View Administration
Modified for Horizon 7 7.3.2
VMware Horizon 7 7.3
View Administration
VMware, Inc. 2
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
docfeedback@vmware.com
Copyright © 2014–2017 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Contents
View Administration 6
1 Using Horizon Administrator 7
  Horizon Administrator and Horizon Connection Server 7
  Log In to Horizon Administrator 8
  Tips for Using the Horizon Administrator Interface 9
  Troubleshooting the Text Display in Horizon Administrator 11
2 Configuring View Connection Server 12
  Configuring vCenter Server and View Composer 12
  Backing Up View Connection Server 26
  Configuring Settings for Client Sessions 26
  Disable or Enable View Connection Server 42
  Edit the External URLs 42
  Join or Withdraw from the Customer Experience Program 44
  View LDAP Directory 44
3 Setting Up Smart Card Authentication 46
  Logging In with a Smart Card 47
  Configure Smart Card Authentication on View Connection Server 48
  Configure Smart Card Authentication on Third-Party Solutions 55
  Prepare Active Directory for Smart Card Authentication 56
  Verify Your Smart Card Authentication Configuration 59
  Using Smart Card Certificate Revocation Checking 60
4 Setting Up Other Types of User Authentication 65
  Using Two-Factor Authentication 65
  Using SAML Authentication 70
  Configure Biometric Authentication 77
5 Authenticating Users Without Requiring Credentials 78
  Providing Unauthenticated Access for Published Applications 78
  Using the Log In as Current User Feature Available with Windows-Based Horizon Client 83
  Saving Credentials in Mobile and Mac Horizon Clients 84
  Setting Up True SSO 85
6 Configuring Role-Based Delegated Administration 115
  Understanding Roles and Privileges 115
  Using Access Groups to Delegate Administration of Pools and Farms 116
  Understanding Permissions 118
  Manage Administrators 119
  Manage and Review Permissions 120
  Manage and Review Access Groups 123
  Manage Custom Roles 125
  Predefined Roles and Privileges 127
  Required Privileges for Common Tasks 131
  Best Practices for Administrator Users and Groups 135
7 Configuring Policies in Horizon Administrator and Active Directory 136
  Setting Policies in Horizon Administrator 136
  Using Horizon 7 Group Policy Administrative Template Files 139
8 Maintaining View Components 146
  Backing Up and Restoring View Configuration Data 146
  Monitor View Components 155
  Monitor Machine Status 156
  Understanding View Services 157
  Change the Product License Key 159
  Monitoring Product License Usage 160
  Update General User Information from Active Directory 161
  Migrate View Composer to Another Machine 162
  Update the Certificates on a View Connection Server Instance, Security Server, or View Composer 168
  Customer Experience Improvement Program 169
9 Managing ThinApp Applications in View Administrator 171
  View Requirements for ThinApp Applications 171
  Capturing and Storing Application Packages 172
  Assigning ThinApp Applications to Machines and Desktop Pools 176
  Maintaining ThinApp Applications in View Administrator 183
  Monitoring and Troubleshooting ThinApp Applications in View Administrator 187
  ThinApp Configuration Example 191
10 Setting Up Clients in Kiosk Mode 193
  Configure Clients in Kiosk Mode 194
11 Troubleshooting Horizon 7 205
  Using Horizon Help Desk Tool 205
  Monitoring System Health 217
  Monitor Events in Horizon 7 217
  Collecting Diagnostic Information for Horizon 7 218
  Update Support Requests 223
  Troubleshooting an Unsuccessful Security Server Pairing with Horizon Connection Server 224
  Troubleshooting View Server Certificate Revocation Checking 225
  Troubleshooting Smart Card Certificate Revocation Checking 226
  Further Troubleshooting Information 226
12 Using the vdmadmin Command 228
  vdmadmin Command Usage 230
  Configuring Logging in Horizon Agent Using the -A Option 233
  Overriding IP Addresses Using the -A Option 235
  Setting the Name of a View Connection Server Group Using the -C Option 236
  Updating Foreign Security Principals Using the -F Option 237
  Listing and Displaying Health Monitors Using the -H Option 238
  Listing and Displaying Reports of View Operation Using the -I Option 239
  Generating View Event Log Messages in Syslog Format Using the -I Option 240
  Assigning Dedicated Machines Using the -L Option 242
  Displaying Information About Machines Using the -M Option 243
  Reclaiming Disk Space on Virtual Machines Using the -M Option 245
  Configuring Domain Filters Using the -N Option 246
  Configuring Domain Filters 249
  Displaying the Machines and Policies of Unentitled Users Using the -O and -P Options 253
  Configuring Clients in Kiosk Mode Using the -Q Option 255
  Displaying the First User of a Machine Using the -R Option 260
  Removing the Entry for a View Connection Server Instance or Security Server Using the -S Option 260
  Providing Secondary Credentials for Administrators Using the -T Option 262
  Displaying Information About Users Using the -U Option 264
  Unlocking or Locking Virtual Machines Using the -V Option 265
  Detecting and Resolving LDAP Entry Collisions Using the -X Option 266
View Administration
View Administration describes how to configure and administer VMware Horizon® 7, including how to
configure Horizon Connection Server, create administrators, set up user authentication, configure
policies, and manage VMware ThinApp® applications in Horizon Administrator. This document also
describes how to maintain and troubleshoot Horizon 7 components.
Intended Audience
This information is intended for anyone who wants to configure and administer VMware Horizon 7. The
information is written for experienced Windows or Linux system administrators who are familiar with
virtual machine technology and datacenter operations.
1 Using Horizon Administrator
Horizon Administrator is the Web interface through which you configure Horizon Connection Server and
manage your remote desktops and applications.
For a comparison of the operations that you can perform with View Administrator, View cmdlets, and
vdmadmin, see the View Integration document.
Note In Horizon 7, View Administrator is named Horizon Administrator. References in this document
might use View Administrator.
This section includes the following topics:
- Horizon Administrator and Horizon Connection Server
- Log In to Horizon Administrator
- Tips for Using the Horizon Administrator Interface
- Troubleshooting the Text Display in Horizon Administrator
Horizon Administrator and Horizon Connection Server
Horizon Administrator provides a Web-based management interface for Horizon 7.
The Horizon Connection Server can have multiple instances that serve as replica servers or security
servers. Depending on your Horizon 7 deployment, you can get a Horizon Administrator interface with
each instance of a Connection Server.
Use the following best practices to use Horizon Administrator with a Connection Server:
- Log in to Horizon Administrator by using the host name (or IP address) of a specific Connection Server instance, and use that Horizon Administrator interface to manage the Connection Server and any associated security server or replica server.
- In a pod environment, verify that all administrators use the host name (or IP address) of the same Connection Server instance to log in to Horizon Administrator. Do not use the host name or IP address of the load balancer to access the Horizon Administrator web page.
Note If you use Unified Access Gateway appliances rather than security servers, you must use the
Unified Access Gateway REST API to manage the Unified Access Gateway appliances. Earlier versions
of Unified Access Gateway are named Access Point. For more information, see Deploying and
Configuring Unified Access Gateway.
Log In to Horizon Administrator
To perform initial configuration tasks, you must log in to Horizon Administrator. You access Horizon
Administrator by using a secure (SSL) connection.
Prerequisites
- Verify that Horizon Connection Server is installed on a dedicated computer.
- Verify that you are using a Web browser supported by Horizon Administrator. For Horizon Administrator requirements, see the View Installation document.
Procedure
1 Open your Web browser and enter the following URL, where server is the host name of the Connection Server instance.
https://server/admin
Note You can use the IP address if you have to access a Connection Server instance when the host name is not resolvable. However, the address that you contact will not match the SSL certificate that is configured for the Connection Server instance (the certificate is issued for the host name, and an IP address is matched only by an IP entry in the certificate's subject alternative names), resulting in blocked access or access with reduced security.
Your access to Horizon Administrator depends on the type of certificate that is configured on the Connection Server computer.
If you open your Web browser on the Connection Server host, use https://127.0.0.1 to connect, not https://localhost. Connecting to the literal loopback address does not depend on name resolution of localhost (hosts file or DNS), which an attacker with access to the host could tamper with.
Option: You configured a certificate signed by a CA for View Connection Server.
Description: When you first connect, your Web browser displays Horizon Administrator.
Option: The default, self-signed certificate supplied with View Connection Server is configured.
Description: When you first connect, your Web browser might display a page warning that the security certificate associated with the address is not issued by a trusted certificate authority. Click Ignore to continue using the current SSL certificate. While the default certificate is in use, the browser cannot verify that it is connected to the intended Connection Server, so replace it with a certificate signed by a trusted CA before production use (see Update the Certificates on a View Connection Server Instance, Security Server, or View Composer).
2 Log in as a user with credentials to access the Administrators account.
You specify the Administrators account when you install a standalone Connection Server instance or
the first Connection Server instance in a replicated group. The Administrators account can be the
local Administrators group (BUILTIN\Administrators) on the Connection Server computer or a domain
user or group account.
After you log in to Horizon Administrator, you can use View Configuration > Administrators to change
the list of users and groups that have the View Administrators role.
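The certificate behaviour described in step 1 can be checked before you open the browser. The following PowerShell script is an added example, not part of the VMware guide or the product: it fetches the certificate that a Connection Server presents on TCP 443, reports its issuer and thumbprint, and tests whether the name you intend to type into https://server/admin is covered by the certificate's subject alternative names. The server name cs1.corp.example is an assumption; the script targets Windows PowerShell 5.1, where the SAN extension renders as "DNS Name=" and "IP Address=" entries.

```powershell
# Added example (not part of the VMware guide): inspect the certificate a Connection
# Server serves on 443 and check whether a given name is covered by it.
# Assumptions: Windows PowerShell 5.1, server name cs1.corp.example.

function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)][string]$Target,   # host name or IP you will put in the URL
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    try {
        # Accept whatever is presented: this function inspects the certificate, it does not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Target)   # also sends the name as SNI
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-CertificateCoversName {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Name
    )
    # Read the Subject Alternative Name extension (OID 2.5.29.17). On Windows,
    # Format($false) renders entries as "DNS Name=..." and "IP Address=...".
    $dns = @(); $ips = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$')   { $dns += $Matches[1].Trim() }
            if ($entry -match '^IP Address=(.+)$') { $ips += $Matches[1].Trim() }
        }
    }
    $parsed = $null
    if ([System.Net.IPAddress]::TryParse($Name, [ref]$parsed)) {
        # Browsers match an IP literal only against an IP SAN, never against a DNS name.
        return ($ips -contains $parsed.ToString())
    }
    foreach ($d in $dns) {
        if ($d.StartsWith('*.')) {
            # One left-most wildcard label matches exactly one label (RFC 6125 section 6.4.3).
            $suffix = $d.Substring(1)
            $prefix = $Name.Substring(0, [Math]::Max(0, $Name.Length - $suffix.Length))
            if ($Name.EndsWith($suffix, 'OrdinalIgnoreCase') -and $prefix.Length -gt 0 -and $prefix -notmatch '\.') {
                return $true
            }
        } elseif ($d -ieq $Name) {
            return $true
        }
    }
    return $false
}

$server = 'cs1.corp.example'                       # assumption: your Connection Server FQDN
$cert   = Get-ServedCertificate -Target $server
$ip     = ([System.Net.Dns]::GetHostAddresses($server) | Select-Object -First 1).IPAddressToString

[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    SelfSigned = ($cert.Subject -eq $cert.Issuer)   # true for the default certificate
    Thumbprint = $cert.Thumbprint                   # what clicking Ignore really trusts; confirm it out of band
    NotAfter   = $cert.NotAfter
    CoversHost = Test-CertificateCoversName -Certificate $cert -Name $server
    CoversIp   = Test-CertificateCoversName -Certificate $cert -Name $ip   # usually false, hence the warning on https://<ip>/admin
}
```

Run on the Connection Server itself with `Get-ServedCertificate -Target 127.0.0.1` to see what the loopback connection recommended above receives. A result of CoversHost false with a CA-signed certificate means the name in the URL is not in the certificate, which the browser will report as a name mismatch rather than as an untrusted issuer.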
Tips for Using the Horizon Administrator Interface
You can use Horizon Administrator user-interface features to navigate Horizon Pages and to find, filter,
and sort Horizon objects.
Horizon Administrator includes many common user interface features. For example, the navigation pane
on the left side of each page directs you to other Horizon Administrator pages. The search filters let you
select filtering criteria that are related to the objects you are searching for.
Table 1-1 describes a few additional features that can help you to use Horizon Administrator.
Table 1-1. Horizon Administrator Navigation and Display Features
Feature: Navigating backward and forward in Horizon Administrator pages
Description: Click your browser's Back button to go to the previously displayed Horizon Administrator page. Click the Forward button to return to the current page.
If you click the browser's Back button while you are using a Horizon Administrator wizard or dialog box, you return to the main Horizon Administrator page. The information you entered in the wizard or dialog is lost.
In versions earlier than View 5.1, you cannot use your browser's Back and Forward buttons to navigate within Horizon Administrator. Separate Back and Forward buttons in the Horizon Administrator window were provided for navigation. These buttons were removed in the View 5.1 release.
Feature: Bookmarking Horizon Administrator pages
Description: You can bookmark Horizon Administrator pages in your browser.
Feature: Multicolumn sorting
Description: You can sort Horizon objects in a variety of ways by using multicolumn sorting.
Click a heading in the top row of a Horizon Administrator table to sort the Horizon objects in alphabetical order based on that heading. For example, in the Resources > Machines page, you can click Desktop Pool to sort desktops by the pools that contain them.
The number 1 appears next to the heading to indicate that it is the primary sorting column. You can click the heading again to reverse the sorting order, indicated by an up or down arrow.
To sort the Horizon objects by a secondary item, Ctrl+click another heading. For example, in the Machines table, you can Ctrl+click Users to perform a secondary sort by the users to whom the desktops are dedicated. A number 2 appears next to the secondary heading. In this example, desktops are sorted by pool and by user within each pool.
You can continue to Ctrl+click to sort all the columns in a table in descending order of importance.
Press Ctrl+Shift and click to deselect a sort item.
For example, to display the desktops in a pool that are in a particular state and are stored on a particular datastore, select Resources > Machines, click the Datastore heading, and Ctrl+click the Status heading.
Feature: Customizing table columns
Description: You can customize the display of Horizon Administrator table columns by hiding selected columns and locking the first column. This feature lets you control the display of large tables such as Catalog > Desktop Pools that contain many columns.
Right-click any column header to display a context menu that lets you take the following actions:
- Hide the selected column.
- Customize columns. A dialog displays all columns in the table. You can select the columns to display or hide.
- Lock the first column. This option forces the left-hand column to remain displayed as you scroll horizontally across a table with many columns. For example, on the Catalog > Desktop Pools page, the pool ID remains displayed as you scroll horizontally to see other pool characteristics.
Feature: Selecting Horizon objects and displaying Horizon object details
Description: In Horizon Administrator tables that list Horizon objects, you can select an object or display object details.
- To select an object, click anywhere in the object's row in the table. At the top of the page, menus and commands that manage the object become active.
- To display object details, double-click the left cell in the object's row. A new page displays the object's details.
For example, on the Catalog > Desktop Pools page, click anywhere in an individual pool's row to activate commands that affect the pool. Double-click the ID cell in the left column to display a new page that contains details about the pool.
Feature: Expanding dialog boxes to view details
Description: You can expand Horizon Administrator dialog boxes to view details such as desktop names and user names in table columns. To expand a dialog box, place your mouse over the dots in the lower right corner of the dialog box and drag the corner.
Feature: Displaying context menus for Horizon objects
Description: You can right-click Horizon objects in Horizon Administrator tables to display context menus. A context menu gives you access to the commands that operate on the selected Horizon object. For example, in the Catalog > Desktop Pools page, you can right-click a desktop pool to display commands such as Add, Edit, Delete, Disable (or Enable) Provisioning, and so on.
Troubleshooting the Text Display in Horizon Administrator
If your Web browser runs on a non-Windows operating system such as Linux, UNIX, or Mac OS, the text in Horizon Administrator might not display properly.
Problem
The text in the Horizon Administrator interface is garbled. For example, spaces occur in the middle of words.
Cause
Horizon Administrator requires Microsoft-specific fonts.
Solution
Install Microsoft-specific fonts on your computer.
Currently, the Microsoft Web site does not distribute Microsoft fonts, but you can download them from independent Web sites. Obtain the font files only from a source you trust, because they are installed system-wide on the workstation you administer Horizon from.
2 Configuring View Connection Server
After you install and perform initial configuration of View Connection Server, you can add vCenter Server
instances and View Composer services to your View deployment, set up roles to delegate administrator
responsibilities, and schedule backups of your configuration data.
This section includes the following topics:
- Configuring vCenter Server and View Composer
- Backing Up View Connection Server
- Configuring Settings for Client Sessions
- Disable or Enable View Connection Server
- Edit the External URLs
- Join or Withdraw from the Customer Experience Program
- View LDAP Directory
Configuring vCenter Server and View Composer
To use virtual machines as remote desktops, you must configure View to communicate with vCenter
Server. To create and manage linked-clone desktop pools, you must configure View Composer settings in
View Administrator.
You can also configure storage settings for View. You can allow ESXi hosts to reclaim disk space on
linked-clone virtual machines. To allow ESXi hosts to cache virtual machine data, you must enable View
Storage Accelerator for vCenter Server.
Create a User Account for View Composer AD Operations
If you use View Composer, you must create a user account in Active Directory that allows View Composer
to perform certain operations in Active Directory. View Composer requires this account to join linked-clone
virtual machines to your Active Directory domain.
To ensure security, you should create a separate user account to use with View Composer. By creating a
separate account, you can guarantee that it does not have additional privileges that are defined for
another purpose. You can give the account the minimum privileges that it needs to create and remove
computer objects in a specified Active Directory container. For example, the View Composer account
does not require domain administrator privileges.
Procedure
1 In Active Directory, create a user account in the same domain as your Connection Server host or in a trusted domain.
2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to the account in the Active Directory container in which the linked-clone computer accounts are created or to which the linked-clone computer accounts are moved.
The following list shows all the required permissions for the user account, including permissions that are assigned by default:
- List Contents
- Read All Properties
- Write All Properties
- Read Permissions
- Reset Password
- Create Computer Objects
- Delete Computer Objects
Note Fewer permissions are required if you select the Allow reuse of pre-existing computer accounts setting for a desktop pool. Make sure that the following permissions are assigned to the user account:
- List Contents
- Read All Properties
- Read Permissions
- Reset Password
3 Make sure that the user account's permissions apply to the Active Directory container and to all child objects of the container.
What to do next
Specify the account in Horizon Administrator when you configure View Composer domains in the Add
vCenter Server wizard and when you configure and deploy linked-clone desktop pools.
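The following PowerShell script is an added example, not part of the VMware guide or the product, that performs steps 1 to 3 above with the RSAT ActiveDirectory module: it creates the dedicated account, delegates exactly the permissions listed on one container, and then prints the resulting entries so they can be compared with the list. The account name svc-composer, the OU distinguished name and the domain are assumptions. Scoping Write All Properties and Reset Password to descendant computer objects is a least-privilege choice made here; the guide's wording ("all child objects") also permits applying them to every child object. If you use the Allow reuse of pre-existing computer accounts setting, omit the Create/Delete Computer Objects and Write All Properties entries.

```powershell
# Added example (not part of the VMware guide or the product): performs steps 1 to 3
# above with the RSAT ActiveDirectory module. Account name, container and domain are
# assumptions. Run as a user allowed to modify the OU's security descriptor (for
# example a member of Domain Admins), not as the service account itself.
Import-Module ActiveDirectory

$Account = 'svc-composer'                              # assumed service account name
$OuDn    = 'OU=Linked Clones,DC=corp,DC=example'       # assumed container for linked-clone computer accounts

# Step 1: create the dedicated account if it does not exist. The password is prompted
# for so that it never lands in a script file.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) {
    New-ADUser -Name $Account -SamAccountName $Account -Enabled $true `
        -AccountPassword (Read-Host -AsSecureString "Password for $Account")
}
$sid = (Get-ADUser -Identity $Account).SID

# Fixed, well-known GUIDs from the AD schema (identical in every forest).
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$AnyProperty   = [guid]::Empty

$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$InhAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All          # this object and all descendants
$InhDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # descendants only

$acl = Get-Acl -Path "AD:\$OuDn"

# The defaults the guide lists: List Contents, Read All Properties, Read Permissions.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl', $Allow, $InhAll)))

# Step 2: Create Computer Objects / Delete Computer Objects, limited to the computer class
# so the account cannot create or delete users, groups or other object types in the container.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild', $Allow, $ComputerClass, $InhAll)))

# Step 2: Write All Properties. Inheritance is limited to descendant computer objects here
# (a least-privilege choice), which still covers every object View Composer creates or moves in.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $Allow, $AnyProperty, $InhDesc, $ComputerClass)))

# Reset Password on descendant computer objects, which the domain join of each clone needs.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $Allow, $ResetPassword, $InhDesc, $ComputerClass)))

# Step 3: write the ACL back; the inheritance flags above make it apply to the container and its children.
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Review: show only the entries granted to this account, for comparison with the list above.
$nt = $sid.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $nt } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The review output should show four Allow entries for the account and nothing else; any extra rights (for example membership in Account Operators or a broader delegation inherited from a parent OU) defeat the purpose of the separate account that this section recommends.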
Add vCenter Server Instances to Horizon 7
You must configure Horizon 7 to connect to the vCenter Server instances in your Horizon 7 deployment.
vCenter Server creates and manages the virtual machines that Horizon 7 uses in desktop pools.
If you run vCenter Server instances in a Linked Mode group, you must add each vCenter Server instance
to Horizon 7 separately.
Horizon 7 connects to the vCenter Server instance using a secure channel (SSL).
Prerequisites
- Install the Connection Server product license key.
- Prepare a vCenter Server user with permission to perform the operations in vCenter Server that are necessary to support Horizon 7. To use View Composer, you must give the user additional privileges. For details about configuring a vCenter Server user for Horizon 7, see the View Installation document.
- Verify that a TLS/SSL server certificate is installed on the vCenter Server host. In a production environment, install a valid certificate that is signed by a trusted Certificate Authority (CA).
In a testing environment, you can use the default certificate that is installed with vCenter Server, but you must accept the certificate thumbprint when you add vCenter Server to Horizon 7.
- Verify that all Connection Server instances in the replicated group trust the root CA certificate for the server certificate that is installed on the vCenter Server host. Check if the root CA certificate is in the Trusted Root Certification Authorities > Certificates folder in the Windows local computer certificate stores on the Connection Server hosts. If it is not, import the root CA certificate into the Windows local computer certificate stores.
See "Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store," in the View Installation document.
- Verify that the vCenter Server instance contains ESXi hosts. If no hosts are configured in the vCenter Server instance, you cannot add the instance to Horizon 7.
- If you upgrade to vSphere 5.5 or a later release, verify that the domain administrator account that you use as the vCenter Server user was explicitly assigned permissions to log in to vCenter Server by a vCenter Server local user.
- If you plan to use Horizon 7 in FIPS mode, verify that you have vCenter Server 6.0 or later and ESXi 6.0 or later hosts.
For more information, see "Installing Horizon 7 in FIPS Mode," in the View Installation document.
- Familiarize yourself with the settings that determine the maximum operations limits for vCenter Server and View Composer. See Concurrent Operations Limits for vCenter Server and View Composer and Setting a Concurrent Power Operations Rate to Support Remote Desktop Logon Storms.
Procedure
1 In Horizon Administrator, select View Configuration > Servers.
2 On the vCenter Servers tab, click Add.
3 In the vCenter Server Settings Server address text box, type the fully qualified domain name (FQDN) of the vCenter Server instance.
The FQDN includes the host name and domain name. For example, in the FQDN myserverhost.companydomain.com, myserverhost is the host name and companydomain.com is the domain.
Note If you enter a server by using a DNS name or URL, Horizon 7 does not perform a DNS lookup to verify whether an administrator previously added this server to Horizon 7 by using its IP address. A conflict arises if you add a vCenter Server with both its DNS name and its IP address.
4 Type the name of the vCenter Server user.
For example: domain\user or user@domain.com
5 Type the vCenter Server user password.
6 (Optional) Type a description for this vCenter Server instance.
7 Type the TCP port number.
The default port is 443.
8 Under Advanced Settings, set the concurrent operations limits for vCenter Server and View Composer operations.
9 Click Next to display the View Composer Settings page.
What to do next
Configure View Composer settings.
- If the vCenter Server instance is configured with a signed SSL certificate, and Connection Server trusts the root certificate, the Add vCenter Server wizard displays the View Composer Settings page.
- If the vCenter Server instance is configured with a default certificate, you must first determine whether to accept the thumbprint of the existing certificate. See Accept the Thumbprint of a Default SSL Certificate.
If Horizon 7 uses multiple vCenter Server instances, repeat this procedure to add the other vCenter Server instances.
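The root CA trust prerequisite above has to hold on every Connection Server in the replicated group, not just the one you happen to run the wizard from. The following PowerShell script is an added example, not from the VMware guide, that checks the Trusted Root Certification Authorities store of each listed Connection Server for the CA certificate, imports it where it is missing, and refuses to import a file that is not a CA certificate (putting an end-entity certificate in the Root store is itself a misconfiguration). The file path, the server names and the use of PowerShell remoting with local administrator rights on the Connection Servers are assumptions.

```powershell
# Added example (not from the VMware guide): make sure the CA that signed the vCenter
# Server certificate is trusted by every Connection Server in the replicated group.
# Assumptions: the exported CA certificate file path, the server names, and WinRM access
# with local administrator rights on the Connection Servers.

$RootCaFile        = 'C:\certs\corp-root-ca.cer'             # assumed: DER or Base64 export from your CA
$ConnectionServers = 'cs1.corp.example', 'cs2.corp.example'  # assumed replica group members

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaFile)

# Refuse to push anything that is not a CA certificate into the Root store.
$bc = $ca.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$RootCaFile is not a CA certificate (BasicConstraints CA=false or missing); not importing."
}
if ($ca.Subject -ne $ca.Issuer) {
    Write-Warning 'This is an intermediate CA, not a root. Intermediates belong in Cert:\LocalMachine\CA, not Root.'
}
Write-Host "CA subject:  $($ca.Subject)"
Write-Host "Thumbprint:  $($ca.Thumbprint)  (verify this value out of band before trusting it)"

$results = foreach ($cs in $ConnectionServers) {
    Invoke-Command -ComputerName $cs -ArgumentList $ca.RawData, $ca.Thumbprint -ScriptBlock {
        param([byte[]]$RawData, [string]$Thumbprint)
        # The Cert: provider addresses store entries by thumbprint.
        $present = Test-Path "Cert:\LocalMachine\Root\$Thumbprint"
        if (-not $present) {
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
            $store.Open('ReadWrite')
            $store.Add((New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$RawData)))
            $store.Close()
        }
        [pscustomobject]@{
            Server         = $env:COMPUTERNAME
            AlreadyTrusted = $present
            NowTrusted     = Test-Path "Cert:\LocalMachine\Root\$Thumbprint"
        }
    }
}
$results | Format-Table -AutoSize
```

Compare the printed thumbprint with the one your CA administrator gives you before running the import: the file on disk is what every Connection Server will trust for all future TLS connections, not only the one to vCenter Server.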
Configure View Composer Settings
To use View Composer, you must configure settings that allow View to connect to the VMware Horizon
View Composer service. View Composer can be installed on its own separate host or on the same host
as vCenter Server.
There must be a one-to-one mapping between each VMware Horizon View Composer service and
vCenter Server instance. A View Composer service can operate with only one vCenter Server instance. A
vCenter Server instance can be associated with only one VMware Horizon View Composer service.
After the initial View deployment, you can migrate the VMware Horizon View Composer service to a new host to support a growing or changing View deployment. You can edit the initial View Composer settings in View Administrator, but you must perform additional steps to ensure that the migration succeeds. See Migrate View Composer to Another Machine.
Prerequisites
- Verify that you created a user in Active Directory with permission to add and remove virtual machines from the Active Directory domain that contains your linked clones. See Create a User Account for View Composer AD Operations.
- Verify that you configured View to connect to vCenter Server. To do so, you must complete the vCenter Server Information page in the Add vCenter Server wizard. See Add vCenter Server Instances to Horizon 7.
- Verify that this VMware Horizon View Composer service is not already configured to connect to a different vCenter Server instance.
Procedure
1 In View Administrator, complete the vCenter Server Information page in the Add vCenter Server wizard.
a Select View Configuration > Servers.
b On the vCenter Servers tab, click Add and provide the vCenter Server settings.
2 On the View Composer Settings page, if you are not using View Composer, select Do not use View Composer.
If you select Do not use View Composer, the other View Composer settings become inactive. When you click Next, the Add vCenter Server wizard displays the Storage Settings page. The View Composer Domains page is not displayed.
3 If you are using View Composer, select the location of the View Composer host.
Option: View Composer is installed on the same host as vCenter Server.
Description:
a Select View Composer co-installed with the vCenter Server.
b Make sure that the port number is the same as the port that you specified when you installed the VMware Horizon View Composer service on vCenter Server. The default port number is 18443.
Option: View Composer is installed on its own separate host.
Description:
a Select Standalone View Composer Server.
b In the View Composer server address text box, type the fully qualified domain name (FQDN) of the View Composer host.
c Type the name of the View Composer user. For example: domain.com\user or user@domain.com
d Type the password of the View Composer user.
e Make sure that the port number is the same as the port that you specified when you installed the VMware Horizon View Composer service. The default port number is 18443.
4 Click Next to display the View Composer Domains page.
What to do next
Configure View Composer domains.
- If the View Composer instance is configured with a signed SSL certificate, and View Connection Server trusts the root certificate, the Add vCenter Server wizard displays the View Composer Domains page.
- If the View Composer instance is configured with a default certificate, you must first determine whether to accept the thumbprint of the existing certificate. See Accept the Thumbprint of a Default SSL Certificate.
Configure View Composer Domains
You must configure an Active Directory domain in which View Composer deploys linked-clone desktops.
You can configure multiple domains for View Composer. After you first add vCenter Server and View
Composer settings to View, you can add more View Composer domains by editing the vCenter Server
instance in Horizon Administrator.
Prerequisites
- Your Active Directory administrator must create a View Composer user for AD operations. This domain user must have permission to add and remove virtual machines from the Active Directory domain that contains your linked clones. For information about the required permissions for this user, see Create a User Account for View Composer AD Operations.
- In Horizon Administrator, verify that you completed the vCenter Server Information and View Composer Settings pages in the Add vCenter Server wizard.
Procedure
1 On the View Composer Domains page, click Add to add the View Composer user for AD operations account information.
2 Type the domain name of the Active Directory domain. For example: domain.com
3 Type the domain user name, including the domain name, of the View Composer user. For example: domain.com\admin
4 Type the account password.
5 Click OK.
6 To add domain user accounts with privileges in other Active Directory domains in which you deploy linked-clone pools, repeat the preceding steps.
7 Click Next to display the Storage Settings page.
What to do next
Enable virtual machine disk space reclamation and configure View Storage Accelerator for Horizon 7.
Allow vSphere to Reclaim Disk Space in Linked-Clone Virtual
Machines
In vSphere 5.1 and later, you can enable the disk space reclamation feature for Horizon 7. Starting in
vSphere 5.1, Horizon 7 creates linked-clone virtual machines in an efficient disk format that allows ESXi
hosts to reclaim unused disk space in the linked clones, reducing the total storage space required for
linked clones.
As users interact with linked-clone desktops, the clones' OS disks grow and can eventually use almost as
much disk space as full-clone desktops. Disk space reclamation reduces the size of the OS disks without
requiring you to refresh or recompose the linked clones. Space can be reclaimed while the virtual
machines are powered on and users are interacting with their remote desktops.
Disk space reclamation is especially useful for deployments that cannot take advantage of storage-saving
strategies such as refresh on logoff. For example, knowledge workers who install user applications on
dedicated remote desktops might lose their personal applications if the remote desktops were refreshed
or recomposed. With disk space reclamation, Horizon 7 can maintain linked clones at close to the
reduced size they start out with when they are first provisioned.
This feature has two components: space-efficient disk format and space reclamation operations.
In a vSphere 5.1 or later environment, when a parent virtual machine is virtual hardware version 9 or later,
Horizon 7 creates linked clones with space-efficient OS disks, whether or not space reclamation
operations are enabled.
To enable space reclamation operations, you must use Horizon Administrator to enable space
reclamation for vCenter Server and reclaim VM disk space for individual desktop pools. The space
reclamation setting for vCenter Server gives you the option to disable this feature on all desktop pools
that are managed by the vCenter Server instance. Disabling the feature for vCenter Server overrides the
setting at the desktop pool level.
The following guidelines apply to the space reclamation feature:
- It operates only on space-efficient OS disks in linked clones.
- It does not affect View Composer persistent disks.
- It works only with vSphere 5.1 or later and only on virtual machines that are virtual hardware version 9 or later.
- It does not operate on full-clone desktops.
- It operates on virtual machines with SCSI controllers. IDE controllers are not supported.
Native NFS snapshot technology (VAAI) is not supported in pools that contain virtual machines with
space-efficient disks.
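Two of the guidelines above (virtual hardware version 9 or later, and no virtual disks on IDE controllers) can be checked on the parent virtual machine before you enable space reclamation, and on existing pool machines afterwards. The following PowerCLI script is an added example, not from the VMware guide or the product; it assumes VMware PowerCLI is installed and a session was already opened with Connect-VIServer, and the VM names win10-parent and pool-acct-* are assumptions.

```powershell
# Added example (not from the VMware guide): check VMs against the space reclamation
# guidelines above. Assumes VMware PowerCLI and an existing Connect-VIServer session;
# the VM names are assumptions.

function Test-SpaceReclamationReady {
    param([Parameter(Mandatory, ValueFromPipeline)]$VM)   # a PowerCLI VirtualMachine object
    process {
        $cfg = $VM.ExtensionData.Config
        # Config.Version is the virtual hardware version string, e.g. "vmx-09" or "vmx-13".
        $hwVersion = [int]($cfg.Version -replace '^vmx-', '')

        $devices = $cfg.Hardware.Device
        $ideKeys = @($devices | Where-Object { $_ -is [VMware.Vim.VirtualIDEController] } | ForEach-Object { $_.Key })
        $disks   = @($devices | Where-Object { $_ -is [VMware.Vim.VirtualDisk] })
        # A virtual disk attached to an IDE controller disqualifies the VM; a CD-ROM on IDE does not.
        $onIde   = @($disks | Where-Object { $ideKeys -contains $_.ControllerKey } | ForEach-Object { $_.DeviceInfo.Label })

        [pscustomobject]@{
            Name            = $VM.Name
            HardwareVersion = $hwVersion
            DiskCount       = $disks.Count
            DisksOnIde      = ($onIde -join ', ')
            Ready           = ($hwVersion -ge 9 -and $onIde.Count -eq 0)
        }
    }
}

# The parent VM determines the disk format of every linked clone made from it, so check it
# first; then list any existing pool machines (matched by a name prefix) that do not qualify.
Get-VM -Name 'win10-parent' | Test-SpaceReclamationReady
Get-VM -Name 'pool-acct-*' | Test-SpaceReclamationReady | Where-Object { -not $_.Ready } | Format-Table -AutoSize
```

A parent that reports Ready false needs its hardware version upgraded or its disks moved to a SCSI controller and a new snapshot taken before clones created from it get space-efficient disks; the script does not distinguish linked clones from full clones, which the feature never operates on regardless of the result.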
Prerequisites
- Verify that your vCenter Server and ESXi hosts, including all ESXi hosts in a cluster, are version 5.1 with ESXi 5.1 download patch ESXi510-201212001 or later.
Procedure
1 In Horizon Administrator, complete the Add vCenter Server wizard pages that precede the Storage Settings page.
a Select View Configuration > Servers.
b On the vCenter Servers tab, click Add.
c Complete the vCenter Server Information, View Composer Settings, and View Composer Domains pages.
2 On the Storage Settings page, make sure that Enable space reclamation is selected.
Space reclamation is selected by default if you are performing a fresh installation of View 5.2 or later. You must select Enable space reclamation if you are upgrading to View 5.2 or later from View 5.1 or an earlier release.
What to do next
On the Storage Settings page, configure View Storage Accelerator.
To finish configuring disk space reclamation in Horizon 7, set up space reclamation for desktop pools.
Configure View Storage Accelerator for vCenter Server
In vSphere 5.1 and later, you can configure ESXi hosts to cache virtual machine disk data. This feature,
called View Storage Accelerator, uses the Content Based Read Cache (CBRC) feature in ESXi hosts.
View Storage Accelerator improves Horizon 7 performance during I/O storms, which can take place when
many virtual machines start up or run anti-virus scans at once. The feature is also beneficial when
administrators or users load applications or data frequently. Instead of reading the entire OS or
application from the storage system over and over, a host can read common data blocks from cache.
By reducing the number of IOPS during boot storms, View Storage Accelerator lowers the demand on the
storage array, which lets you use less storage I/O bandwidth to support your Horizon 7 deployment.
You enable caching on your ESXi hosts by selecting the View Storage Accelerator setting in the vCenter
Server wizard in Horizon Administrator, as described in this procedure.
Make sure that View Storage Accelerator is also configured for individual desktop pools. To operate on a
desktop pool, View Storage Accelerator must be enabled for vCenter Server and for the individual
desktop pool.
View Storage Accelerator is enabled for desktop pools by default. The feature can be disabled or enabled
when you create or edit a pool. The best approach is to enable this feature when you first create a
desktop pool. If you enable the feature by editing an existing pool, you must ensure that a new replica
and its digest disks are created before linked clones are provisioned. You can create a new replica by
recomposing the pool to a new snapshot or rebalancing the pool to a new datastore. Digest files can only
be configured for the virtual machines in a desktop pool when they are powered off.
You can enable View Storage Accelerator on desktop pools that contain linked clones and pools that
contain full virtual machines.
Native NFS snapshot technology (VAAI) is not supported in pools that are enabled for View Storage
Accelerator.
View Storage Accelerator is now qualified to work in configurations that use Horizon 7 replica tiering, in
which replicas are stored on a separate datastore than linked clones. Although the performance benefits
of using View Storage Accelerator with Horizon 7 replica tiering are not materially significant, certain
capacity-related benefits might be realized by storing the replicas on a separate datastore. Hence, this
combination is tested and supported.
Important If you plan to use this feature and you are using multiple View pods that share some ESXi
hosts, you must enable the View Storage Accelerator feature for all pools that are on the shared ESXi
hosts. Having inconsistent settings in multiple pods can cause instability of the virtual machines on the
shared ESXi hosts.
Prerequisites
- Verify that your vCenter Server and ESXi hosts are version 5.1 or later.
  In an ESXi cluster, verify that all the hosts are version 5.1 or later.
- Verify that the vCenter Server user was assigned the Host > Configuration > Advanced settings
  privilege in vCenter Server.
  See the topics in the View Installation document that describe Horizon 7 and View Composer
  privileges required for the vCenter Server user.
Procedure
1 In Horizon Administrator, complete the Add vCenter Server wizard pages that precede the Storage
  Settings page.
   a Select View Configuration > Servers.
   b On the vCenter Servers tab, click Add.
   c Complete the vCenter Server Information, View Composer Settings, and View Composer
     Domains pages.
2 On the Storage Settings page, make sure that the Enable View Storage Accelerator check box is
  selected.
  This check box is selected by default.
3 Specify a default host cache size.
  The default cache size applies to all ESXi hosts that are managed by this vCenter Server instance.
  The default value is 1,024MB. The cache size must be between 100MB and 2,048MB.
4 To specify a different cache size for an individual ESXi host, select an ESXi host and click Edit cache
  size.
   a In the Host cache dialog box, check Override default host cache size.
   b Type a Host cache size value between 100MB and 2,048MB and click OK.
5 On the Storage Settings page, click Next.
6 Click Finish to add vCenter Server, View Composer, and Storage Settings to Horizon 7.
What to do next
Configure settings for client sessions and connections. See Configuring Settings for Client Sessions.
To complete View Storage Accelerator settings in Horizon 7, configure View Storage Accelerator for
desktop pools. See "Configure View Storage Accelerator for Desktop Pools" in the Setting Up Virtual
Desktops in Horizon 7 document.
Concurrent Operations Limits for vCenter Server and View Composer
When you add vCenter Server to Horizon 7 or edit the vCenter Server settings, you can configure several
options that set the maximum number of concurrent operations that are performed by vCenter Server and
View Composer.
You configure these options in the Advanced Settings panel on the vCenter Server Information page.
Table 21. Concurrent Operations Limits for vCenter Server and View Composer

Max concurrent vCenter provisioning operations
    Determines the maximum number of concurrent requests that Connection Server can make
    to provision and delete full virtual machines in this vCenter Server instance.
    The default value is 20.
    This setting applies to full virtual machines only.

Max concurrent power operations
    Determines the maximum number of concurrent power operations (startup, shutdown,
    suspend, and so on) that can take place on virtual machines managed by Connection Server
    in this vCenter Server instance.
    The default value is 50.
    For guidelines for calculating a value for this setting, see Setting a Concurrent Power
    Operations Rate to Support Remote Desktop Logon Storms.
    This setting applies to full virtual machines and linked clones.

Max concurrent View Composer maintenance operations
    Determines the maximum number of concurrent View Composer refresh, recompose, and
    rebalance operations that can take place on linked clones managed by this View Composer
    instance.
    The default value is 12.
    Remote desktops that have active sessions must be logged off before a maintenance
    operation can begin. If you force users to log off as soon as a maintenance operation begins,
    the maximum number of concurrent operations on remote desktops that require logoffs is half
    the configured value. For example, if you configure this setting as 24 and force users to log
    off, the maximum number of concurrent operations on remote desktops that require logoffs is
    12.
    This setting applies to linked clones only.

Max concurrent View Composer provisioning operations
    Determines the maximum number of concurrent creation and deletion operations that can
    take place on linked clones managed by this View Composer instance.
    The default value is 8.
    This setting applies to linked clones only.
Setting a Concurrent Power Operations Rate to Support Remote Desktop Logon Storms
The Max concurrent power operations setting governs the maximum number of concurrent power
operations that can occur on remote desktop virtual machines in a vCenter Server instance. This limit is
set to 50 by default. You can change this value to support peak power-on rates when many users log on
to their desktops at the same time.
As a best practice, you can conduct a pilot phase to determine the correct value for this setting. For
planning guidelines, see "Architecture Design Elements and Planning Guidelines" in the View Architecture
Planning document.
The required number of concurrent power operations is based on the peak rate at which desktops are
powered on and the amount of time it takes for the desktop to power on, boot, and become available for
connection. In general, the recommended power operations limit is the total time it takes for the desktop
to start multiplied by the peak power-on rate.
For example, the average desktop takes two to three minutes to start. Therefore, the concurrent power
operations limit should be 3 times the peak power-on rate. The default setting of 50 is expected to support
a peak power-on rate of 16 desktops per minute.
The system waits a maximum of five minutes for a desktop to start. If the start time takes longer, other
errors are likely to occur. To be conservative, you can set a concurrent power operations limit of 5 times
the peak power-on rate. With a conservative approach, the default setting of 50 supports a peak
power-on rate of 10 desktops per minute.
Logons, and therefore desktop power on operations, typically occur in a normally distributed manner over
a certain time window. You can approximate the peak power-on rate by assuming that it occurs in the
middle of the time window, during which about 40% of the power-on operations occur in 1/6th of the time
window. For example, if users log on between 8:00 AM and 9:00 AM, the time window is one hour, and
40% of the logons occur in the 10 minutes between 8:25 AM and 8:35 AM. If there are 2,000 users, 20%
of whom have their desktops powered off, then 40% of the 400 desktop power-on operations occur in
those 10 minutes. The peak power-on rate is 16 desktops per minute.
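The sizing rule above, worked through in code. This is an added example, not VMware documentation or tooling: the 40%-in-one-sixth approximation, the start-time multiplier and the five-minute ceiling come from the text, the demo inputs are the document's worked figures, and the function names are my own.

```python
"""Sizing helper for the Max concurrent power operations setting.

Added example, not VMware documentation or tooling. It applies the rules of
thumb from the text: the limit is the desktop start time in minutes multiplied
by the peak power-on rate, a conservative plan uses the five-minute maximum
that Horizon waits for a desktop to start, and the peak rate is approximated
by assuming 40% of all power-on operations fall in the middle sixth of the
logon window. Function names are my own; the demo inputs are the document's
worked figures.
"""
import math

PEAK_FRACTION = 0.40        # share of power-ons that land in the busiest part of the window
PEAK_WINDOW_DIVISOR = 6     # that busiest part is one sixth of the window
DEFAULT_LIMIT = 50          # Horizon 7 default for Max concurrent power operations
MAX_START_MINUTES = 5       # Horizon waits at most five minutes for a desktop to start


def power_on_operations(total_users: int, powered_off_fraction: float) -> int:
    """Desktops that must be powered on during the logon window."""
    if not 0.0 <= powered_off_fraction <= 1.0:
        raise ValueError("powered_off_fraction must be between 0 and 1")
    return round(total_users * powered_off_fraction)


def peak_power_on_rate(total_users: int, powered_off_fraction: float,
                       window_minutes: float) -> float:
    """Peak power-ons per minute under the 40%-in-one-sixth approximation."""
    if window_minutes <= 0:
        raise ValueError("window_minutes must be positive")
    operations = power_on_operations(total_users, powered_off_fraction)
    peak_minutes = window_minutes / PEAK_WINDOW_DIVISOR
    return operations * PEAK_FRACTION / peak_minutes


def concurrent_power_operations_limit(peak_rate: float, start_minutes: float) -> int:
    """Recommended limit: start time times peak rate, rounded up to a whole operation."""
    if start_minutes <= 0:
        raise ValueError("start_minutes must be positive")
    return math.ceil(peak_rate * start_minutes)


def supported_peak_rate(limit: int, start_minutes: float) -> int:
    """Inverse view: the whole-desktops-per-minute peak rate a given limit sustains."""
    if start_minutes <= 0:
        raise ValueError("start_minutes must be positive")
    return int(limit // start_minutes)


def sizing_report(total_users: int, powered_off_fraction: float,
                  window_minutes: float, start_minutes: float) -> dict:
    """Summarize both the expected and the conservative recommendation."""
    peak = peak_power_on_rate(total_users, powered_off_fraction, window_minutes)
    recommended = concurrent_power_operations_limit(peak, start_minutes)
    conservative = concurrent_power_operations_limit(peak, MAX_START_MINUTES)
    return {
        "power_on_operations": power_on_operations(total_users, powered_off_fraction),
        "peak_rate_per_minute": peak,
        "recommended_limit": recommended,
        "conservative_limit": conservative,
        "default_limit_sufficient": DEFAULT_LIMIT >= recommended,
        "default_limit_sufficient_conservative": DEFAULT_LIMIT >= conservative,
    }


if __name__ == "__main__":
    # The document's example: 2,000 users, 20% powered off, an 08:00-09:00
    # window and a three-minute desktop start time.
    for key, value in sizing_report(2000, 0.20, 60, 3).items():
        print(f"{key}: {value}")
```

With the document's figures the expected plan fits the default of 50 (limit 48) while the conservative plan does not (limit 80), which is the trade-off the text describes.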
Accept the Thumbprint of a Default SSL Certificate
When you add vCenter Server and View Composer instances to Horizon 7, you must ensure that the SSL
certificates that are used for the vCenter Server and View Composer instances are valid and trusted by
Connection Server. If the default certificates that are installed with vCenter Server and View Composer
are still in place, you must determine whether to accept these certificates' thumbprints.
If a vCenter Server or View Composer instance is configured with a certificate that is signed by a CA, and
the root certificate is trusted by Connection Server, you do not have to accept the certificate thumbprint.
No action is required.
If you replace a default certificate with a certificate that is signed by a CA, but Connection Server does not
trust the root certificate, you must determine whether to accept the certificate thumbprint. A thumbprint is
a cryptographic hash of a certificate. The thumbprint is used to quickly determine if a presented certificate
is the same as another certificate, such as the certificate that was accepted previously.
Note If you install vCenter Server and View Composer on the same Windows Server host, they can use
the same SSL certificate, but you must configure the certificate separately for each component.
For details about configuring SSL certificates, see "Configuring SSL Certificates for View Servers" in the
View Installation document.
You first add vCenter Server and View Composer in Horizon Administrator by using the Add
vCenter Server wizard. If a certificate is untrusted and you do not accept the thumbprint, you cannot add
vCenter Server and View Composer.
After these servers are added, you can reconfigure them in the Edit vCenter Server dialog box.
Note You also must accept a certificate thumbprint when you upgrade from an earlier release and a
vCenter Server or View Composer certificate is untrusted, or if you replace a trusted certificate with an
untrusted certificate.
On the Horizon Administrator dashboard, the vCenter Server or View Composer icon turns red and an
Invalid Certificate Detected dialog box appears. You must click Verify and follow the procedure shown
here.
Similarly, in Horizon Administrator you can configure a SAML authenticator for use by a Connection
Server instance. If the SAML server certificate is not trusted by Connection Server, you must determine
whether to accept the certificate thumbprint. If you do not accept the thumbprint, you cannot configure the
SAML authenticator in Horizon 7. After a SAML authenticator is configured, you can reconfigure it in the
Edit View Connection Server dialog box.
Procedure
1 When Horizon Administrator displays an Invalid Certificate Detected dialog box, click View
  Certificate.
2 Examine the certificate thumbprint in the Certificate Information window.
3 Examine the certificate thumbprint that was configured for the vCenter Server or View Composer
  instance.
   a On the vCenter Server or View Composer host, start the MMC snap-in and open the Windows
     Certificate Store.
   b Navigate to the vCenter Server or View Composer certificate.
   c Click the Certificate Details tab to display the certificate thumbprint.
  Similarly, examine the certificate thumbprint for a SAML authenticator. If appropriate, take the
  preceding steps on the SAML authenticator host.
4 Verify that the thumbprint in the Certificate Information window matches the thumbprint for the
  vCenter Server or View Composer instance.
  Similarly, verify that the thumbprints match for a SAML authenticator.
5 Determine whether to accept the certificate thumbprint.
  The thumbprints match: Click Accept to use the default certificate.
  The thumbprints do not match: Click Reject. Troubleshoot the mismatched certificates. For example,
  you might have provided an incorrect IP address for vCenter Server or View Composer.
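A scripted form of steps 2 through 5, added here and not part of the VMware documentation or product: it hashes a certificate's DER encoding to obtain its thumbprint and compares it in constant time with the value copied from the Certificate Details tab, normalizing the colon and space separators that different tools display. The fetch helper, the function names and the sample certificate bytes are my own assumptions and constructed data.

```python
"""Compare a server's certificate thumbprint with the one shown in the Windows
certificate store, as in the manual Accept/Reject procedure.

Added example, not VMware documentation or product code. A thumbprint is the
hash of the certificate's DER encoding; Windows certificate details show the
SHA-1 form, other tools show SHA-256, and both are accepted here. The sample
certificate bytes used in the demo are constructed data, not a real certificate.
"""
import hashlib
import hmac
import re
import ssl

# Hex digit counts for the two thumbprint algorithms in common use.
_ALGORITHM_BY_LENGTH = {40: "sha1", 64: "sha256"}


def normalize_thumbprint(value: str) -> str:
    """Reduce a thumbprint copied from any tool to plain lower-case hex.

    Tolerates "AB:CD:..." and "ab cd ..." separators and the invisible format
    characters a clipboard copy can carry, but rejects anything that is not
    hex so a typo cannot silently turn into a mismatch.
    """
    cleaned = re.sub(r"[\s:]", "", value)
    cleaned = "".join(ch for ch in cleaned if ch.isprintable()).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError(f"thumbprint contains non-hex characters: {value!r}")
    if len(cleaned) not in _ALGORITHM_BY_LENGTH:
        raise ValueError("thumbprint must be 40 (SHA-1) or 64 (SHA-256) hex digits")
    return cleaned


def thumbprints(der_cert: bytes) -> dict:
    """SHA-1 and SHA-256 thumbprints of a DER-encoded certificate."""
    return {
        "sha1": hashlib.sha1(der_cert).hexdigest(),
        "sha256": hashlib.sha256(der_cert).hexdigest(),
    }


def thumbprint_matches(der_cert: bytes, expected: str) -> bool:
    """True if the certificate's thumbprint equals the expected value.

    The comparison is constant-time; the algorithm is chosen from the length
    of the expected value so SHA-1 and SHA-256 inputs both work.
    """
    expected_hex = normalize_thumbprint(expected)
    algorithm = _ALGORITHM_BY_LENGTH[len(expected_hex)]
    return hmac.compare_digest(thumbprints(der_cert)[algorithm], expected_hex)


def decide(der_cert: bytes, expected: str) -> str:
    """The action from step 5: Accept on a match, Reject otherwise."""
    return "Accept" if thumbprint_matches(der_cert, expected) else "Reject"


def fetch_presented_certificate(host: str, port: int = 443) -> bytes:
    """Download the certificate a server presents, without validating it.

    Validation is deliberately skipped because the procedure exists to inspect
    a certificate that Connection Server does not yet trust. Assumed helper,
    not a Horizon tool; ssl.get_server_certificate does no validation when
    ca_certs is left unset.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Constructed sample bytes standing in for a DER-encoded certificate.
    sample_der = b"constructed sample certificate bytes, not a real certificate"
    sha1_hex = thumbprints(sample_der)["sha1"]
    # Windows certificate details display the SHA-1 thumbprint as spaced pairs.
    shown_in_mmc = " ".join(sha1_hex[i:i + 2] for i in range(0, 40, 2))
    print("Thumbprint as Windows shows it:", shown_in_mmc)
    print("Decision:", decide(sample_der, shown_in_mmc))
```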
Remove a vCenter Server Instance from View
You can remove the connection between View and a vCenter Server instance. When you do so, View no
longer manages the virtual machines created in that vCenter Server instance.
Prerequisites
Delete all the virtual machines that are associated with the vCenter Server instance. For more information
about deleting virtual machines, see "Delete a Desktop Pool" in the Setting Up Virtual Desktops in
Horizon 7 document.
Procedure
1 Click View Configuration > Servers.
2 On the vCenter Servers tab, select the vCenter Server instance.
3 Click Remove.
  A dialog warns you that View will no longer have access to the virtual machines that are managed by
  this vCenter Server instance.
4 Click OK.
View can no longer access the virtual machines created in the vCenter Server instance.
Remove View Composer from View
You can remove the connection between View and the VMware Horizon View Composer service that is
associated with a vCenter Server instance.
Before you disable the connection to View Composer, you must remove from View all the linked-clone
virtual machines that were created by View Composer. View prevents you from removing View Composer
if any associated linked clones still exist. After the connection to View Composer is disabled, View cannot
provision or manage new linked clones.
Procedure
1 Remove the linked-clone desktop pools that were created by View Composer.
   a In View Administrator, select Catalog > Desktop Pools.
   b Select a linked-clone desktop pool and click Delete.
     A dialog box warns that you will permanently delete the linked-clone desktop pool from View. If
     the linked-clone virtual machines are configured with persistent disks, you can detach or delete
     the persistent disks.
   c Click OK.
     The virtual machines are deleted from vCenter Server. In addition, the associated View
     Composer database entries and the replicas that were created by View Composer are removed.
   d Repeat these steps for each linked-clone desktop pool that was created by View Composer.
2 Select View Configuration > Servers.
3 On the vCenter Servers tab, select the vCenter Server instance with which View Composer is
  associated.
4 Click Edit.
5 Under View Composer Server Settings, click Edit, select Do not use View Composer, and click OK.
  You can no longer create linked-clone desktop pools in this vCenter Server instance, but you can
  continue to create and manage full virtual-machine desktop pools in the vCenter Server instance.
What to do next
If you intend to install View Composer on another host and reconfigure View to connect to the new
VMware Horizon View Composer service, you must perform certain additional steps. See Migrate View
Composer Without Linked-Clone Virtual Machines.
Conflicting vCenter Server Unique IDs
If you have multiple vCenter Server instances configured in your environment, an attempt to add a new
instance might fail because of conflicting unique IDs.
Problem
You try to add a vCenter Server instance to View, but the unique ID of the new vCenter Server instance
conflicts with an existing instance.
Cause
Two vCenter Server instances cannot use the same unique ID. By default, a vCenter Server unique ID is
randomly generated, but you can edit it.
Solution
1 In vSphere Client, click Administration > vCenter Server Settings > Runtime Settings.
2 Type a new unique ID and click OK.
For details about editing vCenter Server unique ID values, see the vSphere documentation.
Backing Up View Connection Server
After you complete the initial configuration of View Connection Server, you should schedule regular
backups of your View and View Composer configuration data.
For information about backing up and restoring your View configuration, see Backing Up and Restoring
View Configuration Data.
Configuring Settings for Client Sessions
You can configure global settings that affect the client sessions and connections that are managed by a
View Connection Server instance or replicated group. You can set the session timeout length, display
prelogin and warning messages, and set security-related client connection options.
Set Options for Client Sessions and Connections
You configure global settings to determine the way client sessions and connections work.
The global settings are not specific to a single View Connection Server instance. They affect all client
sessions that are managed by a standalone View Connection Server instance or a group of replicated
instances.
You can also configure View Connection Server instances to use direct, nontunneled connections
between Horizon clients and remote desktops. See Configure the Secure Tunnel and PCoIP Secure
Gateway for information about configuring direct connections.
Prerequisites
Familiarize yourself with the global settings. See Global Settings for Client Sessions and Global Security
Settings for Client Sessions and Connections.
Procedure
1 In View Administrator, select View Configuration > Global Settings.
2 Choose whether to configure general settings or security settings.
  General global settings: In the General pane, click Edit.
  Global security settings: In the Security pane, click Edit.
3 Configure the global settings.
4 Click OK.
What to do next
You can change the data recovery password that was provided during installation. See Change the Data
Recovery Password.
Change the Data Recovery Password
You provide a data recovery password when you install View Connection Server version 5.1 or later. After
installation, you can change this password in View Administrator. The password is required when you
restore the View LDAP configuration from a backup.
When you back up View Connection Server, the View LDAP configuration is exported as encrypted LDIF
data. To restore the encrypted backup View configuration, you must provide the data recovery password.
The password must contain between 1 and 128 characters. Follow your organization's best practices for
generating secure passwords.
Procedure
1 In View Administrator, select View Configuration > Global Settings.
2 In the Security pane, click Change data recovery password.
3 Type and retype the new password.
4 (Optional) Type a password reminder.
Note You can also change the data recovery password when you schedule your View configuration data
to be backed up. See Schedule View Configuration Backups.
What to do next
When you use the vdmimport utility to restore a backup View configuration, provide the new password.
Global Settings for Client Sessions
General global settings determine session timeout lengths, SSO enablement and timeout limits, status
updates in View Administrator, whether prelogin and warning messages are displayed, whether View
Administrator treats Windows Server as a supported operating system for remote desktops, and other
settings.
Changes to any of the settings in the following table take effect immediately. You do not need to restart
View Connection Server or Horizon Client.
Table 22. General Global Settings for Client Sessions

View Administrator session timeout
    Determines how long an idle View Administrator session continues before the session
    times out.
    Important Setting the View Administrator session timeout to a high number of minutes
    increases the risk of unauthorized use of View Administrator. Use caution when you
    allow an idle session to persist a long time.
    By default, the View Administrator session timeout is 30 minutes. You can set a session
    timeout from 1 to 4320 minutes (72 hours).

Forcibly disconnect users
    Disconnects all desktops and applications after the specified number of minutes has
    passed since the user logged in to View. All desktops and applications will be
    disconnected at the same time regardless of when the user opened them.
    For clients that do not support application remoting, a maximum timeout value of 1200
    minutes applies if the value of this setting is Never or greater than 1200 minutes.
    The default is After 600 minutes.

Single sign-on (SSO)
    If SSO is enabled, View caches a user's credentials so that the user can launch remote
    desktops or applications without having to provide credentials to log in to the remote
    Windows session. The default is Enabled.
    If you plan to use the True SSO feature, introduced in Horizon 7 or later, SSO must be
    enabled. With True SSO, if a user logs in using some other form of authentication than
    Active Directory credentials, the True SSO feature generates short-term certificates to
    use, rather than cached credentials, after users log in to VMware Identity Manager.
    Note If a desktop is launched from Horizon Client, and the desktop is locked, either by
    the user or by Windows based on a security policy, and if the desktop is running View
    Agent 6.0 or later or Horizon Agent 7.0 or later, View Connection Server discards the
    user's SSO credentials. The user must provide login credentials to launch a new desktop
    or a new application, or reconnect to any disconnected desktop or application. To enable
    SSO again, the user must disconnect from View Connection Server or exit
    Horizon Client, and reconnect to View Connection Server. However, if the desktop is
    launched from Workspace ONE or VMware Identity Manager and the desktop is locked,
    SSO credentials are not discarded.

For clients that support applications. If the user stops using the keyboard and mouse,
disconnect their applications and discard SSO credentials:
    Protects application sessions when there is no keyboard or mouse activity on the client
    device. If set to After ... minutes, View disconnects all applications and discards SSO
    credentials after the specified number of minutes without user activity. Desktop sessions
    are not disconnected. Users must log in again to reconnect to the applications that were
    disconnected or launch a new desktop or application.
    This setting also applies to the True SSO feature. After SSO credentials are discarded,
    users are prompted for Active Directory credentials. If users logged in to VMware Identity
    Manager without using AD credentials and do not know what AD credentials to enter,
    users can log out and log in to VMware Identity Manager again to access their remote
    desktops and applications.
    Important Users must be aware that when they have both applications and desktops
    open, and their applications are disconnected because of this timeout, their desktops
    remain connected. Users must not rely on this timeout to protect their desktops.
    If set to Never, View never disconnects applications or discards SSO credentials due to
    user inactivity.
    The default is Never.

Other clients. Discard SSO credentials:
    Discards SSO credentials after the specified number of minutes. This setting is for
    clients that do not support application remoting. If set to After ... minutes, users must
    log in again to connect to a desktop after the specified number of minutes has passed
    since the user logged in to View, regardless of any user activity on the client device.
    If set to Never, View stores SSO credentials until the user closes Horizon Client, or the
    Forcibly disconnect users timeout is reached, whichever comes first.
    The default is After 15 minutes.

Enable automatic status updates
    Determines if status updates appear in the global status pane in the upper-left corner of
    View Administrator every few minutes. The dashboard page of View Administrator is
    also updated every few minutes.
    By default, this setting is not enabled.

Display a pre-login message
    Displays a disclaimer or another message to Horizon Client users when they log in.
    Type your information or instructions in the text box in the Global Settings dialog box.
    To display no message, leave the check box unselected.

Display warning before forced logoff
    Displays a warning message when users are forced to log off because a scheduled or
    immediate update such as a desktop-refresh operation is about to start. This setting also
    determines how long to wait after the warning is shown before the user is logged off.
    Check the box to display a warning message.
    Type the number of minutes to wait after the warning is displayed and before logging off
    the user. The default is 5 minutes.
    Type your warning message. You can use the default message:
    Your desktop is scheduled for an important update and will be shut down in 5 minutes.
    Please save any unsaved work now.

Enable Windows Server desktops
    Determines whether you can select available Windows Server 2008 R2 and Windows
    Server 2012 R2 machines for use as desktops. When this setting is enabled, View
    Administrator displays all available Windows Server machines, including machines on
    which View server components are installed.
    Note The Horizon Agent software cannot coexist on the same virtual or physical
    machine with any other View server software component, including a security server,
    View Connection Server, or View Composer.

Clean up credential when tab closed for HTML Access
    Removes a user's credentials from cache when a user closes a tab that connects to a
    remote desktop or application, or closes a tab that connects to the desktop and
    application selection page, in the HTML Access client.
    When this setting is enabled, View also removes the credentials from cache in the
    following HTML Access client scenarios:
    - A user refreshes the desktop and application selection page or the remote session
      page.
    - The server presents a self-signed certificate, a user launches a remote desktop or
      application, and the user accepts the certificate when the security warning appears.
    - A user runs a URI command in the tab that contains the remote session.
    When this setting is disabled, the credentials remain in cache. This feature is disabled by
    default.
    Note This feature is available in Horizon 7 version 7.0.2 and later.

Mirage Server configuration
    Allows you to specify the URL of a Mirage server, using the format
    mirage://server-name:port or mirages://server-name:port. Here server-name
    is the fully qualified domain name. If you do not specify the port number, the default port
    number 8000 is used.
    Note You can override this global setting by specifying a Mirage server in the desktop
    pool settings.
    Specifying the Mirage server in View Administrator is an alternative to specifying the
    Mirage server when installing the Mirage client. To find out which versions of Mirage
    support having the server specified in View Administrator, see the Mirage
    documentation, at https://www.vmware.com/support/pubs/mirage_pubs.html.

Hide server information in client user interface
    Enable this security setting to hide server URL information in Horizon Client 4.4 or later.

Hide domain list in client user interface
    Enable this security setting to hide the Domain drop-down menu in Horizon Client 4.4 or
    later.
    When users log in to a Connection Server instance for which the Hide domain list in
    client user interface global setting is enabled, the Domain drop-down menu is hidden in
    Horizon Client and users provide domain information in the Horizon Client User name
    text box. For example, users must enter their user name in the format
    domain\username or username@domain.
    Important If you enable the Hide server information in client user interface and
    Hide domain list in client user interface settings and select two-factor authentication
    (RSA SecurID or RADIUS) for the Connection Server instance, do not enforce
    Windows user name matching. Enforcing Windows user name matching will prevent
    users from being able to enter domain information in the user name text box and login
    will always fail. For more information, see the topics about two-factor authentication in
    the View Administration document.
Global Security Settings for Client Sessions and Connections
Global security settings determine whether clients are reauthenticated after interruptions, message
security mode is enabled, and IPSec is used for security server connections.
SSL is required for all Horizon Client connections and View Administrator connections to View. If your
View deployment uses load balancers or other client-facing, intermediate servers, you can off-load SSL to
them and then configure non-SSL connections on individual View Connection Server instances and
security servers. See Off-load SSL Connections to Intermediate Servers.
Table 23. Global Security Settings for Client Sessions and Connections

Reauthenticate secure tunnel connections after network interruption
    Determines if user credentials must be reauthenticated after a network interruption when
    Horizon clients use secure tunnel connections to remote desktops.
    When you select this setting, if a secure tunnel connection is interrupted, Horizon Client
    requires the user to reauthenticate before reconnecting.
    This setting offers increased security. For example, if a laptop is stolen and moved to a
    different network, the user cannot automatically gain access to the remote desktop without
    entering credentials.
    When this setting is not selected, the client reconnects to the remote desktop without
    requiring the user to reauthenticate.
    This setting has no effect when the secure tunnel is not used.

Message security mode
    Determines the security mechanism used for sending JMS messages between
    components.
    - When the mode is set to Enabled, signing and verification of the JMS messages
      passed between View components takes place.
    - When the mode is set to Enhanced, security is provided by mutually authenticated
      SSL JMS connections and access control on JMS topics.
    For details, see Message Security Mode for View Components.
    For new installations, by default, message security mode is set to Enhanced. If you
    upgrade from a previous version, the setting used in the previous version is retained.

Enhanced Security Status (Read-only)
    Read-only field that appears when Message security mode is changed from Enabled to
    Enhanced. Because the change is made in phases, this field shows the progress through
    the phases:
    - Waiting for Message Bus restart is the first phase. This state is displayed until you
      manually restart either all Connection Server instances in the pod or the VMware
      Horizon View Message Bus Component service on all Connection Server hosts in the
      pod.
    - Pending Enhanced is the next state. After all View Message Bus Component
      services have been restarted, the system begins changing the message security
      mode to Enhanced for all desktops and security servers.
    - Enhanced is the final state, indicating that all components are now using Enhanced
      message security mode.
    You can also use the vdmutil command-line utility to monitor progress. See Using the
    vdmutil Utility to Configure the JMS Message Security Mode.

Use IPSec for Security Server connections
    Determines whether to use Internet Protocol Security (IPSec) for connections between
    security servers and View Connection Server instances.
    By default, secure connections (using IPSec) for security server connections are enabled.
Note If you upgrade to View 5.1 or later from an earlier View release, the global setting Require SSL for
client connections is displayed in View Administrator, but only if the setting was disabled in your View
configuration before you upgraded. Because SSL is required for all Horizon Client connections and View
Administrator connections to View, this setting is not displayed in fresh installations of View 5.1 or later
versions and is not displayed after an upgrade if the setting was already enabled in the previous View
configuration.
After an upgrade, if you do not enable the Require SSL for client connections setting, HTTPS
connections from Horizon clients will fail, unless they connect to an intermediate device that is configured
to make onward connections using HTTP. See Off-load SSL Connections to Intermediate Servers.
Message Security Mode for View Components
You can set the message security mode to specify the security mechanism used when JMS messages
pass among View components.
Table 24 shows the options you can select to configure the message security mode. To set an option,
select it from the Message security mode list in the Global Settings dialog window.
Table 24. Message Security Mode Options

Disabled
    Message security mode is disabled.

Mixed
    Message security mode is enabled but not enforced.
    You can use this mode to detect components in your View environment that predate View 3.0. The log
    files generated by View Connection Server contain references to these components. This setting is not
    recommended. Use this setting only to discover components that need to be upgraded.

Enabled
    Message security mode is enabled, using a combination of message signing and encryption. JMS messages
    are rejected if the signature is missing or invalid, or if a message was modified after it was signed.
    Some JMS messages are encrypted because they carry sensitive information such as user credentials. If
    you use the Enabled setting, you can also use IPSec to encrypt all JMS messages between View
    Connection Server instances, and between View Connection Server instances and security servers.
    Note View components that predate View 3.0 are not allowed to communicate with other View components.

Enhanced
    SSL is used for all JMS connections. JMS access control is also enabled so that desktops, security
    servers, and View Connection Server instances can only send and receive JMS messages on certain
    topics.
    View components that predate Horizon 6 version 6.1 cannot communicate with a View Connection Server
    6.1 instance.
    Note Using this mode requires opening TCP port 4002 between DMZ-based security servers and their
    paired View Connection Server instances.
When you first install View on a system, the message security mode is set to Enhanced. If you upgrade
View from a previous release, the message security mode remains unchanged from its existing setting.
Important If you plan to change an upgraded View environment from Enabled to Enhanced, you must
first upgrade all View Connection Server instances, security servers, and View desktops to Horizon 6
version 6.1 or a later release. After you change the setting to Enhanced, the new setting takes effect in
stages.
1 You must manually restart the VMware Horizon View Message Bus Component service on all View
Connection Server hosts in the pod, or restart the View Connection Server instances.
2 After the services are restarted, the View Connection Server instances reconfigure the message
security mode on all desktops and security servers, changing the mode to Enhanced.
3 To monitor the progress in View Administrator, go to View Configuration > Global Settings.
On the Security tab, the Enhanced Security Status item shows Enhanced when all components
have made the transition to Enhanced mode.
Alternatively, you can use the vdmutil command-line utility to monitor progress. See Using the
vdmutil Utility to Configure the JMS Message Security Mode.
View components that predate Horizon 6 version 6.1 cannot communicate with a View Connection Server
6.1 instance that uses Enhanced mode.
If you plan to change an active View environment from Disabled to Enabled, or from Enabled to
Disabled, change to Mixed mode for a short time before you make the final change. For example, if your
current mode is Disabled, change to Mixed mode for one day, then change to Enabled. In Mixed mode,
signatures are attached to messages but not verified, which allows the change of message mode to
propagate through the environment.
Using the vdmutil Utility to Configure the JMS Message Security Mode
You can use the vdmutil command-line interface to configure and manage the security mechanism used
when JMS messages are passed between View components.
Syntax and Location of the Utility
The vdmutil command can perform the same operations as the lmvutil command that was included
with earlier versions of View. In addition, the vdmutil command has options for determining the message
security mode being used and monitoring the progress of changing all View components to Enhanced
mode. Use the following form of the vdmutil command from a Windows command prompt.
vdmutil command_option [additional_option argument] ...
The additional options that you can use depend on the command option. This topic focuses on the
options for message security mode. For the other options, which relate to Cloud Pod Architecture, see the
Administering Cloud Pod Architecture in Horizon 7 document.
By default, the path to the vdmutil command executable file is C:\Program Files\VMware\VMware
View\Server\tools\bin. To avoid entering the path on the command line, add the path to your PATH
environment variable.
Authentication
You must run the command as a user who has the Administrators role. You can use View Administrator to
assign the Administrators role to a user. See Chapter 6 Configuring Role-Based Delegated
Administration.
The vdmutil command includes options to specify the user name, domain, and password to use for
authentication.
Table 25. vdmutil Command Authentication Options

--authAs
    Name of a View administrator user. Do not use domain\username or user principal name (UPN) format.
--authDomain
    Fully qualified domain name for the View administrator user specified in the --authAs option.
--authPassword
    Password for the View administrator user specified in the --authAs option. Entering "*" instead of a
    password causes the vdmutil command to prompt for the password and does not leave sensitive
    passwords in the command history on the command line.
You must use the authentication options with all vdmutil command options except for --help and
--verbose.
Options Specific to JMS Message Security Mode
The following table lists only the vdmutil command-line options that pertain to viewing, setting, or
monitoring the JMS message security mode. For a list of the arguments you can use with a specific
option, use the --help command-line option.
The vdmutil command returns 0 when an operation succeeds and a failure-specific non-zero code when
an operation fails. The vdmutil command writes error messages to standard error. When an operation
produces output, or when verbose logging is enabled by using the --verbose option, the vdmutil
command writes output to standard output, in US English.
Table 26. vdmutil Command Options

--activatePendingConnectionServerCertificates
    Activates a pending security certificate for a View Connection Server instance in the local pod.
--countPendingMsgSecStatus
    Counts the number of machines preventing a transition to or from Enhanced mode.
--createPendingConnectionServerCertificates
    Creates a new pending security certificate for a View Connection Server instance in the local pod.
--getMsgSecLevel
    Gets the enhanced message security status for the local pod. This status pertains to the process of
    changing the JMS message security mode from Enabled to Enhanced for all the components in a View
    environment.
--getMsgSecMode
    Gets the message security mode for the local pod.
--help
    Lists the vdmutil command options. You can also use --help on a particular command, such as
    --setMsgSecMode --help.
--listMsgBusSecStatus
    Lists the message bus security status for all connection servers in the local pod.
--listPendingMsgSecStatus
    Lists machines preventing a transition to or from Enhanced mode. Limited to 25 entries by default.
--setMsgSecMode
    Sets the message security mode for the local pod.
--verbose
    Enables verbose logging. You can add this option to any other option to obtain detailed command
    output. The vdmutil command writes to standard output.
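The following PowerShell wrapper is an added example; it is not part of this document and not part of the vdmutil tool. It applies only the contract stated above (exit code 0 on success, errors on standard error, output on standard output) and the option names from Table 25 and Table 26, and it uses the documented default executable path. The function names, the log file location, the polling interval and the decision to pass the password on the command line from a single prompt are assumptions of this example.

```powershell
# Added example, not from the VMware documentation. Wraps vdmutil using only the
# documented contract: exit code 0 = success, errors on stderr, output on stdout.
# Assumes the documented default install path and a caller holding the Administrators role.
$VdmUtil = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmutil.exe'

function Invoke-VdmUtil {
    # Runs one vdmutil operation and returns exit code, stdout lines and stderr lines.
    param(
        [Parameter(Mandatory)] [string[]] $Operation,     # e.g. '--getMsgSecMode'
        [Parameter(Mandatory)] [string]   $AdminUser,     # user name only, no DOMAIN\ or UPN
        [Parameter(Mandatory)] [string]   $AdminDomain,   # fully qualified domain name
        [Parameter(Mandatory)] [string]   $AdminPassword  # pass '*' to let vdmutil prompt instead
    )
    $allArgs = $Operation + @('--authAs', $AdminUser,
                              '--authDomain', $AdminDomain,
                              '--authPassword', $AdminPassword)
    # 2>&1 merges stderr into the pipeline as ErrorRecord objects, so the two streams can be split
    $merged = & $VdmUtil @allArgs 2>&1
    [pscustomobject]@{
        ExitCode = $LASTEXITCODE
        StdOut   = @($merged | Where-Object { $_ -isnot [System.Management.Automation.ErrorRecord] } |
                     ForEach-Object { [string]$_ })
        StdErr   = @($merged | Where-Object { $_ -is [System.Management.Automation.ErrorRecord] } |
                     ForEach-Object { $_.ToString() })
    }
}

function Watch-MsgSecTransition {
    # Polls the read-only status options while a pod moves to Enhanced mode and
    # appends timestamped records to a log file (assumed location below).
    param(
        [Parameter(Mandatory)] [string] $AdminUser,
        [Parameter(Mandatory)] [string] $AdminDomain,
        [int]    $IntervalSeconds = 60,
        [int]    $MaxPolls        = 30,
        [string] $LogPath         = "$env:TEMP\msgsec-transition.log"
    )
    # Prompt once; the password stays in memory and is never written to the log.
    $secure = Read-Host -Prompt "Password for $AdminDomain\$AdminUser" -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password

    for ($i = 1; $i -le $MaxPolls; $i++) {
        foreach ($op in '--getMsgSecMode', '--getMsgSecLevel', '--countPendingMsgSecStatus') {
            $r = Invoke-VdmUtil -Operation $op -AdminUser $AdminUser `
                                -AdminDomain $AdminDomain -AdminPassword $plain
            $stamp = (Get-Date).ToString('s')
            if ($r.ExitCode -ne 0) {
                # Authentication or connectivity failure: record it and stop instead of looping on errors
                "$stamp $op FAILED exit=$($r.ExitCode) $($r.StdErr -join ' | ')" |
                    Tee-Object -FilePath $LogPath -Append
                return
            }
            "$stamp $op exit=0 $($r.StdOut -join ' | ')" | Tee-Object -FilePath $LogPath -Append
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Usage: Watch-MsgSecTransition -AdminUser 'viewadmin' -AdminDomain 'corp.example.com'
```

Passing the password through --authPassword from a variable keeps it out of the command history, as the document notes for "*", but it is still visible in the process command line while each vdmutil call runs; for a one-off query, calling Invoke-VdmUtil with -AdminPassword '*' and letting vdmutil prompt avoids that exposure.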
Configure the Secure Tunnel and PCoIP Secure Gateway
When the secure tunnel is enabled, Horizon Client makes a second HTTPS connection to the View
Connection Server or security server host when users connect to a remote desktop.
When the PCoIP Secure Gateway is enabled, Horizon Client makes a further secure connection to the
View Connection Server or security server host when users connect to a remote desktop with the PCoIP
display protocol.
Note With Horizon 6 version 6.2 and later releases, you can use Unified Access Gateway appliances,
rather than security servers, for secure external access to Horizon 6 servers and desktops. If you use
Unified Access Gateway appliances, you must disable the secure gateways on View Connection Server
instances and enable these gateways on the Unified Access Gateway appliances. For more information,
see Deploying and Configuring Unified Access Gateway.
When the secure tunnel or PCoIP Secure Gateway is not enabled, a session is established directly
between the client system and the remote desktop virtual machine, bypassing the View Connection
Server or security server host. This type of connection is called a direct connection.
Important A typical network configuration that provides secure connections for external clients includes
a security server. To use View Administrator to enable or disable the secure tunnel and PCoIP Secure
Gateway on a security server, you must edit the View Connection Server instance that is paired with the
security server.
In a network configuration in which external clients connect directly to a View Connection Server host, you
enable or disable the secure tunnel and PCoIP Secure Gateway by editing that View Connection Server
instance in View Administrator.
Prerequisites
- If you intend to enable the PCoIP Secure Gateway, verify that the View Connection Server instance
  and paired security server are View 4.6 or later.
- If you pair a security server to a View Connection Server instance on which you already enabled the
  PCoIP Secure Gateway, verify that the security server is View 4.6 or later.
Procedure
1 In View Administrator, select View Configuration > Servers.
2 On the Connection Servers tab, select a View Connection Server instance and click Edit.
3 Configure use of the secure tunnel.
Option                      Description
Enable the secure tunnel    Select Use Secure Tunnel connection to machine.
Disable the secure tunnel   Deselect Use Secure Tunnel connection to machine.
The secure tunnel is enabled by default.
4 Configure use of the PCoIP Secure Gateway.
Option                             Description
Enable the PCoIP Secure Gateway    Select Use PCoIP Secure Gateway for PCoIP connections to machine.
Disable the PCoIP Secure Gateway   Deselect Use PCoIP Secure Gateway for PCoIP connections to machine.
The PCoIP Secure Gateway is disabled by default.
5 Click OK to save your changes.
Configure the Blast Secure Gateway
In Horizon Administrator, you can configure the use of the Blast Secure Gateway to provide secure
access to remote desktops and applications, either through HTML Access or through client connections
that use the VMware Blast display protocol.
The Blast Secure Gateway includes Blast Extreme Adaptive Transport (BEAT) networking, which
dynamically adjusts to network conditions such as varying speeds and packet loss.
- Horizon Clients can use BEAT networking with an excellent network condition while connecting to the
  Connection Server, security server, or Unified Access Gateway appliance.
- Horizon Clients that use a typical network condition must connect to a Connection Server (BSG
  disabled), security server (BSG disabled), or a Unified Access Gateway appliance later than version 2.8.
  If Horizon Client uses a typical network condition to connect to a Connection Server (BSG enabled),
  security server (BSG enabled), or a Unified Access Gateway appliance earlier than version 2.8, the
  client automatically senses the network condition and falls back to TCP networking.
- Horizon Clients that use a poor network condition must connect to version 2.9 or later of a Unified
  Access Gateway appliance (with UDP Tunnel Server enabled). If Horizon Client uses a poor network
  condition to connect to the Connection Server (BSG enabled), security server (BSG enabled), or a
  Unified Access Gateway appliance earlier than version 2.8, the client automatically senses the network
  condition and falls back to TCP networking.
- If Horizon Clients use a poor network condition to connect to Connection Server (BSG disabled),
  security server (BSG disabled), version 2.9 or later of a Unified Access Gateway appliance (without
  UDP Tunnel Server enabled), or version 2.8 of a Unified Access Gateway appliance, the client
  automatically senses the network condition and falls back to the typical network condition.
For more information, see the Horizon Client documentation at
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Note You can also use Unified Access Gateway appliances, rather than security servers, for secure
external access to Horizon 7 servers and desktops. If you use Unified Access Gateway appliances, you
must disable the secure gateways on Connection Server instances and enable these gateways on the
Unified Access Gateway appliances. For more information, see Deploying and Configuring Unified
Access Gateway.
When the Blast Secure Gateway is not enabled, client devices and client Web browsers use the VMware
Blast Extreme protocol to establish direct connections to remote desktop virtual machines and
applications, bypassing the Blast Secure Gateway.
Important A typical network configuration that provides secure connections for external users includes a
security server. To enable or disable the Blast Secure Gateway on a security server, you must edit the
Connection Server instance that is paired with the security server. If external users connect directly to a
Connection Server host, you enable or disable the Blast Secure Gateway by editing that Connection
Server instance.
Prerequisites
If users select remote desktops by using VMware Identity Manager, verify that VMware Identity Manager
is installed and configured for use with Connection Server and that Connection Server is paired with a
SAML 2.0 Authentication server.
Procedure
1 In Horizon Administrator, select View Configuration > Servers.
2 On the Connection Servers tab, select a Connection Server instance and click Edit.
3 Configure use of the Blast Secure Gateway.
Option                             Description
Enable the Blast Secure Gateway    Select Use Blast Secure Gateway for Blast connections to machine.
Disable the Blast Secure Gateway   Deselect Use Blast Secure Gateway for Blast connections to machine.
The Blast Secure Gateway is enabled by default.
4 Click OK to save your changes.
Off-load SSL Connections to Intermediate Servers
Horizon Client must use HTTPS to connect to View. If your Horizon clients connect to load balancers or
other intermediate servers that pass on the connections to View Connection Server instances or security
servers, you can off-load SSL to the intermediate servers.
Import SSL Off-loading Servers' Certificates to View Servers
If you off-load SSL connections to an intermediate server, you must import the intermediate server's
certificate onto the View Connection Server instances or security servers that connect to the intermediate
server. The same SSL server certificate must reside on both the off-loading intermediate server and each
off-loaded View server that connects to the intermediate server.
If you deploy security servers, the intermediate server and the security servers that connect to it must
have the same SSL certificate. You do not have to install the same SSL certificate on View Connection
Server instances that are paired to the security servers and do not connect directly to the intermediate
server.
If you do not deploy security servers, or if you have a mixed network environment with some security
servers and some external-facing View Connection Server instances, the intermediate server and any
View Connection Server instances that connect to it must have the same SSL certificate.
If the intermediate server's certificate is not installed on the View Connection Server instance or security
server, clients cannot validate their connections to View. In this situation, the certificate thumbprint sent by
the View server does not match the certificate on the intermediate server to which Horizon Client
connects.
Do not confuse load balancing with SSL off-loading. The preceding requirement applies to any device that
is configured to provide SSL off-loading, including some types of load balancers. However, pure load
balancing does not require copying of certificates between devices.
For information about importing certificates to View servers, see "Import a Signed Server Certificate into a
Windows Certificate Store" in the View Installation document.
Set View Server External URLs to Point Clients to SSL Off-loading Servers
If SSL is off-loaded to an intermediate server and Horizon Client devices use the secure tunnel to connect
to View, you must set the secure tunnel external URL to an address that clients can use to access the
intermediate server.
You configure the external URL settings on the View Connection Server instance or security server that
connects to the intermediate server.
If you deploy security servers, external URLs are required for the security servers but not for the View
Connection Server instances that are paired with the security servers.
If you do not deploy security servers, or if you have a mixed network environment with some security
servers and some external-facing View Connection Server instances, External URLs are required for any
View Connection Server instances that connect to the intermediate server.
Note You cannot off-load SSL connections from a PCoIP Secure Gateway (PSG) or Blast Secure
Gateway. The PCoIP external URL and Blast Secure Gateway external URL must allow clients to connect
to the computer that hosts the PSG and Blast Secure Gateway. Do not reset the PCoIP external URL and
Blast external URL to point to the intermediate server unless you plan to require SSL connections
between the intermediate server and the View server.
For information about configuring External URLs, see “Configuring External URLs for PCoIP Secure
Gateway and Tunnel Connections” in the View Installation document.
Allow HTTP Connections From Intermediate Servers
When SSL is off-loaded to an intermediate server, you can configure View Connection Server instances
or security servers to allow HTTP connections from the client-facing, intermediate devices. The
intermediate devices must accept HTTPS for Horizon Client connections.
To allow HTTP connections between View servers and intermediate devices, you must configure the
locked.properties file on each View Connection Server instance and security server on which HTTP
connections are allowed.
Even when HTTP connections between View servers and intermediate devices are allowed, you cannot
disable SSL in View. View servers continue to accept HTTPS connections as well as HTTP connections.
Note If your Horizon clients use smart card authentication, the clients must make HTTPS connections
directly to View Connection Server or security server. SSL off-loading is not supported with smart card
authentication.
Procedure
1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View
Connection Server or security server host.
For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
2 To configure the View server's protocol, add the serverProtocol property and set it to http.
The value http must be typed in lower case.
3 (Optional) Add properties to configure a non-default HTTP listening port and a network interface on
the View server.
- To change the HTTP listening port from 80, set serverPortNonSSL to another port number to
  which the intermediate device is configured to connect.
- If the View server has more than one network interface, and you intend the server to listen for
  HTTP connections on only one interface, set serverHostNonSSL to the IP address of that
  network interface.
4 Save the locked.properties file.
5 Restart the View Connection Server service or security server service to make your changes take
effect.
Example: locked.properties file
This file allows non-SSL HTTP connections to a View server. The IP address of the View server's client-
facing network interface is 10.20.30.40. The server uses the default port 80 to listen for HTTP
connections. The value http must be lower case.
serverProtocol=http
serverHostNonSSL=10.20.30.40
Configure the Gateway Location for a Horizon Connection Server
or Security Server Host
By default, Horizon Connection Server instances set the gateway location to Internal and security
servers set the gateway location to External. You can change the default gateway location by setting the
gatewayLocation property in the locked.properties file.
The gateway location determines the value of the ViewClient_Broker_GatewayLocation registry key
in a remote desktop. You can use this value with Smart Policies to create a policy that takes effect only if
a user connects to a remote desktop from inside or outside your corporate network. For more information,
see "Using Smart Policies" in the Configuring Remote Desktop Features in Horizon 7 document.
Procedure
1 Create or edit the locked.properties file in the SSL gateway configuration folder on the Horizon
Connection Server or security server host.
For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
The properties in the locked.properties file are case sensitive.
2 Add the following line to the locked.properties file:
gatewayLocation=value
value can be either External or Internal. External indicates that the gateway is available for
users outside the corporate network. Internal indicates that the gateway is available only for users
inside the corporate network.
For example: gatewayLocation=External
3 Save the locked.properties file.
4 Restart the VMware Horizon Connection Server service or the VMware Horizon Security Server
service to make your changes take effect.
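Because both procedures above edit the same case-sensitive locked.properties file, the following PowerShell check is added here as one example for both; it is not part of this document or of the Horizon product. It reads the file and reports the mistakes the procedures warn about: a key whose case differs from serverProtocol, serverPortNonSSL, serverHostNonSSL or gatewayLocation (which the server would silently ignore), a serverProtocol value other than lower-case http, a gatewayLocation other than External or Internal, and an unusable port or host address. The default file path assumes the product was installed under C:\Program Files; the function name is an assumption of this example.

```powershell
# Added example, not from the VMware documentation. Validates a locked.properties
# file against the rules stated in the procedures (case-sensitive keys, exact
# lower-case "http", External/Internal for gatewayLocation, valid port and IP).
function Test-LockedProperties {
    param(
        # Assumes the default install directory; adjust if View was installed elsewhere
        [string] $Path = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties'
    )
    $findings = New-Object System.Collections.Generic.List[string]
    if (-not (Test-Path -LiteralPath $Path)) {
        $findings.Add("File not found: $Path")
        return $findings
    }

    # A .NET Hashtable (unlike @{}) compares keys case-sensitively, matching the file's semantics
    $props = New-Object System.Collections.Hashtable
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }   # skip blanks and comments
        $idx = $t.IndexOf('=')
        if ($idx -lt 1) { $findings.Add("Malformed line (expected key=value): '$t'"); continue }
        $props[$t.Substring(0, $idx).Trim()] = $t.Substring($idx + 1).Trim()
    }

    # Keys that match a known property only when case is ignored will not take effect
    $known = 'serverProtocol', 'serverPortNonSSL', 'serverHostNonSSL', 'gatewayLocation'
    foreach ($k in $props.Keys) {
        if (($known -cnotcontains $k) -and ($known -contains $k)) {
            $findings.Add("Key '$k' differs only in case from a documented property and will be ignored")
        }
    }

    if ($props.ContainsKey('serverProtocol') -and ($props['serverProtocol'] -cne 'http')) {
        $findings.Add("serverProtocol must be exactly 'http' (lower case); found '$($props['serverProtocol'])'")
    }
    if ($props.ContainsKey('serverPortNonSSL')) {
        $port = 0
        if (-not [int]::TryParse($props['serverPortNonSSL'], [ref]$port) -or $port -lt 1 -or $port -gt 65535) {
            $findings.Add("serverPortNonSSL is not a valid TCP port: '$($props['serverPortNonSSL'])'")
        }
    }
    if ($props.ContainsKey('serverHostNonSSL')) {
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($props['serverHostNonSSL'], [ref]$ip)) {
            $findings.Add("serverHostNonSSL must be the IP address of a local interface: '$($props['serverHostNonSSL'])'")
        }
    }
    if ($props.ContainsKey('gatewayLocation') -and ($props['gatewayLocation'] -cnotin 'External', 'Internal')) {
        $findings.Add("gatewayLocation must be 'External' or 'Internal'; found '$($props['gatewayLocation'])'")
    }
    # The HTTP listener exists only for SSL off-loading devices; without serverHostNonSSL
    # it is not restricted to a single interface, which is worth a second look on multi-homed hosts
    if (($props['serverProtocol'] -ceq 'http') -and -not $props.ContainsKey('serverHostNonSSL')) {
        $findings.Add("Info: serverProtocol=http without serverHostNonSSL; HTTP is accepted on every interface")
    }
    return $findings
}

# Usage: Test-LockedProperties | ForEach-Object { Write-Warning $_ }
```

Run it before restarting the Connection Server or security server service; an empty result means the file contains only well-formed, documented settings.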
Disable or Enable View Connection Server
You can disable a View Connection Server instance to prevent users from logging in to their remote
desktops and applications. After you disable an instance, you can enable it again.
When you disable a View Connection Server instance, users who are currently logged in to remote
desktops and applications are not affected.
Your View deployment determines how users are affected by disabling an instance.
- If this is a single, standalone View Connection Server instance, users cannot log in to their remote
  desktops or applications. They cannot connect to View Connection Server.
- If this is a replicated View Connection Server instance, your network topology determines whether
  users can be routed to another replicated instance. If users can access another instance, they can log
  in to their remote desktops and applications.
Procedure
1 In View Administrator, select View Configuration > Servers.
2 On the Connection Servers tab, select the View Connection Server instance.
3 Click Disable.
You can enable the instance again by clicking Enable.
Edit the External URLs
You can use View Administrator to edit external URLs for View Connection Server instances and security
servers.
By default, a View Connection Server or security server host can be contacted only by tunnel clients that
reside within the same network. Tunnel clients that run outside of your network must use a client-
resolvable URL to connect to a View Connection Server or security server host.
When users connect to remote desktops with the PCoIP display protocol, Horizon Client can make a
further connection to the PCoIP Secure Gateway on the View Connection Server or security server host.
To use the PCoIP Secure Gateway, a client system must have access to an IP address that allows the
client to reach the View Connection Server or security server host. You specify this IP address in the
PCoIP external URL.
A third URL allows users to make secure connections through the Blast Secure Gateway.
The secure tunnel external URL, PCoIP external URL, and Blast external URL must be the addresses
that client systems use to reach this host.
Note You cannot edit the external URLs for a security server that has not been upgraded to View
Connection Server 4.5 or later.
Procedure
1 In View Administrator, select View Configuration > Servers.
Option                           Action
View Connection Server instance  Select the View Connection Server instance on the Connection Servers tab
                                 and click Edit.
Security server                  Select the security server on the Security Servers tab and click Edit.
2 Type the secure tunnel external URL in the External URL text box.
The URL must contain the protocol, client-resolvable host name, and port number.
For example: https://view.example.com:443
Note You can use the IP address if you have to access a View Connection Server instance or
security server when the host name is not resolvable. However, the host that you contact will not
match the SSL certificate that is configured for the View Connection Server instance or security
server, resulting in blocked access or access with reduced security.
3 Type the PCoIP Secure Gateway external URL in the PCoIP External URL text box.
Specify the PCoIP external URL as an IP address with the port number 4172. Do not include a
protocol name.
For example: 10.20.30.40:4172
The URL must contain the IP address and port number that a client system can use to reach this
security server or View Connection Server instance.
4 Type the Blast Secure Gateway external URL in the Blast External URL text box.
The URL must contain the HTTPS protocol, client-resolvable host name, and port number.
For example: https://myserver.example.com:8443
By default, the URL includes the FQDN of the secure tunnel external URL and the default port
number, 8443. The URL must contain the FQDN and port number that a client system can use to
reach this host.
5 Verify that all addresses in this dialog allow client systems to reach this host.
6 Click OK to save your changes.
The external URLs are updated immediately. You do not need to restart the View Connection Server
service or the security server service for the changes to take effect.
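The following PowerShell function is an added example, not part of this document or of the product, that checks the three external URLs against the formats the procedure prescribes before you type them into the dialog: the secure tunnel and Blast URLs must be https:// with host name and port, the PCoIP URL must be an IP address with port 4172 and no protocol name, and an IP address in the https URLs is flagged because, as the note in step 2 states, it will not match the server certificate. The sample values in the usage lines are constructed from the document's own examples; the function name is an assumption of this example.

```powershell
# Added example, not from the VMware documentation. Checks external URL values
# against the formats given in the "Edit the External URLs" procedure.
function Test-ExternalUrls {
    param(
        [Parameter(Mandatory)] [string] $TunnelUrl,   # External URL, e.g. https://view.example.com:443
        [Parameter(Mandatory)] [string] $PcoipUrl,    # PCoIP External URL, e.g. 10.20.30.40:4172
        [Parameter(Mandatory)] [string] $BlastUrl     # Blast External URL, e.g. https://host:8443
    )
    $issues = New-Object System.Collections.Generic.List[string]

    # Secure tunnel and Blast URLs: absolute https URL with an explicit port
    foreach ($pair in @(@('External URL', $TunnelUrl), @('Blast External URL', $BlastUrl))) {
        $name, $url = $pair
        $uri = $null
        if (-not [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri) -or
            $uri.Scheme -ne 'https') {
            $issues.Add("$name must be an https:// URL with host name and port; got '$url'")
            continue
        }
        if ($uri.IsDefaultPort -and ($url -notmatch ':\d+/?$')) {
            $issues.Add("$name should state the port number explicitly; got '$url'")
        }
        # An IP literal is reachable but will not match the certificate's host name
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($uri.Host, [ref]$ip)) {
            $issues.Add("$name uses an IP address; clients will see a certificate name mismatch")
        }
    }

    # PCoIP external URL: dotted IPv4 address plus port 4172, no protocol name
    if ($PcoipUrl -notmatch '^(\d{1,3}\.){3}\d{1,3}:4172$') {
        $issues.Add("PCoIP External URL must be IP:4172 without a protocol name; got '$PcoipUrl'")
    }
    return $issues
}

# Constructed sample values. The first call mirrors the document's examples and returns no issues;
# the second deliberately breaks each rule and returns one finding per field.
Test-ExternalUrls -TunnelUrl 'https://view.example.com:443' -PcoipUrl '10.20.30.40:4172' `
                  -BlastUrl 'https://myserver.example.com:8443'
Test-ExternalUrls -TunnelUrl 'http://view.example.com' -PcoipUrl 'https://10.20.30.40:4172' `
                  -BlastUrl 'https://10.20.30.41:8443'
```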
Join or Withdraw from the Customer Experience Program
When you install View Connection Server with a new configuration, you can choose to participate in a
customer experience improvement program. If you change your mind about participating after the
installation, you can join or withdraw from the program by using View Administrator.
If you participate in the program, VMware collects anonymous data about your deployment in order to
improve VMware's response to user requirements. No data that identifies your organization is collected.
To review the list of fields from which data is collected, including the fields that are made anonymous, see
the related Horizon 7 documentation topic.
Procedure
1 In View Administrator, select View Configuration > Product Licensing and Usage.
2 In the Customer Experience Program pane, click Edit Settings.
3 Decide whether to participate in or withdraw from the program by selecting or deselecting the Send
anonymous data to VMware checkbox.
4 (Optional) If you participate, you can select the geographic location, type of business, and number of
employees in your organization.
5 Click OK.
View LDAP Directory
View LDAP is the data repository for all View configuration information. View LDAP is an embedded
Lightweight Directory Access Protocol (LDAP) directory that is provided with the View Connection Server
installation.
View LDAP contains standard LDAP directory components that are used by View.
- View schema definitions
- Directory information tree (DIT) definitions
- Access control lists (ACLs)
View LDAP contains directory entries that represent View objects.
- Remote desktop entries that represent each accessible desktop. Each entry contains references to
  the Foreign Security Principal (FSP) entries of Windows users and groups in Active Directory who are
  authorized to use the desktop.
- Remote desktop pool entries that represent multiple desktops managed together
- Virtual machine entries that represent the vCenter Server virtual machine for each remote desktop
- View component entries that store configuration settings
View LDAP also contains a set of View plug-in DLLs that provide automation and notification services for
other View components.
Note Security server instances do not contain a View LDAP directory.
LDAP Replication
When you install a replicated instance of View Connection Server, View copies the View LDAP
configuration data from the existing View Connection Server instance. Identical View LDAP configuration
data is maintained on all View Connection Server instances in the replicated group. When a change is
made on one instance, the updated information is copied to the other instances.
If a replicated instance fails, the other instances in the group continue to operate. When the failed
instance resumes activity, its configuration is updated with the changes that took place during the outage.
With Horizon 7 and later releases, a replication status check is performed every 15 minutes to determine
whether each instance can communicate with the other servers in the replicated group and whether each
instance can fetch LDAP updates from the other servers in the group.
You can use the dashboard in View Administrator to check the replication status. If any View Connection
Server instances have a red icon in the dashboard, click the icon to see the replication status. Replication
might be impaired for any of the following reasons:
- A firewall might be blocking communication
- The VMware VDMDS service might be stopped on a View Connection Server instance
- The VMware VDMDS DSA options might be blocking the replications
- A network problem has occurred
By default, the replication check occurs every 15 minutes. You can use ADSI Edit on a View Connection
Server instance to change the interval. To set the number of minutes, connect to
DC=vdi,DC=vmware,DC=int and edit the pae-ReplicationStatusDataExpiryInMins attribute on the
CN=Common,OU=Global,OU=Properties object.
The pae-ReplicationStatusDataExpiryInMins attribute value should be between 10 minutes and 1440
minutes (one day). If the attribute value is less than 10 minutes, View treats it as 10 minutes. If the
attribute value is greater than 1440, View treats it as 1440 minutes.
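As an added example that is not part of the VMware documentation, the following PowerShell reads and changes this attribute through ADSI instead of the ADSI Edit GUI, applying the same 10 to 1440 minute clamp that View applies. It assumes it runs on a Connection Server whose VDMDS instance answers LDAP on localhost port 389 (an assumption; the DN is the one given in the text).

```powershell
# Added example, not from the VMware documentation.
# Assumption: View LDAP (the VMware VDMDS service) answers on localhost:389 on the
# Connection Server where this runs. The DN is the one named in the text.
$ViewLdapPath = 'LDAP://localhost:389/CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'
$IntervalAttr = 'pae-ReplicationStatusDataExpiryInMins'

function Get-EffectiveReplicationInterval {
    # View treats values below 10 as 10 and values above 1440 as 1440.
    param([Parameter(Mandatory)][int]$Minutes)
    return [Math]::Min([Math]::Max($Minutes, 10), 1440)
}

function Get-ViewReplicationInterval {
    $entry = [ADSI]$ViewLdapPath
    # Get() throws when the attribute has never been set; the documented default is then 15 minutes.
    try   { $configured = [int]$entry.Get($IntervalAttr) }
    catch { $configured = $null }
    $effective = if ($null -eq $configured) { 15 } else { Get-EffectiveReplicationInterval -Minutes $configured }
    [pscustomobject]@{ Configured = $configured; Effective = $effective }
}

function Set-ViewReplicationInterval {
    param([Parameter(Mandatory)][int]$Minutes)
    $effective = Get-EffectiveReplicationInterval -Minutes $Minutes
    if ($effective -ne $Minutes) {
        Write-Warning "$Minutes is outside 10..1440; View would treat it as $effective, so $effective is stored."
    }
    $entry = [ADSI]$ViewLdapPath
    $entry.Put($IntervalAttr, $effective)
    $entry.SetInfo()      # View LDAP replication carries the change to the other instances in the group
    Get-ViewReplicationInterval
}

# Usage: show the current setting, then check every 30 minutes.
Get-ViewReplicationInterval
Set-ViewReplicationInterval -Minutes 30
```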
3 Setting Up Smart Card Authentication
For added security, you can configure a View Connection Server instance or security server so that users
and administrators can authenticate by using smart cards.
A smart card is a small plastic card that contains a computer chip. The chip, which is like a miniature
computer, includes secure storage for data, including private keys and public key certificates. One type of
smart card used by the United States Department of Defense is called a Common Access Card (CAC).
With smart card authentication, a user or administrator inserts a smart card into a smart card reader
attached to the client computer and enters a PIN. Smart card authentication provides two-factor
authentication by verifying both what the person has (the smart card) and what the person knows (the
PIN).
See the View Installation document for information about hardware and software requirements for
implementing smart card authentication. The Microsoft TechNet Web site includes detailed information on
planning and implementing smart card authentication for Windows systems.
To use smart cards, client machines must have smart card middleware and a smart card reader. To install
certificates on smart cards, you must set up a computer to act as an enrollment station. For information
about whether a particular type of Horizon Client supports smart cards, see the Horizon Client
documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
This section includes the following topics:
- Logging In with a Smart Card
- Configure Smart Card Authentication on View Connection Server
- Configure Smart Card Authentication on Third-Party Solutions
- Prepare Active Directory for Smart Card Authentication
- Verify Your Smart Card Authentication Configuration
- Using Smart Card Certificate Revocation Checking
Logging In with a Smart Card
When a user or administrator inserts a smart card into a smart card reader, the user certificates on the
smart card are copied to the local certificate store on the client system if the client operating system is
Windows. The certificates in the local certificate store are available to all of the applications running on
the client computer, including Horizon Client.
When a user or administrator initiates a connection to a View Connection Server instance or security
server that is configured for smart card authentication, the View Connection Server instance or security
server sends a list of trusted certificate authorities (CAs) to the client system. The client system checks
the list of trusted CAs against the available user certificates, selects a suitable certificate, and then
prompts the user or administrator to enter a smart card PIN. If there are multiple valid user certificates,
the client system prompts the user or administrator to select a certificate.
The client system sends the user certificate to the View Connection Server instance or security server,
which verifies the certificate by checking the certificate trust and validity period. Typically, users and
administrators can successfully authenticate if their user certificate is signed and valid. If certificate
revocation checking is configured, users or administrators who have revoked user certificates are
prevented from authenticating.
In some environments, a user's smart card certificate can map to multiple Active Directory domain user
accounts. A user might have multiple accounts with administrator privileges and needs to specify which
account to use in the Username hint field during smart card login. To make the Username hint field
appear on the Horizon Client login dialog box, the administrator must enable the smart card user name
hints feature for the Connection Server instance in View Administrator. The smart card user can then
enter a user name or UPN in the Username hint field during smart card login.
If your environment uses an Access Point appliance for secure external access, you must configure the
Access Point appliance to support the smart card user name hints feature. The smart card user name
hints feature is supported only with Access Point 2.7.2 and later. For information about enabling the smart
card user name hints feature in Access Point, see the Deploying and Configuring Access Point document.
Display protocol switching is not supported with smart card authentication in Horizon Client. To change
display protocols after authenticating with a smart card in Horizon Client, a user must log off and log on
again.
Configure Smart Card Authentication on View Connection Server
To configure smart card authentication, you must obtain a root certificate and add it to a server truststore
file, modify View Connection Server configuration properties, and configure smart card authentication
settings. Depending on your particular environment, you might need to perform additional steps.
Procedure
1. Obtain the Certificate Authority Certificates
   You must obtain all applicable CA (certificate authority) certificates for all trusted user certificates on
   the smart cards presented by your users and administrators. These certificates include root
   certificates and can include intermediate certificates if the user's smart card certificate was issued by
   an intermediate certificate authority.
2. Obtain the CA Certificate from Windows
   If you have a CA-signed user certificate or a smart card that contains one, and Windows trusts the
   root certificate, you can export the root certificate from Windows. If the issuer of the user certificate
   is an intermediate certificate authority, you can export that certificate.
3. Add the CA Certificate to a Server Truststore File
   You must add root certificates, intermediate certificates, or both to a server truststore file for all users
   and administrators that you trust. View Connection Server instances and security servers use this
   information to authenticate smart card users and administrators.
4. Modify View Connection Server Configuration Properties
   To enable smart card authentication, you must modify View Connection Server configuration
   properties on your View Connection Server or security server host.
5. Configure Smart Card Settings in View Administrator
   You can use View Administrator to specify settings to accommodate different smart card
   authentication scenarios.
Obtain the Certificate Authority Certificates
You must obtain all applicable CA (certificate authority) certificates for all trusted user certificates on the
smart cards presented by your users and administrators. These certificates include root certificates and
can include intermediate certificates if the user's smart card certificate was issued by an intermediate
certificate authority.
If you do not have the root or intermediate certificate of the CA that signed the certificates on the smart
cards presented by your users and administrators, you can export the certificates from a CA-signed user
certificate or a smart card that contains one. See Obtain the CA Certificate from Windows.
Procedure
- Obtain the CA certificates from one of the following sources.
  - A Microsoft IIS server running Microsoft Certificate Services. See the Microsoft TechNet Web site
    for information on installing Microsoft IIS, issuing certificates, and distributing certificates in your
    organization.
  - The public root certificate of a trusted CA. This is the most common source of a root certificate in
    environments that already have a smart card infrastructure and a standardized approach to smart
    card distribution and authentication.
What to do next
Add the root certificate, intermediate certificate, or both to a server truststore file.
Obtain the CA Certificate from Windows
If you have a CA-signed user certificate or a smart card that contains one, and Windows trusts the root
certificate, you can export the root certificate from Windows. If the issuer of the user certificate is an
intermediate certificate authority, you can export that certificate.
Procedure
1. If the user certificate is on a smart card, insert the smart card into the reader to add the user
   certificate to your personal store.
   If the user certificate does not appear in your personal store, use the reader software to export the
   user certificate to a file. This file is used in Step 4 of this procedure.
2. In Internet Explorer, select Tools > Internet Options.
3. On the Content tab, click Certificates.
4. On the Personal tab, select the certificate you want to use and click View.
   If the user certificate does not appear on the list, click Import to manually import it from a file. After
   the certificate is imported, you can select it from the list.
5. On the Certification Path tab, select the certificate at the top of the tree and click View Certificate.
   If the user certificate is signed as part of a trust hierarchy, the signing certificate might be signed by
   another higher-level certificate. Select the parent certificate (the one that actually signed the user
   certificate) as your root certificate. In some cases, the issuer might be an intermediate CA.
6. On the Details tab, click Copy to File.
   The Certificate Export Wizard appears.
7. Click Next > Next and type a name and location for the file that you want to export.
8. Click Next to save the file as a root certificate in the specified location.
What to do next
Add the CA certificate to a server truststore file.
Add the CA Certificate to a Server Truststore File
You must add root certificates, intermediate certificates, or both to a server truststore file for all users and
administrators that you trust. View Connection Server instances and security servers use this information
to authenticate smart card users and administrators.
Prerequisites
- Obtain the root or intermediate certificates that were used to sign the certificates on the smart cards
  presented by your users or administrators. See Obtain the Certificate Authority Certificates and
  Obtain the CA Certificate from Windows.
  Important These certificates can include intermediate certificates if the user's smart card certificate
  was issued by an intermediate certificate authority.
- Verify that the keytool utility is added to the system path on your View Connection Server or security
  server host. See the View Installation document for more information.
Procedure
1. On your View Connection Server or security server host, use the keytool utility to import the root
   certificate, intermediate certificate, or both into the server truststore file.
   For example:
   keytool -import -alias alias -file root_certificate -keystore truststorefile.key
   In this command, alias is a unique case-sensitive name for a new entry in the truststore file,
   root_certificate is the root or intermediate certificate that you obtained or exported, and
   truststorefile.key is the name of the truststore file that you are adding the root certificate to. If the file
   does not exist, it is created in the current directory.
   Note The keytool utility might prompt you to create a password for the truststore file. You will be
   asked to provide this password if you need to add additional certificates to the truststore file at a later
   time.
2. Copy the truststore file to the SSL gateway configuration folder on the View Connection Server or
   security server host.
   For example: install_directory\VMware\VMware View\Server\sslgateway\conf\truststorefile.key
What to do next
Modify View Connection Server configuration properties to enable smart card authentication.
Modify View Connection Server Configuration Properties
To enable smart card authentication, you must modify View Connection Server configuration properties on
your View Connection Server or security server host.
Prerequisites
Add the CA (certificate authority) certificates for all trusted user certificates to a server truststore file.
These certificates include root certificates and can include intermediate certificates if the user's smart
card certificate was issued by an intermediate certificate authority.
Procedure
1. Create or edit the locked.properties file in the SSL gateway configuration folder on the View
   Connection Server or security server host.
   For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
2. Add the trustKeyfile, trustStoretype, and useCertAuth properties to the locked.properties
   file.
   a. Set trustKeyfile to the name of your truststore file.
   b. Set trustStoretype to jks.
   c. Set useCertAuth to true to enable certificate authentication.
3. Restart the View Connection Server service or security server service to make your changes take
   effect.
Example: locked.properties File
The file shown specifies that the root certificate for all trusted users is located in the file lonqa.key, sets
the trust store type to jks, and enables certificate authentication.
trustKeyfile=lonqa.key
trustStoretype=jks
useCertAuth=true
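The whole procedure above, from the keytool import of a root and an intermediate CA certificate through the locked.properties file and the service restart, as one added PowerShell script (example code, not from the VMware documentation). The install directory, the certificate file paths, the aliases and the service name 'wsbroker' are assumptions to adjust for your site; keytool must be on the path.

```powershell
# Added example, not from the VMware documentation. Assumptions: keytool is on the
# PATH, the install directory below, placeholder certificate paths and aliases, and
# 'wsbroker' as the Connection Server service name.
$InstallDir     = 'C:\Program Files\VMware\VMware View\Server'   # assumption
$ConfDir        = Join-Path $InstallDir 'sslgateway\conf'
$TruststoreName = 'truststorefile.key'
$TruststorePath = Join-Path $ConfDir $TruststoreName              # import straight into the conf folder
# Root first, then the intermediate that actually issued the smart card certificates.
$CaCertificates = @(
    @{ Alias = 'corp-root-ca';    File = 'C:\certs\rootCA.cer' }           # placeholder
    @{ Alias = 'corp-issuing-ca'; File = 'C:\certs\intermediateCA.cer' }   # placeholder
)

function Import-TruststoreCertificate {
    param(
        [Parameter(Mandatory)][string]$Alias,
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$StorePath,
        [Parameter(Mandatory)][string]$StorePassword
    )
    if (-not (Test-Path $File)) { throw "Certificate file not found: $File" }
    # keytool creates the JKS file on the first import. -noprompt answers the
    # "Trust this certificate?" question, so only import files whose origin you have verified.
    & keytool -importcert -noprompt -alias $Alias -file $File `
              -keystore $StorePath -storetype JKS -storepass $StorePassword
    if ($LASTEXITCODE -ne 0) { throw "keytool failed to import $File as alias '$Alias'" }
}

function Write-LockedProperties {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Truststore)
    # Property names are case-sensitive. Keep unrelated existing lines, replace these three.
    $keep = @()
    if (Test-Path $Path) {
        $keep = @(Get-Content $Path | Where-Object { $_ -notmatch '^\s*(trustKeyfile|trustStoretype|useCertAuth)\s*=' })
    }
    $smartCard = @("trustKeyfile=$Truststore", 'trustStoretype=jks', 'useCertAuth=true')
    Set-Content -Path $Path -Value ($keep + $smartCard) -Encoding Ascii
}

# The password only protects the integrity of a store that holds public CA certificates,
# but keytool asks for it on every later import, so record it with the server's other secrets.
$storePassword = Read-Host -Prompt 'Password for the truststore'

foreach ($ca in $CaCertificates) {
    Import-TruststoreCertificate -Alias $ca.Alias -File $ca.File -StorePath $TruststorePath -StorePassword $storePassword
}
# Review exactly which CAs the server will trust before switching certificate authentication on.
& keytool -list -keystore $TruststorePath -storepass $storePassword

Write-LockedProperties -Path (Join-Path $ConfDir 'locked.properties') -Truststore $TruststoreName

# Assumption: 'wsbroker' is the Connection Server service. On a security server host,
# restart the security server service instead.
Restart-Service -Name 'wsbroker'
```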
What to do next
If you configured smart card authentication for a View Connection Server instance, configure smart card
authentication settings in View Administrator. You do not need to configure smart card authentication
settings for a security server. Settings that are configured on a View Connection Server instance are also
applied to a paired security server.
Configure Smart Card Settings in View Administrator
You can use View Administrator to specify settings to accommodate different smart card authentication
scenarios.
When you configure these settings on a View Connection Server instance, the settings are also applied to
paired security servers.
Prerequisites
- Modify View Connection Server configuration properties on your View Connection Server host.
- Verify that Horizon clients make HTTPS connections directly to your View Connection Server or
  security server host. Smart card authentication is not supported if you off-load SSL to an intermediate
  device.
Procedure
1. In View Administrator, select View Configuration > Servers.
2. On the Connection Servers tab, select the View Connection Server instance and click Edit.
3. To configure smart card authentication for remote desktop and application users, perform these steps.
   a. On the Authentication tab, select a configuration option from the Smart card authentication for
      users drop-down menu in the View Authentication section.

      Option       Action
      Not allowed  Smart card authentication is disabled on the View Connection Server instance.
      Optional     Users can use smart card authentication or password authentication to connect to the
                   View Connection Server instance. If smart card authentication fails, the user must
                   provide a password.
      Required     Users are required to use smart card authentication when connecting to the View
                   Connection Server instance.
                   When smart card authentication is required, authentication fails for users who select
                   the Log in as current user check box when they connect to the View Connection Server
                   instance. These users must reauthenticate with their smart card and PIN when they log
                   in to View Connection Server.

      Note Smart card authentication replaces Windows password authentication only. If SecurID is
      enabled, users are required to authenticate by using both SecurID and smart card authentication.
   b. Configure the smart card removal policy.
      You cannot configure the smart card removal policy when smart card authentication is set to Not
      Allowed.

      Option: Disconnect users from View Connection Server when they remove their smart cards.
      Action: Select the Disconnect user sessions on smart card removal check box.

      Option: Keep users connected to View Connection Server when they remove their smart cards and
              let them start new desktop or application sessions without reauthenticating.
      Action: Deselect the Disconnect user sessions on smart card removal check box.

      The smart card removal policy does not apply to users who connect to the View Connection
      Server instance with the Log in as current user check box selected, even if they log in to their
      client system with a smart card.
   c. Configure the smart card user name hints feature.
      You cannot configure the smart card user name hints feature when smart card authentication is
      set to Not Allowed.

      Option: Enable users to use a single smart card certificate to authenticate to multiple user accounts.
      Action: Select the Allow smart card user name hints check box.

      Option: Disable users from using a single smart card certificate to authenticate to multiple user
              accounts.
      Action: Deselect the Allow smart card user name hints check box.
4. To configure smart card authentication for administrators logging in to View Administrator, click the
   Authentication tab and select a configuration option from the Smart card authentication for
   administrators drop-down menu in the View Administration Authentication section.

   Option       Action
   Not allowed  Smart card authentication is disabled on the View Connection Server instance.
   Optional     Administrators can use smart card authentication or password authentication to log in to
                View Administrator. If smart card authentication fails, the administrator must provide a
                password.
   Required     Administrators are required to use smart card authentication when they log in to View
                Administrator.

5. Click OK.
6. Restart the View Connection Server service.
   You must restart the View Connection Server service for changes to smart card settings to take effect,
   with one exception. You can change smart card authentication settings between Optional and
   Required without having to restart the View Connection Server service.
   Currently logged-in users and administrators are not affected by changes to smart card settings.
What to do next
Prepare Active Directory for smart card authentication, if required. See Prepare Active Directory for Smart
Card Authentication.
Verify your smart card authentication configuration. See Verify Your Smart Card Authentication
Configuration.
Configure Smart Card Authentication on Third-Party Solutions
Third-party solutions such as load balancers and gateways can perform smart card authentication by
passing a SAML assertion that contains the smart card's X.509 certificate and encrypted PIN.
This topic outlines the tasks involved in setting up third-party solutions to provide the relevant X.509
certificate to View Connection Server after the certificate has been validated by the partner device.
Because this feature uses SAML authentication, one of the tasks is to create a SAML authenticator in
View Administrator.
For information about configuring smart card authentication on Unified Access Gateway, see Deploying
and Configuring Unified Access Gateway.
Procedure
1. Create a SAML authenticator for the third-party gateway or load balancer.
   See Configure a SAML Authenticator in Horizon Administrator.
2. Extend the expiration period of the View Connection Server metadata so that remote sessions are not
   terminated after only 24 hours.
   See Change the Expiration Period for Service Provider Metadata on Connection Server.
3. If necessary, configure the third-party device to use service provider metadata from View Connection
   Server.
   See the product documentation for the third-party device.
4. Configure smart card settings on the third-party device.
   See the product documentation for the third-party device.
Prepare Active Directory for Smart Card Authentication
You might need to perform certain tasks in Active Directory when you implement smart card
authentication.
- Add UPNs for Smart Card Users
  Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of
  users and administrators that use smart cards to authenticate in Horizon 7 must have a valid UPN.
- Add the Root Certificate to the Enterprise NTAuth Store
  If you use a CA to issue smart card login or domain controller certificates, you must add the root
  certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this
  procedure if the Windows domain controller acts as the root CA.
- Add the Root Certificate to Trusted Root Certification Authorities
  If you use a certification authority (CA) to issue smart card login or domain controller certificates, you
  must add the root certificate to the Trusted Root Certification Authorities group policy in Active
  Directory. You do not need to perform this procedure if the Windows domain controller acts as the
  root CA.
- Add an Intermediate Certificate to Intermediate Certification Authorities
  If you use an intermediate certification authority (CA) to issue smart card login or domain controller
  certificates, you must add the intermediate certificate to the Intermediate Certification Authorities
  group policy in Active Directory.
Add UPNs for Smart Card Users
Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users
and administrators that use smart cards to authenticate in Horizon 7 must have a valid UPN.
If the domain a smart card user resides in is different from the domain that your root certificate was issued
from, you must set the user’s UPN to the Subject Alternative Name (SAN) contained in the root certificate
of the trusted CA. If your root certificate was issued from a server in the smart card user's current domain,
you do not need to modify the user's UPN.
Note You might need to set the UPN for built-in Active Directory accounts, even if the certificate is
issued from the same domain. Built-in accounts, including Administrator, do not have a UPN set by
default.
Prerequisites
- Obtain the SAN contained in the root certificate of the trusted CA by viewing the certificate properties.
- If the ADSI Edit utility is not present on your Active Directory server, download and install the
  appropriate Windows Support Tools from the Microsoft Web site.
Procedure
1. On your Active Directory server, start the ADSI Edit utility.
2. In the left pane, expand the domain the user is located in and double-click CN=Users.
3. In the right pane, right-click the user and then click Properties.
4. Double-click the userPrincipalName attribute and type the SAN value of the trusted CA certificate.
5. Click OK to save the attribute setting.
Add the Root Certificate to the Enterprise NTAuth Store
If you use a CA to issue smart card login or domain controller certificates, you must add the root
certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this procedure if
the Windows domain controller acts as the root CA.
Procedure
- On your Active Directory server, use the certutil command to publish the certificate to the
  Enterprise NTAuth store.
  For example: certutil -dspublish -f path_to_root_CA_cert NTAuthCA
The CA is now trusted to issue certificates of this type.
Add the Root Certificate to Trusted Root Certification Authorities
If you use a certification authority (CA) to issue smart card login or domain controller certificates, you
must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory.
You do not need to perform this procedure if the Windows domain controller acts as the root CA.
Procedure
1. On the Active Directory server, navigate to the Group Policy Management plug-in.

   AD Version                                        Navigation Path
   Windows 2003                                      a. Select Start > All Programs > Administrative Tools > Active Directory
                                                        Users and Computers.
                                                     b. Right-click your domain and click Properties.
                                                     c. On the Group Policy tab, click Open to open the Group Policy Management
                                                        plug-in.
                                                     d. Right-click Default Domain Policy, and click Edit.
   Windows 2008, Windows 2012R2, Windows 2016        a. Select Start > Administrative Tools > Group Policy Management.
                                                     b. Expand your domain, right-click Default Domain Policy, and click Edit.

2. Expand the Computer Configuration section and open Windows Settings\Security
   Settings\Public Key.
3. Right-click Trusted Root Certification Authorities and select Import.
4. Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click
   OK.
5. Close the Group Policy window.
All of the systems in the domain now have a copy of the root certificate in their trusted root store.
What to do next
If an intermediate certification authority (CA) issues your smart card login or domain controller certificates,
add the intermediate certificate to the Intermediate Certification Authorities group policy in Active
Directory. See Add an Intermediate Certificate to Intermediate Certification Authorities.
Add an Intermediate Certificate to Intermediate Certification
Authorities
If you use an intermediate certification authority (CA) to issue smart card login or domain controller
certificates, you must add the intermediate certificate to the Intermediate Certification Authorities group
policy in Active Directory.
Procedure
1. On the Active Directory server, navigate to the Group Policy Management plug-in.

   AD Version                                        Navigation Path
   Windows 2003                                      a. Select Start > All Programs > Administrative Tools > Active Directory
                                                        Users and Computers.
                                                     b. Right-click your domain and click Properties.
                                                     c. On the Group Policy tab, click Open to open the Group Policy Management
                                                        plug-in.
                                                     d. Right-click Default Domain Policy, and click Edit.
   Windows 2008, Windows 2012R2, Windows 2016        a. Select Start > Administrative Tools > Group Policy Management.
                                                     b. Expand your domain, right-click Default Domain Policy, and click Edit.

2. Expand the Computer Configuration section and open the policy for Windows Settings\Security
   Settings\Public Key.
3. Right-click Intermediate Certification Authorities and select Import.
4. Follow the prompts in the wizard to import the intermediate certificate (for example,
   intermediateCA.cer) and click OK.
5. Close the Group Policy window.
All of the systems in the domain now have a copy of the intermediate certificate in their intermediate
certification authority store.
Verify Your Smart Card Authentication Configuration
After you set up smart card authentication for the first time, or when smart card authentication is not
working correctly, you should verify your smart card authentication configuration.
Procedure
- Verify that each client system has smart card middleware, a smart card with a valid certificate, and a
  smart card reader. For end users, verify that they have Horizon Client.
  See the documentation provided by your smart card vendor for information on configuring smart card
  software and hardware.
- On each client system, select Start > Settings > Control Panel > Internet Options > Content >
  Certificates > Personal to verify that certificates are available for smart card authentication.
  When a user or administrator inserts a smart card into the smart card reader, Windows copies
  certificates from the smart card to the user's computer. Applications on the client system, including
  Horizon Client, can use these certificates.
- In the locked.properties file on the View Connection Server or security server host, verify that the
  useCertAuth property is set to true and is spelled correctly.
  The locked.properties file is located in install_directory\VMware\VMware
  View\Server\sslgateway\conf. The useCertAuth property is commonly misspelled as
  userCertAuth.
- If you configured smart card authentication on a View Connection Server instance, check the smart
  card authentication setting in View Administrator.
  a. Select View Configuration > Servers.
  b. On the Connection Servers tab, select the View Connection Server instance and click Edit.
  c. If you configured smart card authentication for users, on the Authentication tab, verify that
     Smart card authentication for users is set to either Optional or Required.
  d. If you configured smart card authentication for administrators, on the Authentication tab, verify
     that Smart card authentication for administrators is set to either Optional or Required.
  You must restart the View Connection Server service for changes to smart card settings to take effect.
- If the domain a smart card user resides in is different from the domain your root certificate was issued
  from, verify that the user's UPN is set to the SAN contained in the root certificate of the trusted CA.
  a. Find the SAN contained in the root certificate of the trusted CA by viewing the certificate
     properties.
  b. On your Active Directory server, select Start > Administrative Tools > Active Directory Users
     and Computers.
  c. Right-click the user in the Users folder and select Properties.
  The UPN appears in the User logon name text boxes on the Account tab.
- If smart card users select the PCoIP display protocol or the VMware Blast display protocol to connect
  to single-session desktops, verify that the View Agent or Horizon Agent component called Smartcard
  Redirection is installed on the single-user machines. The smart card feature lets users log in to
  single-session desktops with smart cards. RDS hosts, which have the Remote Desktop Services role
  installed, support the smart card feature automatically and you do not need to install the feature.
- Check the log files in drive:\Documents and Settings\All Users\Application
  Data\VMware\VDM\logs on the View Connection Server or security server host for messages stating
  that smart card authentication is enabled.
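An added PowerShell check script (example code, not from the VMware documentation) that scripts the locked.properties and truststore items above on the server, mirrors the client-side certificate selection described in Logging In with a Smart Card (validity period, usable private key, chain to a CA in the server truststore), and confirms the Enterprise NTAuth publication from Prepare Active Directory for Smart Card Authentication. The install directory and the CA thumbprints are assumptions or placeholders.

```powershell
# Added example, not from the VMware documentation. Assumptions: the install
# directory below and placeholder thumbprints for the CAs held in the server truststore.
$ConfDir = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf'   # assumption

function Test-LockedProperties {
    # Returns findings; an empty result means the three smart card properties look right.
    param([Parameter(Mandatory)][string]$ConfDir)
    $path = Join-Path $ConfDir 'locked.properties'
    if (-not (Test-Path $path)) { return @("locked.properties not found at $path") }
    # Case-sensitive table: the server does not read 'UseCertAuth' as 'useCertAuth'.
    $props = [System.Collections.Hashtable]::new([System.StringComparer]::Ordinal)
    foreach ($line in Get-Content $path) {
        if ($line -match '^\s*([^#=\s]+)\s*=\s*(.*?)\s*$') { $props[$matches[1]] = $matches[2] }
    }
    $findings = @()
    if ($props.ContainsKey('userCertAuth')) { $findings += "'userCertAuth' is a misspelling of 'useCertAuth'" }
    foreach ($expected in 'trustKeyfile', 'trustStoretype', 'useCertAuth') {
        # -cne is case-sensitive, -eq is not: this catches keys that differ from the expected one only by case.
        $badCase = $props.Keys | Where-Object { $_ -cne $expected -and $_ -eq $expected }
        if ($badCase) { $findings += "'$badCase' differs from '$expected' only by case and is ignored" }
    }
    if ($props['useCertAuth'] -ne 'true')   { $findings += "useCertAuth is '$($props['useCertAuth'])', expected 'true'" }
    if ($props['trustStoretype'] -ne 'jks') { $findings += "trustStoretype is '$($props['trustStoretype'])', expected 'jks'" }
    if (-not $props['trustKeyfile']) { $findings += 'trustKeyfile is not set' }
    elseif (-not (Test-Path (Join-Path $ConfDir $props['trustKeyfile']))) {
        $findings += "truststore '$($props['trustKeyfile'])' not found in $ConfDir"
    }
    return $findings
}

function Get-SmartCardLogonCandidates {
    # Client side: personal certificates inside their validity period, with a (card-backed) private
    # key, whose chain contains one of the CAs the server trusts. Revocation is checked by the server.
    param([Parameter(Mandatory)][string[]]$TrustedCaThumbprints)
    $now = Get-Date
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -ge $now } |
        Where-Object {
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $null = $chain.Build($_)    # a false result only means this machine does not trust the chain
            $chainThumbprints = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
            $chain.Reset()
            [bool]($chainThumbprints | Where-Object { $TrustedCaThumbprints -contains $_ })
        }
}

function Test-NtAuthContains {
    # True when a CA with this SHA-1 thumbprint is published in the Enterprise NTAuth store
    # (the result of the certutil -dspublish step). certutil prints one "Cert Hash(sha1):" per entry.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $listing = (& certutil -enterprise -store NTAuth 2>&1) -join "`n"
    $hashes = [regex]::Matches($listing, 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() }
    return $hashes -contains $Thumbprint.ToUpperInvariant()
}

# Usage. Placeholder thumbprints: replace with those of the CAs imported into the truststore.
$trustedCaThumbprints = @('0000000000000000000000000000000000000000')
Test-LockedProperties -ConfDir $ConfDir
Get-SmartCardLogonCandidates -TrustedCaThumbprints $trustedCaThumbprints | Select-Object Subject, Issuer, NotAfter
$trustedCaThumbprints | ForEach-Object { "$_ published in NTAuth: $(Test-NtAuthContains -Thumbprint $_)" }
```

Run the first and third functions on the Connection Server or security server host (the NTAuth check needs a domain-joined machine) and the second on a client with the smart card inserted.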
Using Smart Card Certificate Revocation Checking
You can prevent users who have revoked user certificates from authenticating with smart cards by
configuring certificate revocation checking. Certificates are often revoked when a user leaves an
organization, loses a smart card, or moves from one department to another.
View supports certificate revocation checking with certificate revocation lists (CRLs) and with the Online
Certificate Status Protocol (OCSP). A CRL is a list of revoked certificates published by the CA that issued
the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of an
X.509 certificate.
You can configure certificate revocation checking on a View Connection Server instance or on a security
server. When a View Connection Server instance is paired with a security server, you configure certificate
revocation checking on the security server. The CA must be accessible from the View Connection Server
or security server host.
You can configure both CRL and OCSP on the same View Connection Server instance or security server.
When you configure both types of certificate revocation checking, View attempts to use OCSP first and
falls back to CRL if OCSP fails. View does not fall back to OCSP if CRL fails.
- Logging in with CRL Checking
When you configure CRL checking, View constructs and reads a CRL to determine the revocation status of a user certificate.
- Logging in with OCSP Certificate Revocation Checking
When you configure OCSP certificate revocation checking, View sends a request to an OCSP Responder to determine the revocation status of a specific user certificate. View uses an OCSP signing certificate to verify that the responses it receives from the OCSP Responder are genuine.
- Configure CRL Checking
When you configure CRL checking, View reads a CRL to determine the revocation status of a smart card user certificate.
- Configure OCSP Certificate Revocation Checking
When you configure OCSP certificate revocation checking, View sends a verification request to an OCSP Responder to determine the revocation status of a smart card user certificate.
- Smart Card Certificate Revocation Checking Properties
You set values in the locked.properties file to enable and configure smart card certificate revocation checking.
Logging in with CRL Checking
When you configure CRL checking, View constructs and reads a CRL to determine the revocation status
of a user certificate.
If a certificate is revoked and smart card authentication is optional, the Enter your user name and
password dialog box appears and the user must provide a password to authenticate. If smart card
authentication is required, the user receives an error message and is not allowed to authenticate. The
same events occur if View cannot read the CRL.
Logging in with OCSP Certificate Revocation Checking
When you configure OCSP certificate revocation checking, View sends a request to an OCSP Responder
to determine the revocation status of a specific user certificate. View uses an OCSP signing certificate to
verify that the responses it receives from the OCSP Responder are genuine.
If the user certificate is revoked and smart card authentication is optional, the Enter your user name and
password dialog box appears and the user must provide a password to authenticate. If smart card
authentication is required, the user receives an error message and is not allowed to authenticate.
View falls back to CRL checking if it does not receive a response from the OCSP Responder or if the
response is invalid.
Configure CRL Checking
When you configure CRL checking, View reads a CRL to determine the revocation status of a smart card
user certificate.
Prerequisites
Familiarize yourself with the locked.properties file properties for CRL checking. See Smart Card
Certificate Revocation Checking Properties.
Procedure
1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection Server or security server host.
For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
2 Add the enableRevocationChecking and crlLocation properties to the locked.properties file.
a Set enableRevocationChecking to true to enable smart card certificate revocation checking.
b Set crlLocation to the location of the CRL. The value can be a URL or a file path.
3 Restart the View Connection Server service or security server service to make your changes take effect.
Example: locked.properties File
The file shown enables smart card authentication and smart card certificate revocation checking,
configures CRL checking, and specifies a URL for the CRL location.
trustKeyfile=lonqa.key
trustStoretype=jks
useCertAuth=true
enableRevocationChecking=true
crlLocation=http://root.ocsp.net/certEnroll/ocsp-ROOT_CA.crl
Configure OCSP Certificate Revocation Checking
When you configure OCSP certificate revocation checking, View sends a verification request to an OCSP
Responder to determine the revocation status of a smart card user certificate.
Prerequisites
Familiarize yourself with the locked.properties file properties for OCSP certificate revocation
checking. See Smart Card Certificate Revocation Checking Properties.
Procedure
1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection Server or security server host.
For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
2 Add the enableRevocationChecking, enableOCSP, ocspURL, and ocspSigningCert properties to the locked.properties file.
a Set enableRevocationChecking to true to enable smart card certificate revocation checking.
b Set enableOCSP to true to enable OCSP certificate revocation checking.
c Set ocspURL to the URL of the OCSP Responder.
d Set ocspSigningCert to the location of the file that contains the OCSP Responder's signing
certificate.
3 Restart the View Connection Server service or security server service to make your changes take effect.
Example: locked.properties File
The file shown enables smart card authentication and smart card certificate revocation checking,
configures both CRL and OCSP certificate revocation checking, specifies the OCSP Responder location,
and identifies the file that contains the OCSP signing certificate.
trustKeyfile=lonqa.key
trustStoretype=jks
useCertAuth=true
enableRevocationChecking=true
enableOCSP=true
allowCertCRLs=true
ocspSigningCert=te-ca.signing.cer
ocspURL=http://te-ca.lonqa.int/ocsp
Smart Card Certificate Revocation Checking Properties
You set values in the locked.properties file to enable and configure smart card certificate revocation
checking.
Table 31 lists the locked.properties file properties for certificate revocation checking.
Table 31. Properties for Smart Card Certificate Revocation Checking

enableRevocationChecking: Set this property to true to enable certificate revocation checking. When this property is set to false, certificate revocation checking is disabled and all other certificate revocation checking properties are ignored. The default value is false.

crlLocation: Specifies the location of the CRL, which can be either a URL or a file path. If you do not specify a URL, or if the specified URL is invalid, View uses the list of CRLs on the user certificate if allowCertCRLs is set to true or is not specified. If View cannot access a CRL, CRL checking fails.

allowCertCRLs: When this property is set to true, View extracts a list of CRLs from the user certificate. The default value is true.

enableOCSP: Set this property to true to enable OCSP certificate revocation checking. The default value is false.

ocspURL: Specifies the URL of an OCSP Responder.

ocspResponderCert: Specifies the file that contains the OCSP Responder's signing certificate. View uses this certificate to verify that the OCSP Responder's responses are genuine.

ocspSendNonce: When this property is set to true, a nonce is sent with OCSP requests to prevent repeated responses. The default value is false.

ocspCRLFailover: When this property is set to true, View uses CRL checking if OCSP certificate revocation checking fails. The default value is true.
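As an added example that is not part of the VMware documentation: a Python linter for the revocation-checking properties in locked.properties. It applies the semantics of Table 31 (everything ignored when enableRevocationChecking is false, OCSP tried first and CRL used on failover, CRLs taken from crlLocation or from the user certificate) to constructed copies of the two example files above and to a misconfigured one. The property names are the documented ones; the "broken" file and the ERROR/WARN/INFO labels are constructed for this example.

```python
"""Lint smart card certificate revocation checking properties in a Horizon
locked.properties file (added example, not VMware code)."""

# Defaults as given in Table 31 of the documentation.
DEFAULTS = {
    "enableRevocationChecking": "false",
    "allowCertCRLs": "true",
    "enableOCSP": "false",
    "ocspSendNonce": "false",
    "ocspCRLFailover": "true",
}

# The procedure names the OCSP signing certificate property ocspSigningCert,
# the property table names it ocspResponderCert; accept either.
OCSP_CERT_KEYS = ("ocspSigningCert", "ocspResponderCert")


def parse_properties(text: str) -> dict:
    """Parse Java-style properties. The key ends at the first '=' or ':',
    so a URL value such as http://host/ocsp is kept intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cuts = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not cuts:
            props[line] = ""
            continue
        cut = min(cuts)
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def effective_methods(props: dict) -> list:
    """Revocation checks in the order View would try them: [] when disabled,
    ['CRL'], ['OCSP'], or ['OCSP', 'CRL'] (OCSP first, CRL on failover)."""
    cfg = {**DEFAULTS, **props}
    if not _is_true(cfg["enableRevocationChecking"]):
        return []
    crl_source = "crlLocation" in props or _is_true(cfg["allowCertCRLs"])
    if _is_true(cfg["enableOCSP"]):
        methods = ["OCSP"]
        if _is_true(cfg["ocspCRLFailover"]) and crl_source:
            methods.append("CRL")
        return methods
    return ["CRL"] if crl_source else []


def lint_revocation_config(props: dict) -> list:
    """Return findings prefixed ERROR:, WARN: or INFO:; an empty list means
    the file is complete as the documentation describes it."""
    cfg = {**DEFAULTS, **props}
    findings = []
    if not _is_true(cfg.get("useCertAuth", "false")):
        findings.append("WARN: useCertAuth is not true; smart card authentication is not enabled in this file")
    if not _is_true(cfg["enableRevocationChecking"]):
        findings.append("WARN: enableRevocationChecking is not true; revoked user certificates are "
                        "accepted and all other revocation properties are ignored")
        return findings
    ocsp = _is_true(cfg["enableOCSP"])
    crl_source = "crlLocation" in props or _is_true(cfg["allowCertCRLs"])
    if ocsp:
        if not props.get("ocspURL"):
            findings.append("ERROR: enableOCSP=true but ocspURL is not set")
        if not any(props.get(k) for k in OCSP_CERT_KEYS):
            findings.append("ERROR: no OCSP Responder signing certificate configured; "
                            "responses cannot be verified as genuine")
        if not _is_true(cfg["ocspSendNonce"]):
            findings.append("INFO: ocspSendNonce=false; OCSP requests carry no nonce, "
                            "so repeated responses are not prevented")
        if _is_true(cfg["ocspCRLFailover"]) and not crl_source:
            findings.append("WARN: ocspCRLFailover=true but there is no CRL source "
                            "(crlLocation unset, allowCertCRLs=false)")
    elif not crl_source:
        findings.append("ERROR: revocation checking is enabled but no method is configured "
                        "(enableOCSP=false, crlLocation unset, allowCertCRLs=false)")
    elif "crlLocation" not in props:
        findings.append("INFO: crlLocation unset; CRL checking depends on the CRL list in each user certificate")
    return findings


# Constructed copies of the documentation's two example files, plus a broken one.
CRL_EXAMPLE = """trustKeyfile=lonqa.key
trustStoretype=jks
useCertAuth=true
enableRevocationChecking=true
crlLocation=http://root.ocsp.net/certEnroll/ocsp-ROOT_CA.crl
"""

OCSP_EXAMPLE = """trustKeyfile=lonqa.key
trustStoretype=jks
useCertAuth=true
enableRevocationChecking=true
enableOCSP=true
allowCertCRLs=true
ocspSigningCert=te-ca.signing.cer
ocspURL=http://te-ca.lonqa.int/ocsp
"""

BROKEN_EXAMPLE = """useCertAuth=true
enableRevocationChecking=true
enableOCSP=true
allowCertCRLs=false
"""
```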
4 Setting Up Other Types of User Authentication
View uses your existing Active Directory infrastructure for user and administrator authentication and
management. You can also integrate View with other forms of authentication besides smart cards, such
as biometric authentication or two-factor authentication solutions, such as RSA SecurID and RADIUS, to
authenticate remote desktop and application users.
This section includes the following topics:
- Using Two-Factor Authentication
- Using SAML Authentication
- Configure Biometric Authentication
Using Two-Factor Authentication
You can configure a Horizon Connection Server instance so that users are required to use RSA SecurID
authentication or RADIUS (Remote Authentication Dial-In User Service) authentication.
- RADIUS support offers a wide range of alternative two-factor token-based authentication options.
- Horizon 7 also provides an open standard extension interface to allow third-party solution providers to integrate advanced authentication extensions into Horizon 7.
Because two-factor authentication solutions such as RSA SecurID and RADIUS work with authentication
managers, installed on separate servers, you must have those servers configured and accessible to the
Connection Server host. For example, if you use RSA SecurID, the authentication manager would be
RSA Authentication Manager. If you have RADIUS, the authentication manager would be a RADIUS
server.
To use two-factor authentication, each user must have a token, such as an RSA SecurID token, that is
registered with its authentication manager. A two-factor authentication token is a piece of hardware or
software that generates an authentication code at fixed intervals. Often authentication requires knowledge
of both a PIN and an authentication code.
If you have multiple Connection Server instances, you can configure two-factor authentication on some
instances and a different user authentication method on others. For example, you can configure two-
factor authentication only for users who access remote desktops and applications from outside the
corporate network, over the Internet.
Horizon 7 is certified through the RSA SecurID Ready program and supports the full range of SecurID
capabilities, including New PIN Mode, Next Token Code Mode, RSA Authentication Manager, and load
balancing.
- Logging in Using Two-Factor Authentication
When a user connects to a View Connection Server instance that has RSA SecurID authentication or RADIUS authentication enabled, a special login dialog box appears in Horizon Client.
- Enable Two-Factor Authentication in View Administrator
You enable a View Connection Server instance for RSA SecurID authentication or RADIUS authentication by modifying View Connection Server settings in View Administrator.
- Troubleshooting RSA SecurID Access Denial
Access is denied when Horizon Client connects with RSA SecurID authentication.
- Troubleshooting RADIUS Access Denial
Access is denied when Horizon Client connects with RADIUS two-factor authentication.
Logging in Using Two-Factor Authentication
When a user connects to a View Connection Server instance that has RSA SecurID authentication or
RADIUS authentication enabled, a special login dialog box appears in Horizon Client.
Users enter their RSA SecurID or RADIUS authentication user name and passcode in the special login dialog box. A two-factor authentication passcode typically consists of a PIN followed by a token code.
- If RSA Authentication Manager requires users to enter a new RSA SecurID PIN after entering their RSA SecurID username and passcode, a PIN dialog box appears. After setting a new PIN, users are prompted to wait for the next token code before logging in. If RSA Authentication Manager is configured to use system-generated PINs, a dialog box appears to confirm the PIN.
- When logging in to View, RADIUS authentication works much like RSA SecurID. If the RADIUS server issues an access challenge, Horizon Client displays a dialog box similar to the RSA SecurID prompt for the next token code. Currently support for RADIUS challenges is limited to prompting for text input. Any challenge text sent from the RADIUS server is not displayed. More complex forms of challenge, such as multiple choice and image selection, are currently not supported.
After a user enters credentials in Horizon Client, the RADIUS server can send an SMS text message or email, or text using some other out-of-band mechanism, to the user's cell phone with a code. The user can enter this text and code into Horizon Client to complete the authentication.
- Because some RADIUS vendors provide the ability to import users from Active Directory, end users might first be prompted to supply Active Directory credentials before being prompted for a RADIUS authentication user name and passcode.
Enable Two-Factor Authentication in View Administrator
You enable a View Connection Server instance for RSA SecurID authentication or RADIUS authentication
by modifying View Connection Server settings in View Administrator.
Prerequisites
Install and configure the two-factor authentication software, such as the RSA SecurID software or the
RADIUS software, on an authentication manager server.
- For RSA SecurID authentication, export the sdconf.rec file for the View Connection Server instance from RSA Authentication Manager. See the RSA Authentication Manager documentation.
- For RADIUS authentication, follow the vendor's configuration documentation. Make a note of the RADIUS server's host name or IP address, the port number on which it is listening for RADIUS authentication (usually 1812), the authentication type (PAP, CHAP, MS-CHAPv1, or MS-CHAPv2) and the shared secret. You will enter these values in View Administrator. You can enter values for a primary and a secondary RADIUS authenticator.
Procedure
1 In View Administrator, select View Configuration > Servers.
2 On the Connection Servers tab, select the server and click Edit.
3 On the Authentication tab, from the 2-factor authentication drop-down list in the Advanced Authentication section, select RSA SecureID or RADIUS.
4 To force RSA SecurID or RADIUS user names to match user names in Active Directory, select Enforce SecurID and Windows user name matching or Enforce 2-factor and Windows user name matching.
If you select this option, users must use the same RSA SecurID or RADIUS user name for Active Directory authentication. If you do not select this option, the names can be different.
5 For RSA SecurID, click Upload File, type the location of the sdconf.rec file, or click Browse to search for the file.
6 For RADIUS authentication, complete the rest of the fields:
a Select Use the same username and password for RADIUS and Windows authentication if the initial RADIUS authentication uses Windows authentication that triggers an out-of-band transmission of a token code, and this token code is used as part of a RADIUS challenge.
If you select this check box, users will not be prompted for Windows credentials after RADIUS authentication if the RADIUS authentication uses the Windows username and password. Users do not have to reenter the Windows username and password after RADIUS authentication.
b From the Authenticator drop-down list, select Create New Authenticator and complete the page.
- Set Accounting port to 0 unless you want to enable RADIUS accounting. Set this port to a non-zero number only if your RADIUS server supports collecting accounting data. If the RADIUS server does not support accounting messages and you set this port to a nonzero number, the messages will be sent and ignored and retried a number of times, resulting in a delay in authentication.
Accounting data can be used in order to bill users based on usage time and data. Accounting data can also be used for statistical purposes and for general network monitoring.
- If you specify a realm prefix string, the string is placed at the beginning of the username when it is sent to the RADIUS server. For example, if the username entered in Horizon Client is jdoe and the realm prefix DOMAIN-A\ is specified, the username DOMAIN-A\jdoe is sent to the RADIUS server. Similarly if you use the realm suffix, or postfix, string @mycorp.com, the username jdoe@mycorp.com is sent to the RADIUS server.
7 Click OK to save your changes.
You do not need to restart the View Connection Server service. The necessary configuration files are
distributed automatically and the configuration settings take effect immediately.
When users open Horizon Client and authenticate to View Connection Server, they are prompted for two-
factor authentication. For RADIUS authentication, the login dialog box displays text prompts that contain
the token label you specified.
Changes to RADIUS authentication settings affect remote desktop and application sessions that are
started after the configuration is changed. Current sessions are not affected by changes to RADIUS
authentication settings.
What to do next
If you have a replicated group of View Connection Server instances and you want to also set up RADIUS
authentication on them, you can re-use an existing RADIUS authenticator configuration.
Troubleshooting RSA SecurID Access Denial
Access is denied when Horizon Client connects with RSA SecurID authentication.
Problem
A Horizon Client connection with RSA SecurID displays Access Denied and the RSA Authentication
Manager Log Monitor displays the error Node Verification Failed.
Cause
The RSA Agent host node secret needs to be reset.
Solution
1 In View Administrator, select View Configuration > Servers.
2 On the Connection Servers tab, select the View Connection Server and click Edit.
3 On the Authentication tab, select Clear node secret.
4 Click OK to clear the node secret.
5 On the computer that is running RSA Authentication Manager, select Start > Programs > RSA Security > RSA Authentication Manager Host Mode.
6 Select Agent Host > Edit Agent Host.
7 Select View Connection Server from the list and deselect the Node Secret Created check box.
Node Secret Created is selected by default each time you edit it.
8 Click OK.
Troubleshooting RADIUS Access Denial
Access is denied when Horizon Client connects with RADIUS two-factor authentication.
Problem
A Horizon Client connection using RADIUS two-factor authentication displays Access Denied.
Cause
RADIUS does not receive a reply from the RADIUS server, causing View to time out.
Solution
The following common configuration mistakes most often lead to this situation:
- The RADIUS server has not been configured to accept the View Connection Server instance as a RADIUS client. Each View Connection Server instance using RADIUS must be set up as a client on the RADIUS server. See the documentation for your RADIUS two-factor authentication product.
- The shared secret values on the View Connection Server instance and the RADIUS server do not match.
Using SAML Authentication
The Security Assertion Markup Language (SAML) is an XML-based standard that is used to describe and
exchange authentication and authorization information between different security domains. SAML passes
information about users between identity providers and service providers in XML documents called SAML
assertions.
You can use SAML authentication to integrate Horizon 7 with VMware Workspace ONE,
VMware Identity Manager, or a third-party load balancer or gateway. When SSO is enabled, users who
log in to VMware Identity Manager or a third-party device can launch remote desktops and applications
without having to go through a second login procedure. You can also use SAML authentication to
implement smart card authentication on VMware Access Point, or on third-party devices.
To delegate responsibility for authentication to Workspace ONE, VMware Identity Manager, or a third-
party device, you must create a SAML authenticator in Horizon 7. A SAML authenticator contains the trust
and metadata exchange between Horizon 7 and Workspace ONE, VMware Identity Manager, or the third-
party device. You associate a SAML authenticator with a Connection Server instance.
Using SAML Authentication for VMware Identity Manager Integration
Integration between Horizon 7 and VMware Identity Manager (formerly called Workspace ONE) uses the
SAML 2.0 standard to establish mutual trust, which is essential for single sign-on (SSO) functionality.
When SSO is enabled, users who log in to VMware Identity Manager or Workspace ONE with Active
Directory credentials can launch remote desktops and applications without having to go through a second
login procedure.
When VMware Identity Manager and Horizon 7 are integrated, VMware Identity Manager generates a
unique SAML artifact whenever a user logs in to VMware Identity Manager and clicks a desktop or
application icon. VMware Identity Manager uses this SAML artifact to create a Universal Resource
Identifier (URI). The URI contains information about the Connection Server instance where the desktop or
application pool resides, which desktop or application to launch, and the SAML artifact.
VMware Identity Manager sends the SAML artifact to the Horizon client, which in turn sends the artifact to
the Connection Server instance. The Connection Server instance uses the SAML artifact to retrieve the
SAML assertion from VMware Identity Manager.
After a Connection Server instance receives a SAML assertion, it validates the assertion, decrypts the
user's password, and uses the decrypted password to launch the desktop or application.
Setting up VMware Identity Manager and Horizon 7 integration involves configuring
VMware Identity Manager with Horizon 7 information and configuring Horizon 7 to delegate responsibility
for authentication to VMware Identity Manager.
To delegate responsibility for authentication to VMware Identity Manager, you must create a SAML
authenticator in Horizon 7. A SAML authenticator contains the trust and metadata exchange between
Horizon 7 and VMware Identity Manager. You associate a SAML authenticator with a Connection Server
instance.
Note If you intend to provide access to your desktops and applications through
VMware Identity Manager, verify that you create the desktop and application pools as a user who has the
Administrators role on the root access group in Horizon Administrator. If you give the user the
Administrators role on an access group other than the root access group, VMware Identity Manager will
not recognize the SAML authenticator you configure in Horizon 7, and you cannot configure the pool in
VMware Identity Manager.
Configure a SAML Authenticator in Horizon Administrator
To launch remote desktops and applications from VMware Identity Manager or to connect to remote
desktops and applications through a third-party load balancer or gateway, you must create a SAML
authenticator in Horizon Administrator. A SAML authenticator contains the trust and metadata exchange
between Horizon 7 and the device to which clients connect.
You associate a SAML authenticator with a Connection Server instance. If your deployment includes
more than one Connection Server instance, you must associate the SAML authenticator with each
instance.
You can allow one static authenticator and multiple dynamic authenticators to go live at a time. You can
configure vIDM (Dynamic) and Unified Access Gateway (Static) authenticators and retain them in active
state. You can make connections through either of these authenticators.
You can configure more than one SAML authenticator to a Connection Server and all the authenticators
can be active simultaneously. However, the entity-ID of each of these SAML authenticators configured on
the Connection Server must be different.
The status of the SAML authenticator in dashboard is always green as it is predefined metadata that is
static in nature. The red and green toggling is only applicable for dynamic authenticators.
For information about configuring a SAML authenticator for VMware Unified Access Gateway appliances,
see Deploying and Configuring Unified Access Gateway.
Prerequisites
- Verify that Workspace ONE, VMware Identity Manager, or a third-party gateway or load balancer is installed and configured. See the installation documentation for that product.
- Verify that the root certificate for the signing CA for the SAML server certificate is installed on the connection server host. VMware does not recommend that you configure SAML authenticators to use self-signed certificates. For information about certificate authentication, see the View Installation document.
- Make a note of the FQDN or IP address of the Workspace ONE server, VMware Identity Manager server, or external-facing load balancer.
- (Optional) If you are using Workspace ONE or VMware Identity Manager, make a note of the URL of the connector Web interface.
- If you are creating an authenticator for Unified Access Gateway or a third-party appliance that requires you to generate SAML metadata and create a static authenticator, perform the procedure on the device to generate the SAML metadata, and then copy the metadata.
Procedure
1 In Horizon Administrator, select Configuration > Servers.
2 On the Connection Servers tab, select a server instance to associate with the SAML authenticator and click Edit.
3 On the Authentication tab, select a setting from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu to enable or disable the SAML authenticator.
Disabled: SAML authentication is disabled. You can launch remote desktops and applications only from Horizon Client.
Allowed: SAML authentication is enabled. You can launch remote desktops and applications from both Horizon Client and VMware Identity Manager or the third-party device.
Required: SAML authentication is enabled. You can launch remote desktops and applications only from VMware Identity Manager or the third-party device. You cannot launch desktops or applications from Horizon Client manually.
You can configure each Connection Server instance in your deployment to have different SAML authentication settings, depending on your requirements.
4 Click Manage SAML Authenticators and click Add.
5 Configure the SAML authenticator in the Add SAML 2.0 Authenticator dialog box.
Type: For Unified Access Gateway or a third-party device, select Static. For VMware Identity Manager select Dynamic. For dynamic authenticators, you can specify a metadata URL and an administration URL. For static authenticators, you must first generate the metadata on the Unified Access Gateway or a third-party device, copy the metadata, and then paste it into the SAML metadata text box.
Label: Unique name that identifies the SAML authenticator.
Description: Brief description of the SAML authenticator. This value is optional.
Metadata URL: (For dynamic authenticators) URL for retrieving all of the information required to exchange SAML information between the SAML identity provider and the Connection Server instance. In the URL https://<YOUR HORIZON SERVER NAME>/SAAS/API/1.0/GET/metadata/idp.xml, click <YOUR HORIZON SERVER NAME> and replace it with the FQDN or IP address of the VMware Identity Manager server or external-facing load balancer (third-party device).
Administration URL: (For dynamic authenticators) URL for accessing the administration console of the SAML identity provider. For VMware Identity Manager, this URL should point to the VMware Identity Manager Connector Web interface. This value is optional.
SAML metadata: (For static authenticators) Metadata text that you generated and copied from the Unified Access Gateway or a third-party device.
Enabled for Connection Server: Select this check box to enable the authenticator. You can enable multiple authenticators. Only enabled authenticators are displayed in the list.
6 Click OK to save the SAML authenticator configuration.
If you provided valid information, you must either accept the self-signed certificate (not recommended) or use a trusted certificate for Horizon 7 and VMware Identity Manager or the third-party device.
The Manage SAML Authenticators dialog box displays the newly created authenticator.
7 In the System Health section on the Horizon Administrator dashboard, select Other components > SAML 2.0 Authenticators, select the SAML authenticator that you added, and verify the details.
If the configuration is successful, the authenticator's health is green. An authenticator's health can display red if the certificate is untrusted, if VMware Identity Manager is unavailable, or if the metadata URL is invalid. If the certificate is untrusted, you might be able to click Verify to validate and accept the certificate.
What to do next
Extend the expiration period of the Connection Server metadata so that remote sessions are not
terminated after only 24 hours. See Change the Expiration Period for Service Provider Metadata on
Connection Server.
Configure Proxy Support for VMware Identity Manager
Horizon 7 provides proxy support for the VMware Identity Manager (vIDM) server. The proxy details such
as hostname and port number can be configured in the ADAM database and the HTTP requests are
routed through the proxy.
This feature supports hybrid deployment where the on-premise Horizon 7 deployment can communicate
with a vIDM server that is hosted in the cloud.
Prerequisites
Procedure
1 Start the ADSI Edit utility on your Connection Server host.
2 Expand the ADAM ADSI tree under the object path dc=vdi,dc=vmware,dc=int,ou=Properties,ou=Global,cn=Common Attributes.
3 Select Action > Properties, and under the pae-NameValuePair attribute, add the new entries pae-SAMLProxyName and pae-SAMLProxyPort.
Change the Expiration Period for Service Provider Metadata on Connection Server
If you do not change the expiration period, Connection Server will stop accepting SAML assertions from
the SAML authenticator, such as Unified Access Gateway or a third-party identity provider, after 24 hours,
and the metadata exchange must be repeated.
Use this procedure to specify the number of days that can elapse before Connection Server stops
accepting SAML assertions from the identity provider. This number is used when the current expiration
period ends. For example, if the current expiration period is 1 day and you specify 90 days, after 1 day
elapses, Connection Server generates metadata with an expiration period of 90 days.
Prerequisites
See the Microsoft TechNet Web site for information on how to use the ADSI Edit utility on your Windows
operating system version.
Procedure
1 Start the ADSI Edit utility on your Connection Server host.
2 In the console tree, select Connect to.
3 In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name DC=vdi, DC=vmware, DC=int.
4 In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the Connection Server host followed by port 389.
For example: localhost:389 or mycomputer.example.com:389
5 Expand the ADSI Edit tree, expand OU=Properties, select OU=Global, and double-click CN=Common in the right pane.
6 In the Properties dialog box, edit the pae-NameValuePair attribute to add the following values:
cs-samlencryptionkeyvaliditydays=number-of-days
cs-samlsigningkeyvaliditydays=number-of-days
In this example, number-of-days is the number of days that can elapse before a remote Connection Server stops accepting SAML assertions. After this period of time, the process of exchanging SAML metadata must be repeated.
Generate SAML Metadata So That Connection Server Can Be Used as a Service Provider
After you create and enable a SAML authenticator for the identity provider you want to use, you might
need to generate Connection Server metadata. You use this metadata to create a service provider on the
Unified Access Gateway appliance or a third-party load balancer that is the identity provider.
Prerequisites
Verify that you have created a SAML authenticator for the identity provider: Unified Access Gateway or a
third-party load balancer or gateway. In the System Health section on the Horizon Administrator
dashboard, you can select Other components > SAML 2.0 Authenticators, select the SAML
authenticator that you added, and verify the details.
Procedure
1 Open a new browser tab and enter the URL for getting the Connection Server SAML metadata.
https://connection-server.example.com/SAML/metadata/sp.xml
In this example, connection-server.example.com is the fully qualified domain name of the Connection Server host.
This page displays the SAML metadata from Connection Server.
2 Use a Save As command to save the Web page to an XML file.
For example, you could save the page to a file named connection-server-metadata.xml. The contents of this file begin with the following text:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ...
What to do next
Use the appropriate procedure on the identity provider to copy in the Connection Server SAML metadata.
Refer to the documentation for Unified Access Gateway or a third-party load balancer or gateway.
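Added example, not VMware's code: a Python inspection of the service-provider metadata handled in the two procedures above (the expiration period set through cs-samlsigningkeyvaliditydays and cs-samlencryptionkeyvaliditydays, and the sp.xml you save before handing it to the identity provider). The sample document, its /SAML/acs endpoint path and the certificate placeholders are constructed for this example.

```python
"""Inspect Connection Server SAML service-provider metadata (sp.xml).
Added example, not VMware's code: it parses the kind of document Connection
Server serves at https://<connection-server>/SAML/metadata/sp.xml and reports
what to check before exchanging metadata with the identity provider: entityID,
validUntil (driven by the cs-saml*keyvaliditydays values), published keys and
assertion consumer endpoints. SAMPLE_SP_METADATA is constructed, not captured."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample; the endpoint path and certificate bodies are placeholders.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://connection-server.example.com/SAML/metadata/sp.xml"
    validUntil="2017-12-31T00:00:00Z">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://connection-server.example.com/SAML/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

@dataclass
class SpMetadata:
    entity_id: str
    valid_until: Optional[datetime]
    authn_requests_signed: bool
    want_assertions_signed: bool
    key_uses: List[str] = field(default_factory=list)
    acs_endpoints: List[Tuple[str, str]] = field(default_factory=list)

def parse_saml_time(value: str) -> datetime:
    # SAML times are UTC with a trailing 'Z', which older fromisoformat rejects.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_sp_metadata(xml_text: str) -> SpMetadata:
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("no SPSSODescriptor: not service-provider metadata")
    key_uses = set()
    for kd in spsso.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both purposes.
        key_uses.update([kd.get("use")] if kd.get("use") else ["signing", "encryption"])
    valid_until = root.get("validUntil")
    return SpMetadata(
        entity_id=root.get("entityID", ""),
        valid_until=parse_saml_time(valid_until) if valid_until else None,
        authn_requests_signed=spsso.get("AuthnRequestsSigned", "").lower() == "true",
        want_assertions_signed=spsso.get("WantAssertionsSigned", "").lower() == "true",
        key_uses=sorted(key_uses),
        acs_endpoints=[(e.get("Binding", ""), e.get("Location", ""))
                       for e in spsso.findall("md:AssertionConsumerService", NS)])

def days_until_expiry(meta: SpMetadata, now: datetime) -> Optional[int]:
    # Whole days until validUntil; negative once the metadata has lapsed.
    if meta.valid_until is None:
        return None
    return (meta.valid_until - now).days

def check_metadata(meta: SpMetadata, now: datetime, warn_days: int = 7) -> List[str]:
    """Findings an administrator acts on before trusting the descriptor."""
    findings = []
    remaining = days_until_expiry(meta, now)
    if remaining is None:
        findings.append("no validUntil: the descriptor never lapses on its own")
    elif remaining < 0:
        findings.append("metadata expired %d days ago; exchange metadata again" % -remaining)
    elif remaining < warn_days:
        findings.append("metadata expires in %d days; schedule the next exchange" % remaining)
    for use in ("signing", "encryption"):
        if use not in meta.key_uses:
            findings.append("no %s key published" % use)
    if not meta.want_assertions_signed:
        findings.append("WantAssertionsSigned is not true: the SP does not require signed assertions")
    for _binding, location in meta.acs_endpoints:
        if not location.lower().startswith("https://"):
            findings.append("AssertionConsumerService is not HTTPS: %s" % location)
    return findings

if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_SP_METADATA)
    print(meta.entity_id, check_metadata(meta, datetime.now(timezone.utc)) or "no findings")
```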
Response Time Considerations for Multiple Dynamic SAML
Authenticators
If you configure SAML 2.0 Authentication as optional or required on a Connection Server instance and
you associate multiple dynamic SAML authenticators with the Connection Server instance, if any of the
dynamic SAML authenticators become unreachable, the response time to launch remote desktops from
the other dynamic SAML authenticators increases.
You can decrease the response time for remote desktop launch on the other dynamic SAML
authenticators by using Horizon Administrator to disable the unreachable dynamic SAML authenticators.
For information about disabling a SAML authenticator, see Configure a SAML Authenticator in Horizon
Administrator.
Configure Workspace ONE Access Policies in Horizon
Administrator
Workspace ONE (VMware Identity Manager, vIDM) administrators can configure access policies to restrict access to entitled desktops and applications in Horizon 7. To enforce policies created in vIDM, you put Horizon Client into Workspace ONE mode so that Horizon Client can redirect the user to the Workspace ONE client to launch entitlements. When you log in to Horizon Client, the access policy directs you to log in through Workspace ONE to access your published desktops and applications.
Prerequisites
• Configure the access policies for applications in Workspace ONE. For more information about setting access policies, see the VMware Identity Manager Administration Guide.
• Entitle users to published desktops and applications in Horizon Administrator.
Procedure
1 In Horizon Administrator, select Configuration > Servers.
2 On the Connection Servers tab, select a server instance that is associated with a SAML authenticator and click Edit.
3 On the Authentication tab, set the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) option to Required.
The Required option enables SAML authentication. The end user can only connect to the Horizon server with a SAML token provided by vIDM or a third-party identity provider. You cannot start desktops or applications from Horizon Client manually.
4 Select Enable Workspace ONE mode.
5 In the Workspace ONE server hostname text box, enter the Workspace ONE Hostname FQDN value.
6 (Optional) Select Block connections from clients that don't support Workspace ONE mode to block Horizon Clients that do not support Workspace ONE mode from accessing applications.
Horizon Clients earlier than 4.5 do not support the Workspace ONE mode feature. If you select this option, Horizon Clients earlier than 4.5 cannot access applications in Workspace ONE. The Workspace ONE mode feature is not enabled for versions later than Horizon 7 version 7.2 if the Workspace ONE version is earlier than version 2.9.1.
Configure Biometric Authentication
You can configure biometric authentication by editing the pae-ClientConfig attribute in the LDAP
database.
Prerequisites
See the Microsoft TechNet Web site for information on how to use the ADSI Edit utility on your Windows
server.
Procedure
1 Start the ADSI Edit utility on the View Connection Server host.
2 In the Connection Settings dialog box, select or connect to DC=vdi,DC=vmware,DC=int.
3 In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the View Connection Server host followed by port 389.
For example: localhost:389 or mycomputer.mydomain.com:389
4 On the object CN=Common, OU=Global, OU=Properties, edit the pae-ClientConfig attribute and add the value BioMetricsTimeout=<integer>.
The following BioMetricsTimeout values are valid:
BioMetricsTimeout Value    Description
0                          Biometric authentication is not supported. This is the default.
-1                         Biometric authentication is supported without any time limit.
Any positive integer       Biometric authentication is supported and can be used for the specified number of minutes.
The new setting takes effect immediately. You do not need to restart the View Connection Server service
or the client device.
5 Authenticating Users Without Requiring Credentials
After users log in to a client device or to VMware Identity Manager, they can connect to a published
application or desktop without being prompted for Active Directory credentials.
Administrators can choose to set up the configuration based on user requirements.
• Provide users unauthenticated access to published applications. Administrators can configure the setup so that users do not need to log in to a Horizon Client with Active Directory (AD) credentials.
• Use Log In as Current User for Windows-based clients. For Windows clients, administrators can configure the setup so that users do not need to supply additional credentials to log in to a Horizon server after they log in to a Windows client with AD credentials.
• Save credentials in mobile and Mac Horizon Clients. For mobile and Mac clients, administrators can configure the Horizon server to save credentials. With this feature, users do not need to remember AD credentials for SSO (single sign-on) after supplying them once to a mobile or Mac client.
• Configure True SSO for VMware Identity Manager. For VMware Identity Manager, administrators can configure True SSO so that users who authenticate using some method other than AD credentials can then also log in to a remote desktop or application without being prompted for AD credentials.
This section includes the following topics:
• Providing Unauthenticated Access for Published Applications
• Using the Log In as Current User Feature Available with Windows-Based Horizon Client
• Saving Credentials in Mobile and Mac Horizon Clients
• Setting Up True SSO
Providing Unauthenticated Access for Published
Applications
Administrators can set up the configuration for unauthenticated users to access their published
applications from a Horizon Client without requiring AD credentials. Consider setting up unauthenticated
access if your users require access to a seamless application that has its own security and user
management.
When a user starts a published application that is configured for unauthenticated access, the RDS host
creates a local user session on demand and allocates the session to the user.
This feature requires a Horizon 7 version 7.1 environment and Horizon Client version 4.4.
Workflow for Configuring Unauthenticated Users
1 Create users for unauthenticated access. See Create Users for Unauthenticated Access.
2 Enable unauthenticated access for users and set a default unauthenticated user. See Enable Unauthenticated Access for Users.
3 Entitle unauthenticated users to published applications. See Entitle Unauthenticated Access Users to Published Applications.
4 Enable unauthenticated access from Horizon Client. See Unauthenticated Access From Horizon Client.
Rules and Guidelines for Configuring Unauthenticated Users
• Two-factor authentication such as RSA and RADIUS, and smart card authentication, are not supported for unauthenticated access.
• Smart card authentication and unauthenticated access are mutually exclusive. When smart card authentication is set to Required in Connection Server, unauthenticated access is disabled even if it was previously enabled.
• VMware Identity Manager and VMware App Volumes are not supported for unauthenticated access.
• Unauthenticated access login from the HTML Access client is not supported.
• Both PCoIP and VMware Blast display protocols are supported for this feature.
• The unauthenticated access feature does not verify license information for RDS hosts. The administrator must configure and use device licenses.
• The unauthenticated access feature does not retain any user-specific data. The user can verify the data storage requirements for the application.
• You cannot reconnect to unauthenticated application sessions. When a user disconnects from the client, the RDS host logs off the local user session automatically.
• Unauthenticated access is only supported for published applications.
• Unauthenticated access is not supported with a security server or a Unified Access Gateway appliance.
• User preferences are not preserved for unauthenticated users.
• Virtual desktops are not supported for unauthenticated users.
• Horizon Administrator displays a red status for the Connection Server if the Connection Server is configured with a CA-signed certificate and enabled for unauthenticated access but a default unauthenticated user is not configured.
• The unauthenticated access feature will not work if the AllowSingleSignon group policy for the Horizon Agent installed on an RDS host is disabled. Administrators can also control whether to disable or enable unauthenticated access with the UnAuthenticatedAccessEnabled Horizon Agent group policy setting. The Horizon Agent group policy settings are included in the ADMX template file (vdm_agent.admx). You must reboot the RDS host for this policy to take effect.
Create Users for Unauthenticated Access
Administrators can create users for unauthenticated access to published applications. After an
administrator configures a user for unauthenticated access, the user can log in to the Connection Server
instance from Horizon Client only with unauthenticated access.
Prerequisites
• Verify that the Active Directory (AD) user for whom you want to configure unauthenticated access has a valid UPN. Only an AD user can be configured as an unauthenticated access user.
Note Administrators can create only one user for each AD account. Administrators cannot create
unauthenticated user groups. If you create an unauthenticated access user and there is an existing client
session for that AD user, you must restart the client session to make the changes take effect.
Procedure
1 In Horizon Administrator, select Users and Groups.
2 On the Unauthenticated Access tab, click Add.
3 In the Add Unauthenticated User wizard, select one or more search criteria and click Find to find users based on your search criteria.
The user must have a valid UPN.
4 Select a user and click Next.
Repeat this step to add multiple users.
5 (Optional) Enter the user alias.
The default user alias is the user name that was configured for the AD account. End users can use the user alias to log in to the Connection Server instance from Horizon Client.
6 (Optional) Review the user details and add comments.
7 Click Finish.
Connection Server creates the unauthenticated access user and displays the user details including user
alias, user name, first and last name, number of source pods, application entitlements, and sessions. You
can click the number in the Source Pods column to display pod information.
What to do next
Enable unauthenticated access for users in Connection Server. See Enable Unauthenticated Access for Users.
Enable Unauthenticated Access for Users
After you create users for unauthenticated access, you must enable unauthenticated access in the
Connection Server to enable users to connect and access published applications.
Procedure
1 In Horizon Administrator, select View Configuration > Servers.
2 Click the Connection Servers tab.
3 Select the Connection Server instance and click Edit.
4 Click the Authentication tab.
5 Change Unauthenticated Access to Enabled.
6 From the Default unauthenticated access user drop-down menu, select a user as the default user.
The default user must be present on the local pod in a Cloud Pod Architecture environment. If you select a default user from a different pod, Connection Server creates the user on the local pod before it makes the user the default user.
7 (Optional) Enter the default session timeout for the user.
The default session timeout is 10 minutes after being idle.
8 Click OK.
What to do next
Entitle unauthenticated users to published applications. See Entitle Unauthenticated Access Users to
Published Applications.
Entitle Unauthenticated Access Users to Published Applications
After you create an unauthenticated access user, you must entitle the user to access published
applications.
Prerequisites
• Create a farm based on a group of RDS hosts. See "Creating Farms" in the Setting Up Published Desktops and Applications in Horizon 7 document.
• Create an application pool for published applications that run on a farm of RDS hosts. See "Creating Application Pools" in the Setting Up Published Desktops and Applications in Horizon 7 document.
Procedure
1 In Horizon Administrator, select Catalog > Application Pools and click the name of the application pool.
2 Select Add entitlement from the Entitlements drop-down menu.
3 Click Add, select one or more search criteria, click Find, and select the Unauthenticated Users check box to find unauthenticated access users based on your search criteria.
4 Select the users to entitle to the applications in the pool and click OK.
5 Click OK to save your changes.
An unauthenticated access icon appears next to the unauthenticated access user after the entitlement process completes.
What to do next
Use an unauthenticated access user to log in to Horizon Client. See Unauthenticated Access From Horizon Client.
Search Unauthenticated Access Sessions
Use Horizon Administrator to list or search for application sessions that unauthenticated access users
have connected to. The unauthenticated access user icon appears next to those sessions that
unauthenticated access users have connected to.
Procedure
1 In Horizon Administrator, select Monitoring > Sessions.
2 Click Applications to search for application sessions.
3 Select search criteria and begin the search.
The search results include the user, type of session (desktop or application), machine, pool or farm, DNS name, client ID, and security gateway. The session start time, duration, state, and last session also appear in the search results.
Delete an Unauthenticated Access User
When you delete an unauthenticated access user, you must also remove the application pool entitlements
for the user. You cannot delete an unauthenticated access user who is the default user.
Note If you delete an unauthenticated access user and if there is an existing client session for that AD
user, then you must restart the client session to make the changes take effect.
Procedure
1 In Horizon Administrator, select Users and Groups.
2 On the Unauthenticated Access tab, click Delete.
3 Click OK.
What to do next
Remove application entitlements for the user. See "Remove Entitlements from a Desktop or Application Pool" in the Setting Up Published Desktops and Applications in Horizon 7 document.
Unauthenticated Access From Horizon Client
Log in to Horizon Client with unauthenticated access and start the published application.
For greater security, the unauthenticated access user has a user alias that you can use to log in to Horizon Client. When you select a user alias, you do not need to provide the AD credentials or UPN for the user. After you log in to Horizon Client, you can click your published applications to start them. For more information about installing and setting up Horizon Clients, see the Horizon Client documentation at the VMware Horizon Clients documentation Web page.
Prerequisites
• Verify that Horizon 7 version 7.1 Connection Server is configured for unauthenticated access.
• Verify that the unauthenticated access users are created in Horizon Administrator. If the default unauthenticated user is the only unauthenticated access user, Horizon Client connects to the Connection Server instance with the default user.
Procedure
1 Start Horizon Client.
2 In Horizon Client, select Log in anonymously with Unauthenticated Access.
3 Connect to the Connection Server instance.
4 Select a user alias from the drop-down menu and click Login.
The default user has the "default" suffix.
5 Double-click a published application to start the application.
Using the Log In as Current User Feature Available with
Windows-Based Horizon Client
With Horizon Client for Windows, when users select the Log in as current user check box, the
credentials that they provided when logging in to the client system are used to authenticate to the Horizon
Connection Server instance and to the remote desktop. No further user authentication is required.
To support this feature, user credentials are stored on both the Connection Server instance and on the
client system.
• On the Connection Server instance, user credentials are encrypted and stored in the user session along with the username, domain, and optional UPN. The credentials are added when authentication occurs and are purged when the session object is destroyed. The session object is destroyed when the user logs out, the session times out, or authentication fails. The session object resides in volatile memory and is not stored in Horizon LDAP or in a disk file.
• On the client system, user credentials are encrypted and stored in a table in the Authentication Package, which is a component of Horizon Client. The credentials are added to the table when the user logs in and are removed from the table when the user logs out. The table resides in volatile memory.
Administrators can use Horizon Client group policy settings to control the availability of the Log in as
current user check box and to specify its default value. Administrators can also use group policy to
specify which Connection Server instances accept the user identity and credential information that is
passed when users select the Log in as current user check box in Horizon Client.
The Recursive Unlock feature is enabled after a user logs in to Connection Server with the Log in as
current user feature. The Recursive Unlock feature unlocks all remote sessions after the client machine
has been unlocked. Administrators can control the Recursive Unlock feature with the Unlock remote
sessions when the client machine is unlocked global policy setting in Horizon Client. For more
information about global policy settings for Horizon Client, see the Horizon Client documentation at the
VMware Horizon Clients documentation Web page.
The Log in as current user feature has the following limitations and requirements:
• When smart card authentication is set to Required on a Connection Server instance, authentication fails for users who select the Log in as current user check box when they connect to the Connection Server instance. These users must reauthenticate with their smart card and PIN when they log in to Connection Server.
• The time on the system where the client logs in and the time on the Connection Server host must be synchronized.
• If the default Access this computer from the network user-right assignments are modified on the client system, they must be modified as described in VMware Knowledge Base (KB) article 1025691.
• The client machine must be able to communicate with the corporate Active Directory server and not use cached credentials for authentication. For example, if users log in to their client machines from outside the corporate network, cached credentials are used for authentication. If the user then attempts to connect to a security server or a Connection Server instance without first establishing a VPN connection, the user is prompted for credentials, and the Log in as Current User feature does not work.
Saving Credentials in Mobile and Mac Horizon Clients
Administrators can configure View Connection Server to enable mobile and Mac Horizon Clients to
remember a user's user name, password, and domain information.
For Horizon Client for mobile devices, this feature causes the Save password check box to appear on
the login dialog boxes. For Horizon Client for Mac, this feature causes the Remember this password
check box to appear on the login dialog box.
If users choose to save their credentials, the credentials are added to the login fields in Horizon Client on
subsequent connections.
To enable this feature, you must set a value in View LDAP to indicate how long to save credential
information in the client. For Horizon Client for Mac, this feature is supported only in version 4.1 or later.
Note On Windows-based Horizon clients, the feature for logging in as the current user avoids requiring
users to supply credentials multiple times.
Configure a Timeout Limit to Save Horizon Client Credentials
You configure a timeout limit that indicates how long to save Horizon Client credential information on
mobile devices and Mac client systems by setting a value in View LDAP. The timeout limit is set in
minutes. When you change View LDAP on a View Connection Server instance, the change is propagated
to all replicated View Connection Server instances.
Prerequisites
See the Microsoft TechNet Web site for information on how to use the ADSI Edit utility on your Windows
operating system version.
Procedure
1 Start the ADSI Edit utility on your View Connection Server host.
2 In the Connection Settings dialog box, select or connect to DC=vdi,DC=vmware,DC=int.
3 In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the View Connection Server host followed by port 389.
For example: localhost:389 or mycomputer.mydomain.com:389
4 On the object CN=Common, OU=Global, OU=Properties, edit the clientCredentialCacheTimeout attribute value.
When clientCredentialCacheTimeout is not set or is set to 0, the feature is disabled. To enable this feature, you can set the number of minutes to retain the credential information, or set a value of -1, meaning that there is no timeout.
On View Connection Server, the new setting takes effect immediately. You do not need to restart the View
Connection Server service or the client computer.
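The three ADSI Edit procedures in this chapter (the SAML key validity days, BioMetricsTimeout, and clientCredentialCacheTimeout) all modify the same CN=Common object. As an added example that is not VMware's code, the following Python script encodes the value rules stated in those procedures and generates LDIF modify records; applying the records with ldifde instead of ADSI Edit is this example's assumption, not a step from the manual.

```python
"""Generate LDIF for the View LDAP settings this chapter sets through ADSI Edit.
Added example, not VMware's code. It encodes the value rules the manual states
for cs-saml*keyvaliditydays (pae-NameValuePair), BioMetricsTimeout
(pae-ClientConfig) and clientCredentialCacheTimeout on CN=Common and emits
LDIF modify records. Feeding those to ldifde rather than clicking through
ADSI Edit is this example's assumption, not a step from the manual."""
from typing import List

# Object named in every ADSI Edit procedure of this chapter.
COMMON_DN = "CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int"


def validate_timeout(value: int) -> int:
    """Rule shared by BioMetricsTimeout and clientCredentialCacheTimeout:
    0 disables the feature, -1 means no time limit, a positive integer is
    the number of minutes. Anything else is rejected."""
    if value in (0, -1) or value > 0:
        return value
    raise ValueError("invalid timeout %d: use 0, -1 or a positive number of minutes" % value)


def validate_validity_days(days: int) -> int:
    # The SAML key validity is a number of days that must elapse, so it is positive.
    if days <= 0:
        raise ValueError("validity period must be a positive number of days")
    return days


def name_value_record(attribute: str, current: List[str], key: str, value: str) -> str:
    """LDIF modify record for a multi-valued key=value attribute such as
    pae-NameValuePair or pae-ClientConfig. Existing entries for the key are
    deleted first so the attribute never carries two values for one key."""
    stale = [v for v in current if v.split("=", 1)[0].lower() == key.lower()]
    lines = ["dn: %s" % COMMON_DN, "changetype: modify"]
    if stale:
        lines.append("delete: %s" % attribute)
        lines.extend("%s: %s" % (attribute, v) for v in stale)
        lines.append("-")
    lines += ["add: %s" % attribute, "%s: %s=%s" % (attribute, key, value), "-"]
    return "\n".join(lines) + "\n"


def single_value_record(attribute: str, value: str) -> str:
    """LDIF modify record for a single-valued attribute (replace semantics)."""
    lines = ["dn: %s" % COMMON_DN, "changetype: modify",
             "replace: %s" % attribute, "%s: %s" % (attribute, value), "-"]
    return "\n".join(lines) + "\n"


def saml_validity_ldif(current_pairs: List[str], days: int) -> str:
    """Both SAML validity keys, as the procedure sets them, in one LDIF file.
    current_pairs holds the pae-NameValuePair values read from the object."""
    days = validate_validity_days(days)
    records = [name_value_record("pae-NameValuePair", current_pairs, key, str(days))
               for key in ("cs-samlencryptionkeyvaliditydays", "cs-samlsigningkeyvaliditydays")]
    return "\n".join(records)   # a blank line separates LDIF records


def biometrics_timeout_ldif(current_config: List[str], minutes: int) -> str:
    return name_value_record("pae-ClientConfig", current_config,
                             "BioMetricsTimeout", str(validate_timeout(minutes)))


def credential_cache_ldif(minutes: int) -> str:
    return single_value_record("clientCredentialCacheTimeout", str(validate_timeout(minutes)))


if __name__ == "__main__":
    # Constructed current values, as an administrator would read them in ADSI Edit.
    print(saml_validity_ldif(["cs-samlsigningkeyvaliditydays=30", "cs-unrelated=x"], 90))
    print(biometrics_timeout_ldif([], 480))
    print(credential_cache_ldif(-1))
```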
Setting Up True SSO
With the True SSO (single sign-on) feature, after users log in to VMware Identity Manager using a smart
card or RSA SecurID or RADIUS authentication, users are not required to also enter Active Directory
credentials in order to use a remote desktop or application.
If a user authenticates by using Active Directory credentials, the True SSO feature is not necessary, but
you can configure True SSO to be used even in this case, so that the AD credentials that the user
provides are ignored and True SSO is used.
When connecting to a virtual desktop or remote application, users can select to use either the native
Horizon Client or HTML Access.
This feature has the following limitations:
• This feature does not work for virtual desktops that are provided by using the View Agent Direct Connection plug-in.
• This feature is supported only in IPv4 environments.
Following is a list of the tasks you must perform to set up your environment for True SSO:
1 Determining an Architecture for True SSO
2 Set Up an Enterprise Certificate Authority
3 Create Certificate Templates Used with True SSO
4 Install and Set Up an Enrollment Server
5 Export the Enrollment Service Client Certificate
6 Configure SAML Authentication to Work with True SSO
7 Configure View Connection Server for True SSO
Determining an Architecture for True SSO
To use True SSO, you must have or add a certificate authority and create an enrollment server. These
two servers communicate to create the short-lived Horizon virtual certificate that enables a password-free
Windows logon. You can use True SSO in a single domain, in a single-forest with multiple domains, and
in a multiple-forest, multiple-domain setup.
VMware recommends deploying two CAs and two enrollment servers (ESs) to use True SSO. The following examples illustrate True SSO in different architectures.
The following figure illustrates a simple True SSO architecture.
[Figure: Very Simple True SSO Architecture. Components shown: Client, VMware Identity Manager Appliance, Connection Server, Enrollment Server, Certificate Authority, AD; labelled link: SAML Trust.]
The following figure illustrates True SSO in a single domain architecture.
The following figure illustrates True SSO in a single-forest with multiple domains architecture.
[Figure: True SSO Single Forest Multiple Domain Architecture (non HA). Components shown: Client, VMware Identity Manager Appliance, Connection Server, Enrollment Server, a CA in Domain #1 (Root Domain) and a CA in Domain #2, AD in each domain, all within one Forest.]
The following figure illustrates True SSO in a multiple-forest architecture.
[Figure: True SSO Multi-Forest Architecture (non HA). Components shown: Client, VMware Identity Manager Appliance, Connection Server, an Enrollment Server and CA in Domain #1 (Root Domain) of Forest #1, an Enrollment Server and CA in Domain #2 of Forest #2, AD in each domain; the forests are joined by a 2-way, Forest Level, Transitive Trust.]
Set Up an Enterprise Certificate Authority
If you do not already have a certificate authority set up, you must add the Active Directory Certificate
Services (AD CS) role to a Windows server and configure the server to be an enterprise CA.
If you do already have an enterprise CA set up, verify that you are using the settings described in this
procedure.
You must have at least one enterprise CA, and VMware recommends that you have two for purposes of
failover and load balancing. The enrollment server you will create for True SSO communicates with the
enterprise CA. If you configure the enrollment server to use multiple enterprise CAs, the enrollment server
will alternate between the CAs available. If you install the enrollment server on the same machine that
hosts the enterprise CA, you can configure the enrollment server to prefer using the local CA. This
configuration is recommended for best performance.
Part of this procedure involves enabling non-persistent certificate processing. By default, certificate
processing includes storing a record of each certificate request and issued certificate in the CA database.
A sustained high volume of requests increases the CA database growth rate and could consume all
available disk space if not monitored. Enabling non-persistent certificate processing can help reduce the
CA database growth rate and frequency of database management tasks.
Prerequisites
• Create a Windows Server 2008 R2 or Windows Server 2012 R2 virtual machine.
• Verify that the virtual machine is part of the Active Directory domain for the Horizon 7 deployment.
• Verify that you are using an IPv4 environment. This feature is currently not supported in an IPv6 environment.
• Verify that the system has a static IP address.
Procedure
1 Log in to the virtual machine operating system as an administrator and start Server Manager.
2 Select the settings for adding roles.
Operating System          Selections
Windows Server 2012 R2    a Select Add roles and features.
                          b On the Select Installation Type page, select Role-based or feature-based installation.
                          c On the Select Destination Server page, select a server.
Windows Server 2008 R2    a Select Roles in the navigation tree.
                          b Click Add Roles to start the Add Role wizard.
3 On the Select Server Roles page, select Active Directory Certificate Services.
4 In the Add Roles and Features wizard, click Add Features, and leave the Include management tools check box selected.
5 On the Select Features page, accept the defaults.
6 On the Select Role Services page, select Certification Authority.
7 Follow the prompts and finish the installation.
8 When installation is complete, on the Installation Progress page, click the Configure Active Directory Certificate Services on destination server link to open the AD CS Configuration wizard.
9 On the Credentials page, click Next and complete the AD CS Configuration wizard pages as described in the following table.
Option                 Action
Role Services          Select Certification Authority, and click Next (rather than Configure).
Setup Type             Select Enterprise CA.
CA Type                Select Root CA or Subordinate CA. Some enterprises prefer a two-tier PKI deployment. For more information, see
                       http://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx.
Private Key            Select Create a new private key.
Cryptography for CA    For hash algorithm, you can select SHA1, SHA256, SHA384, or SHA512. For key length, you can select 1024, 2048, 3072, or 4096.
                       VMware recommends a minimum of SHA256 and a 2048-bit key.
CA Name                Accept the default or change the name.
Validity Period        Accept the default of 5 years.
Certificate Database   Accept the defaults.
10 On the Confirmation page, click Configure, and when the wizard reports a successful configuration, close the wizard.
11 Open a command prompt and enter the following command to configure the CA for non-persistent certificate processing:
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
12 Enter the following command to ignore offline CRL (certificate revocation list) errors on the CA:
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
This flag is required because the root certificate that True SSO uses will usually be offline, and thus revocation checking will fail, which is expected.
13 Enter the following commands to restart the service:
sc stop certsvc
sc start certsvc
What to do next
Create a certificate template. See Create Certificate Templates Used with True SSO.
Create Certificate Templates Used with True SSO
You must create a certificate template that can be used for issuing short-lived certificates, and you must
specify which computers in the domain can request this type of certificate.
You can create more than one certificate template. You can configure only one template per domain but
you can share the template across multiple domains. For example, if you have an Active Directory forest
with three domains and you want to use True SSO for all three domains, you can choose to configure
one, two, or three templates. All domains can share the same template, or you can have different
templates for each domain.
Prerequisites
• Verify that you have an enterprise CA to use for creating the template described in this procedure. See Set Up an Enterprise Certificate Authority.
• Verify that you have prepared Active Directory for smart card authentication. For more information, see the View Installation document.
• Create a security group in the domain and forest for the enrollment servers, and add the computer accounts of the enrollment servers to that group.
Procedure
1 To configure True SSO, on the machine that you are using for the certificate authority, log in to the operating system as an administrator and go to Administrative Tools > Certification Authority.
a Expand the tree in the left pane, right-click Certificate Templates and select Manage.
b Right-click the Smartcard Logon template and select Duplicate.
c Make the following changes on the following tabs:
Tab                          Action
Compatibility tab            • For Certificate Authority, select Windows Server 2008 R2.
                             • For Certificate Recipient, select Windows 7/Windows Server 2008 R2.
General tab                  • Change the template display name to True SSO.
                             • Change the validity period to a period that is as long as a typical working day; that is, as long as the user is likely to remain logged in to the system. So that the user does not lose access to network resources while logged on, the validity period must be longer than the Kerberos TGT renewal time in the user's domain. (The default maximum lifetime of the ticket is 10 hours. To find the default domain policy, go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy: Maximum lifetime for user ticket.)
                             • Change the renewal period to 1 day.
Request Handling tab         • For Purpose, select Signature and smartcard logon.
                             • Select For automatic renewal of smart cards, …
Cryptography tab             • For Provider Category, select Key Storage Provider.
                             • For Algorithm name, select RSA.
Server tab                   Select Do not store certificates and requests in the CA database.
                             Important: Make sure to deselect Do not include revocation information in issued certificates. (This box gets selected when you select the first one, and you have to deselect (clear) it.)
Issuance Requirements tab    • Select This number of authorized signatures, and type 1 in the box.
                             • For Policy type, select Application Policy and set the policy to Certificate Request Agent.
                             • For Require the following for reenrollment, select Valid existing certificate.
Security tab                 For the security group that you created for the enrollment server computer accounts, as described in the prerequisites, provide the Read and Enroll permissions:
                             1 Click Add.
                             2 Specify which computers to allow to enroll for certificates.
                             3 For these computers, select the appropriate check boxes to give the computers the Read and Enroll permissions.
d Click OK in the Properties of New Template dialog box.
e Close the Certificate Templates Console window.
f Right-click Certificate Templates and select New > Certificate Template to Issue.
Note This step is required for all certificate authorities that issue certificates based on this template.
g In the Enable Certificate Templates window, select the template you just created (for example,
True SSO Template) and click OK.
2 To configure Enrollment Agent Computer, on the machine that you are using for the certificate authority, log in to the operating system as an administrator and go to Administrative Tools > Certification Authority.
a Expand the tree in the left pane, right-click Certificate Templates and select Manage.
b Locate and open the Enrollment Agent Computer template and then make the following change
on the Security tab:
For the security group that you created for the enrollment server computer accounts, as
described in the prerequisites, provide the following permissions: Read, Enroll
1 Click Add.
2 Specify which computers to allow to enroll for certificates.
3 For these computers select the appropriate check boxes to give the computers the following
permissions: Read, Enroll.
c Right-click Certificate Templates and select New > Certificate Template to Issue.
Note This step is required for all certificate authorities that issue certificates based on this
template.
d In the Enable Certificate Templates window, select Enrollment Agent Computer and click OK.
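An audit script for the two templates configured in steps 1 and 2 (added example; not VMware's code and not part of the guide). It reads the template objects from the Configuration partition with the RSAT ActiveDirectory module and checks the settings the procedure specifies: validity longer than the Kerberos ticket lifetime, a 1-day renewal period, one authorized signature carrying the Certificate Request Agent application policy, the smart card logon purpose, and which principals hold the Enroll right. The enrollment-server group name is an assumed placeholder; the OIDs and extended-right GUIDs are the public Microsoft values.

```powershell
# Added example, not part of the VMware guide. Requires the RSAT ActiveDirectory
# module and read access to the Configuration partition.
Import-Module ActiveDirectory

# Public Microsoft OIDs and extended-right GUIDs used by the checks.
$OidCertRequestAgent = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
$OidSmartCardLogon   = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$OidClientAuth       = '1.3.6.1.5.5.7.3.2'        # Client Authentication
$EnrollGuid          = [guid]'0e10c968-78fb-11d1-a9c0-0000f80367c1'   # Certificate-Enrollment right
$AutoEnrollGuid      = [guid]'a05b8cc2-17bc-11d1-a4d7-0000f80367c1'   # Certificate-AutoEnrollment right

# pKIExpirationPeriod and pKIOverlapPeriod are stored as a negative 64-bit
# interval in 100-nanosecond units (little-endian), like a FILETIME delta.
function ConvertFrom-PkiPeriod {
    param([byte[]]$Bytes)
    $ticks = [BitConverter]::ToInt64($Bytes, 0)
    [TimeSpan]::FromTicks(-$ticks)
}

# Identities holding Enroll or Autoenroll (or all extended rights) on a template.
# Holders of Full Control (admin groups by default) are not listed here; review
# them separately with Get-Acl.
function Get-TemplateEnrollers {
    param([string]$DistinguishedName)
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $extRight) -and
            ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq $AutoEnrollGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Get-PkiTemplate {
    param([string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $t = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$DisplayName)" -Properties `
        pKIExpirationPeriod, pKIOverlapPeriod, 'msPKI-RA-Signature', `
        'msPKI-RA-Application-Policies', 'msPKI-Certificate-Application-Policy'
    if (-not $t) { throw "Certificate template '$DisplayName' not found" }
    $t
}

function Test-TrueSsoTemplate {
    param(
        [string]$DisplayName = 'True SSO',                                   # display name chosen in step 1
        [string]$EnrollmentServersGroup = 'CORP\Horizon Enrollment Servers',  # ASSUMED placeholder name
        [TimeSpan]$MinValidity = [TimeSpan]::FromHours(10)                   # Kerberos default max ticket lifetime
    )
    $t = Get-PkiTemplate $DisplayName
    $validity  = ConvertFrom-PkiPeriod $t.pKIExpirationPeriod
    $renewal   = ConvertFrom-PkiPeriod $t.pKIOverlapPeriod
    # On CNG (Key Storage Provider) templates the RA policy attribute holds an
    # encoded string that still contains the OID, so a substring match covers both forms.
    $raPolicy  = @($t.'msPKI-RA-Application-Policies') -join ';'
    $appPolicy = @($t.'msPKI-Certificate-Application-Policy')
    $enrollers = @(Get-TemplateEnrollers $t.DistinguishedName)

    $findings = [ordered]@{
        'Validity longer than Kerberos ticket lifetime' = $validity -gt $MinValidity
        'Renewal period is 1 day'                       = $renewal -eq [TimeSpan]::FromDays(1)
        'Exactly one authorized signature required'     = [int]$t.'msPKI-RA-Signature' -eq 1
        'Signer needs Certificate Request Agent'        = $raPolicy -like "*$OidCertRequestAgent*"
        'Smart card logon and client auth purposes'     = ($appPolicy -contains $OidSmartCardLogon) -and ($appPolicy -contains $OidClientAuth)
        'Enrollment-server group can enroll'            = $enrollers -contains $EnrollmentServersGroup
        'No other principal can enroll'                 = @($enrollers | Where-Object { $_ -ne $EnrollmentServersGroup }).Count -eq 0
    }
    [pscustomobject]@{
        Template  = $DisplayName
        Validity  = $validity
        Enrollers = $enrollers
        Findings  = $findings
        Pass      = -not (@($findings.Values) -contains $false)
    }
}

# Enrollment Agent Computer (step 2) only needs the permission check.
function Test-EnrollmentAgentTemplate {
    param([string]$EnrollmentServersGroup = 'CORP\Horizon Enrollment Servers')   # ASSUMED placeholder name
    $t = Get-PkiTemplate 'Enrollment Agent Computer'
    $enrollers = @(Get-TemplateEnrollers $t.DistinguishedName)
    [pscustomobject]@{
        Template  = 'Enrollment Agent Computer'
        Enrollers = $enrollers
        Pass      = ($enrollers -contains $EnrollmentServersGroup) -and ($enrollers.Count -eq 1)
    }
}

Test-TrueSsoTemplate | Format-List
Test-EnrollmentAgentTemplate | Format-List
```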
What to do next
Create an enrollment service. See Install and Set Up an Enrollment Server.
Install and Set Up an Enrollment Server
You run the Connection Server installer and select the Horizon 7 Enrollment Server option to install an
enrollment server. The enrollment server requests short-lived certificates on behalf of the users you
specify. These short-term certificates are the mechanism True SSO uses for authentication to avoid
prompting users for Active Directory credentials.
You must install and set up at least one enrollment server, and the enrollment server cannot be installed
on the same host as View Connection Server. VMware recommends that you have two enrollment
servers for purposes of failover and load balancing. If you have two enrollment servers, by default one is
preferred and the other is used for failover. You can change this default, however, so that the connection
server alternates sending certificate requests to both enrollment servers.
If you install the enrollment server on the same machine that hosts the enterprise CA, you can configure
the enrollment server to prefer using the local CA. For best performance, VMware recommends
combining the configuration to prefer using the local CA with the configuration to load balance the
enrollment servers. As a result, when certificate requests arrive, the connection server will use alternate
enrollment servers, and each enrollment server will service the requests using the local CA. For
information about the configuration settings to use, see Enrollment Server Configuration Settings and
Connection Server Configuration Settings.
Prerequisites
- Create a Windows Server 2008 R2 or Windows Server 2012 R2 virtual machine with at least 4GB of memory, or use the virtual machine that hosts the enterprise CA. Do not use a machine that is a domain controller.
- Verify that no other View component, including View Connection Server, View Composer, security server, Horizon Client, or View Agent or Horizon Agent is installed on the virtual machine.
- Verify that the virtual machine is part of the Active Directory domain for the Horizon 7 deployment.
- Verify that you are using an IPv4 environment. This feature is currently not supported in an IPv6 environment.
- VMware recommends that the system have a static IP address.
- Verify that you can log in to the operating system as a domain user with Administrator privileges. You must log in as an administrator to run the installer.
Procedure
1 On the machine that you plan to use for the enrollment server, add the Certificate snap-in to MMC:
a Open the MMC console and select File > Add/Remove Snap-in.
b Under Available snap-ins, select Certificates and click Add.
c In the Certificates snap-in window, select Computer account, click Next, and click Finish.
d In the Add or Remove Snap-in window, click OK.
2 Issue an enrollment agent certificate:
a In the Certificates console, expand the console root tree, right-click the Personal folder, and
select All Tasks > Request New Certificate.
b In the Certificate Enrollment wizard, accept the defaults until you get to the Request Certificates
page.
c On the Request Certificates page, select the Enrollment Agent (Computer) check box and click
Enroll.
d Accept the defaults on the other wizard pages, and click Finish on the last page.
In the MMC console, if you expand the Personal folder and select Certificates in the left pane, you
will see a new certificate listed in the right pane.
3 Install the enrollment server:
a Download the View Connection Server installer file from the VMware download site at
https://my.vmware.com/web/vmware/downloads.
Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes
View Connection Server.
The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where
xxxxxx is the build number and y.y.y is the version number.
b Double-click the installer file to start the wizard, and follow the prompts until you get to the
Installation Options page.
c On the Installation Options page, select Horizon 7 Enrollment Server and choose an
authentication mode for the enrollment server instance, then click Next.
Option          Description
Horizon 7       Configures the authentication mode for a Horizon 7 environment.
Horizon Cloud   Configures the authentication mode for a Horizon Cloud environment.
d Follow the prompts to finish the installation.
You must enable the incoming connections on Port 32111 (TCP) for enrollment server to be
functional. The installer opens the port by default during installation.
What to do next
- If you installed the enrollment server on the same machine that hosts an enterprise CA, configure the enrollment server to prefer using the local CA. See Enrollment Server Configuration Settings.
Optionally, if you install and set up more than one enrollment server, configure connection servers to enable load balancing between the enrollment servers. See Connection Server Configuration Settings.
- Pair connection servers with enrollment servers. See Export the Enrollment Service Client Certificate.
Export the Enrollment Service Client Certificate
To accomplish pairing, you can use the MMC Certificates snap-in to export the automatically generated, self-signed Enrollment Service Client certificate from one connection server in the cluster. This certificate is called a client certificate because the connection server is a client of the Enrollment Service provided by the enrollment server.
The Enrollment Service must trust the VMware Horizon View Connection Server when it asks the enrollment servers to issue the short-lived certificates for Active Directory users. Hence, the VMware Horizon View Connection Server clusters or pods must be paired with enrollment servers.
The Enrollment Service Client certificate is automatically created when a Horizon 7 or later connection
server is installed and the VMware Horizon View Connection Server service starts. The certificate is
distributed through View LDAP to other Horizon 7 connection servers that get added to the cluster later.
The certificate is then stored in a custom container (VMware Horizon View
Certificates\Certificates) in the Windows Certificate Store on the computer.
Prerequisites
Verify that you have a Horizon 7 or later connection server. For installation instructions, see View
Installation. For upgrade instructions, see View Upgrades.
Important Customers can use their own certificates for pairing, rather than using the self-generated
certificate created by the connection server. To do so, place the preferred certificate (and the associated
private key) in the custom container (VMware Horizon View Certificates\Certificates) in the
Windows Certificate Store on the connection server machine. You must then set the friendly name of the
certificate to vdm.ec.new, and restart the server. The other servers in the cluster will fetch this certificate
from LDAP. You can then perform the steps in this procedure.
Procedure
1 On one of the connection server machines in the cluster, add the Certificates snap-in to MMC:
a Open the MMC console and select File > Add/Remove Snap-in.
b Under Available snap-ins, select Certificates and click Add.
c In the Certificates snap-in window, select Computer account, click Next, and click Finish.
d In the Add or Remove Snap-in window, click OK.
2 In the MMC console, in the left pane, expand the VMware Horizon View Certificates folder and select the Certificates folder.
3 In the right pane, right-click the certificate file with the friendly name vdm.ec, and select All Tasks > Export.
4 In the Certificate Export wizard, accept the defaults, including leaving the No, do not export the private key radio button selected.
5 When you are prompted to name the file, type a file name such as EnrollClient, for Enrollment Service Client certificate, and follow the prompts to finish exporting the certificate.
What to do next
Import the certificate into the enrollment server. See Import the Enrollment Service Client Certificate on
the Enrollment Server.
Import the Enrollment Service Client Certificate on the Enrollment Server
To complete the pairing process, you use the MMC Certificates snap-in to import the Enrollment Service
Client certificate into the enrollment server. You must perform this procedure on every enrollment server.
Prerequisites
- Verify that you have a Horizon 7 or later enrollment server. See Install and Set Up an Enrollment Server.
- Verify that you have the correct certificate to import. You can use either your own certificate or the automatically generated, self-signed Enrollment Service Client certificate from one connection server in the cluster, as described in Export the Enrollment Service Client Certificate.
Important To use your own certificates for pairing, place the preferred certificate (and the
associated private key) in the custom container (VMware Horizon View
Certificates\Certificates) in the Windows Certificate Store on the connection server machine.
You must then set the friendly name of the certificate to vdm.ec.new, and restart the server. The
other servers in the cluster will fetch this certificate from LDAP. You can then perform the steps in this
procedure.
If you have your own client certificate, the certificate that you must copy to the enrollment server is
the root certificate used to generate the client certificate.
Procedure
1 Copy the appropriate certificate file to the enrollment server machine.
To use the automatically generated certificate, copy the Enrollment Service Client certificate from the connection server. To use your own certificate, copy the root certificate that was used to generate the client certificate.
2 On the enrollment server, add the Certificates snap-in to MMC:
a Open the MMC console and select File > Add/Remove Snap-in.
b Under Available snap-ins, select Certificates and click Add.
c In the Certificates snap-in window, select Computer account, click Next, and click Finish.
d In the Add or Remove Snap-in window, click OK.
3 In the MMC console, in the left pane, right-click the VMware Horizon View Enrollment Server Trusted Roots folder and select All Tasks > Import.
4 In the Certificate Import wizard, follow the prompts to browse to and open the EnrollClient certificate file.
5 Follow the prompts and accept the defaults to finish importing the certificate.
6 Right-click the imported certificate and add a friendly name such as vdm.ec (for Enrollment Client certificate).
VMware recommends you use a friendly name that identifies the View cluster, but you can use any
name that helps you easily identify the client certificate.
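The export procedure (Export the Enrollment Service Client Certificate) and the import procedure above, as a script with a thumbprint check between the two sides (added example; not VMware's code and not part of the guide). It uses the Export-Certificate and Import-Certificate cmdlets of the Windows PKI module (Windows Server 2012 R2 or later) and assumes that the two custom containers appear under Cert:\LocalMachine with the names MMC shows for them; those store paths are assumptions.

```powershell
# Added example, not part of the VMware guide.
# ASSUMED store paths, derived from the folder names shown in the MMC Certificates snap-in.
$ConnectionServerStore = 'Cert:\LocalMachine\VMware Horizon View Certificates'
$EnrollmentTrustStore  = 'Cert:\LocalMachine\VMware Horizon View Enrollment Server Trusted Roots'

# Run on one connection server in the cluster: export the public certificate only.
function Export-EnrollmentClientCertificate {
    param(
        [string]$Path = "$env:TEMP\EnrollClient.cer",
        [string]$FriendlyName = 'vdm.ec'
    )
    $certs = @(Get-ChildItem $ConnectionServerStore | Where-Object { $_.FriendlyName -eq $FriendlyName })
    if ($certs.Count -ne 1) {
        throw "Expected exactly one certificate with friendly name '$FriendlyName', found $($certs.Count)"
    }
    $cert = $certs[0]
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) has expired" }
    # -Type CERT writes DER-encoded public data; Export-Certificate never writes the private key,
    # which matches the "No, do not export the private key" choice in the wizard.
    Export-Certificate -Cert $cert -FilePath $Path -Type CERT | Out-Null
    [pscustomobject]@{
        Path       = $Path
        Thumbprint = $cert.Thumbprint   # carry this value to the enrollment server
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
    }
}

# Run on every enrollment server: verify the file, import it, then set the friendly name.
function Import-EnrollmentClientCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$ExpectedThumbprint,   # value printed by the export step
        [string]$FriendlyName = 'vdm.ec'
    )
    $file = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    if ($file.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: file has $($file.Thumbprint), expected $ExpectedThumbprint"
    }
    if ($file.HasPrivateKey) { throw "Refusing to import: the file carries a private key" }
    $imported = Import-Certificate -FilePath $Path -CertStoreLocation $EnrollmentTrustStore
    # The friendly name is a store property; setting it on the store object persists it.
    $stored = Get-ChildItem $EnrollmentTrustStore | Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
    $stored.FriendlyName = $FriendlyName
    $stored
}

# Typical use:
#   on the connection server:  $exported = Export-EnrollmentClientCertificate
#   on each enrollment server: Import-EnrollmentClientCertificate -Path .\EnrollClient.cer -ExpectedThumbprint $exported.Thumbprint
```

If you pair with your own certificate instead, pass the root certificate that issued the client certificate to the import function, as the procedure describes.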
What to do next
Configure the SAML authenticator used for delegating authentication to VMware Identity Manager. See
Configure SAML Authentication to Work with True SSO.
Configure SAML Authentication to Work with True SSO
With the True SSO feature introduced in Horizon 7, users can log in to VMware Identity Manager 2.6 and
later releases using smart card, RADIUS, or RSA SecurID authentication, and they will no longer be
prompted for Active Directory credentials, even when they launch a remote desktop or application for the
first time.
With earlier releases, SSO (single sign-on) worked by prompting users for their Active Directory
credentials the first time they launched a remote desktop or published application if they had not
previously authenticated with their Active Directory credentials. The credentials were then cached so that
subsequent launches would not require users to re-enter their credentials. With True SSO, short-term
certificates are created and used instead of AD credentials.
Although the process for configuring SAML authentication for VMware Identity Manager has not changed,
one additional step has been added for True SSO. You must configure VMware Identity Manager so that
password pop-ups are suppressed.
Note If your deployment includes more than one View Connection Server instance, you must associate
the SAML authenticator with each instance.
Prerequisites
- Verify that single sign-on is enabled as a global setting. In View Administrator, select Configuration > Global Settings, and verify that Single sign-on (SSO) is set to Enabled.
- Verify that VMware Identity Manager is installed and configured. See the VMware Identity Manager documentation, available at https://www.vmware.com/support/pubs/vidm_pubs.html.
- Verify that the root certificate for the signing CA for the SAML server certificate is installed on the connection server host. VMware does not recommend that you configure SAML authenticators to use self-signed certificates. See the topic "Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store," in the chapter "Configuring SSL Certificates for View Servers," in the View Installation document.
- Make a note of the FQDN of the VMware Identity Manager server instance.
Procedure
1 In Horizon Administrator, select Configuration > Servers.
2 On the Connection Servers tab, select a server instance to associate with the SAML authenticator and click Edit.
3 On the Authentication tab, from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu, select Allowed or Required.
You can configure each View Connection Server instance in your deployment to have different SAML authentication settings, depending on your requirements.
4 Click Manage SAML Authenticators and click Add.
5 Configure the SAML authenticator in the Add SAML 2.0 Authenticator dialog box.
Label
    You can use the FQDN of the VMware Identity Manager server instance.
Description
    (Optional) You can use the FQDN of the VMware Identity Manager server instance.
Metadata URL
    URL for retrieving all of the information required to exchange SAML information between the SAML identity provider and the View Connection Server instance. In the URL https://<YOUR HORIZON SERVER NAME>/SAAS/API/1.0/GET/metadata/idp.xml, click <YOUR HORIZON SERVER NAME> and replace it with the FQDN of the VMware Identity Manager server instance.
Administration URL
    URL for accessing the administration console of the SAML identity provider (VMware Identity Manager instance). This URL has the format https://<Identity-Manager-FQDN>:8443.
6 Click OK to save the SAML authenticator configuration.
If you provided valid information, you must either accept the self-signed certificate (not recommended) or use a trusted certificate for View and VMware Identity Manager.
The SAML 2.0 Authenticator drop-down menu displays the newly created authenticator, which is now set as the selected authenticator.
7 In the System Health section on the View Administrator dashboard, select Other components > SAML 2.0 Authenticators, select the SAML authenticator that you added, and verify the details.
If the configuration is successful, the authenticator's health is green. An authenticator's health can display red if the certificate is untrusted, if the VMware Identity Manager service is unavailable, or if the metadata URL is invalid. If the certificate is untrusted, you might be able to click Verify to validate and accept the certificate.
8 Log in to the VMware Identity Manager administration console, go to the View Pools page, and select the Suppress Password Popup check box.
What to do next
- Extend the expiration period of the View Connection Server metadata so that remote sessions are not terminated after only 24 hours. See Change the Expiration Period for Service Provider Metadata on Connection Server.
- Use the vdmutil command-line interface to configure True SSO on a connection server. See Configure View Connection Server for True SSO.
For more information about how SAML authentication works, see Using SAML Authentication.
Configure View Connection Server for True SSO
You can use the vdmutil command-line interface to configure and enable or disable True SSO.
You need to perform this procedure on only one connection server in the cluster.
Important This procedure uses only the commands necessary for enabling True SSO. For a list of all
the configuration options available for managing True SSO configurations, and a description of each
option, see Command-line Reference for Configuring True SSO.
Prerequisites
- Verify that you can run the command as a user who has the Administrators role. You can use View Administrator to assign the Administrators role to a user. See Chapter 6 Configuring Role-Based Delegated Administration.
- Verify that you have the fully qualified domain name (FQDN) for the following servers:
    - Connection server
    - Enrollment server
      For more information, see Install and Set Up an Enrollment Server.
    - Enterprise certificate authority
      For more information, see Set Up an Enterprise Certificate Authority.
- Verify that you have the Netbios name or the FQDN of the domain.
- Verify that you have created a certificate template. See Create Certificate Templates Used with True SSO.
- Verify that you have created a SAML authenticator to delegate authentication to VMware Identity Manager. See Configure SAML Authentication to Work with True SSO.
Procedure
1 On a connection server in the cluster, open a command prompt and enter the command to add an enrollment server.
vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server-fqdn
The enrollment server is added to the global list.
2 Enter the command to list the information for that enrollment server.
vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn
The output shows the forest name, whether the certificate for the enrollment server is valid, the name
and details of the certificate template you can use, and the common name of the certificate authority.
To configure which domains the enrollment server can connect to, you can use a Windows Registry
setting on the enrollment server. The default is to connect to all trusting domains.
Important You will be required to specify the common name of the certificate authority in the next
step.
3 Enter the command to create a True SSO connector, which will hold the configuration information, and enable the connector.
vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --certificateServer ca-common-name --mode enabled
In this command, TrueSSO-template-name is the name of the template shown in the output for the
previous step, and ca-common-name is the common name of the enterprise certificate authority
shown in that output.
The True SSO connector is enabled on a pool or cluster for the domain specified. To disable True SSO at the pool level, run vdmUtil --certsso --edit --connector <domain> --mode disabled. To disable True SSO for an individual virtual machine, you can use GPO (vdm_agent.adm).
4 Enter the command to discover which SAML authenticators are available.
vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --list --authenticator
Authenticators are created when you configure SAML authentication between VMware Identity
Manager and a connection server, using View Administrator.
The output shows the name of the authenticator and shows whether True SSO is enabled.
Important You will be required to specify the authenticator name in the next step.
5 Enter the command to enable the authenticator to use True SSO mode.
vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-fqdn --truessoMode {ENABLED|ALWAYS}
For --truessoMode, use ENABLED if you want True SSO to be used only if no password was supplied
when the user logged in to VMware Identity Manager. In this case if a password was used and
cached, the system will use the password. Set --truessoMode to ALWAYS if you want True SSO to be
used even if a password was supplied when the user logged in to VMware Identity Manager.
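The five vdmUtil steps above as one script that stops at the first failure, checking the exit code the way the Command-line Reference describes it (0 on success, a failure-specific non-zero code otherwise, errors on standard error). This is an added example, not VMware's code or part of the guide; it assumes vdmUtil.exe at its default install path and, by default, passes "*" as the password so that vdmUtil prompts for it and the password never appears in the script or in command history. The output checks are plain substring matches because the exact output layout is not documented here.

```powershell
# Added example, not part of the VMware guide.
$VdmUtil = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmUtil.exe'   # default path from the reference

# Runs one vdmUtil --truesso command and throws on a non-zero exit code.
function Invoke-VdmUtilTrueSso {
    param(
        [Parameter(Mandatory=$true)][string]$AuthAs,
        [Parameter(Mandatory=$true)][string]$AuthDomain,
        [string]$AuthPassword = '*',          # "*" makes vdmUtil prompt instead of taking it from the command line
        [Parameter(Mandatory=$true)][string[]]$Arguments
    )
    $argv = @('--authAs', $AuthAs, '--authDomain', $AuthDomain, '--authPassword', $AuthPassword, '--truesso') + $Arguments
    $output = & $VdmUtil @argv 2>&1     # capture stdout and stderr together for the error message
    if ($LASTEXITCODE -ne 0) {
        throw "vdmUtil $($Arguments -join ' ') failed with exit code $LASTEXITCODE`n$($output -join "`n")"
    }
    $output
}

function Enable-TrueSso {
    param(
        [Parameter(Mandatory=$true)][string]$AdminUser,            # --authAs: plain user name, not DOMAIN\user or UPN
        [Parameter(Mandatory=$true)][string]$AdminDomain,          # --authDomain: FQDN or Netbios name
        [Parameter(Mandatory=$true)][string]$EnrollmentServerFqdn,
        [Parameter(Mandatory=$true)][string]$DomainFqdn,
        [Parameter(Mandatory=$true)][string]$TemplateName,         # name shown in the step 2 output
        [Parameter(Mandatory=$true)][string]$CaCommonName,         # CA common name shown in the step 2 output
        [Parameter(Mandatory=$true)][string]$AuthenticatorName,    # name shown in the step 4 output
        [ValidateSet('ENABLED', 'ALWAYS')][string]$TrueSsoMode = 'ENABLED'
    )
    $common = @{ AuthAs = $AdminUser; AuthDomain = $AdminDomain }

    # Step 1: add the enrollment server to the global list (re-adding an existing one changes nothing).
    Invoke-VdmUtilTrueSso @common -Arguments @('--environment', '--add', '--enrollmentServer', $EnrollmentServerFqdn) | Out-Null

    # Step 2: list what the enrollment server reports for this domain. The template and CA we
    # are about to reference must appear in this output, and the enrollment certificate must be VALID.
    $envOut = Invoke-VdmUtilTrueSso @common -Arguments @('--environment', '--list', '--enrollmentServer', $EnrollmentServerFqdn, '--domain', $DomainFqdn)
    $envText = $envOut -join "`n"
    if ($envText -notmatch [regex]::Escape($TemplateName) -or $envText -notmatch [regex]::Escape($CaCommonName)) {
        throw "Template '$TemplateName' or CA '$CaCommonName' not reported by $EnrollmentServerFqdn for $DomainFqdn"
    }
    if ($envText -match 'INVALID') {
        throw "Enrollment certificate reported INVALID; check the log file on $EnrollmentServerFqdn"
    }

    # Step 3: create the connector for the domain and enable it.
    Invoke-VdmUtilTrueSso @common -Arguments @('--create', '--connector', '--domain', $DomainFqdn,
        '--template', $TemplateName, '--primaryEnrollmentServer', $EnrollmentServerFqdn,
        '--certificateServer', $CaCommonName, '--mode', 'enabled') | Out-Null

    # Step 4: confirm the SAML authenticator exists before editing it.
    $auths = Invoke-VdmUtilTrueSso @common -Arguments @('--list', '--authenticator')
    if (($auths -join "`n") -notmatch [regex]::Escape($AuthenticatorName)) {
        throw "Authenticator '$AuthenticatorName' not found; configure the SAML authenticator in View Administrator first"
    }

    # Step 5: switch the authenticator to True SSO (ENABLED: only when no password was cached; ALWAYS: regardless).
    Invoke-VdmUtilTrueSso @common -Arguments @('--authenticator', '--edit', '--name', $AuthenticatorName, '--truessoMode', $TrueSsoMode) | Out-Null
}

# Example call (placeholder values):
# Enable-TrueSso -AdminUser 'viewadmin' -AdminDomain 'corp' -EnrollmentServerFqdn 'enroll01.corp.example' `
#     -DomainFqdn 'corp.example' -TemplateName 'TrueSSO' -CaCommonName 'corp-CA' `
#     -AuthenticatorName 'vidm.corp.example' -TrueSsoMode ENABLED
```

Because the password is prompted for each call, expect five prompts with the default; pass -AuthPassword once through Invoke-VdmUtilTrueSso only if the command line of the process is not readable by other users on the host.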
What to do next
In View Administrator, verify the health status of the True SSO configuration. For more information, see
Using the System Health Dashboard to Troubleshoot Issues Related to True SSO.
To configure advanced options, use Windows advanced settings on the appropriate system. See
Advanced Configuration Settings for True SSO.
Command-line Reference for Configuring True SSO
You can use the vdmutil command-line interface to configure and manage the True SSO feature.
Location of the Utility
By default, the path to the vdmutil command executable file is C:\Program Files\VMware\VMware
View\Server\tools\bin. To avoid entering the path on the command line, add the path to your PATH
environment variable.
Syntax and Authentication
Use the following form of the vdmutil command from a Windows command prompt.
vdmutil authentication options --truesso additional options and arguments
The additional options that you can use depend on the command option. This topic focuses on the
options for configuring True SSO (--truesso). Following is an example of a command for listing
connectors that have been configured for True SSO:
vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --list --connector
The vdmutil command includes authentication options to specify the user name, domain, and password
to use for authentication.
Table 51. vdmutil Command Authentication Options
--authAs
    Name of a View administrator user. Do not use domain\username or user principal name (UPN) format.
--authDomain
    Fully qualified domain name or Netbios name of the domain for the View administrator user specified in the --authAs option.
--authPassword
    Password for the View administrator user specified in the --authAs option. Entering "*" instead of a password causes the vdmutil command to prompt for the password and does not leave sensitive passwords in the command history on the command line.
You must use the authentication options with all vdmutil command options except for --help and
--verbose.
Command Output
The vdmutil command returns 0 when an operation succeeds and a failure-specific non-zero code when
an operation fails. The vdmutil command writes error messages to standard error. When an operation
produces output, or when verbose logging is enabled by using the --verbose option, the vdmutil
command writes output to standard output, in US English.
Commands for Managing Enrollment Servers
You must add one enrollment server for each domain. You can also add a second enrollment server and
later designate that server to be used as a backup.
For readability, the options shown in the following table do not represent the complete command you
would enter. Only the options specific to the particular task are included. For example, one row shows the
--environment --list --enrollmentServers options, but the vdmUtil command you would actually
enter also contains options for authentication and for specifying that you are configuring True SSO:
vdmUtil --authAs admin-role-user --authDomain netbios-name --authPassword admin-user-password --truesso --environment --list --enrollmentServers
For more information about the authentication options, see Command-line Reference for Configuring True
SSO.
Table 52. vdmutil truesso Command Options for Managing Enrollment Servers
--environment --add --enrollmentServer enroll-server-fqdn
    Adds the specified enrollment server to the environment, where enroll-server-fqdn is the FQDN of the enrollment server. If the enrollment server has already been added, running this command does nothing.
--environment --remove --enrollmentServer enroll-server-fqdn
    Removes the specified enrollment server from the environment, where enroll-server-fqdn is the FQDN of the enrollment server. If the enrollment server has already been removed, running this command does nothing.
--environment --list --enrollmentServers
    Lists the FQDNs of all enrollment servers in the environment.
--environment --list --enrollmentServer enroll-server-fqdn
    Lists the FQDNs of the domains and forests that are trusted by the domains and forests to which the enrollment server belongs, and the state of the enrollment certificate, which can be VALID or INVALID. VALID means the enrollment server has an Enrollment Agent certificate installed. The state might be INVALID for any of several reasons:
    - The certificate has not been installed.
    - The certificate is not yet valid, or has expired.
    - The certificate was not issued by a trusted Enterprise CA.
    - The private key is not available.
    - The certificate has been corrupted.
    The log file on the enrollment server can provide the reason for the INVALID state.
--environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn
    For the enrollment server in the specified domain, lists the CNs (common names) of the available certificate authorities, and provides the following information about each certificate template that can be used for True SSO: name, minimum key length, and hash algorithm.
Commands for Managing Connectors
You create one connector for each domain. The connector defines the parameters that are used for True
SSO.
For readability, the options shown in the following table do not represent the complete command you
would enter. Only the options specific to the particular task are included. For example, one row shows the
--list --connector options, but the vdmUtil command you would actually enter also contains options
for authentication and for specifying that you are configuring True SSO:
vdmUtil --authAs admin-role-user --authDomain netbios-name --authPassword admin-user-password --truesso --list --connector
For more information about the authentication options, see Command-line Reference for Configuring True
SSO.
Table 53. vdmutil truesso Command Options for Managing Connectors
--create --connector --domain domain-fqdn --template template-name --primaryEnrollmentServer enroll-server1-fqdn [--secondaryEnrollmentServer enroll-server2-fqdn] --certificateServer CA-common-name --mode {enabled|disabled}
    Creates a connector for the specified domain and configures the connector to use the following settings:
    - template-name is the name of the certificate template to use.
    - enroll-server1-fqdn is the FQDN of the primary enrollment server to use.
    - enroll-server2-fqdn is the FQDN of the secondary enrollment server to use. This setting is optional.
    - CA-common-name is the common name of the certificate authority to use. This can be a comma-separated list of CAs.
    To determine which certificate template and certificate authority are available for a particular enrollment server, you can run the vdmutil command with the --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn options.
--list --connector
    Lists the FQDNs of the domains that already have a connector created.
--list --connector --verbose
    Lists all the domains that have connectors, and for each connector, provides the following information:
    - Primary enrollment server
    - Secondary enrollment server, if there is one
    - Name of the certificate template
    - Whether the connector is enabled or disabled
    - Common name of the certificate authority server or servers, if there are more than one
--edit --connector domain-fqdn [--template template-name] [--mode {enabled|disabled}] [--primaryEnrollmentServer enroll-server1-fqdn] [--secondaryEnrollmentServer enroll-server2-fqdn] [--certificateServer CA-common-name]
    For the connector created for the domain specified by domain-fqdn, allows you to change any of the following settings:
    - template-name is the name of the certificate template to use.
    - The mode can be either enabled or disabled.
    - enroll-server1-fqdn is the FQDN of the primary enrollment server to use.
    - enroll-server2-fqdn is the FQDN of the secondary enrollment server to use. This setting is optional.
    - CA-common-name is the common name of the certificate authority to use. This can be a comma-separated list of CAs.
--delete --connector domain-fqdn
    Deletes the connector that has been created for the domain specified by domain-fqdn.
Commands for Managing Authenticators
Authenticators are created when you configure SAML authentication between VMware Identity Manager and a connection server. The only management task is to enable or disable True SSO for the authenticator.
For readability, the options shown in the following table do not represent the complete command you would enter. Only the options specific to the particular task are included. For example, one row shows the --list --authenticator options, but the vdmUtil command you would actually enter also contains options for authentication and for specifying that you are configuring True SSO:
    vdmUtil --authAs admin-role-user --authDomain netbios-name --authPassword admin-user-password --truesso --list --authenticator
For more information about the authentication options, see Command-line Reference for Configuring True SSO.

Table 5-4. vdmutil truesso Command Options for Managing Authenticators

--list --authenticator [--verbose]
    Lists the fully qualified domain names (FQDNs) of all SAML authenticators found in the domain. For each one, specifies whether True SSO is enabled. If you use the --verbose option, the FQDNs of the associated connection servers are also listed.

--list --authenticator --name label
    For the specified authenticator, lists whether True SSO is enabled, and lists the FQDNs of the associated connection servers. For label use one of the names listed when you use the --authenticator option without the --name option.

--edit --authenticator --name label --truessoMode mode-value
    For the specified authenticator, sets the True SSO mode to the value you specify, where mode-value can be one of the following values:
    - ENABLED. True SSO is used only when the Active Directory credentials of the user are not available.
    - ALWAYS. True SSO is always used even if vIDM has the AD credentials of the user.
    - DISABLED. True SSO is disabled.
    For label use one of the names listed when you use the --authenticator option without the --name option.
Advanced Configuration Settings for True SSO
You can manage the True SSO advanced settings by using the GPO template on the Horizon Agent machine, registry settings on the enrollment server, and LDAP entries on the connection server. These settings include the default timeout, load balancing, the domains to include, and more.
Horizon Agent Configuration Settings
You can use the GPO template on the agent OS to turn off True SSO at the pool level or to change defaults for certificate settings such as key size and count, and settings for reconnect attempts.
Note The following table shows the settings to use for configuring the agent on individual virtual machines, but you can alternatively use the Horizon Agent Configuration template files. The ADMX template file is named vdm_agent.admx. Use the template files to make these policy settings apply to all the virtual machines in a desktop or application pool. If a policy is set, the policy takes precedence over the registry settings.
The ADMX files are available in a bundled .zip file named VMware-Horizon-Extras-Bundle-x.x.x-yyyyyyy.zip, which you can download from the VMware download site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes the bundled .zip file.
Table 5-5. Keys for Configuring True SSO on Horizon Agent

Disable True SSO (Min & Max: N/A)
    Set this key to true to disable the feature on the agent. Use this setting in the group policy to disable True SSO at the pool level. The default is false.

Certificate wait timeout (Min & Max: 10-120)
    Specifies the timeout period, in seconds, for certificates to arrive on the agent. The default is 40.

Minimum key size (Min & Max: 1024-8192)
    Minimum allowed size for a key. The default is 1024, meaning that by default, if the key size is below 1024, the key cannot be used.

All key sizes (Min & Max: N/A)
    Comma-separated list of key sizes that can be used. Up to 5 sizes can be specified; for example: 1024,2048,3072,4096. The default is 2048.

Number of keys to pre-create (Min & Max: 1-100)
    Number of keys to pre-create on RDS servers that provide remote desktops and hosted Windows applications. The default is 5.

Minimum validity period required for a certificate (Min & Max: N/A)
    Minimum validity period, in minutes, required for a certificate when it is being reused to reconnect a user. The default is 5.
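As an added illustration (not VMware code), the following Python model applies the key-size and certificate-reuse rules from the agent keys above: a key must be listed in All key sizes and must not fall below Minimum key size, and a cached certificate is only reused for a reconnect while at least the minimum validity period remains. The class and method names are assumptions; it models the documented rules, not the agent's implementation.

```python
"""Model of the Horizon Agent True SSO key and certificate checks in Table 5-5.

Added example, not VMware code: it applies the documented rules for the
Minimum key size, All key sizes and Minimum validity period settings. The
class name, method names and the order of the checks are assumptions.
"""
from datetime import datetime, timedelta, timezone


class TrueSsoAgentPolicy:
    # Defaults and limits as documented in Table 5-5.
    DEFAULT_MIN_KEY_SIZE = 1024
    DEFAULT_ALL_KEY_SIZES = (2048,)
    DEFAULT_MIN_VALIDITY_MINUTES = 5
    MAX_KEY_SIZE_ENTRIES = 5

    def __init__(self, min_key_size=DEFAULT_MIN_KEY_SIZE,
                 all_key_sizes=DEFAULT_ALL_KEY_SIZES,
                 min_validity_minutes=DEFAULT_MIN_VALIDITY_MINUTES):
        if not 1024 <= min_key_size <= 8192:
            raise ValueError("Minimum key size must be within 1024-8192")
        sizes = tuple(int(s) for s in all_key_sizes)
        if not 1 <= len(sizes) <= self.MAX_KEY_SIZE_ENTRIES:
            raise ValueError("All key sizes accepts 1 to 5 entries")
        self.min_key_size = min_key_size
        self.all_key_sizes = sizes
        self.min_validity = timedelta(minutes=min_validity_minutes)

    @staticmethod
    def all_key_sizes_valid(csv):
        """True if an 'All key sizes' value parses to 1 to 5 integer sizes."""
        parts = [s.strip() for s in csv.split(",") if s.strip()]
        return 1 <= len(parts) <= 5 and all(p.isdigit() for p in parts)

    @classmethod
    def from_all_key_sizes(cls, csv, **kwargs):
        """Build a policy from the comma-separated 'All key sizes' value,
        for example "1024,2048,3072,4096"."""
        if not cls.all_key_sizes_valid(csv):
            raise ValueError("All key sizes must list 1 to 5 integer sizes")
        sizes = [s.strip() for s in csv.split(",") if s.strip()]
        return cls(all_key_sizes=sizes, **kwargs)

    def key_size_usable(self, bits):
        """A key is usable only if its size is listed in All key sizes and is
        not below Minimum key size; both rules must hold."""
        return bits in self.all_key_sizes and bits >= self.min_key_size

    def certificate_reusable(self, not_after_iso, now_iso=None):
        """A cached certificate may be reused to reconnect a user only if it
        still has at least the minimum validity period left. Times are ISO 8601
        strings with a UTC offset."""
        not_after = datetime.fromisoformat(not_after_iso)
        now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
        return not_after - now >= self.min_validity
```

With the defaults, a 1024-bit key is rejected even though it is not below the minimum, because the default All key sizes list contains only 2048; conversely, listing 1024 while raising Minimum key size to 2048 still rejects it.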
Enrollment Server Configuration Settings
You can use Windows Registry settings on the enrollment server OS to configure which domains to
connect to, various timeout periods, polling periods, and retries, and whether to prefer using the certificate
authority that is installed on the same local server (recommended).
To change the advanced configuration settings, you can open the Windows Registry Editor
(regedit.exe) on the enrollment server machine and navigate to the following registry key:
HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service
Table 5-6. Registry Keys for Configuring True SSO on the Enrollment Server

ConnectToDomains (REG_MULTI_SZ)
    List of domains the enrollment server attempts to connect to automatically. For this multi-string registry type, the DNS fully qualified domain name (FQDN) of each domain is listed on its own line. The default is to trust all domains.

ExcludeDomains (REG_MULTI_SZ)
    List of domains the enrollment server does not connect to automatically. If the connection server provides a configuration set with any of the domains, the enrollment server will attempt to connect to that domain or domains. For this multi-string registry type, the DNS FQDN of each domain is listed on its own line. The default is to exclude no domains.

ConnectToDomainsInForest (REG_SZ)
    Specifies whether to connect to and use all domains in the forest that the enrollment server is a member of. The default is TRUE. Use one of the following values:
    - 0 means false; do not connect to the domains of the forest being used.
    - !=0 means true.

ConnectToTrustingDomains (REG_SZ)
    Specifies whether to connect to explicitly trusting/incoming domains. The default is TRUE. Use one of the following values:
    - 0 means false; do not connect to explicitly trusting/incoming domains.
    - !=0 means true.

PreferLocalCa (REG_SZ)
    Specifies whether to prefer the locally installed CA, if available, for performance benefits. If set to TRUE, the enrollment server will send requests to the local CA. If the connection to the local CA fails, the enrollment server will try to send certificate requests to alternate CAs. The default is FALSE. Use one of the following values:
    - 0 means false.
    - !=0 means true.

MaxSubmitRetryTime (DWORD, Min & Max: 9500-59000)
    Amount of time to wait before retrying the submission of a certificate signing request, in milliseconds. The default is 25000.

SubmitLatencyWarningTime (DWORD, Min & Max: 500-5000)
    Submit latency warning time, in milliseconds, above which the interface is marked "Degraded". The default is 1500.
    The enrollment server uses this setting to determine whether a CA should be considered to be in a degraded state. If the last three certificate requests took more milliseconds to complete than are specified by this setting, the CA is considered degraded, and this status appears in the Horizon Administrator Health Status dashboard.
    A CA usually issues a certificate within 20 ms, but if the CA has been idle for a few hours, any initial request might take longer to complete. This setting allows an administrator to find out that a CA is slow without necessarily having the CA marked as slow. Use this setting to configure the threshold for marking the CA as slow.

WarnForLonglivedCert (REG_SZ)
    Disables the warning for long-lived True SSO certificate templates. The default is True.
    The enrollment server displays a warning status in the Horizon Administrator Health Status dashboard by reporting True SSO templates as being in a degraded or non-optimal state if the certificate lifetime is set to greater than 14 days. The enrollment server uses this setting to disable the warning.
    The enrollment server must be restarted for this setting to take effect.
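The enrollment server keys above are plain registry values, so one practical way to apply and review them is to generate a .reg file from a validated set of settings and import it with regedit.exe. The following Python script is an added example and is not VMware code: the key path, value names, types, ranges and defaults come from the table; the REG_MULTI_SZ encoding follows the regedit 5.00 export format (hex(7): UTF-16LE, each string NUL-terminated, plus a final NUL). The domain name in the sample is a constructed placeholder.

```python
"""Build a .reg file for the True SSO enrollment server keys in Table 5-6.

Added example, not VMware code. Key names, value types, ranges and defaults
come from the table; the .reg encoding follows the regedit 5.00 export
format. The output is meant to be reviewed and then imported on the
enrollment server with regedit.exe or reg.exe.
"""

KEY_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service"

# Setting name -> (registry type, (min, max) for DWORD values), from Table 5-6.
ES_SETTINGS = {
    "ConnectToDomains": ("REG_MULTI_SZ", None),
    "ExcludeDomains": ("REG_MULTI_SZ", None),
    "ConnectToDomainsInForest": ("REG_SZ", None),
    "ConnectToTrustingDomains": ("REG_SZ", None),
    "PreferLocalCa": ("REG_SZ", None),
    "MaxSubmitRetryTime": ("DWORD", (9500, 59000)),
    "SubmitLatencyWarningTime": ("DWORD", (500, 5000)),
    "WarnForLonglivedCert": ("REG_SZ", None),
}


def multi_sz_hex(strings):
    """regedit writes REG_MULTI_SZ as hex(7): UTF-16LE bytes, each string
    NUL-terminated, with an extra NUL terminating the whole list."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def validate(settings):
    """Return a list of problems; an empty list means the settings are acceptable."""
    problems = []
    for name, value in settings.items():
        if name not in ES_SETTINGS:
            problems.append(f"{name}: not an enrollment server setting")
            continue
        reg_type, bounds = ES_SETTINGS[name]
        if reg_type == "REG_MULTI_SZ":
            if (not isinstance(value, (list, tuple)) or not value
                    or not all(isinstance(v, str) and "." in v for v in value)):
                problems.append(f"{name}: expected a non-empty list of DNS FQDNs")
        elif reg_type == "DWORD":
            lo, hi = bounds
            if not isinstance(value, int) or not lo <= value <= hi:
                problems.append(f"{name}: expected an integer in {lo}-{hi}")
        elif not isinstance(value, bool):
            problems.append(f"{name}: expected True or False")
    return problems


def render_reg(settings):
    """Return the .reg text for the given {name: value} mapping."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["Windows Registry Editor Version 5.00", "", f"[{KEY_PATH}]"]
    for name, value in settings.items():
        reg_type, _ = ES_SETTINGS[name]
        if reg_type == "REG_MULTI_SZ":
            encoded = multi_sz_hex(value)
        elif reg_type == "DWORD":
            encoded = f"dword:{value:08x}"
        else:
            # The table defines these REG_SZ flags as 0 = false, anything else = true.
            encoded = '"1"' if value else '"0"'
        lines.append(f'"{name}"={encoded}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: trust one domain (placeholder name), prefer the local
    # CA, and tighten the degraded-CA threshold to 1000 ms.
    print(render_reg({
        "ConnectToDomains": ["corp.example.com"],
        "PreferLocalCa": True,
        "SubmitLatencyWarningTime": 1000,
    }))
```

Write the output with a UTF-16 encoding if you want it to match what regedit exports, and keep the validation step: an out-of-range SubmitLatencyWarningTime or MaxSubmitRetryTime is rejected before anything is written rather than silently accepted by the import.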
Connection Server Configuration Settings
You can edit View LDAP on View Connection Server to configure a timeout for generating certificates and whether to enable load balancing of certificate requests between enrollment servers (recommended).
To change the advanced configuration settings, you must use ADSI Edit on a View Connection Server host. You can connect by typing in the distinguished name DC=vdi, DC=vmware, DC=int as the connection point, and typing in the server name and port for the computer, localhost:389. Expand OU=Properties, select OU=Global, and double-click CN=Common in the right pane.
You can then edit the pae-NameValuePair attribute to add one or more of the values listed in the following table. You must use the syntax name=value when adding values.
Table 5-7. Advanced True SSO Settings for Connection Servers

cs-view-certsso-enable-es-loadbalance=[true|false]
    Specifies whether to enable load balancing of CSR requests between two enrollment servers. The default is false.
    For example, add cs-view-certsso-enable-es-loadbalance=true to enable load balancing so that when certificate requests arrive, the connection server uses alternate enrollment servers. Each enrollment server can service the requests using the local CA, if you have the enrollment server and CA on the same host.

cs-view-certsso-certgen-timeout-sec=number
    Amount of time to wait for generating a certificate after receiving a CSR, in seconds. The default is 35.
Identify an AD User That Does not Have an AD UPN
You can configure LDAP URL filters for Connection Server to identify an AD user that does not have an AD UPN.
You must use ADAM ADSI Edit on a Connection Server host. You can connect by typing in the distinguished name DC=vdi, DC=vmware, DC=int. Expand OU=Properties, and select OU=Authenticator.
You can then edit the pae-LDAPURLList attribute to add an LDAP URL filter.
For example, add the following filter:
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=ldap:///???(telephoneNumber=$NAMEID)
Connection Server uses the following default LDAP URL filters:
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=ldap:///???(&(objectCategory=user)(objectclass=user)(sAMAccountName=$NAMEID)) ldap:///???(&(objectCategory=group)(objectclass=group)(sAMAccountName=$NAMEID))
    urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified=ldap:///???(&(objectCategory=user)(objectclass=user)(sAMAccountName=$NAMEID)) ldap:///???(&(objectCategory=group)(objectclass=group)(sAMAccountName=$NAMEID))
If you configure an LDAP URL filter, Connection Server uses this LDAP URL filter and does not use the default LDAP URL filter to identify the user.
Examples of identifiers that you can use for SAML authentication for an AD user that does not have an AD UPN:
- "cn"
- "mail"
- "description"
- "givenName"
- "sn"
- "canonicalName"
- "sAMAccountName"
- "member"
- "memberOf"
- "distinguishedName"
- "telephoneNumber"
- "primaryGroupID"
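Each pae-LDAPURLList entry pairs a SAML NameID-format URN with one or more LDAP URLs whose filter part carries the $NAMEID placeholder. The following Python module is an added example, not Connection Server code: it parses entries in the syntax shown above (the default filters are embedded as sample input), validates each LDAP URL against the RFC 4516 shape, and substitutes the NameID after escaping it per RFC 4515 so that characters such as *, ( and ) in an assertion cannot alter the filter structure. The escaping is this example's own defensive choice; the page does not describe how Connection Server performs the substitution, and the function names are assumptions.

```python
"""Parse pae-LDAPURLList entries and resolve the $NAMEID placeholder.

Added example, not Connection Server code. It models the entry syntax shown
above: a SAML NameID-format URN, "=", then one or more RFC 4516 LDAP URLs
(ldap:///???filter) whose filter contains $NAMEID. The substituted NameID is
escaped per RFC 4515, which is this example's own defensive choice; the page
does not describe how Connection Server performs the substitution.
"""
import re
from urllib.parse import unquote

NAMEID_PLACEHOLDER = "$NAMEID"
SAML11_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SAML20_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"

# Sample input: the default filters listed above, as they appear in pae-LDAPURLList.
DEFAULT_LDAP_URL_LIST = [
    SAML11_UNSPECIFIED + "=ldap:///???(&(objectCategory=user)(objectclass=user)(sAMAccountName=$NAMEID))"
    " ldap:///???(&(objectCategory=group)(objectclass=group)(sAMAccountName=$NAMEID))",
    SAML20_UNSPECIFIED + "=ldap:///???(&(objectCategory=user)(objectclass=user)(sAMAccountName=$NAMEID))"
    " ldap:///???(&(objectCategory=group)(objectclass=group)(sAMAccountName=$NAMEID))",
]

# ldap://host/dn?attributes?scope?filter (RFC 4516); only the filter part is used here.
_LDAP_URL_RE = re.compile(r"ldap://[^/\s]*/[^?\s]*\?[^?\s]*\?[^?\s]*\?(\S+)")


def escape_filter_value(value):
    """Escape an attribute value for use inside an LDAP search filter (RFC 4515):
    '*', '(', ')', '\\', control bytes and non-ASCII bytes become \\xx sequences."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x20 or byte > 0x7e or ch in "*()\\":
            out.append("\\%02x" % byte)
        else:
            out.append(ch)
    return "".join(out)


def parse_ldap_url_list(entries):
    """Return {nameid_format_urn: [filter_template, ...]} from pae-LDAPURLList values."""
    table = {}
    for entry in entries:
        urn, sep, urls = entry.partition("=")
        if not sep or not urn.startswith("urn:oasis:names:tc:SAML:"):
            raise ValueError(f"malformed pae-LDAPURLList entry: {entry!r}")
        templates = []
        for url in urls.split():
            m = _LDAP_URL_RE.fullmatch(url)
            if not m or NAMEID_PLACEHOLDER not in m.group(1):
                raise ValueError(f"expected an LDAP URL containing $NAMEID: {url!r}")
            templates.append(unquote(m.group(1)))
        if not templates:
            raise ValueError(f"no LDAP URL in entry: {entry!r}")
        table[urn] = templates
    return table


def resolve_filters(table, nameid_format, nameid):
    """Return the concrete search filters for one SAML NameID, tried in order."""
    safe = escape_filter_value(nameid)
    return [t.replace(NAMEID_PLACEHOLDER, safe) for t in table[nameid_format]]
```

Running resolve_filters over the default table with the NameID jdoe yields the user filter first and the group filter second; a NameID consisting only of "*" resolves to sAMAccountName=\2a, a literal asterisk rather than a wildcard match.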
Using the System Health Dashboard to Troubleshoot Issues Related to True SSO
You can use the system health dashboard in View Administrator to quickly see problems that might affect the operation of the True SSO feature.
For end users, if True SSO stops working, when the system attempts to log the user in to the remote desktop or application, the user sees the following message: "The user name or password is incorrect." After the user clicks OK, the user is taken to the login screen. On the Windows login screen the user sees an extra tile labeled VMware SSO User. If the user has the Active Directory credentials for an entitled user, the user can log in with AD credentials.
The system health dashboard in the top-left portion of the View Administrator display contains a couple of items that pertain to True SSO.
Note The True SSO feature provides information to the dashboard only once per minute. Click the refresh icon in the upper-right corner to refresh the information immediately.
- You can click to expand View Components > True SSO to see a list of the domains that are using True SSO.
  You can click a domain name to see the following information: a list of enrollment servers configured for that domain, a list of enterprise certificate authorities, the name of the certificate template being used, and the status. If there is a problem, the Status field explains what it is.
  To change any of the configuration settings shown in the True SSO Domain Details dialog box, use the vdmutil command-line interface to edit the True SSO connector. For more information, see Commands for Managing Connectors.
- You can click to expand Other Components > SAML 2.0 Authenticators to see a list of the SAML authenticators that have been created for delegating authentication to VMware Identity Manager instances. You can click the authenticator name to examine the details and status.
Note In order for True SSO to be used, the global setting for SSO must be enabled. In View Administrator, select Configuration > Global Settings, and verify that Single sign-on (SSO) is set to Enabled.
Table 5-8. Broker to Enrollment Server Connection Status

"Failed to fetch True SSO health information."
    The dashboard is unable to retrieve the health information from the broker.

"The <FQDN> enrollment server cannot be contacted by the True SSO configuration service."
    In a POD, one of the brokers is elected to send the configuration information to all enrollment servers used by the POD. This broker will refresh the enrollment server configuration once every minute. This message is displayed if the configuration task has failed to update the enrollment server. For additional information, see the table for Enrollment Server Connectivity.

"The <FQDN> enrollment server cannot be contacted to manage sessions on this connection server."
    The current broker is unable to connect to the enrollment server. This status is only displayed for the broker that your browser is pointing to. If there are multiple brokers in the pod, you need to change your browser to point to the other brokers in order to check their status. For additional information, see the table for Enrollment Server Connectivity.
Table 5-9. Enrollment Server Connectivity

"This domain <Domain Name> does not exist on the <FQDN> enrollment server."
    The True SSO connector has been configured to use this enrollment server for this domain, but the enrollment server has not yet been configured to connect to this domain. If the state remains for longer than one minute, you need to check the state of the broker currently responsible for refreshing the enrollment configuration.

"The <FQDN> enrollment server's connection to the domain <Domain Name> is still being established."
    The enrollment server has not been able to connect to a domain controller in this domain. If this state remains for longer than a minute, you might have to verify that name resolution from the enrollment server to the domain is correct, and that there is network connectivity between the enrollment server and the domain.

"The <FQDN> enrollment server's connection to the domain <Domain Name> is stopping or in a problematic state."
    The enrollment server has connected to a domain controller in the domain, but it has not been able to read the PKI information from the domain controller. If this happens, then there is likely a problem with the actual domain controller. This issue can also happen if DNS is not configured correctly. Check the log file on the enrollment server to see what domain controller the enrollment server is trying to use, and verify that the domain controller is fully operational.

"The <FQDN> enrollment server has not yet read the enrollment properties from a domain controller."
    This state is transitional, and is only displayed during startup of the enrollment server, or when a new domain has been added to the environment. This state usually lasts less than one minute. If this state lasts longer than a minute, either the network is extremely slow, or there is an issue causing difficulties accessing the domain controller.

"The <FQDN> enrollment server has read the enrollment properties at least once, but has not been able to reach a domain controller for some time."
    As long as the enrollment server reads the PKI configuration from a domain controller, it keeps polling for changes once every two minutes. This status will be set if the domain controller (DC) has been unreachable for a short period of time. Typically this inability to contact the DC might mean the enrollment server cannot detect any changes in PKI configuration. As long as the certificate servers can still access a domain controller, certificates can still be issued.

"The <FQDN> enrollment server has read the enrollment properties at least once but either has not been able to reach a domain controller for an extended time or another issue exists."
    If the enrollment server has not been able to reach the domain controller for an extended period, then this state is displayed. The enrollment server will then try to discover an alternative domain controller for this domain. If a certificate server can still access a domain controller, then certificates can still be issued, but if this state remains for more than one minute, it means the enrollment server has lost access to all domain controllers for the domain, and it is likely that certificates can no longer be issued.
Table 5-10. Enrollment Certificate Status

"A valid enrollment certificate for this domain's <domain name> forest is not installed on the <FQDN> enrollment server, or it may have expired"
    No enrollment certificate for this domain has been installed, or the certificate is invalid or has expired. The enrollment certificate must be issued by an enterprise CA that is trusted by the forest this domain is a member of. Verify that you have completed the steps in the View Administration document, which describes how to install the enrollment certificate on the enrollment server. You can also open the MMC certificate management snap-in for the local computer store, open the Personal certificate container, and verify that the certificate is installed and that it is valid. You can also open the enrollment server log file. The enrollment server will log additional information about the state of any certificate it located.
Table 5-11. Certificate Template Status

"The template <name> does not exist on the <FQDN> enrollment server domain."
    Check that you specified the correct template name.

"Certificates generated by this template can NOT be used to log on to Windows."
    This template does not have the smart card usage enabled and data signing enabled. Check that you specified the correct template name. Verify that you have completed the steps described in Create Certificate Templates Used with True SSO.

"The template <name> is smartcard logon enabled, but cannot be used."
    This template is enabled for smart card logon, but the template cannot be used with True SSO. Check that you specified the correct template name, and verify that you have gone through the steps described in Create Certificate Templates Used with True SSO. You can also check the enrollment server log file, since it will log what setting in the template is preventing it from being used for True SSO.
Table 5-12. Certificate Server Configuration Status

"The certificate server <CN of CA> does not exist in the domain."
    Verify that you specified the correct name for the CA. You must specify the Common Name (CN).

"The certificate is not in the NTAuth (Enterprise) store."
    This CA is not an enterprise CA or its CA certificate has not been added to the NTAUTH store. If this CA is not a member of the forest, you must manually add the CA certificate to the NTAUTH store of this forest.
Table 5-13. Certificate Server Connection Status

"The <FQDN> enrollment server is not connected to the certificate server <CN of CA>."
    The enrollment server is not connected to the certificate server. This state might be a transitional state if the enrollment server just started, or if the CA was recently added to a True SSO connector. If the state remains for longer than one minute, it means that the enrollment server failed to connect to the CA. Validate that name resolution is working correctly, that you have network connectivity to the CA, and that the system account for the enrollment server has permission to access the CA.

"The <FQDN> enrollment server has connected to the certificate server <CN of CA>, but the certificate server is in a degraded state"
    This state is displayed if the CA is slow at issuing certificates. If the CA remains in this state, check the load of the CA or the domain controllers used by the CA.
    Note If the CA has been marked as slow, it will retain this state until at least one certificate request has been completed successfully, and that certificate was issued within a normal time frame.

"The <FQDN> enrollment server can connect to the certificate server <CN of CA>, but the service is unavailable."
    This state is issued if the enrollment server has an active connection to the CA but it is unable to issue certificates. This state is typically a transitional state. If the CA does not become available quickly, the state will be changed to disconnected.
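The degraded state described in the table above and in the SubmitLatencyWarningTime row of Table 5-6 follows two rules: a CA is marked degraded when the last three completed certificate requests all exceed the threshold, and it keeps that mark until one request completes successfully within a normal time. The following Python model is an added example, not enrollment server code, that implements exactly those two rules; the 1500 ms default and the 500-5000 range come from Table 5-6, and the class and method names are assumptions.

```python
"""Model of the CA "degraded" status logic described for
SubmitLatencyWarningTime in Table 5-6 and for the certificate server
connection status in Table 5-13.

Added example, not enrollment server code. It keeps the latencies of the
last three completed certificate requests; when all three exceed the
warning threshold the CA is marked degraded, and the mark is cleared only
by a successful request issued within the threshold. The 1500 ms default
and 500-5000 range come from Table 5-6; the class and method names are
assumptions.
"""
from collections import deque


class CaHealth:
    WINDOW = 3  # "the last three certificate requests"

    def __init__(self, ca_cn, submit_latency_warning_ms=1500):
        if not 500 <= submit_latency_warning_ms <= 5000:
            raise ValueError("SubmitLatencyWarningTime must be 500-5000 ms")
        self.ca_cn = ca_cn
        self.threshold_ms = submit_latency_warning_ms
        self.recent_ms = deque(maxlen=self.WINDOW)
        self.degraded = False

    def record_request(self, latency_ms, succeeded=True):
        """Record one certificate request and return the updated degraded flag.
        A failed request carries no issuance time, so it neither marks nor
        clears the degraded state."""
        if not succeeded:
            return self.degraded
        self.recent_ms.append(latency_ms)
        if self.degraded:
            # A slow CA stays marked until one request completes in normal time.
            if latency_ms <= self.threshold_ms:
                self.degraded = False
        elif (len(self.recent_ms) == self.WINDOW
              and all(ms > self.threshold_ms for ms in self.recent_ms)):
            self.degraded = True
        return self.degraded

    def status_text(self, es_fqdn):
        """Dashboard wording from Table 5-13 for the degraded case, or None
        when no warning applies."""
        if self.degraded:
            return (f"The {es_fqdn} enrollment server has connected to the certificate "
                    f"server {self.ca_cn}, but the certificate server is in a degraded state")
        return None
```

Because three consecutive slow requests are required, a single slow request from a CA that has been idle for a few hours (the case the table mentions) does not trigger the warning, while a CA that is persistently slow does, and stays flagged until it issues one certificate within the threshold.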
6 Configuring Role-Based Delegated Administration
One key management task in a View environment is to determine who can use View Administrator and what tasks those users are authorized to perform. With role-based delegated administration, you can selectively assign administrative rights by assigning administrator roles to specific Active Directory users and groups.
This section includes the following topics:
- Understanding Roles and Privileges
- Using Access Groups to Delegate Administration of Pools and Farms
- Understanding Permissions
- Manage Administrators
- Manage and Review Permissions
- Manage and Review Access Groups
- Manage Custom Roles
- Predefined Roles and Privileges
- Required Privileges for Common Tasks
- Best Practices for Administrator Users and Groups
Understanding Roles and Privileges
The ability to perform tasks in View Administrator is governed by an access control system that consists
of administrator roles and privileges. This system is similar to the vCenter Server access control system.
An administrator role is a collection of privileges. Privileges grant the ability to perform specific actions,
such as entitling a user to a desktop pool. Privileges also control what an administrator can see in View
Administrator. For example, if an administrator does not have privileges to view or modify global policies,
the Global Policies setting is not visible in the navigation panel when the administrator logs in to View
Administrator.
Administrator privileges are either global or object-specific. Global privileges control system-wide
operations, such as viewing and changing global settings. Object-specific privileges control operations on
specific types of objects.
Administrator roles typically combine all of the individual privileges required to perform a higher-level
administration task. View Administrator includes predefined roles that contain the privileges required to
perform common administration tasks. You can assign these predefined roles to your administrator users
and groups, or you can create your own roles by combining selected privileges. You cannot modify the
predefined roles.
To create administrators, you select users and groups from your Active Directory users and groups and
assign administrator roles. Administrators obtain privileges through their role assignments. You cannot
assign privileges directly to administrators. An administrator that has multiple role assignments acquires
the sum of all the privileges contained in those roles.
Using Access Groups to Delegate Administration of Pools and Farms
By default, automated desktop pools, manual desktop pools, and farms are created in the root access
group, which appears as / or Root(/) in View Administrator. RDS desktop pools and application pools
inherit their farm's access group. You can create access groups under the root access group to delegate
the administration of specific pools or farms to different administrators.
Note You cannot change the access group of an RDS desktop pool or an application pool directly. You
must change the access group of the farm that the RDS desktop pool or the application pool belongs to.
A virtual or physical machine inherits the access group from its desktop pool. An attached persistent disk
inherits the access group from its machine. You can have a maximum of 100 access groups, including the
root access group.
You configure administrator access to the resources in an access group by assigning a role to an
administrator on that access group. Administrators can access the resources that reside only in access
groups for which they have assigned roles. The role that an administrator has on an access group
determines the level of access that the administrator has to the resources in that access group.
Because roles are inherited from the root access group, an administrator that has a role on the root
access group has that role on all access groups. Administrators who have the Administrators role on the
root access group are super administrators because they have full access to all of the objects in the
system.
A role must contain at least one object-specific privilege to apply to an access group. Roles that contain
only global privileges cannot be applied to access groups.
You can use View Administrator to create access groups and to move existing desktop pools to access
groups. When you create an automated desktop pool, a manual pool, or a farm, you can accept the
default root access group or select a different access group.
Note If you intend to provide access to your desktops and applications through
VMware Identity Manager, verify that you create the desktop and application pools as a user who has the
Administrators role on the root access group in Horizon Administrator. If you give the user the
Administrators role on an access group other than the root access group, VMware Identity Manager will
not recognize the SAML authenticator you configure in Horizon 7, and you cannot configure the pool in
VMware Identity Manager.
- Different Administrators for Different Access Groups
  You can create a different administrator to manage each access group in your configuration.
- Different Administrators for the Same Access Group
  You can create different administrators to manage the same access group.
Dierent Administrators for Dierent Access Groups
You can create a different administrator to manage each access group in your configuration.
For example, if your corporate desktop pools are in one access group and your desktop pools for
software developers are in another access group, you can create different administrators to manage the
resources in each access group.
Table 6-1 shows an example of this type of configuration.
Table 6-1. Different Administrators for Different Access Groups
Administrator            Role                       Access Group
view-domain.com\Admin1   Inventory Administrators   /CorporateDesktops
view-domain.com\Admin2   Inventory Administrators   /DeveloperDesktops
In this example, the administrator called Admin1 has the Inventory Administrators role on the access
group called CorporateDesktops and the administrator called Admin2 has the Inventory Administrators
role on the access group called DeveloperDesktops.
Dierent Administrators for the Same Access Group
You can create different administrators to manage the same access group.
For example, if your corporate desktop pools are in one access group, you can create one administrator
that can view and modify those pools and another administrator that can only view them.
Table 6-2 shows an example of this type of configuration.
Table 6-2. Different Administrators for the Same Access Group
Administrator            Role                                   Access Group
view-domain.com\Admin1   Inventory Administrators               /CorporateDesktops
view-domain.com\Admin2   Inventory Administrators (Read only)   /CorporateDesktops
In this example, the administrator called Admin1 has the Inventory Administrators role on the access
group called CorporateDesktops and the administrator called Admin2 has the Inventory Administrators
(Read only) role on the same access group.
Understanding Permissions
View Administrator presents the combination of a role, an administrator user or group, and an access
group as a permission. The role defines the actions that can be performed, the user or group indicates
who can perform the action, and the access group contains the objects that are the target of the action.
Permissions appear differently in View Administrator depending on whether you select an administrator
user or group, an access group, or a role.
Table 6-3 shows how permissions appear in View Administrator when you select an administrator user or group. The administrator user is called Admin 1 and it has two permissions.
Table 6-3. Permissions on the Administrators and Groups Tab for Admin 1
Role                         Access Group
Inventory Administrators     MarketingDesktops
Administrators (Read only)   /
The first permission shows that Admin 1 has the Inventory Administrators role on the access group called
MarketingDesktops. The second permission shows that Admin 1 has the Administrators (Read only)
role on the root access group.
Table 6-4 shows how the same permissions appear in View Administrator when you select the MarketingDesktops access group.
Table 6-4. Permissions on the Folders Tab for MarketingDesktops
Admin                    Role                         Inherited
view-domain.com\Admin1   Inventory Administrators
view-domain.com\Admin1   Administrators (Read only)   Yes
The first permission is the same as the first permission shown in Table 6-3. The second permission is inherited from the second permission shown in Table 6-3. Because access groups inherit permissions from the root access group, Admin1 has the Administrators (Read only) role on the MarketingDesktops access group. When a permission is inherited, Yes appears in the Inherited column.
Table 6-5 shows how the first permission in Table 6-3 appears in View Administrator when you select the Inventory Administrators role.
Table 6-5. Permissions on the Role Tab for Inventory Administrators
Administrator            Access Group
view-domain.com\Admin1   /MarketingDesktops
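The rules in this chapter (permissions on the root access group are inherited by every access group, a role made only of global privileges cannot be applied to an access group, an administrator with several roles holds the sum of their privileges, and the last super administrator cannot be removed) can be captured in a small model. The following Python module is an added example, not VMware code; it reproduces the Admin1 permissions from the tables above, but the privilege names inside its sample roles are constructed placeholders, because this chapter does not list what the predefined roles contain.

```python
"""Model of role-based delegated administration as described in this chapter:
roles, global and object-specific privileges, access groups, permissions and
inheritance from the root access group.

Added example, not VMware code. The rules modelled come from the text; the
privilege names inside the sample roles are constructed placeholders.
"""
from dataclasses import dataclass

ROOT = "/"


@dataclass(frozen=True)
class Privilege:
    name: str
    object_specific: bool  # False means a global privilege


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset

    def applies_to_access_group(self):
        """Only roles that contain at least one object-specific privilege
        can be applied to an access group."""
        return any(p.object_specific for p in self.privileges)


@dataclass(frozen=True)
class Permission:
    administrator: str
    role: Role
    access_group: str


class DelegatedAdministration:
    def __init__(self):
        self.permissions = []

    def add_permission(self, administrator, role, access_group=ROOT):
        if access_group != ROOT and not role.applies_to_access_group():
            raise ValueError(f"{role.name} has only global privileges and "
                             f"cannot be applied to {access_group}")
        self.permissions.append(Permission(administrator, role, access_group))

    def permissions_on_group(self, access_group):
        """Rows as shown on an access group's permissions tab:
        (administrator, role name, inherited). Permissions granted on the root
        access group are inherited by every other access group."""
        rows = []
        for p in self.permissions:
            if p.access_group == access_group:
                rows.append((p.administrator, p.role.name, False))
            elif p.access_group == ROOT:
                rows.append((p.administrator, p.role.name, True))
        return rows

    def effective_privileges(self, administrator, access_group):
        """Sum of the privileges of every role the administrator holds on the
        access group, directly or by inheritance from root."""
        privileges = set()
        for p in self.permissions:
            if p.administrator == administrator and p.access_group in (ROOT, access_group):
                privileges |= p.role.privileges
        return privileges

    def super_administrators(self):
        """Administrators holding the Administrators role on the root access group."""
        return {p.administrator for p in self.permissions
                if p.role.name == "Administrators" and p.access_group == ROOT}

    def can_remove_administrator(self, administrator):
        """The last super administrator in the system cannot be removed."""
        supers = self.super_administrators()
        return administrator not in supers or len(supers) > 1

    def remove_administrator(self, administrator):
        if not self.can_remove_administrator(administrator):
            raise ValueError("cannot remove the last super administrator")
        self.permissions = [p for p in self.permissions if p.administrator != administrator]


# Constructed sample roles; the privilege names are placeholders, not the
# real contents of the predefined roles.
MANAGE_INVENTORY = Privilege("Manage inventory (placeholder)", True)
VIEW_INVENTORY = Privilege("View inventory (placeholder)", True)
MANAGE_GLOBAL = Privilege("Manage global configuration (placeholder)", False)
VIEW_GLOBAL = Privilege("View global configuration (placeholder)", False)

ADMINISTRATORS = Role("Administrators", frozenset({MANAGE_INVENTORY, MANAGE_GLOBAL}))
ADMINISTRATORS_RO = Role("Administrators (Read only)", frozenset({VIEW_INVENTORY, VIEW_GLOBAL}))
INVENTORY_ADMINISTRATORS = Role("Inventory Administrators", frozenset({MANAGE_INVENTORY}))
GLOBAL_ONLY = Role("Global-only role (placeholder)", frozenset({MANAGE_GLOBAL}))
```

Granting Admin1 Inventory Administrators on /MarketingDesktops and Administrators (Read only) on the root reproduces Table 6-4: permissions_on_group("/MarketingDesktops") returns the direct permission first and the inherited one flagged as inherited, and the same root permission also shows up on any other access group.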
Manage Administrators
Users who have the Administrators role can use View Administrator to add and remove administrator
users and groups.
The Administrators role is the most powerful role in View Administrator. Initially, members of the View
Administrators account are given the Administrators role. You specify the View Administrators account
when you install View Connection Server. The View Administrators account can be the local
Administrators group (BUILTIN\Administrators) on the View Connection Server computer or a domain
user or group account.
Note: By default, the Domain Admins group is a member of the local Administrators group. If you
specified the View Administrators account as the local Administrators group, and you do not want domain
administrators to have full access to inventory objects and View configuration settings, you must remove
the Domain Admins group from the local Administrators group.
- Create an Administrator
  To create an administrator, you select a user or group from your Active Directory users and groups in
  Horizon Administrator and assign an administrator role.
- Remove an Administrator
  You can remove an administrator user or group. You cannot remove the last super administrator in
  the system. A super administrator is an administrator that has the Administrators role on the root
  access group.
Create an Administrator
To create an administrator, you select a user or group from your Active Directory users and groups in
Horizon Administrator and assign an administrator role.
Prerequisites
- Become familiar with the predefined administrator roles. See Predefined Roles and Privileges.
- Become familiar with the best practices for creating administrator users and groups. See Best
  Practices for Administrator Users and Groups.
- To assign a custom role to the administrator, create the custom role. See Add a Custom Role.
- To create an administrator that can manage specific desktop pools, create an access group and move
  the desktop pools to that access group. See Manage and Review Access Groups.
Procedure
1. In Horizon Administrator, select View Configuration > Administrators.
2. On the Administrators and Groups tab, click Add User or Group.
3. Click Add, select one or more search criteria, and click Find to filter Active Directory users or groups
   based on your search criteria.
4. Select the Active Directory user or group that you want to be an administrator user or group, click OK
   and click Next.
You can press the Ctrl and Shift keys to select multiple users and groups.
5. Select a role to assign to the administrator user or group.
The Applies to an access group column indicates whether a role applies to access groups. Only roles
that contain object-specific privileges apply to access groups. Roles that contain only global privileges
do not apply to access groups.
   Option: The role you selected applies to access groups
     Action: Select one or more access groups and click Next.
   Option: You want the role to apply to all access groups
     Action: Select the root access group and click Next.
6. Click Finish to create the administrator user or group.
The new administrator user or group appears in the left pane and the role and access group that you
selected appear in the right pane on the Administrators and Groups tab.
Remove an Administrator
You can remove an administrator user or group. You cannot remove the last super administrator in the
system. A super administrator is an administrator that has the Administrators role on the root access
group.
Procedure
1. In View Administrator, select View Configuration > Administrators.
2. On the Administrators and Groups tab, select the administrator user or group, click Remove User
   or Group, and click OK.
The administrator user or group no longer appears on the Administrators and Groups tab.
Manage and Review Permissions
You can use View Administrator to add, delete, and review permissions for specific administrator users
and groups, for specific roles, and for specific access groups.
- Add a Permission
  You can add a permission that includes a specific administrator user or group, a specific role, or a
  specific access group.
- Delete a Permission
  You can delete a permission that includes a specific administrator user or group, a specific role, or a
  specific access group.
- Review Permissions
  You can review the permissions that include a specific administrator or group, a specific role, or a
  specific access group.
Add a Permission
You can add a permission that includes a specific administrator user or group, a specific role, or a specific
access group.
Procedure
1. In Horizon Administrator, select View Configuration > Administrators.
2. Create the permission.
   Option: Create a permission that includes a specific administrator user or group
     a. On the Administrators and Groups tab, select the administrator or group and click Add Permission.
     b. Select a role.
     c. If the role does not apply to access groups, click Finish.
     d. If the role applies to access groups, click Next, select one or more access groups, and click Finish.
        A role must contain at least one object-specific privilege to apply to an access group.
   Option: Create a permission that includes a specific role
     a. On the Roles tab, select the role, click Permissions, and click Add Permission.
     b. Click Add, select one or more search criteria, and click Find to find administrator users or groups
        that match your search criteria.
     c. Select an administrator user or group to include in the permission and click OK. You can press the
        Ctrl and Shift keys to select multiple users and groups.
     d. If the role does not apply to access groups, click Finish.
     e. If the role applies to access groups, click Next, select one or more access groups, and click Finish.
        A role must contain at least one object-specific privilege to apply to an access group.
   Option: Create a permission that includes a specific access group
     a. On the Access Groups tab, select the access group and click Add Permission.
     b. Click Add, select one or more search criteria, and click Find to find administrator users or groups
        that match your search criteria.
     c. Select an administrator user or group to include in the permission and click OK. You can press the
        Ctrl and Shift keys to select multiple users and groups.
     d. Click Next, select a role, and click Finish. A role must contain at least one object-specific
        privilege to apply to an access group.
Delete a Permission
You can delete a permission that includes a specific administrator user or group, a specific role, or a
specific access group.
If you remove the last permission for an administrator user or group, that administrator user or group is
also removed. Because at least one administrator must have the Administrators role on the root access
group, you cannot remove a permission that would cause that administrator to be removed. You cannot
delete an inherited permission.
Procedure
1. In View Administrator, select View Configuration > Administrators.
2. Select the permission to delete.
   Option: Delete a permission that applies to a specific administrator or group
     Action: Select the administrator or group on the Administrators and Groups tab.
   Option: Delete a permission that applies to a specific role
     Action: Select the role on the Roles tab.
   Option: Delete a permission that applies to a specific access group
     Action: Select the folder on the Access Groups tab.
3. Select the permission and click Delete Permission.
Review Permissions
You can review the permissions that include a specific administrator or group, a specific role, or a specific
access group.
Procedure
1. Select View Configuration > Administrators.
2. Review the permissions.
   Option: Review the permissions that include a specific administrator or group
     Action: Select the administrator or group on the Administrators and Groups tab.
   Option: Review the permissions that include a specific role
     Action: Select the role on the Roles tab and click Permissions.
   Option: Review the permissions that include a specific access group
     Action: Select the folder on the Access Groups tab.
Manage and Review Access Groups
You can use View Administrator to add and delete access groups and to review the desktop pools and
machines in a particular access group.
- Add an Access Group
  You can delegate the administration of specific machines, desktop pools, or farms to different
  administrators by creating access groups. By default, desktop pools, application pools, and farms
  reside in the root access group.
- Move a Desktop Pool or a Farm to a Different Access Group
  After you create an access group, you can move automated desktop pools, manual pools, or farms
  to the new access group.
- Remove an Access Group
  You can remove an access group if it does not contain any object. You cannot remove the root
  access group.
- Review the Desktop Pools, Application Pools, or Farms in an Access Group
  You can see the desktop pools, the application pools, or the farms in a particular access group in
  View Administrator.
- Review the vCenter Virtual Machines in an Access Group
  You can see the vCenter virtual machines in a particular access group in View Administrator. A
  vCenter virtual machine inherits the access group from its pool.
Add an Access Group
You can delegate the administration of specific machines, desktop pools, or farms to different
administrators by creating access groups. By default, desktop pools, application pools, and farms reside
in the root access group.
You can have a maximum of 100 access groups, including the root access group.
Procedure
1. In View Administrator, navigate to the Add Access Group dialog box.
   From Catalog:
     - Select Catalog > Desktop Pools.
     - From the Access Group drop-down menu in the top window pane, select New Access Group.
   From Resources:
     - Select Resources > Farms.
     - From the Access Group drop-down menu in the top window pane, select New Access Group.
   From View Configuration:
     - Select View Configuration > Administrators.
     - From the Access Groups tab, select Add Access Group.
2. Type a name and description for the access group and click OK.
The description is optional.
What to do next
Move one or more objects to the access group.
Move a Desktop Pool or a Farm to a Dierent Access Group
After you create an access group, you can move automated desktop pools, manual pools, or farms to the
new access group.
Procedure
1. In View Administrator, select Catalog > Desktop Pools or Resources > Farms.
2. Select a pool or a farm.
3. Select Change Access Group from the Access Group drop-down menu in the top window pane.
4. Select the access group and click OK.
View Administrator moves the pool to the access group that you selected.
Remove an Access Group
You can remove an access group if it does not contain any object. You cannot remove the root access
group.
Prerequisites
If the access group contains objects, move the objects to another access group or to the root access
group. See Move a Desktop Pool or a Farm to a Different Access Group.
Procedure
1. In Horizon Administrator, select View Configuration > Administrators.
2. On the Access Groups tab, select the access group and click Remove Access Group.
3. Click OK to remove the access group.
Review the Desktop Pools, Application Pools, or Farms in an
Access Group
You can see the desktop pools, the application pools, or the farms in a particular access group in View
Administrator.
Procedure
1. In View Administrator, navigate to the main page for the objects.
   Desktop Pools: Select Catalog > Desktop Pools.
   Application Pools: Select Catalog > Application Pools.
   Farms: Select Resources > Farms.
By default, the objects in all access groups are displayed.
2. Select an access group from the Access Group drop-down menu in the main window pane.
The objects in the access group that you selected are displayed.
Review the vCenter Virtual Machines in an Access Group
You can see the vCenter virtual machines in a particular access group in View Administrator. A vCenter
virtual machine inherits the access group from its pool.
Procedure
1. In View Administrator, select Resources > Machines.
2. Select the vCenter VMs tab.
   By default, the vCenter virtual machines in all access groups are displayed.
3. Select an access group from the Access Group drop-down menu.
The vCenter virtual machines in the access group that you selected are displayed.
Manage Custom Roles
You can use View Administrator to add, modify, and delete custom roles.
- Add a Custom Role
  If the predefined administrator roles do not meet your needs, you can combine specific privileges to
  create your own roles in View Administrator.
- Modify the Privileges in a Custom Role
  You can modify the privileges in a custom role. You cannot modify the predefined administrator
  roles.
- Remove a Custom Role
  You can remove a custom role if it is not included in a permission. You cannot remove the
  predefined administrator roles.
Add a Custom Role
If the predefined administrator roles do not meet your needs, you can combine specific privileges to
create your own roles in View Administrator.
Prerequisites
Familiarize yourself with the administrator privileges that you can use to create custom roles. See
Predefined Roles and Privileges.
Procedure
1. In Horizon Administrator, select View Configuration > Administrators.
2. On the Roles tab, click Add Role.
3. Type a name and description for the new role, select one or more privileges, and click OK.
The new role appears in the left pane.
Modify the Privileges in a Custom Role
You can modify the privileges in a custom role. You cannot modify the predefined administrator roles.
Prerequisites
Familiarize yourself with the administrator privileges that you can use to create custom roles. See
Predefined Roles and Privileges.
Procedure
1. In Horizon Administrator, select View Configuration > Administrators.
2. On the Roles tab, select the role.
3. Click Privileges to display the privileges in the role and click Edit.
4. Select or deselect privileges.
5. Click OK to save your changes.
Remove a Custom Role
You can remove a custom role if it is not included in a permission. You cannot remove the predefined
administrator roles.
Prerequisites
If the role is included in a permission, delete the permission. See Delete a Permission.
Procedure
1. In Horizon Administrator, select View Configuration > Administrators.
2. On the Roles tab, select the role and click Remove Role.
   The Remove Role button is not available for predefined roles or for custom roles that are included in
   a permission.
3. Click OK to remove the role.
Predefined Roles and Privileges
View Administrator includes predefined roles that you can assign to your administrator users and groups.
You can also create your own administrator roles by combining selected privileges.
- Predefined Administrator Roles
  The predefined administrator roles combine all of the individual privileges required to perform
  common administration tasks. You cannot modify the predefined roles.
- Global Privileges
  Global privileges control system-wide operations, such as viewing and changing global settings.
  Roles that contain only global privileges cannot be applied to access groups.
- Object-Specific Privileges
  Object-specific privileges control operations on specific types of inventory objects. Roles that contain
  object-specific privileges can be applied to access groups.
- Internal Privileges
  Some of the predefined administrator roles contain internal privileges. You cannot select internal
  privileges when you create custom roles.
Predefined Administrator Roles
The predefined administrator roles combine all of the individual privileges required to perform common
administration tasks. You cannot modify the predefined roles.
Table 6-6 describes the predefined roles and indicates whether a role can be applied to an access group.
Table 6-6. Predefined Roles in Horizon Administrator
Each entry gives the role, the user capabilities, and whether the role applies to an access group.

Administrators (applies to an access group: Yes)
  Perform all administrator operations, including creating additional administrator users and groups. In a
  Cloud Pod Architecture environment, administrators that have this role can configure and manage a pod
  federation and manage remote pod sessions.
  Administrators that have the Administrators role on the root access group are super users because they
  have full access to all of the inventory objects in the system. Because the Administrators role contains all
  privileges, you should assign it to a limited set of users. Initially, members of the local Administrators
  group on your Connection Server host are given this role on the root access group.
  Important: An administrator must have the Administrators role on the root access group to perform the
  following tasks:
  - Add and delete access groups.
  - Manage ThinApp applications and configuration settings in Horizon Administrator.
  - Use the vdmadmin, vdmimport, and lmvutil commands.

Administrators (Read only) (applies to an access group: Yes)
  - View, but not modify, global settings and inventory objects.
  - View, but not modify, ThinApp applications and settings.
  - Run all PowerShell commands and command line utilities, including vdmexport but excluding vdmadmin,
    vdmimport and lmvutil.
  In a Cloud Pod Architecture environment, administrators that have this role can view inventory objects
  and settings in the Global Data Layer. When administrators have this role on an access group, they can
  only view the inventory objects in that access group.

Agent Registration Administrators (applies to an access group: No)
  Register unmanaged machines such as physical systems, standalone virtual machines, and RDS hosts.

Global Configuration and Policy Administrators (applies to an access group: No)
  View and modify global policies and configuration settings except for administrator roles and
  permissions, and ThinApp applications and settings.

Global Configuration and Policy Administrators (Read only) (applies to an access group: No)
  View, but not modify, global policies and configuration settings except for administrator roles and
  permissions, and ThinApp applications and settings.

Help Desk Administrators (applies to an access group: No)
  Perform desktop and application actions such as shutdown, reset, restart, and perform remote
  assistance actions such as end processes for a user's desktop or application.
  - Read-only access to Horizon Help Desk Tool.
  - Manage global sessions.
  - Can log in to Horizon Administrator.
  - Perform all machine and session-related commands.
  - Manage remote processes and applications.
  - Remote assistance to the virtual desktop or published desktop.

Help Desk Administrators (Read Only) (applies to an access group: No)
  View user and session information, and drill down on session details.
  - Read-only access to Horizon Help Desk Tool.
  - Cannot log in to Horizon Administrator.

Inventory Administrators (applies to an access group: Yes)
  - Perform all machine, session, and pool-related operations.
  - Manage persistent disks.
  - Resync, Refresh, and Rebalance linked-clone pools and change the default pool image.
  When administrators have this role on an access group, they can only perform these operations on the
  inventory objects in that access group.

Inventory Administrators (Read only) (applies to an access group: Yes)
  View, but not modify, inventory objects.
  When administrators have this role on an access group, they can only view the inventory objects in that
  access group.

Local Administrators (applies to an access group: Yes)
  Perform all local administrator operations, except for creating additional administrator users and
  groups. In a Cloud Pod Architecture environment, administrators that have this role cannot perform
  operations on the Global Data Layer or manage sessions on remote pods.
  Note: An administrator with the Local Administrators role cannot access Horizon Help Desk Tool.
  Administrators in a non-CPA environment do not have the Manage Global Sessions privilege, which is
  required to perform tasks in Horizon Help Desk Tool.

Local Administrators (Read Only) (applies to an access group: Yes)
  Same as the Administrators (Read Only) role, except for viewing inventory objects and settings in the
  Global Data Layer. Administrators that have this role have read-only rights only on the local pod.
  Note: An administrator with the Local Administrators (Read Only) role cannot access Horizon Help Desk
  Tool. Administrators in a non-CPA environment do not have the Manage Global Sessions privilege, which
  is required to perform tasks in Horizon Help Desk Tool.
Global Privileges
Global privileges control system-wide operations, such as viewing and changing global settings. Roles
that contain only global privileges cannot be applied to access groups.
Table 6-7 describes the global privileges and lists the predefined roles that contain each privilege.
Table 6-7. Global Privileges
Each entry gives the privilege, the user capabilities, and the predefined roles that contain it.

Console Interaction
  Log in to and use View Administrator.
  Predefined roles: Administrators; Administrators (Read only); Inventory Administrators; Inventory
  Administrators (Read only); Global Configuration and Policy Administrators; Global Configuration and
  Policy Administrators (Read only)

Direct Interaction
  Run all PowerShell commands and command line utilities, except for vdmadmin and vdmimport.
  Administrators must have the Administrators role on the root access group to use the vdmadmin,
  vdmimport, and lmvutil commands.
  Predefined roles: Administrators; Administrators (Read only)

Manage Global Configuration and Policies
  View and modify global policies and configuration settings except for administrator roles and
  permissions.
  Predefined roles: Administrators; Global Configuration and Policy Administrators

Manage Global Sessions
  Manage global sessions in a Cloud Pod Architecture environment.
  Predefined roles: Administrators

Manage Roles and Permissions
  Create, modify, and delete administrator roles and permissions.
  Predefined roles: Administrators

Register Agent
  Install Horizon Agent on unmanaged machines, such as physical systems, standalone virtual machines,
  and RDS hosts. During Horizon Agent installation, you must provide your administrator login credentials
  to register the unmanaged machine with the View Connection Server instance.
  Predefined roles: Administrators; Agent Registration Administrators
Object-Specific Privileges
Object-specific privileges control operations on specific types of inventory objects. Roles that contain
object-specific privileges can be applied to access groups.
Table 6-8 describes the object-specific privileges. The predefined roles Administrators and Inventory
Administrators contain all of these privileges.
Table 6-8. Object-Specific Privileges
Privilege | User Capabilities | Object
Enable Farms and Desktop Pools | Enable and disable desktop pools. | Desktop pool, farm
Entitle Desktop and Application Pools | Add and remove user entitlements. | Desktop pool, application pool
Manage Composer Desktop Pool Image | Resync, Refresh, and Rebalance linked-clone pools and change the default pool image. | Desktop pool
Manage Machine | Perform all machine and session-related operations. | Machine
Manage Persistent Disks | Perform all View Composer persistent disk operations, including attaching, detaching, and importing persistent disks. | Persistent disk
Manage Farms and Desktop and Application Pools | Add, modify, and delete farms. Add, modify, delete, and entitle desktop and application pools. Add and remove machines. | Desktop pool, application pool, farm
Manage Sessions | Disconnect and log off sessions and send messages to users. | Session
Manage Reboot Operation | Reset virtual machines or restart virtual desktops. | Machine
Internal Privileges
Some of the predefined administrator roles contain internal privileges. You cannot select internal
privileges when you create custom roles.
Table 6-9 describes the internal privileges and lists the predefined roles that contain each privilege.
Table 6-9. Internal Privileges
Privilege | Description | Predefined Roles
Full (Read only) | Grants read-only access to all settings. | Administrators (Read only)
Manage Inventory (Read only) | Grants read-only access to inventory objects. | Inventory Administrators (Read only)
Manage Global Configuration and Policies (Read only) | Grants read-only access to configuration settings and global policies except for administrators and roles. | Global Configuration and Policy Administrators (Read only)
Required Privileges for Common Tasks
Many common administration tasks require a coordinated set of privileges. Some operations require
permission at the root access group in addition to access to the object that is being manipulated.
Privileges for Managing Pools
An administrator must have certain privileges to manage pools in Horizon Administrator.
Table 6-10 lists common pool management tasks and shows the privileges that are required to perform
each task.
Table 6-10. Pool Management Tasks and Privileges
Task | Required Privileges
Enable or disable a desktop pool | Enable Farms and Desktop Pools
Entitle or unentitle users to a pool | Entitle Desktop and Application Pools
Add a pool | Manage Farms and Desktop and Application Pools
Modify or delete a pool | Manage Farms and Desktop and Application Pools
Add or remove desktops from a pool | Manage Farms and Desktop and Application Pools
Refresh, Recompose, Rebalance, or change the default View Composer image | Manage Composer Desktop Pool Image
Change access groups | Manage Farms and Desktop and Application Pools on both the source and target access groups.
Privileges for Managing Machines
An administrator must have certain privileges to manage machines in Horizon Administrator.
Table 6-11 lists common machine management tasks and shows the privileges that are required to
perform each task.
Table 6-11. Machine Management Tasks and Privileges
Task | Required Privileges
Remove a virtual machine | Manage Machine
Reset a virtual machine | Manage Reboot Operation
Restart a virtual desktop | Manage Reboot Operation
Assign or remove user ownership | Manage Machine
Enter or exit maintenance mode | Manage Machine
Disconnect or log off sessions | Manage Sessions
Privileges for Managing Persistent Disks
An administrator must have certain privileges to manage persistent disks in Horizon Administrator.
Table 6-12 lists common persistent disk management tasks and shows the privileges that are required to
perform each task. You perform these tasks on the Persistent Disks page in Horizon Administrator.
Table 6-12. Persistent Disk Management Tasks and Privileges
Task | Required Privileges
Detach a disk | Manage Persistent Disks on the disk and Manage Farms and Desktop and Application Pools on the pool.
Attach a disk | Manage Persistent Disks on the disk and Manage Farms and Desktop and Application Pools on the machine.
Edit a disk | Manage Persistent Disks on the disk and Manage Farms and Desktop and Application Pools on the selected pool.
Change access groups | Manage Persistent Disks on the source and target access groups.
Recreate desktop | Manage Persistent Disks on the disk and Manage Farms and Desktop and Application Pools on the last pool.
Import from vCenter | Manage Persistent Disks on the folder and Manage Pool on the pool.
Delete a disk | Manage Persistent Disks on the disk.
Privileges for Managing Users and Administrators
An administrator must have certain privileges to manage users and administrators in Horizon
Administrator.
Table 6-13 lists common user and administrator management tasks and shows the privileges that are
required to perform each task. You manage users on the Users and Groups page in Horizon
Administrator. You manage administrators on the Global Administrators View page in Horizon
Administrator.
Table 6-13. User and Administrator Management Tasks and Privileges
Task | Required Privileges
Update general user information | Manage Global Configuration and Policies
Send messages to users | Manage Remote Sessions on the machine.
Add an administrator user or group | Manage Roles and Permissions
Add, modify, or delete an administrator permission | Manage Roles and Permissions
Add, modify, or delete an administrator role | Manage Roles and Permissions
Privileges for Horizon Help Desk Tool Tasks
Horizon Help Desk Tool administrators must have certain privileges to perform troubleshooting tasks in
Horizon Administrator.
Table 6-14 lists common tasks that the Horizon Help Desk Tool administrator can perform and shows the
privileges required to perform each task.
Table 6-14. Horizon Help Desk Tool Tasks and Privileges
Task | Required Privileges
Read-only access to Horizon Help Desk Tool. | Manage Help Desk (Read Only)
Manage global sessions. | Manage Global Sessions
Can log in to Horizon Administrator. | Console Interaction
Perform all machine and session-related commands. | Manage Machine
Reset or restart machines. | Manage Reboot Operation
Disconnect and log off sessions. | Manage Sessions
Manage remote processes and applications. | Manage Remote Processes and Applications
Remote assistance to the virtual desktop or published desktop. | Remote Assistance
Disconnect, logoff, reset, and restart operations for global sessions. | Manage Help Desk (Read Only) and Manage Global Sessions
Reset and restart operations for local sessions. | Manage Help Desk (Read Only) and Manage Reboot Operation
Remote assistance operations. | Manage Help Desk (Read Only) and Remote Assistance
End remote processes and applications. | Manage Help Desk (Read Only) and Manage Remote Processes and Applications
Perform all tasks in Horizon Help Desk Tool. | Manage Help Desk (Read Only), Manage Global Sessions, Manage Reboot Operation, Remote Assistance, and Manage Remote Processes and Applications
Remote assistance operations and end remote processes and applications. | Manage Help Desk (Read Only), Remote Assistance, and Manage Remote Processes and Applications
Disconnect and logoff operations for local sessions. | Manage Help Desk (Read Only) and Manage Sessions
Privileges for General Administration Tasks and Commands
An administrator must have certain privileges to perform general administration tasks and run command
line utilities.
Table 6-15 shows the privileges that are required to perform general administration tasks and run
command line utilities.
Table 6-15. Privileges for General Administration Tasks and Commands
Task | Required Privileges
Add or delete an access group | Must have the Administrators role on the root access group.
Manage ThinApp applications and settings in View Administrator | Must have the Administrators role on the root access group.
Install Horizon Agent on an unmanaged machine, such as a physical system, standalone virtual machine, or RDS host | Register Agent
View or modify configuration settings (except for administrators) in View Administrator | Manage Global Configuration and Policies
Run all PowerShell commands and command line utilities except for vdmadmin and vdmimport. | Direct Interaction
Use the vdmadmin and vdmimport commands | Must have the Administrators role on the root access group.
Use the vdmexport command | Must have the Administrators role or the Administrators (Read only) role on the root access group.
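The permission rules this chapter spells out (permissions on the root access group are inherited by every access group, roles with only global privileges apply only to the root, an inherited permission cannot be deleted from the inheriting group, the last Administrators role on the root cannot be removed, and moving a pool needs Manage Farms and Desktop and Application Pools on both source and target per Table 6-10), worked through as a small model. This is an added example, not VMware code or a Horizon API: the privilege and role names are taken from Tables 6-6 to 6-9, while the PermissionStore class, the SuperAdmin account and the /Finance access group are constructed for illustration.

```python
"""Model of the administrator permission rules in this chapter. Added example, not
VMware code: privilege and role names come from Tables 6-6 to 6-9; the access group
and administrator names and the PermissionStore API are constructed."""
from __future__ import annotations
from dataclasses import dataclass

ROOT = "/"  # the root access group; every other access group inherits its permissions

GLOBAL_PRIVS = {  # Table 6-7: system-wide, never scoped to one access group
    "Console Interaction", "Direct Interaction", "Manage Global Configuration and Policies",
    "Manage Global Sessions", "Manage Roles and Permissions", "Register Agent",
}
OBJECT_PRIVS = {  # Table 6-8: scoped to the objects in an access group
    "Enable Farms and Desktop Pools", "Entitle Desktop and Application Pools",
    "Manage Composer Desktop Pool Image", "Manage Machine", "Manage Persistent Disks",
    "Manage Farms and Desktop and Application Pools", "Manage Sessions", "Manage Reboot Operation",
}
# Internal privileges (Table 6-9): the read-only ones are treated as scoped because Table 6-6
# marks the roles that carry them as applying to access groups (modelling assumption).
SCOPED_INTERNAL_PRIVS = {"Full (Read only)", "Manage Inventory (Read only)"}

ROLES = {  # a subset of the predefined roles, reduced to the privileges this page lists
    "Administrators": GLOBAL_PRIVS | OBJECT_PRIVS,
    "Administrators (Read only)": {"Console Interaction", "Direct Interaction", "Full (Read only)"},
    "Inventory Administrators": {"Console Interaction"} | OBJECT_PRIVS,
    "Global Configuration and Policy Administrators":
        {"Console Interaction", "Manage Global Configuration and Policies"},
}


def applies_to_access_groups(role: str) -> bool:
    """Table 6-6 'Applies to an Access Group': true only if the role has a scoped privilege."""
    return bool(ROLES[role] & (OBJECT_PRIVS | SCOPED_INTERNAL_PRIVS))


@dataclass(frozen=True)
class Permission:
    admin: str
    role: str
    access_group: str = ROOT


class PermissionStore:
    def __init__(self) -> None:
        self.perms: set[Permission] = set()

    def add(self, admin: str, role: str, access_group: str = ROOT) -> None:
        if access_group != ROOT and not applies_to_access_groups(role):
            raise ValueError(f"{role} has only global privileges; grant it on the root access group")
        self.perms.add(Permission(admin, role, access_group))

    def folders_tab(self, admin: str, access_group: str) -> list[tuple[str, bool]]:
        """Rows shown for a selected access group: (role, inherited), as in Table 6-4."""
        return sorted((p.role, p.access_group != access_group) for p in self.perms
                      if p.admin == admin and p.access_group in (access_group, ROOT))

    def delete_check(self, perm: Permission, viewed_from: str = ROOT) -> str:
        """Empty string if the permission may be deleted, otherwise the reason it may not."""
        if perm not in self.perms:
            return "no such permission"
        if perm.access_group == ROOT and viewed_from != ROOT:
            return "inherited permission; delete it on the root access group"
        remaining = self.perms - {perm}
        if not any(p.role == "Administrators" and p.access_group == ROOT for p in remaining):
            return "would remove the last Administrators role on the root access group"
        return ""

    def delete(self, perm: Permission, viewed_from: str = ROOT) -> bool:
        """Delete a permission; True means it was the administrator's last one, so the admin goes too."""
        reason = self.delete_check(perm, viewed_from)
        if reason:
            raise PermissionError(reason)
        self.perms.discard(perm)
        return not any(p.admin == perm.admin for p in self.perms)

    def privileges(self, admin: str, access_group: str = ROOT) -> set[str]:
        """Effective privileges of an administrator on the objects in one access group."""
        privs: set[str] = set()
        for p in self.perms:
            if p.admin != admin:
                continue
            privs |= ROLES[p.role] & GLOBAL_PRIVS          # global privileges apply anywhere
            if p.access_group in (access_group, ROOT):    # scoped ones: direct or inherited
                privs |= ROLES[p.role] - GLOBAL_PRIVS
        return privs


def can_change_access_group(store: PermissionStore, admin: str, source: str, target: str) -> bool:
    """Table 6-10: Manage Farms and Desktop and Application Pools on both source and target."""
    priv = "Manage Farms and Desktop and Application Pools"
    return priv in store.privileges(admin, source) and priv in store.privileges(admin, target)


def build_example() -> PermissionStore:
    """Table 6-3 as data: Admin1 holds Inventory Administrators on /MarketingDesktops and
    Administrators (Read only) on root. SuperAdmin is a constructed super administrator."""
    store = PermissionStore()
    store.add("view-domain.com\\SuperAdmin", "Administrators")
    store.add("view-domain.com\\Admin1", "Inventory Administrators", "/MarketingDesktops")
    store.add("view-domain.com\\Admin1", "Administrators (Read only)")
    return store
```

Calling `store.add(admin, "Global Configuration and Policy Administrators", "/Finance")` raises ValueError, mirroring the Applies to an access group column in the Add User or Group wizard.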
Best Practices for Administrator Users and Groups
To increase the security and manageability of your View environment, you should follow best practices
when managing administrator users and groups.
- Create new user groups in Active Directory and assign View administrative roles to these groups.
  Avoid using Windows built-in groups or other existing groups that might contain users who do not
  need or should not have View privileges.
- Keep the number of users with View administrative privileges to a minimum.
- Because the Administrators role has every privilege, it should not be used for day-to-day
  administration.
- Because it is highly visible and easily guessed, avoid using the name Administrator when creating
  administrator users and groups.
- Create access groups to segregate sensitive desktops and farms. Delegate the administration of
  those access groups to a limited set of users.
- Create separate administrators that can modify global policies and View configuration settings.
7 Configuring Policies in Horizon Administrator and Active Directory
You can use Horizon Administrator to set policies for client sessions. You can configure Active Directory
group policy settings to control the behavior of View Connection Server, the PCoIP display protocol, and
Horizon 7 logging and performance alarms.
You can also configure Active Directory group policy settings to control the behavior of Horizon Agent,
Horizon Client for Windows, Horizon Persona Management, and certain features. For information about
these policy settings, see the Configuring Remote Desktop Features in Horizon 7 document.
This section includes the following topics:
- Setting Policies in Horizon Administrator
- Using Horizon 7 Group Policy Administrative Template Files
Setting Policies in Horizon Administrator
You use Horizon Administrator to configure policies for client sessions.
You can set these policies to affect specific users, specific desktop pools, or all client sessions users.
Policies that affect specific users and desktop pools are called user-level policies and desktop pool-level
policies. Policies that affect all sessions and users are called global policies.
User-level policies inherit settings from the equivalent desktop pool-level policy settings. Similarly,
desktop pool-level policies inherit settings from the equivalent global policy settings. A desktop pool-level
policy setting takes precedence over the equivalent global policy setting. A user-level policy setting takes
precedence over the equivalent global and desktop pool-level policy settings.
Lower-level policy settings can be more or less restrictive than the equivalent higher-level settings. For
example, you can set a global policy to Deny and the equivalent desktop pool-level policy to Allow, or
vice versa.
Note Only global policies are available for RDS desktop and application pools. You cannot set user-level
policies or pool-level policies for RDS desktop and application pools.
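The precedence rules above (user over desktop pool over global, with Inherit deferring to the next level up, and RDS pools taking only global policies) can be checked mechanically. The following is an added example, not VMware code and not part of this document: it resolves the effective value of each policy, records which level set it, and lists the overrides that are less restrictive than the global setting, which is the list a reviewer usually wants. The dictionary layout and the audit output format are assumptions made for this illustration; the policy names and defaults come from Table 7-1.

```python
"""Resolve effective Horizon policy values (added example, not VMware code).

Models the precedence described in this section: user-level overrides
desktop-pool-level, which overrides global; "Inherit" at a lower level defers
to the level above; RDS desktop and application pools have only global
policies.  Dictionary layout and output format are assumptions.
"""

INHERIT = "Inherit"  # the marker shown in the Desktop Pool Policy column

# Constructed sample: the default values listed in Table 7-1.
GLOBAL_POLICIES = {
    "Multimedia redirection (MMR)": "Deny",
    "USB Access": "Allow",
    "PCoIP hardware acceleration": "Allow at Medium priority",
}


def effective_policies(global_policies, pool_policies=None,
                       user_policies=None, rds_pool=False):
    """Return {policy: (effective_value, level_that_set_it)}.

    level_that_set_it is "global", "pool" or "user", so an administrator can
    see at a glance which settings are overrides rather than inherited.
    """
    levels = []
    if not rds_pool:  # RDS pools: only global policies apply
        levels = [("pool", pool_policies or {}), ("user", user_policies or {})]

    # An override for a policy that does not exist globally is a data error.
    for level_name, overrides in levels:
        unknown = set(overrides) - set(global_policies)
        if unknown:
            raise KeyError(f"{level_name}-level override for unknown policy: "
                           f"{sorted(unknown)}")

    result = {}
    for policy, value in global_policies.items():
        source = "global"
        for level_name, overrides in levels:
            override = overrides.get(policy, INHERIT)
            if override != INHERIT:      # Inherit (or absent) defers upward
                value, source = override, level_name
        result[policy] = (value, source)
    return result


def loosened_overrides(effective, global_policies):
    """Policies whose global value is Deny but whose effective value is Allow.

    Lower-level settings may legitimately be less restrictive than the global
    setting; this just surfaces where that has happened.
    """
    return sorted(
        policy for policy, (value, source) in effective.items()
        if global_policies[policy] == "Deny" and value == "Allow"
        and source != "global"
    )


if __name__ == "__main__":
    # Constructed overrides for a pool and one user in it.
    pool = {"Multimedia redirection (MMR)": "Allow", "USB Access": "Deny"}
    user = {"USB Access": "Allow"}
    eff = effective_policies(GLOBAL_POLICIES, pool, user)
    for policy, (value, source) in eff.items():
        print(f"{policy}: {value} (from {source})")
    print("less restrictive than global:",
          loosened_overrides(eff, GLOBAL_POLICIES))
```

Run it as is to see the per-policy source; feed it the values shown on the Policies tab of a pool to audit a real environment.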
- Configure Global Policy Settings
  You can configure global policies to control the behavior of all client sessions users.
- Configure Policies for Desktop Pools
  You can configure desktop-level policies to affect specific desktop pools. Desktop-level policy settings take precedence over their equivalent global policy settings.
- Configure Policies for Users
  You can configure user-level policies to affect specific users. User-level policy settings always take precedence over their equivalent global and desktop pool-level policy settings.
- Horizon 7 Policies
  You can configure Horizon 7 policies to affect all client sessions, or you can apply them to affect specific desktop pools or users.
Configure Global Policy Settings
You can configure global policies to control the behavior of all client sessions users.
Prerequisites
Familiarize yourself with the policy descriptions. See Horizon 7 Policies.
Procedure
1. In Horizon Administrator, select Policies > Global Policies.
2. Click Edit policies in the View Policies pane.
3. Click OK to save your changes.
Configure Policies for Desktop Pools
You can configure desktop-level policies to affect specific desktop pools. Desktop-level policy settings
take precedence over their equivalent global policy settings.
Prerequisites
Familiarize yourself with the policy descriptions. See Horizon 7 Policies.
Procedure
1. In Horizon Administrator, select Catalog > Desktop Pools.
2. Double-click the ID of the desktop pool and click the Policies tab.
   The Policies tab shows the current policy settings. When a setting is inherited from the equivalent global policy, Inherit appears in the Desktop Pool Policy column.
3. Click Edit Policies in the View Policies pane.
4. Click OK to save your changes.
Configure Policies for Users
You can configure user-level policies to affect specific users. User-level policy settings always take
precedence over their equivalent global and desktop pool-level policy settings.
Prerequisites
Familiarize yourself with the policy descriptions. See Horizon 7 Policies.
Procedure
1. In Horizon Administrator, select Catalog > Desktop Pools.
2. Double-click the ID of the desktop pool and click the Policies tab.
   The Policies tab shows the current policy settings. When a setting is inherited from the equivalent global policy, Inherit appears in the Desktop Pool Policy column.
3. Click User Overrides and then click Add User.
4. To find a user, click Add, type the name or description of the user, and then click Find.
5. Select one or more users from the list, click OK, and then click Next.
   The Add Individual Policy dialog box appears.
6. Configure the Horizon policies and click Finish to save your changes.
Horizon 7 Policies
You can configure Horizon 7 policies to affect all client sessions, or you can apply them to affect specific
desktop pools or users.
Table 7-1 describes each Horizon 7 policy setting.
Table 7-1. Horizon Policies
Policy: Description

Multimedia redirection (MMR): Determines whether MMR is enabled for client systems.
MMR is a Windows Media Foundation filter that forwards multimedia data from specific codecs on remote desktops directly through a TCP socket to the client system. The data is then decoded directly on the client system, where it is played.
The default value is Deny.
If client systems have insufficient resources to handle local multimedia decoding, leave the setting as Deny.
Multimedia Redirection (MMR) data is sent across the network without application-based encryption and might contain sensitive data, depending on the content being redirected. To ensure that this data cannot be monitored on the network, use MMR only on a secure network.

USB Access: Determines whether remote desktops can use USB devices connected to the client system.
The default value is Allow. To prevent the use of external devices for security reasons, change the setting to Deny.

PCoIP hardware acceleration: Determines whether to enable hardware acceleration of the PCoIP display protocol and specifies the acceleration priority that is assigned to the PCoIP user session.
This setting has an effect only if a PCoIP hardware acceleration device is present on the physical computer that hosts the remote desktop.
The default value is Allow at Medium priority.
Using Horizon 7 Group Policy Administrative Template Files
Horizon 7 provides several component-specific Group Policy Administrative ADMX template files. You can
optimize and secure remote desktops and applications by adding the policy settings in the ADMX
template files to a new or existing GPO in Active Directory.
All ADMX files that provide group policy settings for Horizon 7 are available in a bundled .zip file named
VMware-Horizon-Extras-Bundle-x.x.x-yyyyyyy.zip, where x.x.x is the version and yyyyyyy is the
build number. You can download the file from the VMware download site at
https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the
VMware Horizon 7 download, which includes the bundled .zip file.
The Horizon 7 ADMX template files contain both Computer Configuration and User Configuration group
policies.
- The Computer Configuration policies set policies that apply to all remote desktops, regardless of who connects to the desktop.
- The User Configuration policies set policies that apply to all users, regardless of the remote desktop or application they connect to. User Configuration policies override equivalent Computer Configuration policies.
Microsoft Windows applies policies at desktop startup and when users log in.
Horizon 7 ADMX Template Files
The Horizon 7 ADMX template files provide group policy settings that allow you to control and optimize
Horizon 7 components.
Table 7-2. Horizon ADMX Template Files
Template Name (Template File): Description

VMware View Agent Configuration (vdm_agent.admx): Contains policy settings related to the authentication and environmental components of Horizon Agent.
See the Configuring Remote Desktop Features in Horizon 7 document.

VMware Horizon Client Configuration (vdm_client.admx): Contains policy settings related to Horizon Client for Windows.
Clients that connect from outside the Connection Server host domain are not affected by policies applied to Horizon Client.
See the VMware Horizon Client for Windows Installation and Setup Guide document.

VMware Horizon URL Redirection (urlRedirection.admx): Contains policy settings related to the URL Content Redirection Feature. If you add this template to a GPO for a remote desktop pool or application pool, certain URL links clicked inside the remote desktops or app can be redirected to a Windows-based client and opened in a client-side browser.
If you add this template to a client-side GPO, when a user clicks certain URL links in a Windows-based client system, the URL can be opened in a remote desktop or application.
See the Configuring Remote Desktop Features in Horizon 7 document and see the VMware Horizon Client for Windows Installation and Setup Guide document.

VMware View Server Configuration (vdm_server.admx): Contains policy settings related to Connection Server.

VMware View Common Configuration (vdm_common.admx): Contains policy settings that are common to all Horizon components.

PCoIP Session Variables (pcoip.admx): Contains policy settings related to the PCoIP display protocol.
See the Configuring Remote Desktop Features in Horizon 7 document.

PCoIP Client Session Variables (pcoip.client.admx): Contains policy settings related to the PCoIP display protocol that affect Horizon Client for Windows.
See the VMware Horizon Client for Windows Installation and Setup Guide document.
Persona Management (ViewPM.admx): Contains policy settings related to Horizon Persona Management.
See the Setting Up Virtual Desktops in Horizon 7 document.

Remote Desktop Services (vmware_rdsh_server.admx): Contains policy settings related to Remote Desktop Services.
See the Configuring Remote Desktop Features in Horizon 7 document.

View RTAV Configuration (vdm_agent_rtav.admx): Contains policy settings related to webcams that are used with the Real-Time Audio-Video feature.
See the Configuring Remote Desktop Features in Horizon 7 document.

Scanner Redirection (vdm_agent_scanner.admx): Contains policy settings related to scanning devices that are redirected for use in published desktops and applications.
See the Configuring Remote Desktop Features in Horizon 7 document.

Serial COM (vdm_agent_serialport.admx): Contains policy settings related to serial (COM) ports that are redirected for use in virtual desktops.
See the Configuring Remote Desktop Features in Horizon 7 document.

VMware Horizon Printer Redirection (vdm_agent_printing.admx): Contains policy settings related to filtering redirected printers.
See the Configuring Remote Desktop Features in Horizon 7 document.
Horizon Connection Server Configuration ADMX Template Settings
The View Server Configuration ADMX (vdm_server.admx) template files contain policy settings related
to all Horizon Connection Servers.
Table 7-3 describes each policy setting in the Connection Server configuration ADMX template file. The
template contains only Computer Configuration settings. All of the settings are in the Computer
Configuration > Policies > Administrative Templates > VMware View Server Configuration folder in
the Group Policy Management Editor.
Table 7-3. Horizon Server Configuration Template Settings
Setting: Properties

Enumerate Forest Trust Child Domains: Determines if every domain trusted by the domain in which the server resides is enumerated. In order to establish a complete chain of trust, the domains trusted by each trusted domain are also enumerated and the process continues recursively until all trusted domains are discovered. This information is passed to Connection Server in order to ensure that all trusted domains are available to the client on login.
This property is enabled by default. When disabled, only directly trusted domains are enumerated and connection to remote domain controllers does not take place.
Note In environments with complex domain relationships, such as those that use multiple forest structures with trust between domains in their forests, the process can take a few minutes to complete.

Recursive Enumeration of Trusted Domains: Determines whether every domain trusted by the domain in which the server resides is enumerated. To establish a complete chain of trust, the domains trusted by each trusted domain are also enumerated and the process continues recursively until all trusted domains are discovered. This information is passed to View Connection Server so that all trusted domains are available to the client on login.
This setting is enabled by default. When it is disabled, only directly trusted domains are enumerated and connection to remote domain controllers does not take place.
In environments with complex domain relationships, such as those that use multiple forest structures with trust between domains in their forests, this process can take a few minutes to complete.

Windows Password Authentication Mode: Select the Windows password authentication mode.
- KerberosOnly. Authenticate using Kerberos.
- KerberosWithFallbackToNTLM. Authenticate using Kerberos, but fall back to NTLM on failure.
- Legacy. Authenticate using NTLM, but fall back to Kerberos on failure. Used to support legacy NT domain controllers.
Default is KerberosOnly.
Horizon 7 Common Configuration ADMX Template Settings
The Horizon 7 Common Configuration ADMX (vdm_common.admx) template files contain policy settings
common to all Horizon components. These templates contain only Computer Configuration settings.
Log Configuration Settings
Table 7-4 describes the log configuration policy setting in the Horizon Common Configuration ADMX
template files. All of the settings are in the Computer Configuration > Policies > Administrative
Templates > VMware View Common Configuration > Log Configuration folder in the Group Policy
Management Editor.
Table 7-4. View Common Configuration Template: Log Configuration Settings
Setting: Properties

Number of days to keep production logs: Specifies the number of days for which log files are retained on the system. If no value is set, the default applies and log files are kept for seven days.

Maximum number of debug logs: Specifies the maximum number of debug log files to retain on the system. When a log file reaches its maximum size, no further entries are added and a new log file is created. When the number of previous log files reaches this value, the oldest log file is deleted.

Maximum debug log size in Megabytes: Specifies the maximum size in megabytes that a debug log can reach before the log file is closed and a new log file is created.

Log Directory: Specifies the full path to the directory for log files. If the location is not writeable, the default location is used. For client log files, an extra directory with the client name is created.

Send logs to a Syslog server: Allows View server logs to be sent to a Syslog server such as VMware vCenter Log Insight. Logs are sent from all View servers in the OU or domain in which this GPO is configured.
You can send Horizon Agent logs to a Syslog server by enabling this setting in a GPO that is linked to an OU that contains your desktops.
To send log data to a Syslog server, enable this setting and specify the log level and the server's fully qualified domain name (FQDN) or IP address. You can specify an alternate port if you do not want to use default port 514. Separate each element in your specification with a vertical bar (|). Use the following syntax:
    Log Level|Server FQDN or IP [|Port number(514 default)]
For example: Debug|192.0.2.2
Important Syslog data is sent across the network without software-based encryption. Because View server logs might contain sensitive data, avoid sending Syslog data on an insecure network. If possible, use link-layer security such as IPsec to prevent the possibility of this data being monitored on the network.
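Because the Syslog setting is a single delimited string and the transport is unencrypted, it is worth validating the value before it goes into a GPO. The following is an added example, not VMware code: it parses the "Log Level|Server FQDN or IP [|Port]" syntax, applies the 514 default, and flags destinations that are not on a private (RFC 1918 or loopback) address, since that is where the "insecure network" warning above applies most directly. The accepted log level names are not listed in this section, so only the shape of the level token is checked; the private-network test is an assumption about a typical deployment, not a VMware rule.

```python
"""Parse and sanity-check a "Send logs to a Syslog server" value.

Added example, not VMware code.  Syntax from Table 7-4:
    Log Level|Server FQDN or IP [|Port number(514 default)]
Assumptions: level is a single word (the valid names are not listed here);
a destination outside RFC 1918 / loopback space is worth a warning because
syslog is sent in the clear.
"""
import ipaddress
import re

DEFAULT_SYSLOG_PORT = 514
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]


def parse_syslog_target(spec):
    """Split the setting into level, host, port; raise ValueError on bad input."""
    parts = [p.strip() for p in spec.split("|")]
    if len(parts) not in (2, 3):
        raise ValueError(f"expected 'Level|Host' or 'Level|Host|Port', got {spec!r}")
    level, host = parts[0], parts[1]
    if not re.fullmatch(r"[A-Za-z]+", level):
        raise ValueError(f"log level must be a single word: {level!r}")
    if not host:
        raise ValueError("server FQDN or IP address is required")
    try:
        ipaddress.ip_address(host)
        host_kind = "ip"
    except ValueError:
        if not _FQDN_RE.match(host):
            raise ValueError(f"not a valid FQDN or IP address: {host!r}")
        host_kind = "fqdn"
    port = DEFAULT_SYSLOG_PORT            # third element is optional
    if len(parts) == 3 and parts[2]:
        if not parts[2].isdigit() or not 1 <= int(parts[2]) <= 65535:
            raise ValueError(f"port must be 1-65535: {parts[2]!r}")
        port = int(parts[2])
    return {"level": level, "host": host, "host_kind": host_kind, "port": port}


def on_private_network(host):
    """True/False for an IP address; None for an FQDN (cannot tell offline)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return any(addr in net for net in _PRIVATE_NETS)


def review_syslog_target(spec):
    """Parse the value and attach the warnings an administrator should read."""
    target = parse_syslog_target(spec)
    warnings = []
    private = on_private_network(target["host"])
    if private is False:
        warnings.append("destination is not on a private address; syslog is "
                        "unencrypted, so protect the path (for example with IPsec)")
    elif private is None:
        warnings.append("FQDN destination; verify where it resolves before "
                        "relying on an unencrypted transport")
    if target["port"] != DEFAULT_SYSLOG_PORT:
        warnings.append(f"non-default port {target['port']}; confirm the "
                        "collector listens there")
    target["warnings"] = warnings
    return target


if __name__ == "__main__":
    for value in ("Debug|192.0.2.2", "Debug|10.20.30.40|1514"):
        print(review_syslog_target(value))
```

The document's own example, Debug|192.0.2.2, parses cleanly but is flagged because 192.0.2.2 is not a private address; a collector on 10.20.30.40 on port 514 produces no warnings.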
Performance Alarm Settings
Table 7-5 describes the performance alarm settings in the Horizon Common Configuration ADMX template files. All of the settings are in the Computer Configuration > Policies > Administrative Templates > VMware View Common Configuration > Performance Alarms folder in the Group Policy Management Editor.
Table 7-5. View Common Configuration Template: Performance Alarm Settings
Setting: Properties

CPU and Memory Sampling Interval in Seconds: Specifies the CPU and memory polling interval. A low sampling interval can result in a high level of output to the log.

Overall CPU usage percentage to issue log info: Specifies the threshold at which the overall CPU use of the system is logged. When multiple processors are available, this percentage represents the combined usage.
Overall memory usage percentage to issue log info: Specifies the threshold at which the overall committed system memory use is logged. Committed system memory is memory that has been allocated by processes and to which the operating system has committed physical memory or a page slot in the pagefile.

Process CPU usage percentage to issue log info: Specifies the threshold at which the CPU usage of any individual process is logged.

Process memory usage percentage to issue log info: Specifies the threshold at which the memory usage of any individual process is logged.

Process to check, comma separated name list allowing wild cards and exclusion: Specifies a comma-separated list of queries that correspond to the name of one or more processes to be examined. You can filter the list by using wildcards within each query.
- An asterisk (*) matches zero or more characters.
- A question mark (?) matches exactly one character.
- An exclamation mark (!) at the beginning of a query excludes any results produced by that query.
For example, the following query selects all processes starting with ws and excludes all processes ending with sys:
    '!*sys,ws*'
Note Performance alarm settings apply to Horizon Connection Server and Horizon Agent systems only.
They do not apply to Horizon Client systems.
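The wildcard and exclusion rules for the "Process to check" list are compact enough to implement, which is the easiest way to confirm that a query selects the processes you expect before the alarm GPO is applied. The following is an added example, not VMware code: it translates each comma-separated query into an anchored pattern, treats a leading ! as an exclusion, and returns the selected names. Assumptions made here: a process is selected when it matches at least one include query and no exclude query, names are compared case-insensitively (Windows image names), and surrounding quotes such as those in the document's '!*sys,ws*' example are stripped. The process list is constructed for the example.

```python
"""Apply a Horizon "Process to check" query list (added example, not VMware code).

Rules from Table 7-5: comma-separated queries; '*' matches zero or more
characters, '?' exactly one; a leading '!' excludes whatever that query
matches.  Assumptions: include-and-not-exclude semantics, case-insensitive
comparison, surrounding quotes stripped.
"""
import re

# Constructed sample of process image names on a Horizon server.
SAMPLE_PROCESSES = ["wsnm.exe", "wssm.exe", "wsmprovhost.exe", "ws_sys",
                    "explorer.exe", "lsass.exe", "vmware-view.exe"]


def _query_to_regex(query):
    """Translate one wildcard query into a compiled regex (used with fullmatch)."""
    pieces = []
    for ch in query:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))   # everything else is literal
    return re.compile("".join(pieces), re.IGNORECASE)


def parse_process_queries(spec):
    """Return (include_patterns, exclude_patterns) for a query list."""
    spec = spec.strip().strip("'\"")
    includes, excludes = [], []
    for raw in spec.split(","):
        query = raw.strip()
        if not query:
            continue
        if query.startswith("!"):
            if len(query) == 1:
                raise ValueError("'!' must be followed by a query")
            excludes.append(_query_to_regex(query[1:]))
        else:
            includes.append(_query_to_regex(query))
    if not includes:
        raise ValueError("at least one non-exclusion query is required")
    return includes, excludes


def select_processes(spec, process_names):
    """Names selected by the query list, in the order they were given."""
    includes, excludes = parse_process_queries(spec)
    return [name for name in process_names
            if any(p.fullmatch(name) for p in includes)
            and not any(p.fullmatch(name) for p in excludes)]


if __name__ == "__main__":
    print(select_processes("'!*sys,ws*'", SAMPLE_PROCESSES))
```

With the document's query, the three ws* processes are selected and ws_sys is dropped by the exclusion; an exclusion-only list is rejected because it can never select anything.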
Security Settings
Table 7-6 describes the security settings in the Horizon Common Configuration ADMX template files. All of the settings are in the Computer Configuration > Policies > Administrative Templates > VMware View Common Configuration > Security Settings folder in the Group Policy Management Editor.
Table 7-6. View Common Configuration Template: Security Settings
Setting: Properties

Only use cached revocation URLs: Certificate revocation checking will only access cached URLs.
Default if not configured is false.

Revocation URL check timeout milliseconds: The cumulative timeout across all revocation URL wire retrievals in milliseconds.
Not configured or value set to 0 means that Microsoft default handling is used.

Type of certificate revocation check: Select the type of certificate revocation check to be done:
- None
- EndCertificateOnly
- WholeChain
- WholeChainButRoot
Default is WholeChainButRoot.
General Settings
Table 7-7 describes the general settings in the Horizon Common Configuration ADMX template files. All of the settings are in the Computer Configuration > Policies > Administrative Templates > VMware View Common Configuration folder in the Group Policy Management Editor.
Table 7-7. View Common Configuration Template: General Settings
Setting: Properties

Disk threshold for log and events in Megabytes: Specifies the minimum remaining disk space threshold for logs and events. If no value is specified, the default is 200. When the specified value is met, event logging stops.

Enable extended logging: Determines whether trace and debug events are included in the log files.

Override the default View Windows event generation: The following values are supported:
- 0 = Event log entries are only produced for View events (no event log entries are generated for log messages)
- 1 = Event log entries are produced in 4.5 (and earlier) compatibility mode. Event log entries are not produced for standard View events. Event log entries are based solely on log file text.
- 2 = Event log entries are produced in 4.5 (and earlier) compatibility mode with View events also being included.
8 Maintaining View Components
To keep your View components available and running, you can perform a variety of maintenance tasks.
This section includes the following topics:
- Backing Up and Restoring View Configuration Data
- Monitor View Components
- Monitor Machine Status
- Understanding View Services
- Change the Product License Key
- Monitoring Product License Usage
- Update General User Information from Active Directory
- Migrate View Composer to Another Machine
- Update the Certificates on a View Connection Server Instance, Security Server, or View Composer
- Customer Experience Improvement Program
Backing Up and Restoring View Configuration Data
You can back up your View and View Composer configuration data by scheduling or running automatic
backups in View Administrator. You can restore your View configuration by manually importing the
backed-up View LDAP files and View Composer database files.
You can use the backup and restore features to preserve and migrate View configuration data.
Backing Up View Connection Server and View Composer Data
After you complete the initial configuration of View Connection Server, you should schedule regular
backups of your View and View Composer configuration data. You can preserve your View and View
Composer data by using View Administrator.
View stores View Connection Server configuration data in the View LDAP repository. View Composer
stores configuration data for linked-clone desktops in the View Composer database.
When you use View Administrator to perform backups, View backs up the View LDAP configuration data
and View Composer database. Both sets of backup files are stored in the same location. The View LDAP
data is exported in encrypted LDAP data interchange format (LDIF). For a description of View LDAP, see
View LDAP Directory.
You can perform backups in several ways.
- Schedule automatic backups by using the View configuration backup feature.
- Initiate a backup immediately by using the Backup Now feature in View Administrator.
- Manually export View LDAP data by using the vdmexport utility. This utility is provided with each instance of View Connection Server.
  The vdmexport utility can export View LDAP data as encrypted LDIF data, plain text, or plain text with passwords and other sensitive data removed.
  Note The vdmexport tool backs up the View LDAP data only. This tool does not back up View Composer database information.
For more information about vdmexport, see Export Configuration Data from View Connection Server.
The following guidelines apply to backing up View configuration data:
- View can export configuration data from any View Connection Server instance.
- If you have multiple View Connection Server instances in a replicated group, you only need to export the data from one instance. All replicated instances contain the same configuration data.
- Do not rely on using replicated instances of View Connection Server to act as your backup mechanism. When View synchronizes data in replicated instances of View Connection Server, any data lost in one instance might be lost in all members of the group.
- If View Connection Server uses multiple vCenter Server instances with multiple View Composer services, View backs up all the View Composer databases associated with the vCenter Server instances.
Schedule View Configuration Backups
You can schedule your View configuration data to be backed up at regular intervals. View backs up the
contents of the View LDAP repository in which your View Connection Server instances store their
configuration data.
You can back up the configuration immediately by selecting the View Connection Server instance and
clicking Backup Now.
Prerequisites
Familiarize yourself with the backup settings. See View Configuration Backup Settings.
Procedure
1. In View Administrator, select View Configuration > Servers.
2. On the Connection Servers tab, select the View Connection Server instance to be backed up and click Edit.
3. On the Backup tab, specify the View configuration backup settings to configure the backup frequency, maximum number of backups, and the folder location of the backup files.
4. (Optional) Change the data recovery password.
   a. Click Change data recovery password.
   b. Type and retype the new password.
   c. (Optional) Type a password reminder.
   d. Click OK.
5. Click OK.
View Configuration Backup Settings
View can back up your View Connection Server and View Composer configuration data at regular
intervals. In View Administrator, you can set the frequency and other aspects of the backup operations.
Table 8-1. View Configuration Backup Settings
Setting: Description

Automatic backup frequency:
- Every Hour. Backups take place every hour on the hour.
- Every 6 Hours. Backups take place at midnight, 6 am, noon, and 6 pm.
- Every 12 Hours. Backups take place at midnight and noon.
- Every Day. Backups take place every day at midnight.
- Every 2 Days. Backups occur at midnight on Saturday, Monday, Wednesday, and Friday.
- Every Week. Backups take place weekly at midnight on Saturday.
- Every 2 Weeks. Backups take place every other week at midnight on Saturday.
- Never. Backups do not take place automatically.

Max number of backups: Number of backup files that can be stored on the View Connection Server instance. The number must be an integer greater than 0.
When the maximum number is reached, View deletes the oldest backup file.
This setting also applies to backup files that are created when you use Backup Now.

Folder location: Default location of the backup files on the computer where View Connection Server is running:
    C:\Programdata\VMWare\VDM\backups
When you use Backup Now, View also stores the backup files in this location.
Export Configuration Data from View Connection Server
You can back up configuration data of a View Connection Server instance by exporting the contents of its
View LDAP repository.
You use the vdmexport command to export the View LDAP configuration data to an encrypted LDIF file.
You can also use the vdmexport -v (verbatim) option to export the data to a plain text LDIF file, or the
vdmexport -c (cleansed) option to export the data as plain text with passwords and other sensitive data
removed.
You can run the vdmexport command on any View Connection Server instance. If you have multiple View
Connection Server instances in a replicated group, you only need to export the data from one instance.
All replicated instances contain the same configuration data.
Note The vdmexport.exe command backs up the View LDAP data only. This command does not back
up View Composer database information.
Prerequisites
- Locate the vdmexport.exe command executable file installed with View Connection Server in the default path.
    C:\Program Files\VMware\VMware View\Server\tools\bin
- Log in to a View Connection Server instance as a user in the Administrators or Administrators (Read only) role.
Procedure
1. Select Start > Command Prompt.
2. At the command prompt, type the vdmexport command and redirect the output to a file. For example:
       vdmexport > Myexport.LDF
   By default, the exported data is encrypted.
   You can specify the output file name as an argument to the -f option. For example:
       vdmexport -f Myexport.LDF
   You can export the data in plain text format (verbatim) by using the -v option. For example:
       vdmexport -f Myexport.LDF -v
   You can export the data in plain text format with passwords and sensitive data removed (cleansed) by using the -c option. For example:
       vdmexport -f Myexport.LDF -c
   Note Do not plan on using cleansed backup data to restore a View LDAP configuration. The cleansed configuration data is missing passwords and other critical information.
For more information about the vdmexport command, see the View Integration document.
What to do next
You can restore or transfer the configuration information of View Connection Server by using the
vdmimport command.
For details about importing the LDIF file, see Restoring View Connection Server and View Composer
Configuration Data.
Restoring View Connection Server and View Composer
Configuration Data
You can manually restore the View Connection Server LDAP configuration files and View Composer
database files that were backed up by View.
You manually run separate utilities to restore View Connection Server and View Composer configuration
data.
Before you restore configuration data, verify that you backed up the configuration data in View
Administrator. See Backing Up View Connection Server and View Composer Data.
You use the vdmimport utility to import the View Connection Server data from the LDIF backup files to
the View LDAP repository in the View Connection Server instance.
You can use the SviConfig utility to import the View Composer data from the .svi backup files to the
View Composer SQL database.
Note In certain situations, you might have to install the current version of a View Connection Server
instance and restore the existing View configuration by importing the View Connection Server LDAP
configuration files. You might require this procedure as part of a business continuity and disaster recovery
(BC/DR) plan, as a step in setting up a second datacenter with the existing View configuration, or for
other reasons. For more information, see "Reinstall View Connection Server with a Backup Configuration"
in the View Installation document.
Import Configuration Data into View Connection Server
You can restore configuration data of a View Connection Server instance by importing a backup copy of
the data stored in an LDIF file.
You use the vdmimport command to import the data from the LDIF file to the View LDAP repository in the
View Connection Server instance.
If you backed up your View LDAP configuration by using View Administrator or the default vdmexport
command, the exported LDIF file is encrypted. You must decrypt the LDIF file before you can import it.
If the exported LDIF file is in plain text format, you do not have to decrypt the file.
Note Do not import an LDIF file in cleansed format, which is plain text with passwords and other
sensitive data removed. If you do, critical configuration information will be missing from the restored View
LDAP repository.
For information about backing up the View LDAP repository, see Backing Up View Connection Server and
View Composer Data.
Prerequisites
- Locate the vdmimport command executable file installed with View Connection Server in the default path.
    C:\Program Files\VMware\VMware View\Server\tools\bin
- Log in to a View Connection Server instance as a user with the Administrators role.
- Verify that you know the data recovery password. If a password reminder was configured, you can display the reminder by running the vdmimport command without the password option.
Procedure
1. Stop all instances of View Composer by stopping the Windows service VMware Horizon View Composer on the servers where View Composer runs.
2. Stop all security server instances by stopping the Windows service VMware Horizon Security Server on all security servers.
3. Uninstall all instances of View Connection Server.
   Uninstall both VMware Horizon View Connection Server and AD LDS Instance VMwareVDMDS.
4. Install one instance of View Connection Server.
5. Stop the View Connection Server instance by stopping the Windows service VMware Horizon Connection Server.
6. Click Start > Command Prompt.
7. Decrypt the encrypted LDIF file.
   At the command prompt, type the vdmimport command. Specify the -d option, the -p option with the data recovery password, and the -f option with an existing encrypted LDIF file followed by a name for the decrypted LDIF file. For example:
       vdmimport -d -p mypassword -f MyEncryptedexport.LDF > MyDecryptedexport.LDF
   If you do not remember your data recovery password, type the command without the -p option. The utility displays the password reminder and prompts you to enter the password.
8. Import the decrypted LDIF file to restore the View LDAP configuration.
   Specify the -f option with the decrypted LDIF file. For example:
       vdmimport -f MyDecryptedexport.LDF
9. Uninstall View Connection Server.
   Uninstall only the package VMware Horizon View Connection Server.
10. Reinstall View Connection Server.
11. Log in to View Administrator and valid