. Each entry contains references to the

Foreign Security Principal (FSP) entries of Windows users and groups in Active Directory who are authorized to use the desktop.

Remote desktop pool entries that represent multiple desktops managed together

Virtual machine entries that represent the vCenter Server virtual machine for each remote desktop

38 VMware, Inc.

Page 39

Chapter 2 Configuring View Connection Server

View component entries that store configuration settings

View LDAP also contains a set of View plug-in DLLs that provide automation and notification services for other View components.

NOTE Security server instances do not contain a View LDAP directory.

LDAP Replication

When you install a replicated instance of View Connection Server, View copies the View LDAP configuration data from the existing View Connection Server instance. Identical View LDAP configuration data is maintained on all View Connection Server instances in the replicated group. When a change is made on one instance, the updated information is copied to the other instances.

If a replicated instance fails, the other instances in the group continue to operate. When the failed instance resumes activity, its configuration is updated with the changes that took place during the outage. With Horizon 7 and later releases, a replication status check is performed every 15 minutes to determine whether each instance can communicate with the other servers in the replicated group and whether each instance can fetch LDAP updates from the other servers in the group.

You can use the dashboard in View Administrator to check the replication status. If any View Connection Server instances have a red icon in the dashboard, click the icon to see the replication status. Replication might be impaired for any of the following reasons:

A firewall might be blocking communication

The VMware VDMDS service might be stopped on a View Connection Server instance

The VMware VDMDS DSA options might be blocking the replications

A network problem has occurred

By default, the replication check occurs every 15 minutes. You can use ADSI Edit on a View Connection Server instance to change the interval. To set the number of minutes, connect to

DC=vdi,DC=vmware,DC=int and edit the pae-ReplicationStatusDataExpiryInMins attribute on the CN=Common,OU=Global,OU=Properties object.

The pae-ReplicationStatusDataExpiryInMins attribute value should be between 10 minutes and 1440 minutes (one day). If the attribute value is less than 10 minutes, View treats it as 10 minutes. If the attribute value is greater than 1440, View treats it as 1440 minutes.

VMware, Inc. 39

Page 40

View Administration

40 VMware, Inc.

Page 41

Setting Up Smart Card Authentication 3

For added security, you can configure a View Connection Server instance or security server so that users and administrators can authenticate by using smart cards.

A smart card is a small plastic card that contains a computer chip. The chip, which is like a miniature computer, includes secure storage for data, including private keys and public key certificates. One type of smart card used by the United States Department of Defense is called a Common Access Card (CAC).

With smart card authentication, a user or administrator inserts a smart card into a smart card reader attached to the client computer and enters a PIN. Smart card authentication provides two-factor authentication by verifying both what the person has (the smart card) and what the person knows (the PIN).

See the View Installation document for information about hardware and software requirements for implementing smart card authentication. The Microsoft TechNet Web site includes detailed information on planning and implementing smart card authentication for Windows systems.

To use smart cards, client machines must have smart card middleware and a smart card reader. To install certificates on smart cards, you must set up a computer to act as an enrollment station. For information about whether a particular type of Horizon Client supports smart cards, see the Horizon Client documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.

This chapter includes the following topics:

VMware, Inc.

“Logging In with a Smart Card,” on page 42

“Configure Smart Card Authentication on View Connection Server,” on page 42

“Configure Smart Card Authentication on Third-Party Solutions,” on page 47

“Prepare Active Directory for Smart Card Authentication,” on page 47

“Verify Your Smart Card Authentication Configuration,” on page 50

“Using Smart Card Certificate Revocation Checking,” on page 51

Page 42

View Administration

Logging In with a Smart Card

When a user or administrator inserts a smart card into a smart card reader, the user certificates on the smart card are copied to the local certificate store on the client system if the client operating system is Windows. The certificates in the local certificate store are available to all of the applications running on the client computer, including Horizon Client.

When a user or administrator initiates a connection to a View Connection Server instance or security server that is configured for smart card authentication, the View Connection Server instance or security server sends a list of trusted certificate authorities (CAs) to the client system. The client system checks the list of trusted CAs against the available user certificates, selects a suitable certificate, and then prompts the user or administrator to enter a smart card PIN. If there are multiple valid user certificates, the client system prompts the user or administrator to select a certificate.

The client system sends the user certificate to the View Connection Server instance or security server, which verifies the certificate by checking the certificate trust and validity period. Typically, users and administrators can successfully authenticate if their user certificate is signed and valid. If certificate revocation checking is configured, users or administrators who have revoked user certificates are prevented from authenticating.

Display protocol switching is not supported with smart card authentication in Horizon Client. To change display protocols after authenticating with a smart card in Horizon Client, a user must log off and log on again.

Configure Smart Card Authentication on View Connection Server

To configure smart card authentication, you must obtain a root certificate and add it to a server truststore file, modify View Connection Server configuration properties, and configure smart card authentication settings. Depending on your particular environment, you might need to perform additional steps.

Procedure

1 Obtain the Certificate Authority Certificates on page 43

You must obtain all applicable CA (certificate authority) certificates for all trusted user certificates on the smart cards presented by your users and administrators. These certificates include root certificates and can include intermediate certificates if the user's smart card certificate was issued by an intermediate certificate authority.

2 Obtain the CA Certificate from Windows on page 43

If you have a CA-signed user certificate or a smart card that contains one, and Windows trusts the root certificate, you can export the root certificate from Windows. If the issuer of the user certificate is an intermediate certificate authority, you can export that certificate.

3 Add the CA Certificate to a Server Truststore File on page 44

You must add root certificates, intermediate certificates, or both to a server truststore file for all users and administrators that you trust. View Connection Server instances and security servers use this information to authenticate smart card users and administrators.

4 Modify View Connection Server Configuration Properties on page 44

To enable smart card authentication, you must modify View Connection Server configuration properties on your View Connection Server or security server host.

5 Configure Smart Card Settings in View Administrator on page 45

You can use View Administrator to specify settings to accommodate different smart card authentication scenarios.

42 VMware, Inc.

Page 43

Chapter 3 Setting Up Smart Card Authentication

Obtain the Certificate Authority Certificates

If you do not have the root or intermediate certificate of the CA that signed the certificates on the smart cards presented by your users and administrators, you can export the certificates from a CA-signed user certificate or a smart card that contains one. See “Obtain the CA Certificate from Windows,” on page 43.

Procedure

Obtain the CA certificates from one of the following sources.

A Microsoft IIS server running Microsoft Certificate Services. See the Microsoft TechNet Web site

for information on installing Microsoft IIS, issuing certificates, and distributing certificates in your organization.

The public root certificate of a trusted CA. This is the most common source of a root certificate in

environments that already have a smart card infrastructure and a standardized approach to smart card distribution and authentication.

What to do next

Add the root certificate, intermediate certificate, or both to a server truststore file. See “Add the CA

Certificate to a Server Truststore File,” on page 44.

Obtain the CA Certificate from Windows

Procedure

1 If the user certificate is on a smart card, insert the smart card into the reader to add the user certificate

to your personal store.

If the user certificate does not appear in your personal store, use the reader software to export the user certificate to a file. This file will be used in Step 4.

2 In Internet Explorer, select Tools > Internet Options.

3 On the Content tab, click Certificates.

4 On the Personal tab, select the certificate you want to use and click View.

If the user certificate does not appear on the list, click Import to manually import it from a file. After the certificate is imported, you can select it from the list.

5 On the Certification Path tab, select the certificate at the top of the tree and click View Certificate.

If the user certificate is signed as part of a trust hierarchy, the signing certificate might be signed by another higher-level certificate. Select the parent certificate (the one that actually signed the user certificate) as your root certificate. In some cases, the issuer might be an intermediate CA.

6 On the Details tab, click Copy to File.

The Certificate Export Wizard appears.

7 Click Next > Next and type a name and location for the file that you want to export.

8 Click Next to save the file as a root certificate in the specified location.

VMware, Inc. 43

Page 44

View Administration

What to do next

Add the CA certificate to a server truststore file.

Add the CA Certificate to a Server Truststore File

Prerequisites

Obtain the root or intermediate certificates that were used to sign the certificates on the smart cards

presented by your users or administrators. See “Obtain the Certificate Authority Certificates,” on page 43 and “Obtain the CA Certificate from Windows,” on page 43.

IMPORTANT These certificates can include intermediate certificates if the user's smart card certificate was issued by an intermediate certificate authority.

Verify that the keytool utility is added to the system path on your View Connection Server or security

server host. See the View Installation document for more information.

Procedure

1 On your View Connection Server or security server host, use the keytool utility to import the root

certificate, intermediate certificate, or both into the server truststore file.

For example: keytool -import -alias alias -file root_certificate -keystore truststorefile.key

In this command, alias is a unique case-sensitive name for a new entry in the truststore file, root_certificate is the root or intermediate certificate that you obtained or exported, and truststorefile.key is the name of the truststore file that you are adding the root certificate to. If the file does not exist, it is created in the current directory.

NOTE The keytool utility might prompt you to create a password for the truststore file. You will be asked to provide this password if you need to add additional certificates to the truststore file at a later time.

2 Copy the truststore file to the SSL gateway configuration folder on the View Connection Server or

security server host.

For example: install_directory\VMware\VMware View\Server\sslgateway\conf\truststorefile.key

What to do next

Modify View Connection Server configuration properties to enable smart card authentication.

Modify View Connection Server Configuration Properties

To enable smart card authentication, you must modify View Connection Server configuration properties on your View Connection Server or security server host.

Prerequisites

Add the CA (certificate authority) certificates for all trusted user certificates to a server truststore file. These certificates include root certificates and can include intermediate certificates if the user's smart card certificate was issued by an intermediate certificate authority.

44 VMware, Inc.

Page 45

Chapter 3 Setting Up Smart Card Authentication

Procedure

1 Create or edit the locked.properties file in SSL gateway configuration folder on the View Connection

Server or security server host.

For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties

2 Add the trustKeyfile, trustStoretype, and useCertAuth properties to the locked.properties file.

a Set trustKeyfile to the name of your truststore file.

b Set trustStoretype to jks.

c Set useCertAuth to true to enable certificate authentication.

3 Restart the View Connection Server service or security server service to make your changes take effect.

Example: locked.properties File

The file shown specifies that the root certificate for all trusted users is located in the file lonqa.key, sets the trust store type to jks, and enables certificate authentication.

trustKeyfile=lonqa.key trustStoretype=jks useCertAuth=true

What to do next

If you configured smart card authentication for a View Connection Server instance, configure smart card authentication settings in View Administrator. You do not need to configure smart card authentication settings for a security server. Settings that are configured on a View Connection Server instance are also applied to a paired security server.

Configure Smart Card Settings in View Administrator

You can use View Administrator to specify settings to accommodate different smart card authentication scenarios.

When you configure these settings on a View Connection Server instance, the settings are also applied to paired security servers.

Prerequisites

Modify View Connection Server configuration properties on your View Connection Server host.

Verify that Horizon clients make HTTPS connections directly to your View Connection Server or

security server host. Smart card authentication is not supported if you off-load SSL to an intermediate device.

Procedure

1 In View Administrator, select View Configuration > Servers.

2 On the Connection Servers tab, select the View Connection Server instance and click Edit.

VMware, Inc. 45

Page 46

View Administration

3 To configure smart card authentication for remote desktop and application users, perform these steps.

a On the Authentication tab, select a configuration option from the Smart card authentication for

users drop-down menu in the View Authentication section.

Option Action

Not allowed

Optional

Required

Smart card authentication is disabled on the View Connection Server instance.

Users can use smart card authentication or password authentication to connect to the View Connection Server instance. If smart card authentication fails, the user must provide a password.

Users are required to use smart card authentication when connecting to the View Connection Server instance.

When smart card authentication is required, authentication fails for users who select the Log in as current user check box when they connect to the View Connection Server instance. These users must reauthenticate with their smart card and PIN when they log in to View Connection Server.

NOTE Smart card authentication replaces Windows password authentication only. If SecurID is enabled, users are required to authenticate by using both SecurID and smart card authentication.

b Configure the smart card removal policy.

You cannot configure the smart card removal policy when smart card authentication is set to Not Allowed.

Option Action

Disconnect users from View Connection Server when they remove their smart cards

Keep users connected to View Connection Server when they remove their smart cards and let them start new desktop or application sessions without reauthenticating

Select the Disconnect user sessions on smart card removal check box.

Deselect the Disconnect user sessions on smart card removal check box.

The smart card removal policy does not apply to users who connect to the View Connection Server instance with the Log in as current user check box selected, even if they log in to their client system with a smart card.

4 To configure smart card authentication for administrators logging in to View Administrator, click the

Authentication tab and select a configuration option from the Smart card authentication for administrators drop-down menu in the View Administration Authentication section.

Option Action

Not allowed

Optional

Required

Smart card authentication is disabled on the View Connection Server instance.

Administrators can use smart card authentication or password authentication to log in to the View Administrator. If smart card authentication fails, the administrator must provide a password.

Administrators are required to use smart card authentication when they log in to View Administrator.

5 Click OK.

46 VMware, Inc.

Page 47

Chapter 3 Setting Up Smart Card Authentication

6 Restart the View Connection Server service.

You must restart the View Connection Server service for changes to smart card settings to take effect, with one exception. You can change smart card authentication settings between Optional and Required without having to restart the View Connection Server service.

Currently logged in user and administrators are not affected by changes to smart card settings.

What to do next

Prepare Active Directory for smart card authentication, if required. See “Prepare Active Directory for Smart

Card Authentication,” on page 47.

Verify your smart card authentication configuration. See “Verify Your Smart Card Authentication

Configuration,” on page 50.

Configure Smart Card Authentication on Third-Party Solutions

Third-party solutions such as load balancers and gateways can perform smart card authentication by passing a SAML assertion that contains the smart card's X.590 certificate and encrypted PIN.

This topic outlines the tasks involved in setting up third-party solutions to provide the relevant X.590 certificate to View Connection Server after the certificate has been validated by the partner device. Because this feature uses SAML authentication, one of the tasks is to create a SAML authenticator in View Administrator.

For information about configuring smart card authentication on Access Point, see Deploying and Configuring Access Point.

Procedure

1 Create a SAML authenticator for the third-party gateway or load balancer.

See “Configure a SAML Authenticator in View Administrator,” on page 60.

2 Extend the expiration period of the View Connection Server metadata so that remote sessions are not

terminated after only 24 hours.

See “Change the Expiration Period for Service Provider Metadata on View Connection Server,” on page 62.

3 If necessary, configure the third-party device to use service provider metadata from View Connection

Server.

See the product documentation for the third-party device.

4 Configure smart card settings on the third-party device.

See the product documentation for the third-party device.

Prepare Active Directory for Smart Card Authentication

You might need to perform certain tasks in Active Directory when you implement smart card authentication.

Add UPNs for Smart Card Users on page 48

Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users and administrators that use smart cards to authenticate in View must have a valid UPN.

Add the Root Certificate to the Enterprise NTAuth Store on page 48

If you use a CA to issue smart card login or domain controller certificates, you must add the root certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.

VMware, Inc. 47

Page 48

View Administration

Add the Root Certificate to Trusted Root Certification Authorities on page 49

If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.

Add an Intermediate Certificate to Intermediate Certification Authorities on page 49

If you use an intermediate certification authority (CA) to issue smart card login or domain controller certificates, you must add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory.

Add UPNs for Smart Card Users

Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users and administrators that use smart cards to authenticate in View must have a valid UPN.

If the domain a smart card user resides in is different from the domain that your root certificate was issued from, you must set the user’s UPN to the Subject Alternative Name (SAN) contained in the root certificate of the trusted CA. If your root certificate was issued from a server in the smart card user's current domain, you do not need to modify the user's UPN.

NOTE You might need to set the UPN for built-in Active Directory accounts, even if the certificate is issued from the same domain. Built-in accounts, including Administrator, do not have a UPN set by default.

Prerequisites

Obtain the SAN contained in the root certificate of the trusted CA by viewing the certificate properties.

If the ADSI Edit utility is not present on your Active Directory server, download and install the

appropriate Windows Support Tools from the Microsoft Web site.

Procedure

1 On your Active Directory server, start the ADSI Edit utility.

2 In the left pane, expand the domain the user is located in and double-click CN=Users.

3 In the right pane, right-click the user and then click Properties.

4 Double-click the userPrincipalName attribute and type the SAN value of the trusted CA certificate.

5 Click OK to save the attribute setting.

Add the Root Certificate to the Enterprise NTAuth Store

Procedure

On your Active Directory server, use the certutil command to publish the certificate to the Enterprise

NTAuth store.

For example: certutil -dspublish -f path_to_root_CA_cert NTAuthCA

The CA is now trusted to issue certificates of this type.

48 VMware, Inc.

Page 49

Chapter 3 Setting Up Smart Card Authentication

Add the Root Certificate to Trusted Root Certification Authorities

Procedure

1 On the Active Directory server, navigate to the Group Policy Management plug-in.

AD Version Navigation Path

Windows 2003

Windows 2008

2 Expand the Computer Configuration section and open Windows Settings\Security Settings\Public

Key.

a Select Start > All Programs > Administrative Tools > Active Directory

Users and Computers.

b Right-click your domain and click Properties.

c On the Group Policy tab, click Open to open the Group Policy

Management plug-in.

d Right-click Default Domain Policy, and click Edit.

a Select Start > Administrative Tools > Group Policy Management.

b Expand your domain, right-click Default Domain Policy, and click

Edit.

3 Right-click Trusted Root Certification Authorities and select Import.

4 Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.

5 Close the Group Policy window.

All of the systems in the domain now have a copy of the root certificate in their trusted root store.

What to do next

If an intermediate certification authority (CA) issues your smart card login or domain controller certificates, add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory. See “Add an Intermediate Certificate to Intermediate Certification Authorities,” on page 49.

Add an Intermediate Certificate to Intermediate Certification Authorities

Procedure

1 On the Active Directory server, navigate to the Group Policy Management plug-in.

AD Version Navigation Path

Windows 2003

Windows 2008

a Select Start > All Programs > Administrative Tools > Active Directory

Users and Computers.

b Right-click your domain and click Properties.

c On the Group Policy tab, click Open to open the Group Policy

Management plug-in.

d Right-click Default Domain Policy, and click Edit.

a Select Start > Administrative Tools > Group Policy Management.

b Expand your domain, right-click Default Domain Policy, and click

Edit.

VMware, Inc. 49

Page 50

View Administration

2 Expand the Computer Configuration section and open the policy for Windows Settings\Security

Settings\Public Key.

3 Right-click Intermediate Certification Authorities and select Import.

4 Follow the prompts in the wizard to import the intermediate certificate (for example,

intermediateCA.cer) and click OK.

5 Close the Group Policy window.

All of the systems in the domain now have a copy of the intermediate certificate in their intermediate certification authority store.

Verify Your Smart Card Authentication Configuration

After you set up smart card authentication for the first time, or when smart card authentication is not working correctly, you should verify your smart card authentication configuration.

Procedure

Verify that each client system has smart card middleware, a smart card with a valid certificate, and a

smart card reader. For end users, verify that they have Horizon Client.

See the documentation provided by your smart card vendor for information on configuring smart card software and hardware.

On each client system, select Start > Settings > Control Panel > Internet Options > Content >

Certificates > Personal to verify that certificates are available for smart card authentication.

When a user or administrator inserts a smart card into the smart card reader, Windows copies certificates from the smart card to the user's computer. Applications on the client system, including Horizon Client, can use these certificates.

In the locked.properties file on the View Connection Server or security server host, verify that the

useCertAuth property is set to true and is spelled correctly.

The locked.properties file is located in install_directory\VMware\VMware

View\Server\sslgateway\conf. The useCertAuth property is commonly misspelled as userCertAuth.

If you configured smart card authentication on a View Connection Server instance, check the smart card

authentication setting in View Administrator.

a Select View Configuration > Servers.

b On the Connection Servers tab, select the View Connection Server instance and click Edit.

c If you configured smart card authentication for users, on the Authentication tab, verify that Smart

card authentication for users is set to either Optional or Required.

d If you configured smart card authentication for administrators, on the Authentication tab, verify

that Smart card authentication for administrators is set to either Optional or Required.

You must restart the View Connection Server service for changes to smart card settings to take effect.

If the domain a smart card user resides in is different from the domain your root certificate was issued

from, verify that the user’s UPN is set to the SAN contained in the root certificate of the trusted CA.

a Find the SAN contained in the root certificate of the trusted CA by viewing the certificate

properties.

b On your Active Directory server, select Start > Administrative Tools > Active Directory Users and

Computers.

c Right-click the user in the Users folder and select Properties.

The UPN appears in the User logon name text boxes on the Account tab.

50 VMware, Inc.

Page 51

Chapter 3 Setting Up Smart Card Authentication

If smart card users select the PCoIP display protocol or the VMware Blast display protocol to connect to

single-session desktops, verify that the View Agent or Horizon Agent component called Smartcard Redirection is installed on the single-user machines. The smart card feature lets users log in to singlesession desktops with smart cards. RDS hosts, which have the Remote Desktop Services role installed, support the smart card feature automatically and you do not need to install the feature.

Check the log files in drive:\Documents and Settings\All Users\Application Data\VMware\VDM\logs

on the View Connection Server or security server host for messages stating that smart card authentication is enabled.

Using Smart Card Certificate Revocation Checking

You can prevent users who have revoked user certificates from authenticating with smart cards by configuring certificate revocation checking. Certificates are often revoked when a user leaves an organization, loses a smart card, or moves from one department to another.

View supports certificate revocation checking with certificate revocation lists (CRLs) and with the Online Certificate Status Protocol (OCSP). A CRL is a list of revoked certificates published by the CA that issued the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of an X.509 certificate.

You can configure certificate revocation checking on a View Connection Server instance or on a security server. When a View Connection Server instance is paired with a security server, you configure certificate revocation checking on the security server. The CA must be accessible from the View Connection Server or security server host.

You can configure both CRL and OCSP on the same View Connection Server instance or security server. When you configure both types of certificate revocation checking, View attempts to use OCSP first and falls back to CRL if OCSP fails. View does not fall back to OCSP if CRL fails.

Logging in with CRL Checking on page 52

When you configure CRL checking, View constructs and reads a CRL to determine the revocation status of a user certificate.

Logging in with OCSP Certificate Revocation Checking on page 52

When you configure OCSP certificate revocation checking, View sends a request to an OCSP Responder to determine the revocation status of a specific user certificate. View uses an OCSP signing certificate to verify that the responses it receives from the OCSP Responder are genuine.

Configure CRL Checking on page 52

When you configure CRL checking, View reads a CRL to determine the revocation status of a smart card user certificate.

Configure OCSP Certificate Revocation Checking on page 53

When you configure OCSP certificate revocation checking, View sends a verification request to an OCSP Responder to determine the revocation status of a smart card user certificate.

Smart Card Certificate Revocation Checking Properties on page 53

You set values in the locked.properties file to enable and configure smart card certificate revocation checking.

VMware, Inc. 51

Page 52

View Administration

Logging in with CRL Checking

When you configure CRL checking, View constructs and reads a CRL to determine the revocation status of a user certificate.

If a certificate is revoked and smart card authentication is optional, the Enter your user name and password dialog box appears and the user must provide a password to authenticate. If smart card authentication is required, the user receives an error message and is not allowed to authenticate. The same events occur if View cannot read the CRL.

Logging in with OCSP Certificate Revocation Checking

If the user certificate is revoked and smart card authentication is optional, the Enter your user name and password dialog box appears and the user must provide a password to authenticate. If smart card authentication is required, the user receives an error message and is not allowed to authenticate.

View falls back to CRL checking if it does not receive a response from the OCSP Responder or if the response is invalid.

Configure CRL Checking

When you configure CRL checking, View reads a CRL to determine the revocation status of a smart card user certificate.

Prerequisites

Familiarize yourself with the locked.properties file properties for CRL checking. See “Smart Card

Certificate Revocation Checking Properties,” on page 53.

Procedure

1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View

Connection Server or security server host.

For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties

2 Add the enableRevocationChecking and crlLocation properties to the locked.properties file.

a Set enableRevocationChecking to true to enable smart card certificate revocation checking.

b Set crlLocation to the location of the CRL. The value can be a URL or a file path.

3 Restart the View Connection Server service or security server service to make your changes take effect.

Example: locked.properties File

The file shown enables smart card authentication and smart card certificate revocation checking, configures CRL checking, and specifies a URL for the CRL location.

trustKeyfile=lonqa.key trustStoretype=jks useCertAuth=true enableRevocationChecking=true crlLocation=http://root.ocsp.net/certEnroll/ocsp-ROOT_CA.crl

52 VMware, Inc.

Page 53

Chapter 3 Setting Up Smart Card Authentication

Configure OCSP Certificate Revocation Checking

When you configure OCSP certificate revocation checking, View sends a verification request to an OCSP Responder to determine the revocation status of a smart card user certificate.

Prerequisites

Familiarize yourself with the locked.properties file properties for OCSP certificate revocation checking. See

“Smart Card Certificate Revocation Checking Properties,” on page 53.

Procedure

1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View

Connection Server or security server host.

For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties

2 Add the enableRevocationChecking, enableOCSP, ocspURL, and ocspSigningCert properties to the

locked.properties file.

a Set enableRevocationChecking to true to enable smart card certificate revocation checking.

b Set enableOCSP to true to enable OCSP certificate revocation checking.

c Set ocspURL to the URL of the OCSP Responder.

d Set ocspSigningCert to the location of the file that contains the OCSP Responder's signing

certificate.

3 Restart the View Connection Server service or security server service to make your changes take effect.

Example: locked.properties File

The file shown enables smart card authentication and smart card certificate revocation checking, configures both CRL and OCSP certificate revocation checking, specifies the OCSP Responder location, and identifies the file that contains the OCSP signing certificate.

trustKeyfile=lonqa.key trustStoretype=jks useCertAuth=true enableRevocationChecking=true enableOCSP=true allowCertCRLs=true ocspSigningCert=te-ca.signing.cer ocspURL=http://te-ca.lonqa.int/ocsp

Smart Card Certificate Revocation Checking Properties

You set values in the locked.properties file to enable and configure smart card certificate revocation checking.

Table 3-1 lists the locked.properties file properties for certificate revocation checking.

VMware, Inc. 53

Page 54

View Administration

Table 3‑1. Properties for Smart Card Certificate Revocation Checking

Property Description

enableRevocationChecking Set this property to true to enable certificate revocation

crlLocation

allowCertCRLs When this property is set to true, View extracts a list of

enableOCSP Set this property to true to enable OCSP certificate

ocspURL

ocspResponderCert

ocspSendNonce When this property is set to true, a nonce is sent with

ocspCRLFailover When this property is set to true, View uses CRL checking

checking. When this property is set to false, certificate revocation

checking is disabled and all other certificate revocation checking properties are ignored.

The default value is false.

Specifies the location of the CRL, which can be either a URL or a file path.

If you do not specify a URL, or if the specified URL is invalid, View uses the list of CRLs on the user certificate if allowCertCRLs is set to true or is not specified.

If View cannot access a CRL, CRL checking fails.

CRLs from the user certificate. The default value is true.

revocation checking. The default value is false.

Specifies the URL of an OCSP Responder.

Specifies the file that contains the OCSP Responder's signing certificate. View uses this certificate to verify that the OCSP Responder's responses are genuine.

OCSP requests to prevent repeated responses. The default value is false.

if OCSP certificate revocation checking fails. The default value is true.

54 VMware, Inc.

Page 55

Setting Up Other Types of User

Authentication 4

View uses your existing Active Directory infrastructure for user and administrator authentication and management. You can also integrate View with other forms of authentication besides smart cards, such as biometric authentication or two-factor authentication solutions, such as RSA SecurID and RADIUS, to authenticate remote desktop and application users.

This chapter includes the following topics:

“Using Two-Factor Authentication,” on page 55

“Using SAML Authentication,” on page 59

“Configure Biometric Authentication,” on page 63

Using Two-Factor Authentication

You can configure a View Connection Server instance so that users are required to use RSA SecurID authentication or RADIUS (Remote Authentication Dial-In User Service) authentication.

RADIUS support offers a wide range of alternative two-factor token-based authentication options.

View also provides an open standard extension interface to allow third-party solution providers to

integrate advanced authentication extensions into View.

Because two-factor authentication solutions such as RSA SecurID and RADIUS work with authentication managers, installed on separate servers, you must have those servers configured and accessible to the View Connection Server host. For example, if you use RSA SecurID, the authentication manager would be RSA Authentication Manager. If you have RADIUS, the authentication manager would be a RADIUS server.

To use two-factor authentication, each user must have a token, such as an RSA SecurID token, that is registered with its authentication manager. A two-factor authentication token is a piece of hardware or software that generates an authentication code at fixed intervals. Often authentication requires knowledge of both a PIN and an authentication code.

If you have multiple View Connection Server instances, you can configure two-factor authentication on some instances and a different user authentication method on others. For example, you can configure twofactor authentication only for users who access remote desktops and applications from outside the corporate network, over the Internet.

View is certified through the RSA SecurID Ready program and supports the full range of SecurID capabilities, including New PIN Mode, Next Token Code Mode, RSA Authentication Manager, and load balancing.

Logging in Using Two-Factor Authentication on page 56

When a user connects to a View Connection Server instance that has RSA SecurID authentication or RADIUS authentication enabled, a special login dialog box appears in Horizon Client.

VMware, Inc.

Page 56

View Administration

Enable Two-Factor Authentication in View Administrator on page 56

You enable a View Connection Server instance for RSA SecurID authentication or RADIUS authentication by modifying View Connection Server settings in View Administrator.

Troubleshooting RSA SecurID Access Denial on page 58

Access is denied when Horizon Client connects with RSA SecurID authentication.

Troubleshooting RADIUS Access Denial on page 58

Access is denied when Horizon Client connects with RADIUS two-factor authentication.

Logging in Using Two-Factor Authentication

When a user connects to a View Connection Server instance that has RSA SecurID authentication or RADIUS authentication enabled, a special login dialog box appears in Horizon Client.

Users enter their RSA SecurID or RADIUS authentication user name and passcode in the a special login dialog box. A two-factor authentication passcode typically consists of a PIN followed by a token code.

If RSA Authentication Manager requires users to enter a new RSA SecurID PIN after entering their RSA

SecurID username and passcode, a PIN dialog box appears. After setting a new PIN, users are prompted to wait for the next token code before logging in. If RSA Authentication Manager is configured to use system-generated PINs, a dialog box appears to confirm the PIN.

When logging in to View, RADIUS authentication works much like RSA SecurID. If the RADIUS server

issues an access challenge, Horizon Client displays a dialog box similar to the RSA SecurID prompt for the next token code. Currently support for RADIUS challenges is limited to prompting for text input. Any challenge text sent from the RADIUS server is not displayed. More complex forms of challenge, such as multiple choice and image selection, are currently not supported.

After a user enters credentials in Horizon Client, the RADIUS server can send an SMS text message or email, or text using some other out-of-band mechanism, to the user's cell phone with a code. The user can enter this text and code into Horizon Client to complete the authentication.

Because some RADIUS vendors provide the ability to import users from Active Directory, end users

might first be prompted to supply Active Directory credentials before being prompted for a RADIUS authentication user name and passcode.

Enable Two-Factor Authentication in View Administrator

You enable a View Connection Server instance for RSA SecurID authentication or RADIUS authentication by modifying View Connection Server settings in View Administrator.

Prerequisites

Install and configure the two-factor authentication software, such as the RSA SecurID software or the RADIUS software, on an authentication manager server.

For RSA SecurID authentication, export the sdconf.rec file for the View Connection Server instance

from RSA Authentication Manager. See the RSA Authentication Manager documentation.

For RADIUS authentication, follow the vendor's configuration documentation. Make a note of the

RADIUS server's host name or IP address, the port number on which it is listening for RADIUS authentication (usually 1812), the authentication type (PAP, CHAP, MS-CHAPv1, or MS-CHAPv2) and the shared secret. You will enter these values in View Administrator. You can enter values for a primary and a secondary RADIUS authenticator.

Procedure

1 In View Administrator, select View Configuration > Servers.

2 On the Connection Servers tab, select the server and click Edit.

56 VMware, Inc.

Page 57

Chapter 4 Setting Up Other Types of User Authentication

3 On the Authentication tab, from the 2-factor authentication drop-down list in the Advanced

Authentication section, select RSA SecureID or RADIUS.

4 To force RSA SecurID or RADIUS user names to match user names in Active Directory, select Enforce

SecurID and Windows user name matching or Enforce 2-factor and Windows user name matching.

If you select this option, users must use the same RSA SecurID or RADIUS user name for Active Directory authentication. If you do not select this option, the names can be different.

5 For RSA SecurID, click Upload File, type the location of the sdconf.rec file, or click Browse to search

for the file.

6 For RADIUS authentication, complete the rest of the fields:

a Select Use the same username and password for RADIUS and Windows authentication if the

initial RADIUS authentication uses Windows authentication that triggers an out-of-band transmission of a token code, and this token code is used as part of a RADIUS challenge.

If you select this check box, users will not be prompted for Windows credentials after RADIUS authentication if the RADIUS authentication uses the Windows username and password. Users do not have to reenter the Windows username and password after RADIUS authentication.

b From the Authenticator drop-down list, select Create New Authenticator and complete the page.

Set Accounting port to 0 unless you want to enable RADIUS accounting. Set this port to a non-

zero number only if your RADIUS server supports collecting accounting data. If the RADIUS server does not support accounting messages and you set this port to a nonzero number, the messages will be sent and ignored and retried a number of times, resulting in a delay in authentication.

Accounting data can be used in order to bill users based on usage time and data. Accounting data can also be used for statistical purposes and for general network monitoring.

If you specify a realm prefix string, the string is placed at the beginning of the username when

it is sent to the RADIUS server. For example, if the username entered in Horizon Client is jdoe and the realm prefix DOMAIN-A\ is specified, the username DOMAIN-A\jdoe is sent to the RADIUS server. Similarly if you use the realm suffix, or postfix, string @mycorp.com, the username

jdoe@mycorp.com is sent to the RADIUS server.

7 Click OK to save your changes.

You do not need to restart the View Connection Server service. The necessary configuration files are distributed automatically and the configuration settings take effect immediately.

When users open Horizon Client and authenticate to View Connection Server, they are prompted for twofactor authentication. For RADIUS authentication, the login dialog box displays text prompts that contain the token label you specified.

Changes to RADIUS authentication settings affect remote desktop and application sessions that are started after the configuration is changed. Current sessions are not affected by changes to RADIUS authentication settings.

What to do next

If you have a replicated group of View Connection Server instances and you want to also set up RADIUS authentication on them, you can re-use an existing RADIUS authenticator configuration.

VMware, Inc. 57

Page 58

View Administration

Troubleshooting RSA SecurID Access Denial

Access is denied when Horizon Client connects with RSA SecurID authentication.

Problem

A Horizon Client connection with RSA SecurID displays Access Denied and the RSA Authentication Manager Log Monitor displays the error Node Verification Failed.

Cause

The RSA Agent host node secret needs to be reset.

Solution

1 In View Administrator, select View Configuration > Servers.

2 On the Connection Servers tab, select the View Connection Server and click Edit.

3 On the Authentication tab, select Clear node secret.

4 Click OK to clear the node secret.

5 On the computer that is running RSA Authentication Manager, select Start > Programs > RSA Security

> RSA Authentication Manager Host Mode.

6 Select Agent Host > Edit Agent Host.

7 Select View Connection Server from the list and deselect the Node Secret Created check box.

Node Secret Created is selected by default each time you edit it.

8 Click OK.

Troubleshooting RADIUS Access Denial

Access is denied when Horizon Client connects with RADIUS two-factor authentication.

Problem

A Horizon Client connection using RADIUS two-factor authentication displays Access Denied.

Cause

RADIUS does not receive a reply from the RADIUS server, causing View to time out.

Solution

The following common configuration mistakes most often lead to this situation:

The RADIUS server has not been configured to accept the View Connection Server instance as a

RADIUS client. Each View Connection Server instance using RADIUS must be set up as a client on the RADIUS server. See the documentation for your RADIUS two-factor authentication product.

The shared secret values on the View Connection Server instance and the RADIUS server do not match.

58 VMware, Inc.

Page 59

Chapter 4 Setting Up Other Types of User Authentication

Using SAML Authentication

The Security Assertion Markup Language (SAML) is an XML-based standard that is used to describe and exchange authentication and authorization information between different security domains. SAML passes information about users between identity providers and service providers in XML documents called SAML assertions.

You can use SAML authentication to integrate View with VMware Workspace Portal, VMware Identity Manager, or a third-party load balancer or gateway. When SSO is enabled, users who log in to VMware Identity Manager or a third-party device can launch remote desktops and applications without having to go through a second login procedure. You can also use SAML authentication to implement smart card authentication on VMware Access Point, or on third-party devices.

To delegate responsibility for authentication to Workspace Portal, VMware Identity Manager, or a thirdparty device, you must create a SAML authenticator in View. A SAML authenticator contains the trust and metadata exchange between View and Workspace Portal, VMware Identity Manager, or the third-party device. You associate a SAML authenticator with a View Connection Server instance.

Using SAML Authentication for VMware Identity Manager Integration

Integration between View and VMware Identity Manager (formerly called Workspace Portal) uses the SAML 2.0 standard to establish mutual trust, which is essential for single sign-on (SSO) functionality. When SSO is enabled, users who log in to VMware Identity Manager or Workspace Portal with Active Directory credentials can launch remote desktops and applications without having to go through a second login procedure.

When VMware Identity Manager and View are integrated, VMware Identity Manager generates a unique SAML artifact whenever a user logs in to VMware Identity Manager and clicks a desktop or application icon. VMware Identity Manager uses this SAML artifact to create a Universal Resource Identifier (URI). The URI contains information about the View Connection Server instance where the desktop or application pool resides, which desktop or application to launch, and the SAML artifact.

VMware Identity Manager sends the SAML artifact to the Horizon client, which in turn sends the artifact to the View Connection Server instance. The View Connection Server instance uses the SAML artifact to retrieve the SAML assertion from VMware Identity Manager.

After a View Connection Server instance receives a SAML assertion, it validates the assertion, decrypts the user's password, and uses the decrypted password to launch the desktop or application.

Setting up VMware Identity Manager and View integration involves configuring VMware Identity Manager with View information and configuring View to delegate responsibility for authentication to VMware Identity Manager.

To delegate responsibility for authentication to VMware Identity Manager, you must create a SAML authenticator in View. A SAML authenticator contains the trust and metadata exchange between View and VMware Identity Manager. You associate a SAML authenticator with a View Connection Server instance.

NOTE If you intend to provide access to your desktops and applications through VMware Identity Manager, verify that you create the desktop and application pools as a user who has the Administrators role on the root access group in View Administrator. If you give the user the Administrators role on an access group other than the root access group, VMware Identity Manager will not recognize the SAML authenticator you configure in View, and you cannot configure the pool in VMware Identity Manager.

VMware, Inc. 59

Page 60

View Administration

Configure a SAML Authenticator in View Administrator

To launch remote desktops and applications from VMware Identity Manager or to connect to remote desktops and applications through a third-party load balancer or gateway, you must create a SAML authenticator in View Administrator. A SAML authenticator contains the trust and metadata exchange between View and the device to which clients connect.

You associate a SAML authenticator with a View Connection Server instance. If your deployment includes more than one View Connection Server instance, you must associate the SAML authenticator with each instance.

You can allow one static authenticator and multiple dynamic authenticators to go live at a time. You can configure vIDM (Dynamic) and Access Point (Static) authenticators and retain them in active state. You can make connections through either of these authenticators.

You can configure more than one SAML authenticator to a View Connection Server and all the authenticators can be active simultaneously. However, the entity-ID of each of these SAML authenticators configured on the View Connection Server must be different.

The status of the SAML authenticator in dashboard is always green as it is predefined metadata that is static in nature. The red and green toggling is only applicable for dynamic authenticators.

For information about configuring a SAML authenticator for VMware Access Point appliances, see Deploying and Configuring Access Point.

Prerequisites

Verify that Workspace Portal, VMware Identity Manager, or a third-party gateway or load balancer is

installed and configured. See the installation documentation for that product.

Verify that the root certificate for the signing CA for the SAML server certificate is installed on the

connection server host. VMware does not recommend that you configure SAML authenticators to use self-signed certificates. For information about certificate authentication, see the View Installation document.

Make a note of the FQDN or IP address of the Workspace Portal server, VMware Identity Manager

server, or external-facing load balancer.

(Optional) If you are using Workspace Portal or VMware Identity Manager, make a note of the URL of

the connector Web interface.

If you are creating an authenticator for Access Point or a third-party appliance that requires you to

generate SAML metadata and create a static authenticator, perform the procedure on the device to generate the SAML metadata, and then copy the metadata.

Procedure

1 In View Administrator, select Configuration > Servers.

2 On the Connection Servers tab, select a server instance to associate with the SAML authenticator and

click Edit.

60 VMware, Inc.

Page 61

Chapter 4 Setting Up Other Types of User Authentication

3 On the Authentication tab, select a setting from the Delegation of authentication to VMware Horizon

(SAML 2.0 Authenticator) drop-down menu to enable or disable the SAML authenticator.

Option Description

Disabled

Allowed

Required

SAML authentication is disabled. You can launch remote desktops and applications only from Horizon Client.

SAML authentication is enabled. You can launch remote desktops and applications from both Horizon Client and VMware Identity Manager or the third-party device.

SAML authentication is enabled. You can launch remote desktops and applications only from VMware Identity Manager or the third-party device. You cannot launch desktops or applications from Horizon Client manually.

You can configure each View Connection Server instance in your deployment to have different SAML authentication settings, depending on your requirements.

4 Click Manage SAML Authenticators and click Add.

5 Configure the SAML authenticator in the Add SAML 2.0 Authenticator dialog box.

Option Description

Type

Label

Description

Metadata URL

Administration URL

SAML metadata

Enabled for Connection Server

For Access Point or a third-party device, select Static. For VMware Identity Manager select Dynamic. For dynamic authenticators, you can specify a metadata URL and an administration URL. For static authenticators, you must first generate the metadata on the Access Point or a third-party device, copy the metadata, and then paste it into the SAML metadata text box.

Unique name that identifies the SAML authenticator.

Brief description of the SAML authenticator. This value is optional.

(For dynamic authenticators) URL for retrieving all of the information required to exchange SAML information between the SAML identity provider and the View Connection Server instance. In the URL

https://<YOUR HORIZON SERVER NAME>/SAAS/API/1.0/GET/metadata/idp.xml, click <YOUR

HORIZON SERVER NAME> and replace it with the FQDN or IP address of the VMware Identity Manager server or external-facing load balancer (third-party device).

(For dynamic authenticators) URL for accessing the administration console of the SAML identity provider. For VMware Identity Manager, this URL should point to the VMware Identity Manager Connector Web interface. This value is optional.

(For static authenticators) Metadata text that you generated and copied from the Access Point or a third-party device.

Select this check box to enable the authenticator. You can enable multiple authenticators. Only enabled authenticators are displayed in the list.

6 Click OK to save the SAML authenticator configuration.

If you provided valid information, you must either accept the self-signed certificate (not recommended) or use a trusted certificate for View and VMware Identity Manager or the third-party device.

The Manage SAML Authenticators dialog box displays the newly created authenticator.

VMware, Inc. 61

Page 62

View Administration

7 In the System Health section on the View Administrator dashboard, select Other components > SAML

2.0 Authenticators, select the SAML authenticator that you added, and verify the details.

If the configuration is successful, the authenticator's health is green. An authenticator's health can display red if the certificate is untrusted, if VMware Identity Manager is unavailable, or if the metadata URL is invalid. If the certificate is untrusted, you might be able to click Verify to validate and accept the certificate.

What to do next

Extend the expiration period of the View Connection Server metadata so that remote sessions are not terminated after only 24 hours. See “Change the Expiration Period for Service Provider Metadata on View

Connection Server,” on page 62.

Change the Expiration Period for Service Provider Metadata on View Connection Server

If you do not change the expiration period, View Connection Server will stop accepting SAML assertions from the SAML authenticator, such as Access Point or a third-party identity provider, after 24 hours, and the metadata exchange must be repeated.

Use this procedure to specify the number of days that can elapse before View Connection Server stops accepting SAML assertions from the identity provider. This number is used when the current expiration period ends. For example, if the current expiration period is 1 day and you specify 90 days, after 1 day elapses, View Connection Server generates metadata with an expiration period of 90 days.

Prerequisites

See the Microsoft TechNet Web site for information on how to use the ADSI Edit utility on your Windows operating system version.

Procedure

1 Start the ADSI Edit utility on your View Connection Server host.

2 In the console tree, select Connect to.

3 In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name

DC=vdi, DC=vmware, DC=int.

4 In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the

View Connection Server host followed by port 389.

For example: localhost:389 or mycomputer.example.com:389

5 Expand the ADSI Edit tree, expand OU=Properties, select OU=Global, and double-click OU=Common

in the right pane.

6 In the Properties dialog box, edit the pae-NameValuePair attribute to add the following values

cs-samlencryptionkeyvaliditydays=number-of-days cs-samlsigningkeyvaliditydays=number-of-days

In this example, number-of-days is the number of days that can elapse before a remote View Connection Server stops accepting SAML assertions. After this period of time, the process of exchanging SAML metadata must be repeated.

62 VMware, Inc.

Page 63

Chapter 4 Setting Up Other Types of User Authentication

Generate SAML Metadata So That View Connection Server Can Be Used as a Service Provider

After you create and enable a SAML authenticator for the identity provider you want to use, you might need to generate View Connection Server metadata. You use this metadata to create a service provider on the Access Point appliance or a third-party load balancer that is the identity provider.

Prerequisites

Verify that you have created a SAML authenticator for the identity provider: Access Point or a third-party load balancer or gateway. In the System Health section on the View Administrator dashboard, you can select Other components > SAML 2.0 Authenticators, select the SAML authenticator that you added, and verify the details.

Procedure

1 Open a new browser tab and enter the URL for getting the View Connection Server SAML metadata.

https://connection-server.example.com/SAML/metadata/sp.xml

In this example, connection-server.example.com is the fully qualified domain name of the View Connection Server host.

This page displays the SAML metadata from View Connection Server.

2 Use a Save As command to save the Web page to an XML file.

For example, you could save the page to a file named connection-server-metadata.xml. The contents of this file begin with the following text:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ...

What to do next

Use the appropriate procedure on the identity provider to copy in the View Connection Server SAML metadata. Refer to the documentation for Access Point or a third-party load balancer or gateway.

Response Time Considerations for Multiple Dynamic SAML Authenticators

If you configure SAML 2.0 Authentication as optional or required on a View Connection Server instance and you associate multiple dynamic SAML authenticators with the View Connection Server instance, if any of the dynamic SAML authenticators become unreachable, the response time to launch remote desktops from the other dynamic SAML authenticators increases.

You can decrease the response time for remote desktop launch on the other dynamic SAML authenticators by using View Administrator to disable the unreachable dynamic SAML authenticators. For information about disabling a SAML authenticator, see “Configure a SAML Authenticator in View Administrator,” on page 60.

Configure Biometric Authentication

You can configure biometric authentication by editing the pae-ClientConfig attribute in the LDAP database.

Prerequisites

See the Microsoft TechNet Web site for information on how to use the ADSI Edit utility on your Windows server.

Procedure

1 Start the ADSI Edit utility on the View Connection Server host.

VMware, Inc. 63

Page 64

View Administration

2 In the Connection Settings dialog box, select or connect to DC=vdi,DC=vmware,DC=int.

3 In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the

4 On the object CN=Common, OU=Global, OU=Properties, edit the pae-ClientConfig attribute and add

The new setting takes effect immediately. You do not need to restart the View Connection Server service or the client device.

View Connection Server host followed by port 389.

For example: localhost:389 or mycomputer.mydomain.com:389

the value BioMetricsTimeout=<integer>.

The following BioMetricsTimeout values are valid:

BioMetricsTimeout Value Description

-1

Any positive integer

Biometric authentication is not supported. This is the default.

Biometric authentication is supported without any time limit.

Biometric authentication is supported and can be used for the specified number of minutes.

64 VMware, Inc.

Page 65

Authenticating Users Without

Requiring Credentials 5

After users log in to a client device or to VMware Identity Manager, they can connect to a remote application or desktop without being prompted for Active Directory credentials.

For Windows clients, administrators can configure the setup so that users do not need to supply additional credentials to log in to a Horizon server after they log in to a Windows client with Active Directory (AD) credentials.

For mobile clients, administrators can configure the Horizon server to save credentials. With this feature, users do not need to remember AD credentials for SSO (single sign-on) after supplying them once to a mobile client.

For VMware Identity Manager, administrators can configure True SSO so that users who authenticate using some method other than AD credentials can then also log in to a remote desktop or application without being prompted for AD credentials.

This chapter includes the following topics:

“Using the Log In as Current User Feature Available with Windows-Based Horizon Client,” on

page 65

“Allow Mobile Client Users to Save Credentials,” on page 66

“Setting Up True SSO,” on page 67

Using the Log In as Current User Feature Available with WindowsBased Horizon Client

With Horizon Client for Windows, when users select the Log in as current user check box, the credentials that they provided when logging in to the client system are used to authenticate to the View Connection Server instance and to the remote desktop. No further user authentication is required.

To support this feature, user credentials are stored on both the View Connection Server instance and on the client system.

On the View Connection Server instance, user credentials are encrypted and stored in the user session

along with the username, domain, and optional UPN. The credentials are added when authentication occurs and are purged when the session object is destroyed. The session object is destroyed when the user logs out, the session times out, or authentication fails. The session object resides in volatile memory and is not stored in View LDAP or in a disk file.

On the client system, user credentials are encrypted and stored in a table in the Authentication Package,

which is a component of Horizon Client. The credentials are added to the table when the user logs in and are removed from the table when the user logs out. The table resides in volatile memory.

VMware, Inc.

Page 66

View Administration

Administrators can use Horizon Client group policy settings to control the availability of the Log in as current user check box and to specify its default value. Administrators can also use group policy to specify

which View Connection Server instances accept the user identity and credential information that is passed when users select the Log in as current user check box in Horizon Client.

The Log in as current user feature has the following limitations and requirements:

When smart card authentication is set to Required on a View Connection Server instance, authentication fails for users who select the Log in as current user check box when they connect to the View Connection Server instance. These users must reauthenticate with their smart card and PIN when they log in to View Connection Server.

The time on the system where the client logs in and the time on the View Connection Server host must be synchronized.

If the default Access this computer from the network user-right assignments are modified on the client system, they must be modified as described in VMware Knowledge Base (KB) article 1025691.

The client machine must be able to communicate with the corporate Active Directory server and not use cached credentials for authentication. For example, if users log in to their client machines from outside the corporate network, cached credentials are used for authentication. If the user then attempts to connect to a security server or a View Connection Server instance without first establishing a VPN connection, the user is prompted for credentials, and the Log in as Current User feature does not work.

Allow Mobile Client Users to Save Credentials

Administrators can configure View Connection Server to allow Horizon Client mobile devices to remember a user's user name, password, and domain information. If users choose to have their credentials saved, the credentials are added to the login fields in Horizon Client on subsequent connections.

On Windows-based Horizon clients, the feature for logging in as the current user avoids requiring users to supply credentials multiple times. With Horizon Client for mobile devices, such as Android and iPad, you can configure a feature that allows a Save Password check box to appear on the login dialog boxes.

You configure a timeout limit that indicates how long to save credential information by setting a value in View LDAP. The timeout limit is set in minutes. When you change View LDAP on a View Connection Server instance, the change is propagated to all replicated View Connection Server instances.

Prerequisites

See the Microsoft TechNet Web site for information on how to use the ADSI Edit utility on your Windows operating system version.

Procedure

1 Start the ADSI Edit utility on your View Connection Server host.

2 In the Connection Settings dialog box, select or connect to DC=vdi,DC=vmware,DC=int.

3 In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the

View Connection Server host followed by port 389.

For example: localhost:389 or mycomputer.mydomain.com:389

4 On the object CN=Common, OU=Global, OU=Properties, edit the pae-ClientConfig attribute and add

the value clientCredentialCacheTimeout=<integer>.

When clientCredentialCacheTimeout is not set or is set to 0, the feature is disabled. To enable this feature, you can set the number of minutes to retain the credential information, or set a value of -1, meaning that there is no timeout.

NOTE The parameter name clientCredentialCacheTimeout is case-sensitive.

66 VMware, Inc.

Page 67

On View Connection Server, the new setting takes effect immediately. You do not need to restart the View Connection Server service or the client computer.

Setting Up True SSO

With the True SSO (single sign-on) feature, after users log in to VMware Identity Manager using a smart card or RSA SecurID or RADIUS authentication, users are not required to also enter Active Directory credentials in order to use a remote desktop or application.

If a user authenticates by using Active Directory credentials, the True SSO feature is not necessary, but you can configure True SSO to be used even in this case, so that the AD credentials that the user provides are ignored and True SSO is used.

When connecting to a virtual desktop or remote application, users can select to use either the native Horizon Client or HTML Access.

This feature has the following limitations:

This feature does not work for virtual desktops that are provided by using the View Agent Direct

Connection plug-in.

This feature is supported only in IPv4 environments.

Following is a list tasks you must perform to set up your environment for True SSO:

Chapter 5 Authenticating Users Without Requiring Credentials

1 “Determining an Architecture for True SSO,” on page 67

2 “Set Up an Enterprise Certificate Authority,” on page 70

3 “Create Certificate Templates Used with True SSO,” on page 71

4 “Install and Set Up an Enrollment Server,” on page 73

5 “Export the Enrollment Service Client Certificate,” on page 74

6 “Configure SAML Authentication to Work with True SSO,” on page 76

7 “Configure View Connection Server for True SSO,” on page 78

Determining an Architecture for True SSO

To use True SSO, you must have or add a certificate authority and create an enrollment server. These two servers communicate to create the short-lived Horizon virtual certificate that enables a password-free Windows logon. You can use True SSO in a single domain, in a single-forest with multiple domains, and in a multiple-forest, multiple-domain setup.

VMware recommends to have two CAs and two ESs deployed to use True SSO. The following examples illustrate True SSO in different architectures.

The following figure illustrates a simple True SSO architecture.

VMware, Inc. 67

Page 68

Certificate Authority

Very Simple True SSO Architecture

Enrollment Server

Connection Server

VMware Identity

Manager Appliance

Client

SAML Trust

Typical HA True SSO Architecture (Single Domain)

VMware Identity

Manager Appliance

Client

SAML Trust

CAs

Enrollment Servers

Connection Servers

Optionally; co-host Enrollment Server on CA

View Administration

The following figure illustrates True SSO in a single domain architecture.

The following figure illustrates True SSO in a single-forest with multiple domains architecture.

68 VMware, Inc.

Page 69

True SSO Single Forest Multiple Domain Architecture (non HA)

Client

VMware

Identity

Manager

Appliance

Enrollment Server

Connection Server

Domain #1 (Root Domain)Domain #2

Forest

ADAD

True SSO Multi-Forest Architecture (non HA)

Enrollment Server

Client

VMware

Identity

Manager

Appliance

Enrollment Server

Connection Server

Domain #1 (Root Domain)Domain #2

Forest #2 Forest #1

2-way, Forest Level,

Transitive Trust

ADAD

Chapter 5 Authenticating Users Without Requiring Credentials

The following figure illustrates True SSO in a multiple-forest architecture.

VMware, Inc. 69

Page 70

View Administration

Set Up an Enterprise Certificate Authority

If you do not already have a certificate authority set up, you must add the Active Directory Certificate Services (AD CS) role to a Windows server and configure the server to be an enterprise CA.

If you do already have an enterprise CA set up, verify that you are using the settings described in this procedure.

You must have at least one enterprise CA, and VMware recommends that you have two for purposes of failover and load balancing. The enrollment server you will create for True SSO communicates with the enterprise CA. If you configure the enrollment server to use multiple enterprise CAs, the enrollment server will alternate between the CAs available. If you install the enrollment server on the same machine that hosts the enterprise CA, you can configure the enrollment server to prefer using the local CA. This configuration is recommended for best performance.

Part of this procedure involves enabling non-persistent certificate processing. By default, certificate processing includes storing a record of each certificate request and issued certificate in the CA database. A sustained high volume of requests increases the CA database growth rate and could consume all available disk space if not monitored. Enabling non-persistent certificate processing and can help reduce the CA database growth rate and frequency of database management tasks.

Prerequisites

Create a Windows Server 2008 R2 or Windows Server 2012 R2 virtual machine.

Verify that the virtual machine is part of the Active Directory domain for the Horizon 7 deployment.

Verify that you are using an IPv4 environment. This feature is currently not supported in an IPv6

environment.

Verify that the system has a static IP address.

Procedure

1 Log in to the virtual machine operating system as an administrator and start Server Manager.

2 Select the settings for adding roles.

Operating System Selections

Windows Server 2012 R2

Windows Server 2008 R2

a Select Add roles and features.

b On the Select Installation Type page, select Role-based or feature-

based installation.

c On the Select Destination Server page, select a server.

a Select Roles in the navigation tree.

b Click Add Roles to start the Add Role wizard.

3 On the Select Server Roles page, select Active Directory Certificate Services.

4 In the Add Roles and Features wizard, click Add Features, and leave the Include management tools

check box selected.

5 On the Select Features page, accept the defaults.

6 On the Select Role Services page, select Certification Authority.

7 Follow the prompts and finish the installation.

8 When installation is complete, on the Installation Progress page, click the Configure Active Directory

Certificate Services on destination server link to open the AD CS Configuration wizard.

70 VMware, Inc.

Page 71

Chapter 5 Authenticating Users Without Requiring Credentials

9 On the Credentials page, click Next and complete the AD CS Configuration wizard pages as described

in the following table.

Option Action

Role Services

Setup Type

CA Type

Private Key

Cryptography for CA

CA Name

Validity Period

Certificate Database

Select Certification Authority, and click Next (rather than Configure).

Select Enterprise CA.

Select Root CA or Subordinate CA. Some enterprises prefer two-tier PKI deployment. For more information, see

http://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-stepby-step-guide-two-tier-pki-hierarchy-deployment.aspx.

Select Create a new private key.

For hash algorithm, you can select SHA1, SHA256, SHA384, or SHA512. For key length, you can select 1024, 2048, 3072, or 4096.

VMware recommends a minimum of SHA256 and a 2048 key.

Accept the default or change the name.

Accept the default of 5 years.

Accept the defaults.

10 On the Confirmation page, click Configure, and when the wizard reports a successful configuration,

close the wizard.

11 Open a command prompt and enter the following command to configure the CA for non-persistent

certificate processing:

certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS

12 Enter the following command to ignore offline CRL (certificate revocation list) errors on the CA:

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

This flag is required because the root certificate that True SSO uses will usually be offline, and thus revocation checking will fail, which is expected.

13 Enter the following commands to restart the service:

sc stop certsvc sc start certsvc

What to do next

Create a certificate template. See “Create Certificate Templates Used with True SSO,” on page 71.

Create Certificate Templates Used with True SSO

You must create a certificate template that can be used for issuing short-lived certificates, and you must specify which computers in the domain can request this type of certificate.

You can create more than one certificate template, but you can configure only one template to be used at any one time.

Prerequisites

Verify that you have an enterprise CA to use for creating the template described in this procedure. See

“Set Up an Enterprise Certificate Authority,” on page 70.

Create a security group in the domain and forest for the enrollment servers, and add the computer

accounts of the enrollment servers to that group.

VMware, Inc. 71

Page 72

View Administration

Procedure

1 On the machine that you are using for the certificate authority, log in to the operating system as an

2 Expand the tree in the left pane, right-click Certificate Templates and select Manage.

3 Right-click the Smartcard Logon template and select Duplicate.

4 Make the following changes on the following tabs:

5 Click OK in the Properties of New Template dialog box.

administrator and go to Administrative Tools > Certification Authority.

Tab Action

For Certificate Authority, select Windows Server 2008 R2.

Compatibility tab

General tab

For Certificate Recipient, select Windows 7/Windows Server 2008 R2.

Change the template display name to True SSO.

Change the validity period to a period that is as long as a typical

working day; that is, as long as he user is likely to remain logged into the system.

So that the user does not lose access to network resources while logged on, the validity period must be longer than the Kerberos TGT renewal time in the users domain.

(The default maximum lifetime of the ticket is 10 hours. To find the default domain policy, you can go to Computer Configuration >

Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy:Maximum lifetime for user ticket.)

Change the renewal period to 1 day.

For Purpose, select Signature and smartcard logon.

Request Handling tab

Cryptography tab

Server tab

Select Allow private key to be exported.

Select, For automatic renewal of smart cards, …

For Provider Category, select Key Storage Provider.

For Algorithm name, select RSA.

Select Do not store certificates and requests in the CA database.

IMPORTANT Make sure to deselect Do not include revocation information in issued certificates. (This box gets selected when you select the first one,

and you have to deselect (clear) it.)

Issuance Requirements tab

Select This number of authorized signatures, and type 1 in the box.

For Policy type, select Application Policy and set the policy to

Certificate Request Agent.

For, Require the following for reenrollment, select Valid existing

certificate.

Security tab

For the security group that you created for the enrollment server computer accounts, as described in the prerequisites, provide the following permissions: Read, Enroll

a Click Add.

b Specify which computers to allow to enroll for certificates.

c For these computers select the appropriate check boxes to give the

computers the following permissions: Read, Enroll.

6 Close the Certificate Templates Console window.

7 Right-click Certificate Templates and select New > Certificate Template to Issue.

NOTE This step is required for all certificate authorities that issue certificates based on this template.

8 In the Enable Certificate Templates window, select the template you just created (for example, True

SSO Template) and click OK.

72 VMware, Inc.

Page 73

Chapter 5 Authenticating Users Without Requiring Credentials

9 In the Enable Certificate Templates window, select Enrollment Agent Computer and click OK.

What to do next

Create an enrollment service. See “Install and Set Up an Enrollment Server,” on page 73.

Install and Set Up an Enrollment Server

You run the Connection Server installer and select the Horizon 7 Enrollment Server option to install an enrollment server. The enrollment server requests short-lived certificates on behalf of the users you specify. These short-term certificates are the mechanism True SSO uses for authentication to avoid prompting users for Active Directory credentials.

You must install and set up at least one enrollment server, and the enrollment server cannot be installed on the same host as View Connection Server. VMware recommends that you have two enrollment servers for purposes of failover and load balancing. If you have two enrollment servers, by default one is preferred and the other is used for failover. You can change this default, however, so that the connection server alternates sending certificate requests to both enrollment servers.

If you install the enrollment server on the same machine that hosts the enterprise CA, you can configure the enrollment server to prefer using the local CA. For best performance, VMware recommends combining the configuration to prefer using the local CA with the configuration to load balance the enrollment servers. As a result, when certificate requests arrive, the connection server will use alternate enrollment servers, and each enrollment server will service the requests using the local CA. For information about the configuration settings to use, see “Enrollment Server Configuration Settings,” on page 84 and “Connection Server

Configuration Settings,” on page 85.

Prerequisites

Create a Windows Server 2008 R2 or Windows Server 2012 R2 virtual machine with at least 4GB of

memory, or use the virtual machine that hosts the enterprise CA. Do not use a machine that is a domain controller.

Verify that no other View component, including View Connection Server, View Composer, security

server, Horizon Client, or View Agent or Horizon Agent is installed on the virtual machine.

Verify that the virtual machine is part of the Active Directory domain for the Horizon 7 deployment.

Verify that you are using an IPv4 environment. This feature is currently not supported in an IPv6

environment

VMware recommends that the system must have a static IP address.

Verify that you can log in to the operating system as a domain user with Administrator privileges. You

must log in as an administrator to run the installer.

Procedure

1 On the machine that you plan to use for the enrollment server, add the Certificate snap-in to MMC:

a Open the MMC console and select File > Add/Remove Snap-in

b Under Available snap-ins, select Certificates and click Add.

c In the Certificates snap-in window, select Computer account, click Next, and click Finish.

d In the Add or Remove Snap-in window, click OK.

VMware, Inc. 73

Page 74

View Administration

2 Issue an enrollment agent certificate:

3 Install the enrollment server:

a In the Certificates console, expand the console root tree, right-click the Personal folder, and select

All Tasks > Request New Certificate.

b In the Certificate Enrollment wizard, accept the defaults until you get to the Request Certificates

page.

c On the Request Certificates page, select the Enrollment Agent (Computer) check box and click

Enroll.

d Accept the defaults on the other wizard pages, and click Finish on the last page.

In the MMC console, if you expand the Personal folder and select Certificates in the left pane, you will see a new certificate listed in the right pane.

a Download the View Connection Server installer file from the VMware download site at

https://my.vmware.com/web/vmware/downloads.

Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes View Connection Server.

The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.

b Double-click the installer file to start the wizard, and follow the prompts until you get to the

Installation Options page.

c On the Installation Options page, select Horizon 7 Enrollment Server and click Next.

d Follow the prompts to finish the installation.

You must enable the incoming connections on Port 32111 (TCP) for enrollment server to be functional. The installer opens the port by default during installation.

What to do next

If you installed the enrollment server on the same machine that hosts an enterprise CA, configure the

enrollment server to prefer using the local CA. See “Enrollment Server Configuration Settings,” on page 84.

If you install and set up more than one enrollment server, configure connection servers to enable load

balancing between the enrollment servers. See “Connection Server Configuration Settings,” on page 85.

Pair connection servers with enrollment servers. See “Export the Enrollment Service Client Certificate,”

on page 74.

Export the Enrollment Service Client Certificate

To accomplish pairing, you can use the MMC Certificates snap-in to export automatically generated, selfsigned Enrollment Service Client certificate from one connection server in the cluster. This certificate is called a client certificate because the connection server is a client of the Enrollment Service provided by the enrollment server.

Enrollment Service must trust the VMware Horizon View Connection Server when it prompts the Enrollment Servers to issue the short lived certificates for Active Directory users. Hence, the VMware Horizon View Connection Server clusters or pods must be paired with Enrollment Servers.

74 VMware, Inc.

Page 75

Chapter 5 Authenticating Users Without Requiring Credentials

The Enrollment Service Client certificate is automatically created when a Horizon 7 or later connection server is installed and the VMware Horizon View Connection Server service starts. The certificate is distributed through View LDAP to other Horizon 7 connection servers that get added to the cluster later. The certificate is then stored in a custom container (VMware Horizon View Certificates\Certificates) in the Windows Certificate Store on the computer.

Prerequisites

Verify that you have a Horizon 7 or later connection server. For installation instructions, see View Installation. For upgrade instructions, see View Upgrades.

IMPORTANT Customers can use their own certificates for pairing, rather than using the self-generated certificate created by the connection server. To do so, place the preferred certificate (and the associated private key) in the custom container (VMware Horizon View Certificates\Certificates) in the Windows Certificate Store on the connection server machine. You must then set the friendly name of the certificate to

vdm.ec.new, and restart the server. The other servers in the cluster will fetch this certificate from LDAP. You

can then perform the steps in this procedure.

Procedure

1 On one of the connection server machines in the cluster, add the Certificates snap-in to MMC:

a Open the MMC console and select File > Add/Remove Snap-in

b Under Available snap-ins, select Certificates and click Add.

c In the Certificates snap-in window, select Computer account, click Next, and click Finish.

d In the Add or Remove Snap-in window, click OK.

2 In the MMC console, in the left pane, expand the VMware Horizon View Certificates folder and select

the Certificates folder.

3 In the right pane, right-click the certificate file with the friendly name vdm.ec, and select All Tasks >

Export.

4 In the Certificate Export wizard, accept the defaults, including leaving the No, do not export the

private key radio button selected.

5 When you are prompted to name the file, type a file name such as EnrollClient, for Enrollment Service

Client certificate, and follow the prompts to finish exporting the certificate.

What to do next

Import the certificate into the enrollment server. See “Import the Enrollment Service Client Certificate on the

Enrollment Server,” on page 75.

Import the Enrollment Service Client Certificate on the Enrollment Server

To complete the pairing process, you use the MMC Certificates snap-in to import the Enrollment Service Client certificate into the enrollment server. You must perform this procedure on every enrollment server.

Prerequisites

Verify that you have a Horizon 7 or later enrollment server. See “Install and Set Up an Enrollment

Server,” on page 73.

VMware, Inc. 75

Page 76

View Administration

Procedure

1 Copy the appropriate certificate file to the enrollment server machine.

2 On the enrollment server, add the Certificates snap-in to MMC:

Verify that you have the correct certificate to import. You can use either your own certificate or the automatically generated, self-signed Enrollment Service Client certificate from one connection server in the cluster, as described in “Export the Enrollment Service Client Certificate,” on page 74.

IMPORTANT To use your own certificates for pairing, place the preferred certificate (and the associated private key) in the custom container (VMware Horizon View Certificates\Certificates) in the Windows Certificate Store on the connection server machine. You must then set the friendly name of the certificate to vdm.ec.new, and restart the server. The other servers in the cluster will fetch this certificate from LDAP. You can then perform the steps in this procedure.

If you have your own client certificate, the certificate that you must copy to the enrollment server is the root certificate used to generate the client certificate.

To use the automatically generated certificate, copy the Enrollment Service Client certificate from the connection server. To use your own certificate, copy the root certificate that was used to generate the client certificate.

a Open the MMC console and select File > Add/Remove Snap-in

b Under Available snap-ins, select Certificates and click Add.

c In the Certificates snap-in window, select Computer account, click Next, and click Finish.

d In the Add or Remove Snap-in window, click OK.

3 In the MMC console, in the left pane, right-click the VMware Horizon View Enrollment Server

Trusted Roots folder and select All Tasks > Import.

4 In the Certificate Import wizard, follow the prompts to browse to and open the EnrollClient certificate

file.

5 Follow the prompts and accept the defaults to finish importing the certificate.

6 Right-click the imported certificate and add a friendly name such as vdm.ec (for Enrollment Client

certificate).

VMware recommends you use a friendly name that identifies the View cluster, but you can use any name that helps you easily identify the client certificate.

What to do next

Configure the SAML authenticator used for delegating authentication to VMware Identity Manager. See

“Configure SAML Authentication to Work with True SSO,” on page 76.

Configure SAML Authentication to Work with True SSO

With the True SSO feature introduced in Horizon 7, users can log in to VMware Identity Manager 2.6 and later releases using smart card, RADIUS, or RSA SecurID authentication, and they will no longer be prompted for Active Directory credentials, even when they launch a remote desktop or application for the first time.

With earlier releases, SSO (single sign-on) worked by prompting users for their Active Directory credentials the first time they launched a remote desktop or hosted application if they had not previously authenticated with their Active Directory credentials. The credentials were then cached so that subsequent launches would not require users to re-enter their credentials. With True SSO, short-term certificates are created and used instead of AD credentials.

76 VMware, Inc.

Page 77

Chapter 5 Authenticating Users Without Requiring Credentials

Although the process for configuring SAML authentication for VMware Identity Manager has not changed, one additional step has been added for True SSO. You must configure VMware Identity Manager so that password pop-ups are suppressed.

NOTE If your deployment includes more than one View Connection Server instance, you must associate the SAML authenticator with each instance.

Prerequisites

Verify that single sign-on is enabled as a global setting. In View Administrator, select Configuration >

Global Settings, and verify that Single sign-on (SSO) is set to Enabled.

Verify that VMware Identity Manager is installed and configured. See the VMware Identity Manager

documentation, available at https://www.vmware.com/support/pubs/vidm_pubs.html

Verify that the root certificate for the signing CA for the SAML server certificate is installed on the

connection server host. VMware does not recommend that you configure SAML authenticators to use self-signed certificates. See the topic "Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store," in the chapter "Configuring SSL Certificates for View Servers," in the View Installation document.

Make a note of the FQDN of the VMware Identity Manager server instance.

Procedure

1 In View Administrator, select Configuration > Servers.

2 On the Connection Servers tab, select a server instance to associate with the SAML authenticator and

click Edit.

3 On the Authentication tab, from the Delegation of authentication to VMware Horizon (SAML 2.0

Authenticator) drop-down menu, select Allowed or Required.

You can configure each View Connection Server instance in your deployment to have different SAML authentication settings, depending on your requirements.

4 Click Manage SAML Authenticators and click Add.

5 Configure the SAML authenticator in the Add SAML 2.0 Authenticator dialog box.

Option Description

Label

Description

Metadata URL

Administration URL

You can use the FQDN of the VMware Identity Manager server instance.

(Optional) You can use the FQDN of the VMware Identity Manager server instance.

URL for retrieving all of the information required to exchange SAML information between the SAML identity provider and the View Connection Server instance. In the URL https://<YOUR HORIZON SERVER

NAME>/SAAS/API/1.0/GET/metadata/idp.xml, click <YOUR HORIZON SERVER NAME> and replace it with the FQDN of the

VMware Identity Manager server instance.

URL for accessing the administration console of the SAML identity provider (VMware Identity Manager instance). This URL has the format

https://<Identity-Manager-FQDN>:8443.

6 Click OK to save the SAML authenticator configuration.

If you provided valid information, you must either accept the self-signed certificate (not recommended) or use a trusted certificate for View and VMware Identity Manager.

The SAML 2.0 Authenticator drop-down menu displays the newly created authenticator, which is now set as the selected authenticator.

VMware, Inc. 77

Page 78

View Administration

7 In the System Health section on the View Administrator dashboard, select Other components > SAML

2.0 Authenticators, select the SAML authenticator that you added, and verify the details.

If the configuration is successful, the authenticator's health is green. An authenticator's health can display red if the certificate is untrusted, if the VMware Identity Manager service is unavailable, or if the metadata URL is invalid. If the certificate is untrusted, you might be able to click Verify to validate and accept the certificate.

8 Log in to the VMware Identity Manager administration console, go to the View Pools page, and select

the Suppress Password Popup check box.

What to do next

Extend the expiration period of the View Connection Server metadata so that remote sessions are not

terminated after only 24 hours. See “Change the Expiration Period for Service Provider Metadata on

View Connection Server,” on page 62.

Use the vdmutil command-line interface to configure True SSO on a connection server. See “Configure

View Connection Server for True SSO,” on page 78.

For more information about how SAML authentication works, see “Using SAML Authentication,” on page 59.

Configure View Connection Server for True SSO

You can use the vdmutil command-line interface to configure and enable or disable True SSO.

This procedure is required to be performed on only one connection server in the cluster.

IMPORTANT This procedure uses only the commands necessary for enabling True SSO. For a list of all the configuration options available for managing True SSO configurations, and a description of each option, see

“Command-line Reference for Configuring True SSO,” on page 80.

Prerequisites

Verify that you can run the command as a user who has the Administrators role. You can use View

Administrator to assign the Administrators role to a user. See Chapter 6, “Configuring Role-Based

Delegated Administration,” on page 89.

Verify that you have the fully qualified domain name (FQDN) for the following servers:

Connection server

Enrollment server

For more information, see “Install and Set Up an Enrollment Server,” on page 73.

Enterprise certificate authority

For more information, see “Set Up an Enterprise Certificate Authority,” on page 70.

Verify that you have the Netbios name or the FQDN of the domain.

Verify that you have created a certificate template. See “Create Certificate Templates Used with True

SSO,” on page 71.

Verify that you have created a SAML authenticator to delegate authentication to VMware Identity

Manager. See “Configure SAML Authentication to Work with True SSO,” on page 76.

78 VMware, Inc.

Page 79

Chapter 5 Authenticating Users Without Requiring Credentials

Procedure

1 On a connection server in the cluster, open a command prompt and enter the command to add an

enrollment server.

vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password

--truesso --environment --add --enrollmentServer enroll-server-fqdn

The enrollment server is added to the global list.

2 Enter the command to list the information for that enrollment server.

vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password

--truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn

The output shows the forest name, whether the certificate for the enrollment server is valid, the name and details of the certificate template you can use, and the common name of the certificate authority. To configure which domains the enrollment server can connect to, you can use a Windows Registry setting on the enrollment server. The default is to connect to all trusting domains.

IMPORTANT You will be required to specify the common name of the certificate authority in the next step.

3 Enter the command to create a True SSO connector, which will hold the configuration information, and

enable the connector.

vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password

--truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name -primaryEnrollmentServer enroll-server-fqdn --certificateServer ca-common-name --mode enabled

In this command, TrueSSO-template-name is the name of the template shown in the output for the previous step, and ca-common-name is the common name of the enterprise certificate authority shown in that output.

The True SSO connector is enabled on a pool or cluster for the domain specified. To disable True SSO at the pool level, run vdmUtil --certsso --edit --connector <domain> --mode disabled. To disable true SSO for an individual virtual machine, you can use GPO (vdm_agent.adm).

4 Enter the command to discover which SAML authenticators are available.

vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password

--truesso --list --authenticator

Authenticators are created when you configure SAML authentication between VMware Identity Manager and a connection server, using View Administrator.

The output shows the name of the authenticator and shows whether True SSO is enabled.

IMPORTANT You will be required to specify the authenticator name in the next step.

5 Enter the command to enable the authenticator to use True SSO mode.

vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password

--truesso --authenticator --edit --name authenticator-fqdn --truessoMode {ENABLED|ALWAYS}

For --truessoMode, use ENABLED if you want True SSO to be used only if no password was supplied when the user logged in to VMware Identity Manager. In this case if a password was used and cached, the system will use the password. Set --truessoMode to ALWAYS if you want True SSO to be used even if a password was supplied when the user logged in to VMware Identity Manager.

What to do next

In View Administrator, verify the health status of the True SSO configuration. For more information, see

“Using the System Health Dashboard to Troubleshoot Issues Related to True SSO,” on page 86.

VMware, Inc. 79

Page 80

View Administration

To configure advanced options, use Windows advanced settings on the appropriate system. See “Advanced

Configuration Settings for True SSO,” on page 83.

Command-line Reference for Configuring True SSO

You can use the vdmutil command-line interface to configure and manage the True SSO feature.

Location of the Utility

By default, the path to the vdmutil command executable file is C:\Program Files\VMware\VMware

View\Server\tools\bin. To avoid entering the path on the command line, add the path to your PATH

environment variable.

Syntax and Authentication

Use the following form of the vdmutil command from a Windows command prompt.

vdmutil authentication options --truesso additional options and arguments

The additional options that you can use depend on the command option. This topic focuses on the options for configuring True SSO (--truesso). Following is an example of a command for listing connectors that have been configured for True SSO:

vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password -truesso --list --connector

The vdmutil command includes authentication options to specify the user name, domain, and password to use for authentication.

Table 5‑1. vdmutil Command Authentication Options

Option Description

--authAs

--authDomain

--authPassword Password for the View administrator user specified in the --authAs option. Entering "*" instead of

Name of a View administrator user. Do not use domain\username or user principal name (UPN) format.

Fully qualified domain name or Netbios name of the domain for the View administrator user specified in the --authAs option.

a password causes the vdmutil command to prompt for the password and does not leave sensitive passwords in the command history on the command line.

You must use the authentication options with all vdmutil command options except for --help and

--verbose.

Command Output

80 VMware, Inc.

Page 81

Chapter 5 Authenticating Users Without Requiring Credentials

Commands for Managing Enrollment Servers

You must add one enrollment server for each domain. You can also add a second enrollment server and later designate that server to be used as a backup.

For readability, the options shown in the following table do not represent the complete command you would enter. Only the options specific to the particular task are included. For example, one row shows the

--environment --list --enrollmentServers options, but the vdmUtil command you would actually enter also contains options for authentication and for specifying that you are configuring True SSO:

vdmUtil --authAs admin-role-user --authDomain netbios-name --authPassword admin-user-password -truesso --environment --list --enrollmentServers

For more information about the authentication options, see “Command-line Reference for Configuring True

SSO,” on page 80.

Table 5‑2. vdmutil truesso Command Options for Managing Enrollment Servers

Command and Options Description

--environment --add --enrollmentServer

enroll-server-fqdn

--environment --remove --enrollmentServer

enroll-server-fqdn

--environment --list --enrollmentServers

--environment --list --enrollmentServer

enroll-server-fqdn

--environment --list --enrollmentServer

enroll-server-fqdn --domain domain-fqdn

Adds the specified enrollment server to the environment, where enroll-server-fqdn is the FQDN of the enrollment server. If the enrollment server has already been added, when you run this command, nothing happens.

Removes the specified enrollment server from the environment, where enroll-server-fqdn is the FQDN of the enrollment server. If the enrollment server has already been removed, when you run this command, nothing happens.

Lists the FQDNs of all enrollment servers in the environment.

List s the FQDNs of the domains and forests that are trusted by the domains and forests to which the enrollment server belongs, and the state of the enrollment certificate, which can be VALID or INVALID. VALID means the enrollment server has an Enrollment Agent certificate installed. The state might be INVALID for any of several reasons:

The certificate has not been installed.

The certificate Is not yet valid, or has expired.

The certificate was not issued by a trusted Enterprise CA.

The private key is not available.

The certificate has been corrupted.

The log file on the enrollment server can provide the reason for the INVALID state.

For the enrollment server in the specified domain, lists the CNs (common names) of the available certificate authorities, and provides the following information about each certificate template that can be used for True SSO: name, minimum key length, and hash algorithm.

Commands for Managing Connectors

You create one connector for each domain. The connector defines the parameters that are used for True SSO.

--list --connector options, but the vdmUtil command you would actually enter also contains options for authentication and for specifying that you are configuring True SSO:

vdmUtil --authAs admin-role-user --authDomain netbios-name --authPassword admin-user-password -truesso --list --connector

VMware, Inc. 81

Page 82

View Administration

For more information about the authentication options, see “Command-line Reference for Configuring True

SSO,” on page 80.

Table 5‑3. vdmutil truesso Command Options for Managing Connectors

Options Description

--create --connector --domain domain-fqdn

--template template-name

--primaryEnrollmentServer enroll-server1-

fqdn [--secondaryEnrollmentServer enrollserver2-fqdn] --certificateServer CAcommon-name --mode {enabled |disabled}

--list --connector

--list --connector --verbose

--edit --connector domain-fqdn [--template

template-name] [--mode {enabled |disabled] [--primaryEnrollmentServer enroll-server1-

fqdn] [--secondaryEnrollmentServer enrollserver2-fqdn] [--certificateServer CAcommon-name]

--delete --connector domain-fqdn

Creates a connector for the specified domain and configures the connector to use the following settings:

template-name is the name of the certificate template to use.

enroll-server1-fqdn is the FQDN of the primary enrollment server to

use.

enroll-server2-fqdn is the FQDN of the secondary enrollment server

to use. This setting is optional.

CA-common-name is the common name of the certificate authority

to use. This can be a comma-separated list of CAs.

To determine which certificate template and certificate authority are available for a particular enrollment server, you can run the vdmutil command with the

--truesso --environment --list --enrollmentServer enroll- server-fqdn --domain domain-fqdn options.

Lists the FQDNs of the domains that already have a connector created.

Lists all the domains that have connectors, and for each connector, provides the following information:

Primary enrollment server

Secondary enrollment server, if there is one

Name of the certificate template

Whether the connector is enabled or disabled

Common name of the certificate authority server or servers, if

there are more than one

For the connector created for the domain specified by domain-fqdn, allows you to change any of the following settings:

template-name is the name of the certificate template to use.

The mode can be either enabled or disabled.

enroll-server1-fqdn is the FQDN of the primary enrollment server to

use.

enroll-server2-fqdn is the FQDN of the secondary enrollment server

to use. This setting is optional.

CA-common-name is the common name of the certificate authority

to use. This can be a comma-separated list of CAs.

Deletes the connector that has been created for the domain specified by domain-fqdn.

Commands for Managing Authenticators

Authenticators are created when you configure SAML authentication between VMware Identity Manager and a connection server. The only management task is to enable or disable True SSO for the authenticator.

--list --authenticator options, but the vdmUtil command you would actually enter also contains options for authentication and for specifying that you are configuring True SSO:

vdmUtil --authAs admin-role-user --authDomain netbios-name --authPassword admin-user-password -truesso --list --authenticator

For more information about the authentication options, see “Command-line Reference for Configuring True

SSO,” on page 80.

82 VMware, Inc.

Page 83

Chapter 5 Authenticating Users Without Requiring Credentials

Table 5‑4. vdmutil truesso Command Options for Managing Authenticators

Command and Options Description

--list --authenticator [--verbose]

--list --authenticator --name label

--edit --authenticator --name label

--truessoMode mode-value

Lists the fully qualified domain names (FQDNs) of all SAML authenticators found in the domain. For each one, specifies whether True SSO is enabled. If you use the --verbose option, the FQDNs of the associated connection servers are also listed.

For the specified authenticator, lists whether True SSO is enabled, and lists the FQDNs of the associated connection servers. For label use one of the names listed when you use the --authenticator option without the --name option.

For the specified authenticator, sets the True SSO mode to the value you specify, where mode-value can be one of the following values:

ENABLED. True SSO is used only when the Active Directory credentials of the user is not available.

ALWAYS. True SSO is always used even if vIDM has the AD credentials of the user.

DISABLED. True SSO is disabled.

For label use one of the names listed when you use the

--authenticator option without the --name option.

Advanced Configuration Settings for True SSO

You can manage the True SSO advanced settings by using the GPO template on the Horizon Agent machine, registry settings on the enrollment server, and LDAP entries on the connection server. These settings include default timeout, configure load balancing, specify domains to be included, and more.

Horizon Agent Configuration Settings

You can use GPO template on the agent OS to turn off True SSO at the pool level or to change defaults for certificate settings such as key size and count and settings for reconnect attempts.

NOTE The following table shows the settings to use for configuring the agent on individual virtual machines, but you can alternatively use the Horizon Agent Configuration ADM template file (vdm_agent.adm) to make these policy settings apply to all the virtual machines in a desktop or application pool. If a policy is set the policy takes precedence over the registry settings

This ADM file is available in a bundled .zip file named VMware-Horizon-Extras-Bundle-x.x.x-yyyyyyy.zip, which you can download from the VMware download site at

https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the

VMware Horizon 7 download, which includes the bundled .zip file.

Table 5‑5. Keys for Configuring True SSO on Horizon Agent

Min &

Key

Disable True SSO

Certificate wait timeout

Minimum key size

All key sizes

Max Description

N/A

-120

1024 8192

N/A Comma-separated list of key sizes that can be used. Up to 5 sizes

Set this key to true to disable the feature on the agent. Use this setting in the group policy to disable True SSO at the pool level. The default is false.

Specifies timeout period of certificates to arrive on the agent, in seconds. The default is 40.

Minimum allowed size for a key. The default is 1024, meaning that by default, if the key size is below 1024, the key cannot be used.

can be specified; for example: 1024,2048,3072,4096. The default is 2048.

VMware, Inc. 83

Page 84

View Administration

Table 5‑5. Keys for Configuring True SSO on Horizon Agent (Continued)

Key

Number of keys to pre-create

Minimum validity period required for a certificate

Enrollment Server Configuration Settings

You can use Windows Registry settings on the enrollment server OS to configure which domains to connect to, various timeout periods, polling periods, and retries, and whether to prefer using the certificate authority that is installed on the same local server (recommended).

To change the advanced configuration settings, you can open the Windows Registry Editor (regedit.exe) on the enrollment server machine and navigate to the following registry key:

HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service

Table 5‑6. Registry Keys for Configuring True SSO on the Enrollment Server

Registry Key

ConnectToDomains

ExcludeDomains

ConnectToDomainsInForest

ConnectToTrustingDomains

Min & Max Description

1-100 Number of keys to pre-create on RDS servers that provide remote

desktops and hosted Windows applications. The default is 5.

N/A Minimum validity period, in minutes, required for a certificate

when it is being reused to reconnect a user. The default is 5.

Min & Max Type Description

N/A REG_MUL

TI_SZ

N/A REG_MUL

TI_SZ

N/A REG_SZ Specifies whether to connect to and use all domains in the

N/A REG_SZ Specifies whether to connect to explicitly

List of domains the enrollment server attempts to connect to automatically. For this multi-string registry type, the DNS fully qualified domain name (FQDN) of each domain is listed on its own line.

The default is to trust all domains.

List of domains the enrollment server does not connect to automatically. If the connection server provides a configuration set with any of the domains, the enrollment server will attempt to connect to that domain or domains. For this multi-string registry type, the DNS FQDN of each domain is listed on its own line.

The default is to exclude no domains.

forest that the enrollment server is a member of. The default is TRUE.

Use one of the following values:

0 means false; do not connect to the domains of the forest being used.

!=0 means true.

trusting/incoming domains. The default is TRUE.

Use one of the following values:

0 means false; do not connect to explicitly trusting/incoming domains.

!=0 means true.

84 VMware, Inc.

Page 85

Chapter 5 Authenticating Users Without Requiring Credentials

Table 5‑6. Registry Keys for Configuring True SSO on the Enrollment Server (Continued)

Min &

Registry Key

PreferLocalCa

MaxSubmitRetryTime

SubmitLatencyWarningTime

Max Type Description

N/A REG_SZ Specifies whether to prefer the locally installed CA, if

available, for performance benefits. If set to TRUE, the enrollment server will send requests to the local CA. If the connection to the local CA fails, the enrollment server will try to send certificates requests to alternate CAs. The default is FALSE.

Use one of the following values:

0 means false.

!=0 means true.

950059000

500 5000

DWORD Amount of time to wait before retrying to submit a

certificate signing request, in milliseconds. The default is

25000.

DWORD Submit latency warning time when the interface is

marked "Degraded" (in milliseconds). The default is 1500.

The enrollment server uses this setting to determine whether a CA should be considered to be in a degraded state. If the last three certificate requests took more milliseconds to complete than are specified by this setting, the CA is considered degraded, and this status appears in the View Administrator Health Status dashboard.

A CA usually issues a certificate within 20 ms, but if the CA has been idle for a few hours, any initial request might take longer to complete. This setting allows an administrator to find out that a CA is slow, without necessary having the CA marked as slow. Use this setting to configure the threshold for marking the CA as slow.

Connection Server Configuration Settings

You can edit View LDAP on View Connection Server to configure a timeout for generating certificates and whether to enable load balancing certificate requests between enrollment server (recommended).

To change the advanced configuration settings, you must use ADSI Edit on a View Connection Server host. You can connect by typing in the distinguished name DC=vdi, DC=vmware, DC=int as the connection point, and typing in the server name and port for the computer localhost:389. Expand OU=Properties, select OU=Global, and double-click CN=Common in the right pane.

You can then edit the pae-NameValuePair attribute to add one or more of the values listed in the following table. You must use the syntax name=value when adding values.

Table 5‑7. Advanced True SSO Settings for Connection Servers

Registry Key Description

cs-view-certsso-enable-esloadbalance=[true|false]

cs-view-certsso-certgen-timeoutsec=number

Specifies whether to enable load balancing CSR requests between two enrollment servers. The default is false.

For example, add cs-view-certsso-enable-es-loadbalance=true to enable load balancing so that when certificate requests arrive, the connection server will use alternate enrollment servers,. Each enrollment server can service the requests using the local CA, if you have the enrollment server and CA on the same host.

Amount of time to wait for generating a certificate after receiving a CSR, in seconds. The default is 35.

VMware, Inc. 85

Page 86

View Administration

Using the System Health Dashboard to Troubleshoot Issues Related to True SSO

You can use the system health dashboard in View Administrator to quickly see problems that might affect the operation of the True SSO feature.

For end users, if True SSO stops working, when the system attempts to log the user in to the remote desktop or application, the user sees the following message: "The user name or password is incorrect." After the user clicks OK, the user is taken to the login screen. On the Windows login screen the user sees an extra tile labeled VMware SSO User. If the user has the Active Directory credentials for an entitled user, the user can log in with AD credentials.

The system health dashboard in the top-left portion of the View Administrator display contains a couple of items that pertain to True SSO.

NOTE The True SSO feature provides information to the dashboard only once per minute. Click the refresh icon in the upper-right corner to refresh the information immediately.

You can click to expand View Components > True SSO to see a list of the domains that are using True

SSO.

You can click a domain name to see the following information: a list of enrollment servers configured for that domain, a list of enterprise certificate authorities, the name of the certificate template being used, and the status. If there is a problem, the Status field explains what it is.

To change any of the configuration settings shown in the True SSO Domain Details dialog box, use the

vdmutil command-line interface to edit the True SSO connector. For more information, see “Commands

for Managing Connectors,” on page 81.

You can click to expand Other Components > SAML 2.0 Authenticators to see a list of the SAML

authenticators that have been created for delegating authentication to VMware Identity Manager instances. You can click the authenticator name to examine the details and status.

NOTE In order for True SSO to be used, the global setting for SSO must be enabled. In View Administrator, select Configuration > Global Settings, and verify that Single sign-on (SSO) is set to Enabled.

Table 5‑8. Broker to Enrollment Server Connection Status

Status Text Description

Failed to fetch True SSO health information.

The <FQDN> enrollment server cannot be contacted by the True SSO configuration service.

The <FQDN> enrollment server cannot be contacted to manage sessions on this connection server.

The dashboard is unable to retrieve the health information from the broker.

In a POD, one of the brokers is elected to send the configuration information to all enrollment servers used by the POD. This broker will refresh the enrollment server configuration once every minute. This message is displayed if the configuration task has failed to updated the enrollment server. For additional information, see the table for Enrollment Server Connectivity.

The current broker is unable to connect to the enrollment server. This status is only displayed for the broker that your browser is pointing to. If there are multiple brokers in the pod, you need to change your browser to point to the other brokers in order to check their status. For additional information, see the table for Enrollment Server Connectivity.

86 VMware, Inc.

Page 87

Table 5‑9. Enrollment Server Connectivity

Status Text Description

This domain <Domain Name> does not exist on the <FQDN> enrollment server.

The <FQDN> enrollment server's connection to the domain <Domain Name> is still being established.

The <FQDN> enrollment server's connection to the domain <Domain Name> is stopping or in a problematic state.

The <FQDN> enrollment server has not yet read the enrollment properties from a domain controller.

The <FQDN> enrollment server has read the enrollment properties at least once, but has not been able to reach a domain controller for some time.

The <FQDN> enrollment server has read the enrollment properties at least once but either has not been able to reach a domain controller for an extended time or another issue exists.

The True SSO connector has been configured to use this enrollment server for this domain, but the enrollment server has not yet been configured to connect to this domain. If the state remains for longer than one minute, you need to check the state of the broker currently responsible for refreshing the enrollment configuration.

The enrollment server has not been able to connect to a domain controller in this domain. If this state remains for longer than a minute, you might have to verify that name resolution from the enrollment server to the domain is correct, and that there is network connectivity between the enrollment server and the domain.

The enrollment server has connected to a domain controller in the domain, but it has not been able to read the PKI information from the domain controller. If this happens, then there is likely a problem with the actual domain controller. This issue can also happen if DNS is not configured correctly. Check the log file on the enrollment server to see what domain controller the enrollment server is trying to use, and verify that the domain controller is fully operational.

This state is transitional, and is only displayed during startup of the enrollment server, or when a new domain has been added to the environment. This state usually lasts less than one minute. If this state lasts longer than a minute, either the network is extremely slow, or there is an issue causing difficulties accessing the domain controller.

As long as the enrollment server reads the PKI configuration from a domain controller, it keeps polling for changes once every two minutes. This status will be set if the domain controller (DC) has been unreachable for a short period of time. Typically this inability to contact the DC might mean the enrollment server cannot detect any changes in PKI configuration. As long the certificate servers can still access a domain controller, certificates can still be issued.

If the enrollment server has not been able to reach the domain controller for an extended period, then this state is displayed. The enrollment server will then try to discover an alternative domain controller for this domain. If a certificate server can still access a domain controller, then certificates can still be issued, but if this state remains for more than one minute, it means the enrollment server has lost access to all domain controllers for the domain, and it is likely that certificates can no longer be issued.

Chapter 5 Authenticating Users Without Requiring Credentials

Table 5‑10. Enrollment Certificate Status

Status Text Description

A valid enrollment certificate for this domain's <domain name> forest is not installed on the <FQDN> enrollment server, or it may have expired

VMware, Inc. 87

No enrollment certificate for this domain has been installed, or the certificate is invalid or has expired. The enrollment certificate must be issued by an enterprise CA that is trusted by the forest this domain is a member of. Verify that you have completed the steps in the View Administration document, which describes how to install the enrollment certificate on the enrollment server. You can also open the MMC, certificate management snap-in, opening the local computer store. Open the Personal certificate container and verify that the certificate is installed, and that it is valid. You can also open the enrollment server log file. The enrollment server will log additional information about the state of any certificate it located.

Page 88

View Administration

Table 5‑11. Certificate Template Status

Status Text Description

The template <name> does not exist on the <FQDN> enrollment server domain.

Certificates generated by this template can NOT be used to log on to windows.

The template <name> is smartcard logon enabled, but cannot be used.

Table 5‑12. Certificate Server Configuration Status

Status Text Description

The certificate server <CN of CA> does not exist in the domain.

The certificate is not in the NTAuth (Enterprise) store.

Check that you specified the correct template name.

This template does not have the smart card usage enabled and data signing enabled. Check that you specified the correct template name. Verify that you have .completed the steps described in “Create Certificate Templates Used with

True SSO,” on page 71.

This template is enabled for smart card logon, but the template cannot be used with True SSO. Check that you specified the correct template name, verify that you have gone through the steps described in “Create Certificate Templates Used

with True SSO,” on page 71. You can also check the enrollment server log file,

since it will log what setting in the template is preventing it from being used for True SSO.

Verify that you specified the correct name for the CA. You must specify the Common Name (CN).

This CA is not an enterprise CA or its CA certificate has not been added to the NTAUTH store. If this CA is not a member of the forest, you must manually add the CA certificate to the NTAUTH store of this forest.

Table 5‑13. Certificate Server Connection Status

Status Text Description

The <FQDN> enrollment server is not connected to the certificate server <CN of CA>.

The <FQDN> enrollment server has connected to the certificate server <CN of CA>, but the certificate server is in a degraded state

The <FQDN> enrollment server can connect to the certificate server <CN of CA>, but the service is unavailable.

The enrollment server is not connected to the certificate server. This state might be a transitional state if the enrollment server just started, or if the CA was recently added to a True SSO connector. If the state remains for longer than one minute, it means that the enrollment server failed to connect to the CA. Validate that name resolution is working correctly, and that you have network connectivity to the CA, and that the system account for the enrollment server has permission to access the CA.

This state is displayed if the CA is slow at issuing certificates. If the CA remains in this state, check the load of the CA or the domain controllers used by the CA.

NOTE If the CA has been marked as slow, it will retain this state until at least one certificate request has been completed successfully, and that certificate was issued within a normal time frame.

This state is issued if the enrollment server has an active connection to the CA but it is unable to issue certificates. This state is typically a transitional state. If the CA does not become available quickly, the state will be changed to disconnected.

88 VMware, Inc.

Page 89

Configuring Role-Based Delegated

Administration 6

One key management task in a View environment is to determine who can use View Administrator and what tasks those users are authorized to perform. With role-based delegated administration, you can selectively assign administrative rights by assigning administrator roles to specific Active Directory users and groups.

This chapter includes the following topics:

“Understanding Roles and Privileges,” on page 89

“Using Access Groups to Delegate Administration of Pools and Farms,” on page 90

“Understanding Permissions,” on page 91

“Manage Administrators,” on page 92

“Manage and Review Permissions,” on page 93

“Manage and Review Access Groups,” on page 95

“Manage Custom Roles,” on page 97

“Predefined Roles and Privileges,” on page 99

“Required Privileges for Common Tasks,” on page 103

“Best Practices for Administrator Users and Groups,” on page 105

Understanding Roles and Privileges

The ability to perform tasks in View Administrator is governed by an access control system that consists of administrator roles and privileges. This system is similar to the vCenter Server access control system.

An administrator role is a collection of privileges. Privileges grant the ability to perform specific actions, such as entitling a user to a desktop pool. Privileges also control what an administrator can see in View Administrator. For example, if an administrator does not have privileges to view or modify global policies, the Global Policies setting is not visible in the navigation panel when the administrator logs in to View Administrator.

Administrator privileges are either global or object-specific. Global privileges control system-wide operations, such as viewing and changing global settings. Object-specific privileges control operations on specific types of objects.

Administrator roles typically combine all of the individual privileges required to perform a higher-level administration task. View Administrator includes predefined roles that contain the privileges required to perform common administration tasks. You can assign these predefined roles to your administrator users and groups, or you can create your own roles by combining selected privileges. You cannot modify the predefined roles.

VMware, Inc.

Page 90

View Administration

To create administrators, you select users and groups from your Active Directory users and groups and assign administrator roles. Administrators obtain privileges through their role assignments. You cannot assign privileges directly to administrators. An administrator that has multiple role assignments acquires the sum of all the privileges contained in those roles.

Using Access Groups to Delegate Administration of Pools and Farms

By default, automated desktop pools, manual desktop pools, and farms are created in the root access group, which appears as / or Root(/) in View Administrator. RDS desktop pools and application pools inherit their farm's access group. You can create access groups under the root access group to delegate the administration of specific pools or farms to different administrators.

NOTE You cannot change the access group of an RDS desktop pool or an application pool directly. You must change the access group of the farm that the RDS desktop pool or the application pool belongs to.

A virtual or physical machine inherits the access group from its desktop pool. An attached persistent disk inherits the access group from its machine. You can have a maximum of 100 access groups, including the root access group.

You configure administrator access to the resources in an access group by assigning a role to an administrator on that access group. Administrators can access the resources that reside only in access groups for which they have assigned roles. The role that an administrator has on an access group determines the level of access that the administrator has to the resources in that access group.

Because roles are inherited from the root access group, an administrator that has a role on the root access group has that role on all access groups. Administrators who have the Administrators role on the root access group are super administrators because they have full access to all of the objects in the system.

A role must contain at least one object-specific privilege to apply to an access group. Roles that contain only global privileges cannot be applied to access groups.

You can use View Administrator to create access groups and to move existing desktop pools to access groups. When you create an automated desktop pool, a manual pool, or a farm, you can accept the default root access group or select a different access group.

Different Administrators for Different Access Groups on page 90

You can create a different administrator to manage each access group in your configuration.

Different Administrators for the Same Access Group on page 91

You can create different administrators to manage the same access group.

Different Administrators for Different Access Groups

You can create a different administrator to manage each access group in your configuration.

For example, if your corporate desktop pools are in one access group and your desktop pools for software developers are in another access group, you can create different administrators to manage the resources in each access group.

Table 6-1 shows an example of this type of configuration.

90 VMware, Inc.

Page 91

Chapter 6 Configuring Role-Based Delegated Administration

Table 6‑1. Different Administrators for Different Access Groups

Administrator Role Access Group

view-domain.com\Admin1 Inventory Administrators

view-domain.com\Admin2 Inventory Administrators

/CorporateDesktops

/DeveloperDesktops

In this example, the administrator called Admin1 has the Inventory Administrators role on the access group called CorporateDesktops and the administrator called Admin2 has the Inventory Administrators role on the access group called DeveloperDesktops.

Different Administrators for the Same Access Group

You can create different administrators to manage the same access group.

For example, if your corporate desktop pools are in one access group, you can create one administrator that can view and modify those pools and another administrator that can only view them.

Table 6-2 shows an example of this type of configuration.

Table 6‑2. Different Administrators for the Same Access Group

Administrator Role Access Group

view-domain.com\Admin1 Inventory Administrators

view-domain.com\Admin2 Inventory Administrators (Read

only)

/CorporateDesktops

Understanding Permissions

View Administrator presents the combination of a role, an administrator user or group, and an access group as a permission. The role defines the actions that can be performed, the user or group indicates who can perform the action, and the access group contains the objects that are the target of the action.

Permissions appear differently in View Administrator depending on whether you select an administrator user or group, an access group, or a role.

Table 6-3 shows how permissions appear in View Administrator when you select an administrator user or

group. The administrator user is called Admin 1 and it has two permissions.

Table 6‑3. Permissions on the Administrators and Groups Tab for Admin 1

Role Access Group

Inventory Administrators

Administrators (Read only)

The first permission shows that Admin 1 has the Inventory Administrators role on the access group called

MarketingDesktops. The second permission shows that Admin 1 has the Administrators (Read only) role on

the root access group.

MarketingDesktops

Table 6-4 shows how the same permissions appear in View Administrator when you select the

MarketingDesktops access group.

VMware, Inc. 91

Page 92

View Administration

Table 6‑4. Permissions on the Folders Tab for MarketingDesktops

Admin Role Inherited

view-domain.com\Admin1 Inventory Administrators

view-domain.com\Admin1 Administrators (Read only) Yes

The first permission is the same as the first permission shown in Table 6-3. The second permission is inherited from the second permission shown in Table 6-3. Because access groups inherit permissions from the root access group, Admin1 has the Administrators (Read only) role on the MarketingDesktops access group. When a permission is inherited, Yes appears in the Inherited column.

Table 6-5 shows how the first permission in Table 6-3 appears in View Administrator when you select the

Inventory Administrators role.

Table 6‑5. Permissions on the Role Tab for Inventory Administrators

Administrator Access Group

view-domain.com\Admin1

Manage Administrators

Users who have the Administrators role can use View Administrator to add and remove administrator users and groups.

/MarketingDesktops

The Administrators role is the most powerful role in View Administrator. Initially, members of the View Administrators account are given the Administrators role. You specify the View Administrators account when you install View Connection Server. The View Administrators account can be the local Administrators group (BUILTIN\Administrators) on the View Connection Server computer or a domain user or group account.

NOTE By default, the Domain Admins group is a member of the local Administrators group. If you specified the View Administrators account as the local Administrators group, and you do not want domain administrators to have full access to inventory objects and View configuration settings, you must remove the Domain Admins group from the local Administrators group.

Create an Administrator on page 92

To create an administrator, you select a user or group from your Active Directory users and groups in View Administrator and assign an administrator role.

Remove an Administrator on page 93

You can remove an administrator user or group. You cannot remove the last super administrator in the system. A super administrator is an administrator that has the Administrators role on the root access group.

Create an Administrator

To create an administrator, you select a user or group from your Active Directory users and groups in View Administrator and assign an administrator role.

Prerequisites

Become familiar with the predefined administrator roles. See “Predefined Roles and Privileges,” on

page 99.

Become familiar with the best practices for creating administrator users and groups. See “Best Practices

for Administrator Users and Groups,” on page 105.

92 VMware, Inc.

Page 93

Chapter 6 Configuring Role-Based Delegated Administration

To assign a custom role to the administrator, create the custom role. See “Add a Custom Role,” on

page 98.

To create an administrator that can manage specific desktop pools, create an access group and move the

desktop pools to that access group. See “Manage and Review Access Groups,” on page 95.

Procedure

1 In View Administrator, select View Configuration > Administrators.

2 On the Administrators and Groups tab, click Add User or Group.

3 Click Add, select one or more search criteria, and click Find to filter Active Directory users or groups

based on your search criteria.

4 Select the Active Directory user or group that you want to be an administrator user or group, click OK

and click Next.

You can press the Ctrl and Shift keys to select multiple users and groups.

5 Select a role to assign to the administrator user or group.

The Applies to an access group column indicates whether a role applies to access groups. Only roles that contain object-specific privileges apply to access groups. Roles that contain only global privileges do not apply to access groups.

Option Action

The role you selected applies to access groups

You want the role to apply to all access groups

Select one or more access groups and click Next.

Select the root access group and click Next.

6 Click Finish to create the administrator user or group.

The new administrator user or group appears in the left pane and the role and access group that you selected appear in the right pane on the Administrators and Groups tab.

Remove an Administrator

Procedure

1 In View Administrator, select View Configuration > Administrators.

2 On the Administrators and Groups tab, select the administrator user or group, click Remove User or

Group, and click OK.

The administrator user or group no longer appears on the Administrators and Groups tab.

Manage and Review Permissions

You can use View Administrator to add, delete, and review permissions for specific administrator users and groups, for specific roles, and for specific access groups.

Add a Permission on page 94

You can add a permission that includes a specific administrator user or group, a specific role, or a specific access group.

VMware, Inc. 93

Page 94

View Administration

Delete a Permission on page 94

You can delete a permission that includes a specific administrator user or group, a specific role, or a specific access group.

Review Permissions on page 95

You can review the permissions that include a specific administrator or group, a specific role, or a specific access group.

Add a Permission

You can add a permission that includes a specific administrator user or group, a specific role, or a specific access group.

Procedure

1 In View Administrator, select View Configuration > Administrators.

2 Create the permission.

Option Action

Create a permission that includes a specific administrator user or group

Create a permission that includes a specific role

Create a permission that includes a specific access group

a On the Administrators and Groups tab, select the administrator or

group and click Add Permission.

b Select a role.

c If the role does not apply to access groups, click Finish.

d If the role applies to access groups, click Next, select one or more

access groups, and click Finish. A role must contain at least one objectspecific privilege to apply to an access group.

a On the Roles tab, select the role, click Permissions, and click Add

Permission.

b Click Add, select one or more search criteria, and click Find to find

administrator users or groups that match your search criteria.

c Select an administrator user or group to include in the permission and

click OK. You can press the Ctrl and Shift keys to select multiple users and groups.

d If the role does not apply to access groups, click Finish.

e If the role applies to access groups, click Next, select one or more

access groups, and click Finish. A role must contain at least one objectspecific privilege to apply to an access group.

a On the Access Groups tab, select the access group and click Add

Permission.

b Click Add, select one or more search criteria, and click Find to find

administrator users or groups that match your search criteria.

c Select an administrator user or group to include in the permission and

click OK. You can press the Ctrl and Shift keys to select multiple users and groups.

d Click Next, select a role, and click Finish. A role must contain at least

one object-specific privilege to apply to an access group.

Delete a Permission

You can delete a permission that includes a specific administrator user or group, a specific role, or a specific access group.

If you remove the last permission for an administrator user or group, that administrator user or group is also removed. Because at least one administrator must have the Administrators role on the root access group, you cannot remove a permission that would cause that administrator to be removed. You cannot delete an inherited permission.

94 VMware, Inc.

Page 95

Chapter 6 Configuring Role-Based Delegated Administration

Procedure

1 In View Administrator, select View Configuration > Administrators.

2 Select the permission to delete.

Option Action

Delete a permission that applies to a specific administrator or group

Delete a permission that applies to a specific role

Delete a permission that applies to a specific access group

Select the administrator or group on the Administrators and Groups tab.

Select the role on the Roles tab.

Select the folder on the Access Groups tab.

3 Select the permission and click Delete Permission.

Review Permissions

You can review the permissions that include a specific administrator or group, a specific role, or a specific access group.

Procedure

1 Select View Configuration > Administrators.

2 Review the permissions.

Option Action

Review the permissions that include a specific administrator or group

Review the permissions that include a specific role

Review the permissions that include a specific access group

Select the administrator or group on the Administrators and Groups tab.

Select the role on the Roles tab and click Permissions.

Select the folder on the Access Groups tab.

Manage and Review Access Groups

You can use View Administrator to add and delete access groups and to review the desktop pools and machines in a particular access group.

Add an Access Group on page 96

You can delegate the administration of specific machines, desktop pools, or farms to different administrators by creating access groups. By default, desktop pools, application pools, and farms reside in the root access group.

Move a Desktop Pool or a Farm to a Different Access Group on page 96

After you create an access group, you can move automated desktop pools, manual pools, or farms to the new access group.

Remove an Access Group on page 96

You can remove an access group if it does not contain any object. You cannot remove the root access group.

Review the Desktop Pools, Application Pools, or Farms in an Access Group on page 97

You can see the desktop pools, the application pools, or the farms in a particular access group in View Administrator.

VMware, Inc. 95

Page 96

View Administration

Review the vCenter Virtual Machines in an Access Group on page 97

You can see the vCenter virtual machines in a particular access group in View Administrator. A vCenter virtual machine inherits the access group from its pool.

Add an Access Group

You can have a maximum of 100 access groups, including the root access group.

Procedure

1 In View Administrator, navigate to the Add Access Group dialog box.

Option Action

From Catalog

From Resources

From View Configuration

2 Type a name and description for the access group and click OK.

Select Catalog > Desktop Pools.

From the Access Group drop-down menu in the top window pane,

select New Access Group.

Select Resources > Farms.

From the Access Group drop-down menu in the top window pane,

select New Access Group.

Select View Configuration > Administrators.

From the Access Groups tab, select Add Access Group.

The description is optional.

What to do next

Move one or more objects to the access group.

Move a Desktop Pool or a Farm to a Different Access Group

After you create an access group, you can move automated desktop pools, manual pools, or farms to the new access group.

Procedure

1 In View Administrator, select Catalog > Desktop Pools or Resources > Farms.

2 Select a pool or a farm.

3 Select Change Access Group from the Access Group drop-down menu in the top window pane.

4 Select the access group and click OK.

View Administrator moves the pool to the access group that you selected.

Remove an Access Group

You can remove an access group if it does not contain any object. You cannot remove the root access group.

Prerequisites

If the access group contains objects, move the objects to another access group or to the root access group. See

“Move a Desktop Pool or a Farm to a Different Access Group,” on page 96.

96 VMware, Inc.

Page 97

Chapter 6 Configuring Role-Based Delegated Administration

Procedure

1 In View Administrator, select View Configuration > Administrators.

2 On the Access Groups tab, select the access group and click Remove Access Group.

3 Click OK to remove the access group.

Review the Desktop Pools, Application Pools, or Farms in an Access Group

You can see the desktop pools, the application pools, or the farms in a particular access group in View Administrator.

Procedure

1 In View Administrator, navigate to the main page for the objects.

Object Action

Desktop Pools

Application Pools

Farms

By default, the objects in all access groups are displayed.

Select Catalog > Desktop Pools.

Select Catalog > Application Pools.

Select Resources > Farms.

2 Select an access group from the Access Group drop-down menu in the main window pane.

The objects in the access group that you selected are displayed.

Review the vCenter Virtual Machines in an Access Group

You can see the vCenter virtual machines in a particular access group in View Administrator. A vCenter virtual machine inherits the access group from its pool.

Procedure

1 In View Administrator, select Resources > Machines.

2 Select the vCenter VMs tab.

By default, the vCenter virtual machines in all access groups are displayed.

3 Select an access group from the Access Group drop-down menu.

The vCenter virtual machines in the access group that you selected are displayed.

Manage Custom Roles

You can use View Administrator to add, modify, and delete custom roles.

Add a Custom Role on page 98

If the predefined administrator roles do not meet your needs, you can combine specific privileges to create your own roles in View Administrator.

Modify the Privileges in a Custom Role on page 98

You can modify the privileges in a custom role. You cannot modify the predefined administrator roles.

Remove a Custom Role on page 98

You can remove a custom role if it is not included in a permission. You cannot remove the predefined administrator roles.

VMware, Inc. 97

Page 98

View Administration

Add a Custom Role

If the predefined administrator roles do not meet your needs, you can combine specific privileges to create your own roles in View Administrator.

Prerequisites

Familiarize yourself with the administrator privileges that you can use to create custom roles. See

“Predefined Roles and Privileges,” on page 99.

Procedure

1 In View Administrator, select View Configuration > Administrators.

2 On the Roles tab, click Add Role.

3 Type a name and description for the new role, select one or more privileges, and click OK.

The new role appears in the left pane.

Modify the Privileges in a Custom Role

You can modify the privileges in a custom role. You cannot modify the predefined administrator roles.

Prerequisites

Familiarize yourself with the administrator privileges that you can use to create custom roles. See

“Predefined Roles and Privileges,” on page 99.

Procedure

1 In View Administrator, select View Configuration > Administrators.

2 On the Roles tab, select the role.

3 Click Privileges to display the privileges in the role and click Edit.

4 Select or deselect privileges.

5 Click OK to save your changes.

Remove a Custom Role

You can remove a custom role if it is not included in a permission. You cannot remove the predefined administrator roles.

Prerequisites

If the role is included in a permission, delete the permission. See “Delete a Permission,” on page 94.

Procedure

1 In View Administrator, select View Configuration > Administrators.

2 On the Roles tab, select the role and click Remove Role.

The Remove Role button is not available for predefined roles or for custom roles that are included in a permission.

3 Click OK to remove the role.

98 VMware, Inc.

Page 99

Predefined Roles and Privileges

View Administrator includes predefined roles that you can assign to your administrator users and groups. You can also create your own administrator roles by combining selected privileges.

Predefined Administrator Roles on page 99

The predefined administrator roles combine all of the individual privileges required to perform common administration tasks. You cannot modify the predefined roles.

Global Privileges on page 101

Global privileges control system-wide operations, such as viewing and changing global settings. Roles that contain only global privileges cannot be applied to access groups.

Object-Specific Privileges on page 102

Object-specific privileges control operations on specific types of inventory objects. Roles that contain object-specific privileges can be applied to access groups.

Internal Privileges on page 102

Some of the predefined administrator roles contain internal privileges. You cannot select internal privileges when you create custom roles.

Chapter 6 Configuring Role-Based Delegated Administration

Predefined Administrator Roles

The predefined administrator roles combine all of the individual privileges required to perform common administration tasks. You cannot modify the predefined roles.

Table 6-6 describes the predefined roles and indicates whether a role can be applied to an access group.

VMware, Inc. 99

Page 100

View Administration

Table 6‑6. Predefined Roles in View Administrator

Role User Capabilities

Administrators Perform all administrator operations, including creating

Administrators (Read only)

Agent Registration Administrators

Global Configuration and Policy Administrators

Global Configuration and Policy Administrators (Read only)

Inventory Administrators

Inventory Administrators (Read only)

additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role can configure and manage a pod federation and manage remote pod sessions.

Administrators that have the Administrators role on the root access group are super users because they have full access to all of the inventory objects in the system. Because the Administrators role contains all privileges, you should assign it to a limited set of users. Initially, members of the local Administrators group on your View Connection Server host are given this role on the root access group.

IMPORTANT An administrator must have the Administrators role on the root access group to perform the following tasks:

Add and delete access groups.

Manage ThinApp applications and configuration settings in

View Administrator.

Use the vdmadmin , vdmimport, and lmvutil commands.

View, but not modify, global settings and inventory objects.

View, but not modify, ThinApp applications and settings.

Run all PowerShell commands and command line utilities,

including vdmexport but excluding vdmadmin, vdmimport and lmvutil.

In a Cloud Pod Architecture environment, administrators that have this role can view inventory objects and settings in the Global Data Layer.

When administrators have this role on an access group, they can only view the inventory objects in that access group.

View and modify global policies and configuration settings except for administrator roles and permissions, and ThinApp applications and settings.

View, but not modify, global policies and configuration settings except for administrator roles and permissions, and ThinApp applications and settings.

Perform all machine, session, and pool-related operations.

Manage persistent disks.

Resync, Refresh, and Rebalance linked-clone pools and

change the default pool image.

When administrators have this role on an access group, they can only perform these operations on the inventory objects in that access group.

View, but not modify, inventory objects.

When administrators have this role on an access group, they can only view the inventory objects in that access group.

Applies to an Access Group

Yes

100 VMware, Inc.

VMware Horizon View - 7.0 Administrator’s Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

View Administration

Using View Administrator 1

View Administrator and View Connection Server

Log In to View Administrator

Tips for Using the View Administrator Interface

Troubleshooting the Text Display in View Administrator

Configuring View Connection Server 2

Configuring vCenter Server and View Composer

Create a User Account for View Composer AD Operations

Add vCenter Server Instances to View

Configure View Composer Settings

Configure View Composer Domains

Allow vSphere to Reclaim Disk Space in Linked-Clone Virtual Machines

Configure View Storage Accelerator for vCenter Server

Concurrent Operations Limits for vCenter Server and View Composer

Setting a Concurrent Power Operations Rate to Support Remote Desktop Logon Storms

Accept the Thumbprint of a Default SSL Certificate

Remove a vCenter Server Instance from View

Remove View Composer from View

Conflicting vCenter Server Unique IDs

Backing Up View Connection Server

Configuring Settings for Client Sessions

Set Options for Client Sessions and Connections

Change the Data Recovery Password

Global Settings for Client Sessions

Global Security Settings for Client Sessions and Connections

Message Security Mode for View Components

Using the vdmutil Utility to Configure the JMS Message Security Mode

Configure the Secure Tunnel and PCoIP Secure Gateway

Configure the Blast Secure Gateway

Off-load SSL Connections to Intermediate Servers

Import SSL Off-loading Servers' Certificates to View Servers

Set View Server External URLs to Point Clients to SSL Off-loading Servers

Allow HTTP Connections From Intermediate Servers

Configure the Gateway Location for a View Connection Server or Security Server Host

Disable or Enable View Connection Server

Edit the External URLs

Join or Withdraw from the Customer Experience Program

View LDAP Directory

Setting Up Smart Card Authentication 3

Logging In with a Smart Card

Configure Smart Card Authentication on View Connection Server

Obtain the Certificate Authority Certificates

Obtain the CA Certificate from Windows

Add the CA Certificate to a Server Truststore File

Modify View Connection Server Configuration Properties

Configure Smart Card Settings in View Administrator

Configure Smart Card Authentication on Third-Party Solutions

Prepare Active Directory for Smart Card Authentication

Add UPNs for Smart Card Users

Add the Root Certificate to the Enterprise NTAuth Store

Add the Root Certificate to Trusted Root Certification Authorities

Add an Intermediate Certificate to Intermediate Certification Authorities

Verify Your Smart Card Authentication Configuration

Using Smart Card Certificate Revocation Checking

Logging in with CRL Checking

Logging in with OCSP Certificate Revocation Checking

Configure CRL Checking

Configure OCSP Certificate Revocation Checking

Smart Card Certificate Revocation Checking Properties

Using Two-Factor Authentication

Logging in Using Two-Factor Authentication

Enable Two-Factor Authentication in View Administrator

Troubleshooting RSA SecurID Access Denial

Troubleshooting RADIUS Access Denial

Using SAML Authentication

Using SAML Authentication for VMware Identity Manager Integration

Configure a SAML Authenticator in View Administrator

Change the Expiration Period for Service Provider Metadata on View Connection Server

Generate SAML Metadata So That View Connection Server Can Be Used as a Service Provider

Response Time Considerations for Multiple Dynamic SAML Authenticators

Configure Biometric Authentication

Allow Mobile Client Users to Save Credentials

Setting Up True SSO

Determining an Architecture for True SSO