Horizon 7 Administration OCT 2020 VMware Horizon 7 7.
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Copyright © 2014-2020 VMware, Inc. All rights reserved.
Horizon 7 Administration

Horizon 7 Administration describes how to configure and administer VMware Horizon® 7, including how to configure Horizon Connection Server, create administrators, set up user authentication, configure policies, and manage VMware ThinApp® applications in Horizon Administrator. This document also describes how to maintain and troubleshoot Horizon 7 components.

Intended Audience

This information is intended for anyone who wants to configure and administer VMware Horizon 7.
1 Using Horizon Administrator

Horizon Administrator is the Web interface through which you configure Horizon Connection Server and manage your remote desktops and applications. For a comparison of the operations that you can perform with Horizon Administrator, cmdlets, and vdmadmin, see the Horizon 7 Integration document.
Log In to Horizon Administrator

To perform initial configuration tasks, you must log in to Horizon Administrator. You access Horizon Administrator by using a secure (TLS) connection.

Note: Horizon Administrator will be deprecated by early 2020. You can use Horizon Console to perform the same administrative tasks. For more information about using Horizon Console, see the VMware Horizon Console Administration document.
3 Log in using an account that has the Administrators role. You make an initial assignment to the Administrators role when you install a standalone Connection Server instance or the first Connection Server instance in a replicated group. By default, the account that you use to install Connection Server is selected, but you can change this account to the Administrators local group or to a domain global group.
Table 1-1. Horizon Administrator Navigation and Display Features (continued)

Horizon Administrator Feature: Multicolumn sorting
Description: You can sort Horizon objects in a variety of ways by using multicolumn sorting. Click a heading in the top row of a Horizon Administrator table to sort the Horizon objects in alphabetical order based on that heading. For example, in the Resources > Machines page, you can click Desktop Pool to sort desktops by the pools that contain them.
Table 1-1. Horizon Administrator Navigation and Display Features (continued)

Horizon Administrator Feature: Expanding dialog boxes to view details
Description: You can expand Horizon Administrator dialog boxes to view details such as desktop names and user names in table columns. To expand a dialog box, place your mouse over the dots in the lower right corner of the dialog box and drag the corner.
2 Configuring Horizon Connection Server

After you install and perform initial configuration of Horizon Connection Server, you can add vCenter Server instances and View Composer services to your Horizon 7 deployment, set up roles to delegate administrator responsibilities, and schedule backups of your configuration data.
Procedure

1 In Active Directory, create a user account in the same domain as your Connection Server host or in a trusted domain.
2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to the account in the Active Directory container in which the linked-clone computer accounts are created or to which the linked-clone computer accounts are moved.
Prerequisites

- Install the Connection Server product license key.
- Prepare a vCenter Server user with permission to perform the operations in vCenter Server that are necessary to support Horizon 7. To use View Composer, you must give the user additional privileges. For details about configuring a vCenter Server user for Horizon 7, see the Horizon 7 Installation document.
- Verify that a TLS/SSL server certificate is installed on the vCenter Server host.
3 In the vCenter Server Settings Server address text box, type the fully qualified domain name (FQDN) of the vCenter Server instance. The FQDN includes the host name and domain name. For example, in the FQDN myserverhost.companydomain.com, myserverhost is the host name and companydomain.com is the domain.
There must be a one-to-one mapping between each VMware Horizon View Composer service and vCenter Server instance. A View Composer service can operate with only one vCenter Server instance. A vCenter Server instance can be associated with only one VMware Horizon View Composer service. After the initial Horizon 7 deployment, you can migrate the VMware Horizon View Composer service to a new host to support a growing or changing Horizon 7 deployment.
3 If you are using View Composer, select the location of the View Composer host.

Option: View Composer is installed on the same host as vCenter Server.
Description:
  a Select View Composer co-installed with the vCenter Server.
  b Make sure that the port number is the same as the port that you specified when you installed the VMware Horizon View Composer service on vCenter Server. The default port number is 18443.

Option: View Composer is installed on its own separate host.
Procedure

1 On the View Composer Domains page, click Add to add the View Composer user for AD operations account information.
2 Type the domain name of the Active Directory domain. For example: domain.com
3 Type the domain user name, including the domain name, of the View Composer user. For example: domain.com\admin
4 Type the account password.
5 Click OK.
To enable space reclamation operations, you must use Horizon Administrator to enable space reclamation for vCenter Server and reclaim VM disk space for individual desktop pools. The space reclamation setting for vCenter Server gives you the option to disable this feature on all desktop pools that are managed by the vCenter Server instance. Disabling the feature for vCenter Server overrides the setting at the desktop pool level.
Configure View Storage Accelerator for vCenter Server

In vSphere 5.1 and later, you can configure ESXi hosts to cache virtual machine disk data. This feature, called View Storage Accelerator, uses the Content Based Read Cache (CBRC) feature in ESXi hosts. View Storage Accelerator improves Horizon 7 performance during I/O storms, which can take place when many virtual machines start up or run anti-virus scans at once.
- In an ESXi cluster, verify that all the hosts are version 5.1 or later.
- Verify that the vCenter Server user was assigned the Host > Configuration > Advanced settings privilege in vCenter Server. See the topics in the Horizon 7 Installation document that describe Horizon 7 and View Composer privileges required for the vCenter Server user.

Procedure

1 In Horizon Administrator, complete the Add vCenter Server wizard pages that precede the Storage Settings page.
Concurrent Operations Limits for vCenter Server and View Composer

When you add vCenter Server to Horizon 7 or edit the vCenter Server settings, you can configure several options that set the maximum number of concurrent operations that are performed by vCenter Server and View Composer. You configure these options in the Advanced Settings panel on the vCenter Server Information page.

Table 2-1.
As a best practice, you can conduct a pilot phase to determine the correct value for this setting. For planning guidelines, see "Architecture Design Elements and Planning Guidelines" in the Horizon 7 Architecture Planning document. The required number of concurrent power operations is based on the peak rate at which desktops are powered on and the amount of time it takes for the desktop to power on, boot, and become available for connection.
After these servers are added, you can reconfigure them in the Edit vCenter Server dialog box.

Note: You also must accept a certificate thumbprint when you upgrade from an earlier release and a vCenter Server certificate is untrusted, or if you replace a trusted certificate with an untrusted certificate. On the Horizon Console dashboard, the vCenter Server icon turns red and an Invalid Certificate Detected dialog box appears.
Remove a vCenter Server Instance from Horizon 7

You can remove the connection between Horizon 7 and a vCenter Server instance. When you do so, Horizon 7 no longer manages the virtual machines created in that vCenter Server instance.

Prerequisites

Delete all the virtual machines that are associated with the vCenter Server instance. For more information about deleting virtual machines, see "Delete a Desktop Pool" in the Setting Up Virtual Desktops in Horizon 7 document.
  c Click OK. The virtual machines are deleted from vCenter Server. In addition, the associated View Composer database entries and the replicas that were created by View Composer are removed.
  d Repeat these steps for each linked-clone desktop pool that was created by View Composer.
2 Select View Configuration > Servers.
3 On the vCenter Servers tab, select the vCenter Server instance with which View Composer is associated.
4 Click Edit.
Backing Up Horizon Connection Server

After you complete the initial configuration of Horizon Connection Server, you should schedule regular backups of your Horizon 7 and View Composer configuration data. For information about backing up and restoring your Horizon 7 configuration, see Backing Up and Restoring Horizon 7 Configuration Data.
Change the Data Recovery Password

You provide a data recovery password when you install Connection Server version 5.1 or later. After installation, you can change this password in View Administrator. The password is required when you restore the View LDAP configuration from a backup. When you back up Connection Server, the View LDAP configuration is exported as encrypted LDIF data. To restore the encrypted backup Horizon 7 configuration, you must provide the data recovery password.
Table 2-2. General Global Settings for Client Sessions

Setting: View Administrator session timeout
Description: Determines how long an idle Horizon Administrator session continues before the session times out.
Important: Setting the Horizon Administrator session timeout to a high number of minutes increases the risk of unauthorized use of Horizon Administrator. Use caution when you allow an idle session to persist a long time.
Table 2-2. General Global Settings for Client Sessions (continued)

Description: For clients that support applications. Protects application sessions when there is no keyboard or mouse activity on the client device. If set to After ... minutes, Horizon 7 disconnects all applications and discards SSO credentials after the specified number of minutes without user activity. Desktop sessions are not disconnected.
Table 2-2. General Global Settings for Client Sessions (continued)

Setting: Display warning before forced logoff
Description: Displays a warning message when users are forced to log off because a scheduled or immediate update such as a desktop-refresh operation is about to start. This setting also determines how long to wait after the warning is shown before the user is logged off. Check the box to display a warning message.
Table 2-2. General Global Settings for Client Sessions (continued)

Setting: Hide server information in client user interface
Description: Enable this security setting to hide server URL information in Horizon Client 4.4 or later.

Setting: Hide domain list in client user interface
Description: Enable this security setting to hide the Domain drop-down menu in Horizon Client 4.4 or later.
Table 2-3. Global Security Settings for Client Sessions and Connections

Setting: Reauthenticate secure tunnel connections after network interruption
Description: Determines if user credentials must be reauthenticated after a network interruption when Horizon clients use secure tunnel connections to remote desktops. When you select this setting, if a secure tunnel connection is interrupted, Horizon Client requires the user to reauthenticate before reconnecting.
Note: If you upgrade to View 5.1 or later from an earlier Horizon 7 release, the global setting Require SSL for client connections is displayed in Horizon Administrator, but only if the setting was disabled in your Horizon 7 configuration before you upgraded. Because TLS is required for all Horizon Client connections and Horizon Administrator connections to Horizon 7, this setting is not displayed in fresh installations of Horizon 7 5.
When you first install Horizon 7 on a system, the message security mode is set to Enhanced. If you upgrade Horizon 7 from a previous release, the message security mode remains unchanged from its existing setting.

Important: If you plan to change an upgraded Horizon 7 environment from Enabled to Enhanced, you must first upgrade all Connection Server instances, security servers, and Horizon 7 desktops to Horizon 6 version 6.1 or a later release.
The additional options that you can use depend on the command option. This topic focuses on the options for message security mode. For the other options, which relate to Cloud Pod Architecture, see the Administering Cloud Pod Architecture in Horizon 7 document.

By default, the path to the vdmutil command executable file is C:\Program Files\VMware\VMware View\Server\tools\bin. To avoid entering the path on the command line, add the path to your PATH environment variable.
Table 2-6. vdmutil Command Options (continued)

Option: --createPendingConnectionServerCertificates
Description: Creates a new pending security certificate for a Connection Server instance in the local pod.

Option: --getMsgSecLevel
Description: Gets the enhanced message security status for the local pod. This status pertains to the process of changing the JMS message security mode from Enabled to Enhanced for all the components in a Horizon 7 environment.
When the secure tunnel or PCoIP Secure Gateway is not enabled, a session is established directly between the client system and the remote desktop virtual machine, bypassing the Connection Server or security server host. This type of connection is called a direct connection.

Important: A typical network configuration that provides secure connections for external clients includes a security server.
The Blast Secure Gateway includes Blast Extreme Adaptive Transport (BEAT) networking, which dynamically adjusts to network conditions such as varying speeds and packet loss.

- Blast Secure Gateway supports BEAT networking only when running on a Unified Access Gateway appliance.
- Horizon Clients using IPv4 and Horizon Clients using IPv6 can be handled concurrently on TCP port 8443 and on UDP port 8443 (for BEAT) when connecting to a Unified Access Gateway appliance version 3.
Prerequisites

If users select remote desktops by using VMware Identity Manager, verify that VMware Identity Manager is installed and configured for use with Connection Server and that Connection Server is paired with a SAML 2.0 Authentication server.

Procedure

1 In Horizon Administrator, select View Configuration > Servers.
2 On the Connection Servers tab, select a Connection Server instance and click Edit.
3 Configure use of the Blast Secure Gateway.
Do not confuse load balancing with TLS off-loading. The preceding requirement applies to any device that is configured to provide TLS off-loading, including some types of load balancers. However, pure load balancing does not require copying of certificates between devices. For information about importing certificates to Horizon 7 servers, see "Import a Signed Server Certificate into a Windows Certificate Store" in the Horizon 7 Installation document.
Procedure

1 Create or edit the locked.properties file in the TLS/SSL gateway configuration folder on the Connection Server or security server host. For example:
  install_directory\VMware\VMware View\Server\SSLgateway\conf\locked.properties
2 To configure the Horizon 7 server's protocol, add the serverProtocol property and set it to http. The value http must be typed in lower case.
Procedure

1 Create or edit the locked.properties file in the TLS/SSL gateway configuration folder on the Horizon Connection Server or security server host. For example:
  install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
  The properties in the locked.properties file are case sensitive.
2 Add the following line to the locked.properties file:
  gatewayLocation=value
  value can be either External or Internal.
Edit the External URLs

You can use Horizon Administrator to edit external URLs for Connection Server instances and security servers. By default, a Connection Server or security server host can be contacted only by tunnel clients that reside within the same network. Tunnel clients that run outside of your network must use a client-resolvable URL to connect to a Connection Server or security server host.
4 Type the Blast Secure Gateway external URL in the Blast External URL text box. The URL must contain the HTTPS protocol, client-resolvable host name, and port number. For example: https://myserver.example.com:8443
  By default, the URL includes the FQDN of the secure tunnel external URL and the default port number, 8443. The URL must contain the FQDN and port number that a client system can use to reach this host.
- Access control lists (ACLs)

View LDAP contains directory entries that represent Horizon 7 objects.

- Remote desktop entries that represent each accessible desktop. Each entry contains references to the Foreign Security Principal (FSP) entries of Windows users and groups in Active Directory who are authorized to use the desktop.
3 Setting Up Smart Card Authentication

For added security, you can configure a Connection Server instance or security server so that users and administrators can authenticate by using smart cards. A smart card is a small plastic card that contains a computer chip. The chip, which is like a miniature computer, includes secure storage for data, including private keys and public key certificates. One type of smart card used by the United States Department of Defense is called a Common Access Card (CAC).
Logging In with a Smart Card

When a user or administrator inserts a smart card into a smart card reader, the user certificates on the smart card are copied to the local certificate store on the client system if the client operating system is Windows. The certificates in the local certificate store are available to all of the applications running on the client computer, including Horizon Client.
authentication settings. Depending on your particular environment, you might need to perform additional steps.

Procedure

1 Obtain the Certificate Authority Certificates
  You must obtain all applicable CA (certificate authority) certificates for all trusted user certificates on the smart cards presented by your users and administrators.
- The public root certificate of a trusted CA. This is the most common source of a root certificate in environments that already have a smart card infrastructure and a standardized approach to smart card distribution and authentication.

What to do next

Add the root certificate, intermediate certificate, or both to a server truststore file.
Add the CA Certificate to a Server Truststore File

You must add root certificates, intermediate certificates, or both to a server truststore file for all users and administrators that you trust. Connection Server instances and security servers use this information to authenticate smart card users and administrators.

Prerequisites

- Obtain the root or intermediate certificates that were used to sign the certificates on the smart cards presented by your users or administrators.
Prerequisites

Add the CA (certificate authority) certificates for all trusted user certificates to a server truststore file. These certificates include root certificates and can include intermediate certificates if the user's smart card certificate was issued by an intermediate certificate authority.

Procedure

1 Create or edit the locked.properties file in the TLS/SSL gateway configuration folder on the Connection Server or security server host. For example: install_directory\V
- Verify that Horizon clients make HTTPS connections directly to your Connection Server or security server host. Smart card authentication is not supported if you off-load TLS to an intermediate device.

Procedure

1 In Horizon Administrator, select View Configuration > Servers.
2 On the Connection Servers tab, select the Connection Server instance and click Edit.
3 To configure smart card authentication for remote desktop and application users, perform these steps.
  a On the Authentication tab, select a configuration option from the Smart card authentication for users drop-down menu in the View Authentication section.

    Option: Not allowed
    Action: Smart card authentication is disabled on the Connection Server instance.

    Option: Optional
    Action: Users can use smart card authentication or password authentication to connect to the Connection Server instance.
  The smart card removal policy does not apply to users who connect to the Connection Server instance with the Log in as current user check box selected, even if they log in to their client system with a smart card.
  c Configure the smart card user name hints feature. You cannot configure the smart card user name hints feature when smart card authentication is set to Not Allowed.
Configure Smart Card Authentication on Third-Party Solutions

Third-party solutions such as load balancers and gateways can perform smart card authentication by passing a SAML assertion that contains the smart card's X.509 certificate and encrypted PIN. This topic outlines the tasks involved in setting up third-party solutions to provide the relevant X.509 certificate to Connection Server after the certificate has been validated by the partner device.
- Add the Root Certificate to Trusted Root Certification Authorities
  If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
Procedure

- On your Active Directory server, use the certutil command to publish the certificate to the Enterprise NTAuth store. For example:
  certutil -dspublish -f path_to_root_CA_cert NTAuthCA

Results

The CA is now trusted to issue certificates of this type.
What to do next

If an intermediate certification authority (CA) issues your smart card login or domain controller certificates, add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory. See Add an Intermediate Certificate to Intermediate Certification Authorities.
Verify Your Smart Card Authentication Configuration

After you set up smart card authentication for the first time, or when smart card authentication is not working correctly, you should verify your smart card authentication configuration.

Procedure

- Verify that each client system has smart card middleware, a smart card with a valid certificate, and a smart card reader. For end users, verify that they have Horizon Client.
- If the domain a smart card user resides in is different from the domain your root certificate was issued from, verify that the user's UPN is set to the SAN contained in the root certificate of the trusted CA.
  a Find the SAN contained in the root certificate of the trusted CA by viewing the certificate properties.
  b On your Active Directory server, select Start > Administrative Tools > Active Directory Users and Computers.
- Logging in with OCSP Certificate Revocation Checking
  When you configure OCSP certificate revocation checking, Horizon 7 sends a request to an OCSP Responder to determine the revocation status of a specific user certificate. Horizon 7 uses an OCSP signing certificate to verify that the responses it receives from the OCSP Responder are genuine.
Prerequisites

Familiarize yourself with the locked.properties file properties for CRL checking. See Smart Card Certificate Revocation Checking Properties.

Procedure

1 Create or edit the locked.properties file in the TLS/SSL gateway configuration folder on the Connection Server or security server host. For example:
  install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
2 Add the enableRevocationChecking and crlLocation properties to the locked.
2 Add the enableRevocationChecking, enableOCSP, ocspURL, and ocspSigningCert properties to the locked.properties file.
  a Set enableRevocationChecking to true to enable smart card certificate revocation checking.
  b Set enableOCSP to true to enable OCSP certificate revocation checking.
  c Set ocspURL to the URL of the OCSP Responder.
  d Set ocspSigningCert to the location of the file that contains the OCSP Responder's signing certificate.
Table 3-1. Properties for Smart Card Certificate Revocation Checking

Property: enableRevocationChecking
Description: Set this property to true to enable certificate revocation checking. When this property is set to false, certificate revocation checking is disabled and all other certificate revocation checking properties are ignored. The default value is false.

Property: crlLocation
Description: Specifies the location of the CRL, which can be either a URL or a file path.
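The following is an added example, not VMware code: a small Python audit of a locked.properties file that applies the rules stated above for serverProtocol, gatewayLocation, and the revocation-checking properties. The function names, the sample file contents, and the host name ocsp.example.test are constructed for illustration, and the parser assumes plain key=value lines.

```python
# Added example: audit a locked.properties file against the rules stated on this page.
# Only property names that appear on the page are checked; other keys are passed over.

KNOWN = ("serverProtocol", "gatewayLocation", "enableRevocationChecking",
         "crlLocation", "enableOCSP", "ocspURL", "ocspSigningCert")
REVOCATION_DETAIL = ("crlLocation", "enableOCSP", "ocspURL", "ocspSigningCert")
BOOLEAN = ("enableRevocationChecking", "enableOCSP")


def parse_properties(text):
    """Parse key=value lines (assumption: no line continuations or ':' separators)."""
    props, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in props:
            duplicates.append(key)
        props[key] = value  # a later definition replaces an earlier one
    return props, duplicates


def audit(text):
    """Return a list of (property, message) findings for the file content."""
    props, duplicates = parse_properties(text)
    findings = [(k, "defined more than once; only the last value is kept")
                for k in duplicates]

    # Property names are case sensitive, so a near-miss is not read as the setting.
    by_lower = {k.lower(): k for k in KNOWN}
    for key in props:
        canonical = by_lower.get(key.lower())
        if canonical and canonical != key:
            findings.append((key, "names are case sensitive; expected '%s'" % canonical))

    for key in BOOLEAN:
        if key in props and props[key] not in ("true", "false"):
            findings.append((key, "expected true or false, found '%s'" % props[key]))

    protocol = props.get("serverProtocol")
    if protocol is not None and protocol != "http" and protocol.lower() == "http":
        findings.append(("serverProtocol", "the value http must be typed in lower case"))

    location = props.get("gatewayLocation")
    if location is not None and location not in ("External", "Internal"):
        findings.append(("gatewayLocation", "value must be External or Internal"))

    revocation_on = props.get("enableRevocationChecking") == "true"
    if not revocation_on:
        # Default is false, and all other revocation properties are then ignored.
        for key in REVOCATION_DETAIL:
            if key in props:
                findings.append((key, "ignored: enableRevocationChecking is not true"))
    elif props.get("enableOCSP") == "true":
        # The OCSP procedure on the page sets both of these properties.
        for key in ("ocspURL", "ocspSigningCert"):
            if not props.get(key):
                findings.append((key, "enableOCSP is true but this property is not set"))

    # serverProtocol=http is the TLS off-loading setting; the page states that smart
    # card authentication is not supported when TLS is off-loaded.
    if protocol == "http" and revocation_on:
        findings.append(("serverProtocol",
                         "http (TLS off-loading) combined with smart card revocation "
                         "checking; smart card authentication is not supported there"))
    return findings


# Constructed sample with several mistakes (not taken from a real server).
SAMPLE = """\
# constructed sample
serverProtocol=HTTP
gatewayLocation=external
EnableRevocationChecking=true
enableOCSP=true
ocspURL=http://ocsp.example.test/
"""

# Constructed corrected form of the same file.
FIXED = """\
gatewayLocation=External
enableRevocationChecking=true
enableOCSP=true
ocspURL=http://ocsp.example.test/
ocspSigningCert=ocsp_signer.cer
"""

if __name__ == "__main__":
    for prop, message in audit(SAMPLE):
        print("%-26s %s" % (prop, message))
    print("findings after correction:", len(audit(FIXED)))
```

In the first sample the misspelled EnableRevocationChecking line leaves revocation checking at its default of false, so the OCSP lines beneath it are reported as ignored.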
4 Setting Up Other Types of User Authentication

Horizon 7 uses your existing Active Directory infrastructure for user and administrator authentication and management. You can also integrate Horizon 7 with other forms of authentication besides smart cards, such as biometric authentication or two-factor authentication solutions, such as RSA SecurID and RADIUS, to authenticate remote desktop and application users.
If you have multiple Connection Server instances, you can configure two-factor authentication on some instances and a different user authentication method on others. For example, you can configure two-factor authentication only for users who access remote desktops and applications from outside the corporate network, over the Internet.
- Because some RADIUS vendors provide the ability to import users from Active Directory, end users might first be prompted to supply Active Directory credentials before being prompted for a RADIUS authentication user name and passcode.

Enable Two-Factor Authentication in Horizon Administrator

You enable a Connection Server instance for RSA SecurID authentication or RADIUS authentication by modifying Connection Server settings in Horizon Administrator.
6 For RADIUS authentication, complete the rest of the fields:
  a Select Use the same username and password for RADIUS and Windows authentication if the initial RADIUS authentication uses Windows authentication that triggers an out-of-band transmission of a token code, and this token code is used as part of a RADIUS challenge.
Troubleshooting RSA SecurID Access Denial

Access is denied when Horizon Client connects with RSA SecurID authentication.

Problem

A Horizon Client connection with RSA SecurID displays Access Denied and the RSA Authentication Manager Log Monitor displays the error Node Verification Failed.

Cause

The RSA Agent host node secret needs to be reset.

Solution

1 In Horizon Administrator, select View Configuration > Servers.
- The shared secret values on the Connection Server instance and the RADIUS server do not match.

Using SAML Authentication

The Security Assertion Markup Language (SAML) is an XML-based standard that is used to describe and exchange authentication and authorization information between different security domains. SAML passes information about users between identity providers and service providers in XML documents called SAML assertions.
Setting up VMware Identity Manager and Horizon 7 integration involves configuring VMware Identity Manager with Horizon 7 information and configuring Horizon 7 to delegate responsibility for authentication to VMware Identity Manager. To delegate responsibility for authentication to VMware Identity Manager, you must create a SAML authenticator in Horizon 7. A SAML authenticator contains the trust and metadata exchange between Horizon 7 and VMware Identity Manager.
- Make a note of the FQDN or IP address of the Workspace ONE server, VMware Identity Manager server, or external-facing load balancer.
- (Optional) If you are using Workspace ONE or VMware Identity Manager, make a note of the URL of the connector Web interface.
Option | Description
Metadata URL | (For dynamic authenticators) URL for retrieving all of the information required to exchange SAML information between the SAML identity provider and the Connection Server instance. In the URL https:///SAAS/API/1.0/GET/metadata/idp.xml, click and replace it with the FQDN or IP address of the VMware Identity Manager server or external-facing load balancer (third-party device).
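Before a dynamic authenticator is pointed at a metadata URL, the identity provider metadata it returns can be sanity-checked. The following is an added example, not VMware code: the host idm.example.com, the sample documents and all function names are constructed for illustration, and only the path /SAAS/API/1.0/GET/metadata/idp.xml comes from the Metadata URL field described above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Path from the Metadata URL field described above; the host is supplied by the caller.
METADATA_PATH = "/SAAS/API/1.0/GET/metadata/idp.xml"


def metadata_url(host):
    """Build the metadata URL from a bare FQDN or IP address."""
    if not host or any(c in host for c in "/?#@ \t"):
        raise ValueError("host must be a bare FQDN or IP address")
    return "https://" + host + METADATA_PATH


def parse_utc(value):
    """Parse an xs:dateTime in UTC such as 2031-01-01T00:00:00Z."""
    stamp = value.rstrip("Z").split(".")[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_idp_metadata(xml_text, now=None):
    """Return (summary, findings) for a SAML 2.0 identity provider metadata document."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        # Metadata is remote input: refuse DTDs rather than let the parser expand entities.
        raise ValueError("DTD or entity declaration in metadata")
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")

    findings = []
    valid_until = root.get("validUntil") or idp.get("validUntil")
    if valid_until and parse_utc(valid_until) <= now:
        findings.append("metadata expired at " + valid_until)

    # A KeyDescriptor without a 'use' attribute applies to signing as well as encryption.
    certs = [
        cert.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for cert in kd.findall(".//ds:X509Certificate", NS)
        if cert.text and cert.text.strip()
    ]
    if not certs:
        findings.append("no signing certificate: assertions could not be verified")

    endpoints = [(e.get("Binding", ""), e.get("Location", ""))
                 for e in idp.findall("md:SingleSignOnService", NS)]
    if not endpoints:
        findings.append("no SingleSignOnService endpoint")
    for _binding, location in endpoints:
        if urlsplit(location).scheme != "https":
            findings.append("SSO endpoint is not HTTPS: " + location)

    summary = {
        "entity_id": root.get("entityID"),
        "valid_until": valid_until,
        "signing_certs": len(certs),
        "sso_endpoints": endpoints,
    }
    return summary, findings


# Constructed sample documents (not captured from a real identity provider).
GOOD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idm.example.com/SAAS/API/1.0/GET/metadata/idp.xml"
    validUntil="2031-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idm.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same document made stale, downgraded to HTTP and stripped of its signing key.
BAD = (GOOD.replace("2031-01-01", "2019-01-01")
           .replace("https://idm.example.com/sso/post", "http://idm.example.com/sso/post")
           .replace(' use="signing"', ' use="encryption"'))

if __name__ == "__main__":
    print(metadata_url("idm.example.com"))
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        summary, findings = check_idp_metadata(doc)
        print(name, summary["entity_id"], findings or "no findings")
```

The check only inspects the metadata document; it does not validate the certificate chain or any signature on the metadata itself.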
Procedure
1. Start the ADSI Edit utility on your Connection Server host.
2. Expand the ADAM ADSI tree under the object path: dc=vdi,dc=vmware,dc=int,ou=Properties,ou=Global,cn=Common Attributes.
3. Select Action > Properties, and add the values for the entries pae-SAMLProxyName and pae-SAMLProxyPort.
Generate SAML Metadata So That Connection Server Can Be Used as a Service Provider

After you create and enable a SAML authenticator for the identity provider you want to use, you might need to generate Connection Server metadata. You use this metadata to create a service provider on the Unified Access Gateway appliance or a third-party load balancer that is the identity provider.
Configure Workspace ONE Access Policies in Horizon Administrator

Workspace ONE or VMware Identity Manager (vIDM) administrators can configure access policies to restrict access to entitled desktops and applications in Horizon 7. To enforce policies created in vIDM, you put Horizon Client into Workspace ONE mode so that Horizon Client can push the user into the Workspace ONE client to launch entitlements.
Procedure
1. Start the ADSI Edit utility on the Connection Server host.
2. In the Connection Settings dialog box, select or connect to DC=vdi,DC=vmware,DC=int.
3. In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the Connection Server host followed by port 389. For example: localhost:389 or mycomputer.mydomain.
5 Authenticating Users Without Requiring Credentials

After users log in to a client device or to VMware Identity Manager, they can connect to a published application or desktop without being prompted for Active Directory credentials. Administrators can choose to set up the configuration based on user requirements.
- Provide users unauthenticated access to published applications.
Providing Unauthenticated Access for Published Applications

Administrators can set up the configuration for unauthenticated users to access their published applications from a Horizon Client without requiring AD credentials. Consider setting up unauthenticated access if your users require access to a seamless application that has its own security and user management.
- Unauthenticated access is not supported with a security server or a Unified Access Gateway appliance.
- User preferences are not preserved for unauthenticated users.
- Virtual desktops are not supported for unauthenticated users.
- Horizon Administrator displays a red status for the Connection Server if the Connection Server is configured with a CA-signed certificate and enabled for unauthenticated access but a default unauthenticated user is not configured.
6. (Optional) Review the user details and add comments.
7. Click Finish.

Results
Connection Server creates the unauthenticated access user and displays the user details including user alias, user name, first and last name, number of source pods, application entitlements, and sessions. You can click the number in the Source Pods column to display pod information.

What to do next
Enable unauthenticated access for users in Connection Server.
Prerequisites
- Create a farm based on a group of RDS hosts. See "Creating Farms" in the Setting Up Published Desktops and Applications in Horizon 7 document.
- Create an application pool for published applications that run on a farm of RDS hosts. See "Creating Application Pools" in the Setting Up Published Desktops and Applications in Horizon 7 document.

Procedure
1. In Horizon Administrator, select Catalog > Application Pools and click the name of the application pool.
Delete an Unauthenticated Access User

When you delete an unauthenticated access user, you must also remove the application pool entitlements for the user. You cannot delete an unauthenticated access user who is the default user.

Note: If you delete an unauthenticated access user and if there is an existing client session for that AD user, then you must restart the client session to make the changes take effect.

Procedure
1. In Horizon Administrator, select Users and Groups.
Configure Login Deceleration for Unauthenticated Access to Published Applications

Because users do not enter credentials when using unauthenticated access, it is possible for RDS hosts to become overwhelmed by requests for published applications. Login deceleration alleviates this. You can adjust the level of deceleration. You can also block clients that do not support deceleration.

Prerequisites
- Verify that you have enabled unauthenticated access for users.
Configure Users for Hybrid Logon

After you create an unauthenticated access user, you can enable hybrid logon for the user. Enabling hybrid logon provides unauthenticated access users domain access to network resources such as file shares or network printers without the need to enter credentials.

Note: The hybrid logon feature uses the same domain user for all logged on users for a given unauthenticated access user configured for hybrid logon.
7. Select Enable Hybrid Logon.
   The Enable True SSO option is selected by default. You must have True SSO enabled for the Horizon 7 environment. Then, unauthenticated access users enabled for hybrid logon use True SSO to log in to the Connection Server instance from Horizon Client.

   Note: If the Connection Server pod is not configured for True SSO, then the user can start an entitled application with unauthenticated access.
To support this feature, user credentials are stored on both the Connection Server instance and on the client system.
- On the Connection Server instance, user credentials are encrypted and stored in the user session along with the username, domain, and optional UPN. The credentials are added when authentication occurs and are purged when the session object is destroyed. The session object is destroyed when the user logs out, the session times out, or authentication fails.
Administrators can use Horizon Client group policy settings to control the availability of the Log in as current user setting in the Options menu and to specify its default value. Administrators can also use group policy to specify which Connection Server instances accept the user identity and credential information that is passed when users select Log in as current user in Horizon Client.
To enable this feature, you must set a value in View LDAP to indicate how long to save credential information in the client. For Horizon Client for Mac, this feature is supported only in version 4.1 or later.

Note: On Windows-based Horizon clients, the feature for logging in as the current user avoids requiring users to supply credentials multiple times.
a Unified Access Gateway appliance, users are not required to also enter Active Directory credentials in order to use a virtual desktop or published desktop or application.

Note: To set up True SSO in Horizon Console, see the "Setting Up True SSO" topics available in the VMware Horizon documentation at https://docs.vmware.com/en/VMwareHorizon/index.html.
[Figure: Very Simple True SSO Architecture. Labels: AD, Certificate Authority, VMware Identity Manager Appliance, Enrollment Server, SAML Trust, Connection Server, Client]

The following figure illustrates True SSO in a single-domain architecture.
[Figure: True SSO Single Forest Multiple Domain Architecture (non HA). Labels: Forest, Domain #2, Domain #1 (Root Domain), CA, AD, Enrollment Server, VMware Identity Manager Appliance, Connection Server, Client]

The following figure illustrates True SSO in a multiple-forest architecture.
Set Up an Enterprise Certificate Authority

If you do not already have a certificate authority set up, you must add the Active Directory Certificate Services (AD CS) role to a Windows server and configure the server to be an enterprise CA. If you do already have an enterprise CA set up, verify that you are using the settings described in this procedure. You must have at least one enterprise CA, and VMware recommends that you have two for purposes of failover and load balancing.
3. On the Select Server Roles page, select Active Directory Certificate Services.
4. In the Add Roles and Features wizard, click Add Features, and leave the Include management tools check box selected.
5. On the Select Features page, accept the defaults.
6. On the Select Role Services page, select Certification Authority.
7. Follow the prompts and finish the installation.
13. Enter the following commands to restart the service:

    sc stop certsvc
    sc start certsvc

What to do next
Create a certificate template. See Create Certificate Templates Used with True SSO.

Create Certificate Templates Used with True SSO

You must create a certificate template that can be used for issuing short-lived certificates, and you must specify which computers in the domain can request this type of certificate. You can create more than one certificate template.
c. Make the following changes on the following tabs:

Tab | Action
Compatibility tab
- For Certificate Authority, select Windows Server 2008 R2.
- For Certificate Recipient, select Windows 7/Windows Server 2008 R2.
- Change the template display name to a name of your choice. Example: True SSO.
- Change the validity period to a period that is as long as a typical working day; that is, as long as the user is likely to remain logged into the system.
f. Right-click Certificate Templates and select New > Certificate Template to Issue.
   Note: This step is required for all certificate authorities that issue certificates based on this template.
g. In the Enable Certificate Templates window, select the template you just created (for example, True SSO Template) and click OK.
If you install the enrollment server on the same machine that hosts the enterprise CA, you can configure the enrollment server to prefer using the local CA. For best performance, VMware recommends combining the configuration to prefer using the local CA with the configuration to load balance the enrollment servers.
In the MMC console, if you expand the Personal folder and select Certificates in the left pane, you will see a new certificate listed in the right pane.
3. Install the enrollment server:
   a. Download the View Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes View Connection Server.
The Enrollment Service Client certificate is automatically created when a Horizon 7 or later Connection Server is installed and the VMware Horizon Connection Server service starts. The certificate is distributed through View LDAP to other Horizon 7 Connection Servers that get added to the cluster later. The certificate is then stored in a custom container (VMware Horizon View Certificates\Certificates) in the Windows Certificate Store on the computer.
Import the Enrollment Service Client Certificate on the Enrollment Server

To complete the pairing process, you use the MMC Certificates snap-in to import the Enrollment Service Client certificate into the enrollment server. You must perform this procedure on every enrollment server.

Prerequisites
- Verify that you have a Horizon 7 or later enrollment server. See Install and Set Up an Enrollment Server.
- Verify that you have the correct certificate to import.
6. Right-click the imported certificate and add a friendly name such as vdm.ec (for Enrollment Client certificate).
   VMware recommends you use a friendly name that identifies the Horizon 7 cluster, but you can use any name that helps you easily identify the client certificate.

What to do next
Configure the SAML authenticator used for delegating authentication to VMware Identity Manager. See Configure SAML Authentication to Work with True SSO.
2. On the Connection Servers tab, select a server instance to associate with the SAML authenticator and click Edit.
3. On the Authentication tab, from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu, select Allowed or Required.
   You can configure each Connection Server instance in your deployment to have different SAML authentication settings, depending on your requirements.
4. Click Manage SAML Authenticators and click Add.
What to do next
- Extend the expiration period of the Connection Server metadata so that remote sessions are not terminated after only 24 hours. See Change the Expiration Period for Service Provider Metadata on Connection Server.
- Use the vdmutil command-line interface to configure True SSO on a connection server. See Configure Horizon Connection Server for True SSO.

For more information about how SAML authentication works, see Using SAML Authentication.
Procedure
1. On a Connection Server in the cluster, open a command prompt and enter the command to add an enrollment server.

    vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server-fqdn

   The enrollment server is added to the global list.
2. Enter the command to list the information for that enrollment server.
The output shows the name of the authenticator and shows whether True SSO is enabled.

Important: You will be required to specify the authenticator name in the next step.

5. Enter the command to enable the authenticator to use True SSO mode.
Table 5-1. vdmutil Command Authentication Options
Option | Description
--authAs | Name of a Horizon 7 administrator user. Do not use domain\username or user principal name (UPN) format.
--authDomain | Fully qualified domain name or NetBIOS name of the domain for the Horizon 7 administrator user specified in the --authAs option.
--authPassword | Password for the Horizon 7 administrator user specified in the --authAs option.
Table 5-2. vdmutil truesso Command Options for Managing Enrollment Servers (continued)
Command and Options | Description
--environment --list --enrollmentServers | Lists the FQDNs of all enrollment servers in the environment.
--environment --list --enrollmentServer | Lists the FQDNs of the domains and forests that are trusted by the domains and forests to which the enrollment server belongs, and the state of the enrollment certificate, which can be VALID or INVALID.
Table 5-3. vdmutil truesso Command Options for Managing Connectors
Options | Description
--create --connector --domain domain-fqdn --template template-name --primaryEnrollmentServer enroll-server1-fqdn [--secondaryEnrollmentServer enroll-server2-fqdn] --certificateServer CA-common-name --mode {enabled|disabled} | Creates a connector for the specified domain and configures the connector to use the following settings:
- template-name is the name of the certificate template to use.
For readability, the options shown in the following table do not represent the complete command you would enter. Only the options specific to the particular task are included.
Horizon Agent Configuration Settings

You can use the GPO template on the agent OS to turn off True SSO at the pool level or to change defaults for certificate settings such as key size and count and settings for reconnect attempts.

Note: The following table shows the settings to use for configuring the agent on individual virtual machines, but you can alternatively use the Horizon Agent Configuration template files. The ADMX template file is named vdm_agent.admx.
Table 5-6. Registry Keys for Configuring True SSO on the Enrollment Server
Registry Key | Min & Max | Type | Description
ConnectToDomains | N/A | REG_MULTI_SZ | List of domains the enrollment server attempts to connect to automatically. For this multi-string registry type, the DNS fully qualified domain name (FQDN) of each domain is listed on its own line. The default is to trust all domains.
Table 5-6. Registry Keys for Configuring True SSO on the Enrollment Server (continued)
Registry Key | Min & Max | Type | Description
SubmitLatencyWarningTime | 500 - 5000 | DWORD | Submit latency warning time when the interface is marked "Degraded" (in milliseconds). The default is 1500. The enrollment server uses this setting to determine whether a CA should be considered to be in a degraded state.
Table 5-7. Advanced True SSO Settings for Connection Servers
Registry Key | Description
cs-view-certsso-enable-es-loadbalance=[true|false] | Specifies whether to enable load balancing CSR requests between two enrollment servers. The default is false. For example, add cs-view-certsso-enable-es-loadbalance=true to enable load balancing so that when certificate requests arrive, the connection server will use alternate enrollment servers.
- "sn"
- "canonicalName"
- "sAMAccountName"
- "member"
- "memberOf"
- "distinguishedName"
- "telephoneNumber"
- "primaryGroupID"

Unlock a Desktop With True SSO and Workspace ONE

After users use True SSO to log in to the desktop, they can unlock the desktop after reauthentication from the Workspace ONE portal using the same logon credentials.

Prerequisites
- Verify that you have Horizon 7 version 7.8 or later.
HKLM\Software\VMware, Inc.\VMware VDM\Agent\CertSSO[DisableCertSSOUnlock=true]

You can also disable this feature by setting the registry key DisabledFeatures=TrueSSOUnlock on Horizon Client for Windows in the following locations:
- On a Windows 32-bit operating system: [HKEY_CURRENT_USER\Software\VMware, Inc.\VMware VDM\Client] or [HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client].
- On a Windows 64-bit operating system: [HKEY_CURRENT_USER\Software\VMware, Inc.\VMwar
- You can click to expand Other Components > SAML 2.0 Authenticators to see a list of the SAML authenticators that have been created for delegating authentication to VMware Identity Manager instances. You can click the authenticator name to examine the details and status.

Note: In order for True SSO to be used, the global setting for SSO must be enabled. In Horizon Administrator, select Configuration > Global Settings, and verify that Single sign-on (SSO) is set to Enabled.
Table 5-9. Enrollment Server Connectivity (continued)
Status Text | Description
The enrollment server has read the enrollment properties at least once, but has not been able to reach a domain controller for some time. As long as the enrollment server reads the PKI configuration from a domain controller, it keeps polling for changes once every two minutes. This status will be set if the domain controller (DC) has been unreachable for a short period of time.
Table 5-12. Certificate Server Configuration Status
Status Text | Description
The certificate server does not exist in the domain. | Verify that you specified the correct name for the CA. You must specify the Common Name (CN).
The certificate is not in the NTAuth (Enterprise) store. | This CA is not an enterprise CA or its CA certificate has not been added to the NTAUTH store.
6 Configuring Role-Based Delegated Administration

One key management task in a Horizon 7 environment is to determine who can use Horizon Administrator and what tasks those users are authorized to perform. With role-based delegated administration, you can selectively assign administrative rights by assigning administrator roles to specific Active Directory users and groups.
Administrator roles typically combine all of the individual privileges required to perform a higher-level administration task. Horizon Administrator includes predefined roles that contain the privileges required to perform common administration tasks. You can assign these predefined roles to your administrator users and groups, or you can create your own roles by combining selected privileges. You cannot modify the predefined roles.
You can use Horizon Administrator to create access groups and to move existing desktop pools to access groups. When you create an automated desktop pool, a manual pool, or a farm, you can accept the default root access group or select a different access group.
Table 6-2. Different Administrators for the Same Access Group
Administrator | Role | Access Group
view-domain.com\Admin1 | Inventory Administrators | /CorporateDesktops
view-domain.com\Admin2 | Inventory Administrators (Read only) | /CorporateDesktops

In this example, the administrator called Admin1 has the Inventory Administrators role on the access group called CorporateDesktops and the administrator called Admin2 has the Inventory Administrators (Read only) role on the same access
The first permission is the same as the first permission shown in Table 6-3. Permissions on the Administrators and Groups Tab for Admin 1. The second permission is inherited from the second permission shown in Table 6-3. Permissions on the Administrators and Groups Tab for Admin 1. Because access groups inherit permissions from the root access group, Admin1 has the Administrators (Read only) role on the MarketingDesktops access group.
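The inheritance rule above can be applied to a list of permissions to see what each administrator effectively holds on each access group. This is an added example, not VMware code: the permission rows are constructed to match the Admin1 and Admin2 cases in the text, and the helper names and the "(Read only)" suffix test are assumptions made for illustration.

```python
from collections import namedtuple

ROOT = "/"
Permission = namedtuple("Permission", "admin role access_group")

# Constructed rows modelled on the Admin1 and Admin2 examples in the text.
PERMISSIONS = [
    Permission(r"view-domain.com\Admin1", "Inventory Administrators", "/CorporateDesktops"),
    Permission(r"view-domain.com\Admin2", "Inventory Administrators (Read only)", "/CorporateDesktops"),
    Permission(r"view-domain.com\Admin1", "Inventory Administrators", "/MarketingDesktops"),
    Permission(r"view-domain.com\Admin1", "Administrators (Read only)", ROOT),
]


def canonical(group):
    """Normalise a name so 'MarketingDesktops' and '/MarketingDesktops' compare equal."""
    name = group.strip().strip("/")
    return ROOT + name if name else ROOT


def is_read_only(role):
    # Assumption: read-only roles carry the "(Read only)" suffix seen in the role names above.
    return role.lower().endswith("(read only)")


def effective_roles(permissions, admin, access_group):
    """Roles an administrator holds on an access group, as sorted (role, origin) pairs."""
    target = canonical(access_group)
    roles = set()
    for perm in permissions:
        if perm.admin.lower() != admin.lower():
            continue
        group = canonical(perm.access_group)
        if group == target:
            roles.add((perm.role, "direct"))
        elif group == ROOT:
            # Every access group inherits the permissions set on the root access group.
            roles.add((perm.role, "inherited from root"))
    return sorted(roles)


def audit(permissions):
    """Return ({access_group: {admin: roles}}, root-level grants that are not read-only)."""
    groups = sorted({canonical(p.access_group) for p in permissions} | {ROOT})
    admins = sorted({p.admin for p in permissions}, key=str.lower)
    table = {}
    for group in groups:
        table[group] = {}
        for admin in admins:
            roles = effective_roles(permissions, admin, group)
            if roles:
                table[group][admin] = roles
    # A writable role on the root access group reaches every pool and farm, so list it separately.
    broad = sorted(
        (p.admin, p.role)
        for p in permissions
        if canonical(p.access_group) == ROOT and not is_read_only(p.role)
    )
    return table, broad


if __name__ == "__main__":
    table, broad = audit(PERMISSIONS)
    for group, holders in table.items():
        print(group)
        for admin, roles in holders.items():
            for role, origin in roles:
                print("   %s: %s (%s)" % (admin, role, origin))
    print("Writable roles granted on the root access group:", broad or "none")
```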
Prerequisites
- Become familiar with the predefined administrator roles. See Predefined Roles and Privileges.
- Become familiar with the best practices for creating administrator users and groups. See Best Practices for Administrator Users and Groups.
- To assign a custom role to the administrator, create the custom role. See Add a Custom Role.
2. On the Administrators and Groups tab, select the administrator user or group, click Remove User or Group, and click OK.

Results
The administrator user or group no longer appears on the Administrators and Groups tab.

Manage and Review Permissions

You can use Horizon Administrator to add, delete, and review permissions for specific administrator users and groups, for specific roles, and for specific access groups.
2. Create the permission.

Option | Action
Create a permission that includes a specific administrator user or group | a. On the Administrators and Groups tab, select the administrator or group and click Add Permission. b. Select a role. c. If the role does not apply to access groups, click Finish.
Create a permission that includes a specific role
Create a permission that includes a specific access group
2. Select the permission to delete.

Option | Action
Delete a permission that applies to a specific administrator or group | Select the administrator or group on the Administrators and Groups tab.
Delete a permission that applies to a specific role | Select the role on the Roles tab.
Delete a permission that applies to a specific access group | Select the folder on the Access Groups tab.

3. Select the permission and click Delete Permission.
- Remove an Access Group
  You can remove an access group if it does not contain any object. You cannot remove the root access group.
- Review the Desktop Pools, Application Pools, or Farms in an Access Group
  You can see the desktop pools, the application pools, or the farms in a particular access group in Horizon Administrator.
- Review the vCenter Virtual Machines in an Access Group
  You can see the vCenter virtual machines in a particular access group in Horizon Administrator.
2. Select a pool or a farm.
3. Select Change Access Group from the Access Group drop-down menu in the top window pane.
4. Select the access group and click OK.

Results
Horizon Administrator moves the pool to the access group that you selected.

Remove an Access Group

You can remove an access group if it does not contain any object. You cannot remove the root access group.
Review the vCenter Virtual Machines in an Access Group

You can see the vCenter virtual machines in a particular access group in Horizon Administrator. A vCenter virtual machine inherits the access group from its pool.

Procedure
1. In Horizon Administrator, select Resources > Machines.
2. Select the vCenter VMs tab.
   By default, the vCenter virtual machines in all access groups are displayed.
3. Select an access group from the Access Group drop-down menu.
3. Enter a name and description for the new role, select one or more privileges, and click OK.
   The new role appears in the left pane.

Modify the Privileges in a Custom Role

You can modify the privileges in a custom role. You cannot modify the predefined administrator roles.

Prerequisites
Familiarize yourself with the administrator privileges that you can use to create custom roles. See Predefined Roles and Privileges.
- Global Privileges
  Global privileges control system-wide operations, such as viewing and changing global settings. Roles that contain only global privileges cannot be applied to access groups.
- Object-Specific Privileges
  Object-specific privileges control operations on specific types of inventory objects. Roles that contain object-specific privileges can be applied to access groups.
- Internal Privileges
  Some of the predefined administrator roles contain internal privileges.
Table 6-6. Predefined Roles in Horizon Administrator
Role | User Capabilities
Administrators | Perform all administrator operations, including creating additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role can configure and manage a pod federation and manage remote pod sessions.
Table 6-6. Predefined Roles in Horizon Administrator (continued)
Role | User Capabilities
Help Desk Administrators | Perform desktop and application actions such as shutdown, reset, restart, and perform remote assistance actions such as end processes for a user's desktop or application. An administrator must have permissions on the root access group to access Horizon Help Desk Tool.
Table 6-6. Predefined Roles in Horizon Administrator (continued)
Role | User Capabilities
Local Administrators | Perform all local administrator operations, except for creating additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role cannot perform operations on the Global Data Layer or manage sessions on remote pods.
Table 6-7. Global Privileges
Privilege | User Capabilities | Predefined Roles
Console Interaction | Log in to and use Horizon Administrator.
Table 6-8. Object-Specific Privileges
Privilege | User Capabilities | Object
Enable Farms and Desktop Pools | Enable and disable desktop pools. | Desktop pool, farm
Entitle Desktop and Application Pools | Add and remove user entitlements. | Desktop pool, application pool
Manage Composer Desktop Pool Image | Resync, Refresh, and Rebalance linked-clone pools and change the default pool image. | Desktop pool
Manage Machine | Perform all machine and session-related operations.
Privileges for Managing Pools

An administrator must have certain privileges to manage pools in Horizon Administrator. The following table lists common pool management tasks and shows the privileges that are required to perform each task.

Table 6-10.
The following table lists common persistent disk management tasks and shows the privileges that are required to perform each task. You perform these tasks on the Persistent Disks page in Horizon Administrator.

Table 6-12. Persistent Disk Management Tasks and Privileges
Task | Required Privileges
Detach a disk | Manage Persistent Disks on the disk and Manage Farms and Desktop and Application Pools on the pool. For detaching primary disks, manage machines is also required.
The following table lists common tasks that the Horizon Help Desk Tool administrator can perform and shows the privileges to perform each task.

Table 6-14. Horizon Help Desk Tool Tasks and Privileges
Tasks | Required Privileges
Read-only access to Horizon Help Desk Tool. | Manage Help Desk (Read Only)
Manage global sessions. | Manage Global Sessions
Can log in to Horizon Administrator. | Console Interaction
Perform all machine and session-related commands.
Table 6-15. Privileges for General Administration Tasks and Commands
Task | Required Privileges
Add or delete an access group | Must have the Local Administrators role or Administrators role on the root access group for deleting an access group. Must have the Inventory Administrators or Local Administrators or Administrators role on the root access group.
Manage ThinApp applications and settings in Horizon Administrator | Must have the Administrators role on the root access group.
7 Configuring Policies in Horizon Administrator and Active Directory

You can use Horizon Administrator to set policies for client sessions. You can configure Active Directory group policy settings to control the behavior of View Connection Server, the PCoIP display protocol, and Horizon 7 logging and performance alarms. You can also configure Active Directory group policy settings to control the behavior of Horizon Agent, Horizon Client for Windows, Horizon Persona Management, and certain features.
- Configure Policies for Desktop Pools
  You can configure desktop-level policies to affect specific desktop pools. Desktop-level policy settings take precedence over their equivalent global policy settings.
- Configure Policies for Users
  You can configure user-level policies to affect specific users. User-level policy settings always take precedence over their equivalent global and desktop pool-level policy settings.
Prerequisites

Familiarize yourself with the policy descriptions. See Horizon 7 Policies.

Procedure

1 In Horizon Administrator, select Catalog > Desktop Pools.
2 Double-click the ID of the desktop pool and click the Policies tab.
  The Policies tab shows the current policy settings. When a setting is inherited from the equivalent global policy, Inherit appears in the Desktop Pool Policy column.
3 Click User Overrides and then click Add User.
Table 7-1. Horizon Policies

Policy: Multimedia redirection (MMR)
Description: Determines whether MMR is enabled for client systems. MMR is a Windows Media Foundation filter that forwards multimedia data from specific codecs on remote desktops directly through a TCP socket to the client system. The data is then decoded directly on the client system, where it is played. The default value is Deny.
Horizon 7 ADMX Template Files

The Horizon 7 ADMX template files provide group policy settings that allow you to control and optimize Horizon 7 components. The ADMX files are available in VMware-Horizon-Extras-Bundle-x.x.x-yyyyyyy.zip, which you can download from the VMware Downloads site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes the ZIP file. Table 7-2.
Table 7-2. Horizon ADMX Template Files (continued)

Template Name: PCoIP Client Session Variables
Template File: pcoip.client.admx
Description: Contains policy settings related to the PCoIP display protocol that affect Horizon Client for Windows. See the VMware Horizon Client for Windows Installation and Setup Guide document.

Template Name: Persona Management
Template File: ViewPM.admx
Description: Contains policy settings related to Horizon Persona Management. See the Setting Up Virtual Desktops in Horizon 7 document.
Table 7-2. Horizon ADMX Template Files (continued)

Template Name: VMware Horizon Performance Tracker
Template File: perf_tracker.admx
Description: Contains policy settings related to the VMware Horizon Performance Tracker feature. See Using VMware Horizon Performance Tracker.

Template Name: VMware Horizon Client Drive Redirection
Template File: vdm_agent_cdr.admx
Description: Contains policy settings related to the client drive redirection feature. See the Configuring Remote Desktop Features in Horizon 7 document.
Table 7-3. Horizon Server Configuration Template Settings

Setting: Enumerate Forest Trust Child Domains
Properties: Determines if every domain trusted by the domain in which the server resides is enumerated. In order to establish a complete chain of trust, the domains trusted by each trusted domain are also enumerated and the process continues recursively until all trusted domains are discovered.
Table 7-4. View Common Configuration Template: Log Configuration Settings

Setting: Number of days to keep production logs
Properties: Specifies the number of days for which log files are retained on the system. If no value is set, the default applies and log files are kept for seven days.

Setting: Maximum number of debug logs
Properties: Specifies the maximum number of debug log files to retain on the system.
Table 7-5. View Common Configuration Template: Performance Alarm Settings (continued)

Setting: Overall memory usage percentage to issue log info
Properties: Specifies the threshold at which the overall committed system memory use is logged. Committed system memory is memory that has been allocated by processes and to which the operating system has committed physical memory or a page slot in the pagefile.
Table 7-6. View Common Configuration Template: Security Settings

Setting: Only use cached revocation URLS
Properties: Certificate revocation checking will only access cached URLs. Default if not configured is false.

Setting: Revocation URL check timeout milliseconds
Properties: The cumulative timeout across all revocation URL wire retrievals in milliseconds. Not configured or value set to 0 means that Microsoft default handling is used.
8 Maintaining Horizon 7 Components

To keep your Horizon 7 components available and running, you can perform a variety of maintenance tasks.
Horizon 7 stores Connection Server configuration data in the View LDAP repository. View Composer stores configuration data for linked-clone desktops in the View Composer database. Note By default, Horizon 7 automatically backs up Connection Server and View Composer data every day at 12 AM. When you use Horizon Administrator to perform backups, Horizon 7 backs up the View LDAP configuration data and View Composer database. Both sets of backup files are stored in the same location.
You can back up the configuration immediately by selecting the Connection Server instance and clicking Backup Now.

Prerequisites

Familiarize yourself with the backup settings. See Horizon 7 Configuration Backup Settings.

Procedure

1 In Horizon Administrator, select View Configuration > Servers.
2 On the Connection Servers tab, select the Connection Server instance to be backed up and click Edit.
Table 8-1. Horizon 7 Configuration Backup Settings

Setting: Automatic backup frequency
Description:
  Every Hour. Backups take place every hour on the hour.
  Every 6 Hours. Backups take place at midnight, 6 am, noon, and 6 pm.
  Every 12 Hours. Backups take place at midnight and noon.
  Every Day. Backups take place every day at midnight.
  Every 2 Days. Backups occur at midnight on Saturday, Monday, Wednesday, and Friday.
  Every Week. Backups take place weekly at midnight on Saturday.
2 At the command prompt, type the vdmexport command and redirect the output to a file. For example:

    vdmexport > Myexport.LDF

  By default, the exported data is encrypted.

  You can specify the output file name as an argument to the -f option. For example:

    vdmexport -f Myexport.LDF

  You can export the data in plain text format (verbatim) by using the -v option. For example:

    vdmexport -f Myexport.
You can use the SviConfig utility to import the View Composer data from the .svi backup files to the View Composer SQL database. Note In certain situations, you might have to install the current version of a Connection Server instance and restore the existing Horizon 7 configuration by importing the Connection Server LDAP configuration files.
3 Uninstall all instances of Horizon Connection Server.
  Uninstall both VMware Horizon Connection Server and AD LDS Instance VMwareVDMDS.
4 Install one instance of Connection Server.
5 Stop the Connection Server instance by stopping the Windows service VMware Horizon Connection Server.
6 Click Start > Command Prompt.
7 Decrypt the encrypted LDIF file.
  At the command prompt, type the vdmimport command.
The vdmimport command updates the View LDAP repository in Connection Server with the configuration data from the LDIF file. For more information about the vdmimport command, see the Horizon 7 Installation document. Note Make sure that the configuration that is being restored matches the virtual machines that are known to vCenter Server, and to View Composer if it is in use. If necessary, restore the View Composer configuration from backup. See Restore a View Composer Database.
Procedure

1 Copy the View Composer backup files from the Connection Server computer to a location that is accessible from the computer where the VMware Horizon View Composer service is installed.
2 On the computer where View Composer is installed, stop the VMware Horizon View Composer service.
3 Open a Windows command prompt and navigate to the SviConfig executable file.
  The file is located with the View Composer application. The default path is C:\Program Files (x86)\VMware\
Table 8-2. Restoredata Result Codes (continued)

Code: 14
Description: Another application is using the VMware Horizon View Composer service. Shut down the service before executing the command.

Code: 15
Description: A problem occurred during the restore process. Details are provided in the onscreen log output.

Export Data in View Composer Database

You can export data from your View Composer database to file.
For example:

    sviconfig -operation=exportdata -dsnname=LinkedClone -username=Admin -password=Pass -outputfilepath="C:\Program Files\VMware\VMware View Composer\Export-20090304000010-foobar_test_org.SVI"

What to do next

For export result codes for the SviConfig exportdata command, see Result Codes for Exporting the View Composer Database.
2 In the System Health pane, expand View components, vSphere components, or Other components.
  - A green up arrow indicates that a component has no problems.
  - A red down arrow indicates that a component is unavailable or not functioning.
  - A yellow double arrow indicates that a component is in a warning state.
  - A question mark indicates that the status of a component is unknown.
3 Click a component name.
What to do next

You can click a machine name to see details about the machine or click the Horizon Administrator back arrow to return to the Dashboard page.

Understanding Horizon 7 Services

The operation of Connection Server instances and security servers depends on several services that run on the system. These systems are started and stopped automatically, but you might sometimes find it necessary to adjust the operation of these services manually.
Table 8-4. Horizon Connection Server Host Services

Service Name: VMware Horizon View Blast Secure Gateway
Startup Type: Automatic
Description: Provides secure HTML Access and Blast Extreme services. This service must be running if clients connect to Connection Server through the Blast Secure Gateway.

Service Name: VMware Horizon View Connection Server
Startup Type: Automatic
Description: Provides connection broker services. This service must always be running.
Table 8-5. Security Server Services (continued)

Service Name: VMware Horizon View Framework Component
Startup Type: Manual
Description: Provides event logging, security, and COM+ framework services. This service must always be running.

Service Name: VMware Horizon View PCoIP Secure Gateway
Startup Type: Manual
Description: Provides PCoIP Secure Gateway services. This service must be running if clients connect to this security server through the PCoIP Secure Gateway.
4 To change from a perpetual license to a subscription license for a Horizon 7 pod, click Use Subscription License and click OK.
  The VMware Horizon Cloud Service administrator can then enable the Horizon 7 pod for a subscription license. The Licensing panel shows the updated licensing information.
5 Verify the license expiration date.
For concurrent users, the Highest column on the Product Licensing and Usage page displays the highest number of concurrent desktop sessions and published desktop and application users since your Horizon deployment was first configured or since you last reset the Highest Count. You can monitor the number of collaborative sessions and session collaborators connected to a session.
This feature scans Active Directory for the latest user information and refreshes the Horizon 7 configuration. Updating the general user information also resets the number of named users to 0. This number appears on the Product Licensing and Usage page in Horizon Administrator. See Reset Product License Usage Data. You can also use the vdmadmin command to update user and domain information. See Updating Foreign Security Principals Using the ‑F Option.
- Migrate View Composer Without Linked-Clone Virtual Machines
  If the current VMware Horizon View Composer service does not manage any linked-clone virtual machines, you can migrate View Composer to a new physical or virtual machine without migrating the RSA keys to the new machine. The migrated VMware Horizon View Composer service can connect to the original View Composer database, or you can prepare a new database for View Composer.
- Prepare a Microsoft .
Migrate View Composer with an Existing Database

When you migrate View Composer to another physical or virtual machine, if you intend to preserve your current linked-clone virtual machines, the new VMware Horizon View Composer service must continue to use the existing View Composer database.
Procedure

1 Disable virtual machine provisioning in the vCenter Server instance that is associated with the VMware Horizon View Composer service.
  a In Horizon Administrator, select View Configuration > Servers.
  b On the vCenter Servers tab, select the vCenter Server instance and click Disable Provisioning.
2 (Optional) Migrate the View Composer database to a new location.
  If you need to take this step, consult your database administrator for migration instructions.
Migrate View Composer Without Linked-Clone Virtual Machines

If the current VMware Horizon View Composer service does not manage any linked-clone virtual machines, you can migrate View Composer to a new physical or virtual machine without migrating the RSA keys to the new machine. The migrated VMware Horizon View Composer service can connect to the original View Composer database, or you can prepare a new database for View Composer.
  c In the View Composer Server Settings pane, click Edit.
  d Provide the new View Composer settings.
    If you are installing View Composer with vCenter Server on the new machine, select View Composer co-installed with the vCenter Server.
    If you are installing View Composer on a standalone machine, select Standalone View Composer Server and provide the FQDN of the View Composer machine and the user name and password of the View Composer user.
Prerequisites

Verify that the Microsoft .NET Framework and the ASP.NET IIS registration tool are installed on the source and destination machines. See Prepare a Microsoft .NET Framework for Migrating RSA Keys.

Procedure

1 On the source machine on which the existing VMware Horizon View Composer service resides, open a command prompt and navigate to the %windir%\Microsoft.NET\Framework\v2.0xxxxx directory.
Update the Certificates on a Connection Server Instance, Security Server, or View Composer

When you receive updated server TLS certificates or intermediate certificates, you import the certificates into the Windows local computer certificate store on each Connection Server, security server, or View Composer host. Typically, server certificates expire after 12 months. Root and intermediate certificates expire after 5 or 10 years.
4 For a server certificate that is issued to View Composer, run the SviConfig ReplaceCertificate utility to bind the new certificate to the port used by View Composer.
  This utility replaces the old certificate binding with the new certificate binding.
  a Stop the VMware Horizon View Composer service.
  b Open a Windows command prompt and navigate to the SviConfig executable file.
    The file is located with the View Composer application. The default path is C:\Program Files (x86)\VMw
4 Click OK.
9 Managing ThinApp Applications in Horizon Administrator

You can use Horizon Administrator to distribute and manage applications packaged with VMware ThinApp. Managing ThinApp applications in Horizon Administrator involves capturing and storing application packages, adding ThinApp applications to Horizon Administrator, and assigning ThinApp applications to machines and desktop pools. You must have a license to use the ThinApp management feature in Horizon Administrator.
- You must configure the file and sharing permissions on the network share that hosts the MSI packages to give Read access to the built-in Active Directory group Domain Computers. If you plan to distribute ThinApp applications to domain controllers, you must also give Read access to the built-in Active Directory group Domain Controllers.
4 Add ThinApp Applications to Horizon Administrator
  You add ThinApp applications to Horizon Administrator by scanning an application repository and selecting ThinApp applications. After you add a ThinApp application to Horizon Administrator, you can assign it to machines and desktop pools.
5 Create a ThinApp Template
  You can create a template in Horizon Administrator to specify a group of ThinApp applications.
- Verify that the network share meets Horizon 7 requirements for storing ThinApp applications. See Horizon 7 Requirements for ThinApp Applications for more information.

Procedure

1 Create a shared folder on a computer in an Active Directory domain that is accessible to both your Connection Server host and remote desktops.
2 Configure the file and sharing permissions on the shared folder to give Read access to the built-in Active Directory group Domain Computers.
Add ThinApp Applications to Horizon Administrator

You add ThinApp applications to Horizon Administrator by scanning an application repository and selecting ThinApp applications. After you add a ThinApp application to Horizon Administrator, you can assign it to machines and desktop pools.

Prerequisites

Register an application repository with Horizon Administrator.

Procedure

1 In Horizon Administrator, select Catalog > ThinApps.
2 On the Summary tab, click Scan New ThinApps.
Creating ThinApp templates is optional. Note If you add an application to a ThinApp template after assigning the template to a machine or desktop pool, Horizon Administrator does not automatically assign the new application to the machine or desktop pool. If you remove an application from a ThinApp template that was previously assigned to a machine or desktop pool, the application remains assigned to the machine or desktop pool.
The amount of time it takes to install a ThinApp application depends on the size of the application. Important You can assign ThinApp applications to virtual machine-based desktops and automated desktop pools or manual pools that contain vCenter Server virtual machines. You cannot assign ThinApp applications to published desktops or traditional PCs.
- To streamline the distribution of multiple ThinApp applications, include the applications in a ThinApp template. When you assign a ThinApp template to a machine or desktop pool, Horizon Administrator installs all of the applications currently in the template.
- Do not assign a ThinApp template to a machine or desktop pool if the template contains a ThinApp application that is already assigned to that machine or desktop pool.
Results

Horizon Administrator begins installing the ThinApp application a few minutes later. After the installation is finished, the application is available to all of the users of the desktops hosted by the virtual machines.

Assign Multiple ThinApp Applications to a Machine

You can assign one or more ThinApp applications to a particular machine.

Prerequisites

Scan an application repository and add selected ThinApp applications to Horizon Administrator.
If you assign a ThinApp application to a linked-clone pool and later refresh, recompose, or rebalance the pool, Horizon Administrator reinstalls the application for you. You do not have to manually reinstall the application.

Prerequisites

Scan an application repository and add selected ThinApp applications to Horizon Administrator. See Add ThinApp Applications to Horizon Administrator.
Prerequisites

Scan an application repository and add selected ThinApp applications to Horizon Administrator. See Add ThinApp Applications to Horizon Administrator.

Procedure

1 In Horizon Administrator, select Catalog > Desktop Pools and double-click the pool ID.
2 On the Inventory tab, click ThinApps and then click Add Assignment.
  The ThinApp applications that are not already assigned to the pool appear in the table.
3 Select Assign Machines or Assign Desktop Pools from the Add Assignment drop-down menu.
  All machines or desktop pools appear in the table.
4
  Option: Find a specific machine or desktop pool
  Action: Type the name of the machine or desktop pool in the Find text box and click Find.

  Option: Find all of the machines or desktop pools that follow the same naming convention
  Action: Type a partial machine or desktop pool name in the Find text box and click Find.
Procedure

- Select the ThinApp application assignments that you want to review.

  Option: Review all of the machines and desktop pools that a particular ThinApp application is assigned to
  Action: Select Catalog > ThinApps and double-click the name of the ThinApp application. The Assignments tab shows the machines and desktop pools that the application is currently assigned to, including the installation type.
Display MSI Package Information

After you add a ThinApp application to Horizon Administrator, you can display information about its MSI package.

Procedure

1 In Horizon Administrator, select Catalog > ThinApps.
  The Summary tab lists the applications that are currently available and shows the number of full and streaming assignments.
2 Double-click the name of the application in the ThinApp column.
3 Select the Summary tab to see general information about the MSI package.
- Remove an Application Repository
  You can remove an application repository from Horizon Administrator.

Remove a ThinApp Application Assignment from Multiple Machines

You can remove an assignment to a particular ThinApp application from one or more machines.

Prerequisites

Notify the users of the remote desktops that are hosted by the machines that you intend to remove the application.
Results

Horizon Administrator uninstalls the ThinApp application a few minutes later.

Important If an end user is using the ThinApp application at the time when Horizon Administrator attempts to uninstall the application, the uninstallation fails and the application status changes to Uninstall Error. When this error occurs, you must first manually uninstall the ThinApp application files from the machine and then click Remove App Status For Desktop in Horizon Administrator.
Results

Horizon Administrator uninstalls the ThinApp applications the first time a user logs in to a remote desktop in the pool.

Remove a ThinApp Application from Horizon Administrator

When you remove a ThinApp application from Horizon Administrator, you can no longer assign the application to machines and desktop pools. You might need to remove a ThinApp application if your organization decides to replace it with a different vendor's application.
Remove an Application Repository

You can remove an application repository from Horizon Administrator. You might need to remove an application repository if you no longer need the MSI packages that it contains, or if you need to move the MSI packages to a different network share. You cannot edit the share path of an application repository in Horizon Administrator.
Solution

- If the network share path is incorrect, type the correct network share path. Network share paths that contain IP addresses are not supported.
- If the network share is not in an accessible domain, copy your application packages to a network share in a domain that is accessible from the Connection Server host.
- Verify that the file and sharing permissions on the shared folder give Read access to the built-in Active Directory group Domain Computers.
Cause

Either the ThinApp template contains an application that is already assigned to the machine or desktop pool, or the ThinApp template was previously assigned to the machine or desktop pool with a different installation type.

Solution

If the template contains a ThinApp application that is already assigned to the machine or desktop pool, create a new template that does not contain the application or edit the existing template and remove the application.
ThinApp Application Is Not Uninstalled

Horizon Administrator cannot uninstall a ThinApp application.

Problem

The ThinApp application installation status shows Uninstall Error.

Cause

Common causes for this error include the following:
- The ThinApp application was busy when Horizon Administrator tried to uninstall it.
- Network connectivity was lost between the Connection Server host and the machine.
Cause

Common causes of this problem include the following:
- The MSI file is corrupted.
- The MSI file was not created with ThinApp.
- The MSI file was created or repackaged with an unsupported version of ThinApp. You must use ThinApp version 4.6 or later.

Solution

See the ThinApp User's Guide for information on troubleshooting problems with MSI packages.
5 Register the shared folder as an application repository in Horizon Administrator.
6 In Horizon Administrator, scan the MSI packages in the application repository and add selected ThinApp applications to Horizon Administrator.
7 Decide whether to assign the ThinApp applications to machines or desktop pools.
10 Setting Up Clients in Kiosk Mode

You can set up unattended clients that can obtain access to their desktops from Horizon 7. A client in kiosk mode is a thin client or a lock-down PC that runs Horizon Client to connect to a Connection Server instance and launch a session. End users do not typically need to log in to access the client device, although the published desktop might require them to provide authentication information for some applications.
Configure Clients in Kiosk Mode

To configure Active Directory and Horizon 7 to support clients in kiosk mode, you must perform several tasks in sequence.

Prerequisites

Verify that you have the privileges required to perform the configuration tasks.
- Domain Admins or Account Operators credentials in Active Directory to make changes to the accounts of users and groups in a domain.
Prepare Active Directory and Horizon 7 for Clients in Kiosk Mode

You must configure Active Directory to accept the accounts that you create to authenticate client devices. Whenever you create a group, you must also entitle that group to the desktop pool that a client accesses. You can also prepare the desktop pool that the clients use. As a best practice, create a separate organizational unit and group to help minimize your work in administering clients in kiosk mode.
6 Configure other policies that you need to optimize and secure the remote desktops of the clients.
  For example, you might want to override the policies that connect local USB devices to the remote desktop when it is launched or when the devices are plugged in. By default, Horizon Client for Windows enables these policies for clients in kiosk mode.
Option: -nogroup
Description: Clears the setting for the default group.

Option: -ou DN
Description: Specifies the distinguished name of the default organizational unit to which client accounts are added. For example: OU=kiosk-ou,DC=myorg,DC=com
Note You cannot use the command to change the configuration of an organizational unit.

The command updates the default values for clients in the Connection Server group.
What to do next

Add accounts for the clients.

Add Accounts for Clients in Kiosk Mode

You can use the vdmadmin command to add accounts for clients to the configuration of a Connection Server group. After you add a client, it is available for use with a Connection Server instance on which you have enabled authentication of clients. You can also update the configuration of clients, or remove their accounts from the system.
Option: -genpassword
Description: Generates a password for the client's account. This is the default behavior if you do not specify either -password or -genpassword. A generated password is 16 characters long, contains at least one uppercase letter, one lowercase letter, one symbol, and one number, and can contain repeated characters. If you require a stronger password, use the -password option to specify the password.
Enable Authentication of Clients in Kiosk Mode

You can use the vdmadmin command to enable authentication of clients that attempt to connect to their remote desktops via a Connection Server instance. You must run the vdmadmin command on one of the Connection Server instances in the group that contains the Connection Server instance that clients will use to connect to their remote desktops.
Enable authentication of clients for the Connection Server instance csvr-3, and require that the clients specify their passwords to Horizon Client. Clients with automatically generated passwords cannot authenticate themselves.

    vdmadmin -Q -enable -s csvr-3 -requirepassword

What to do next

Verify the configuration of the Connection Server instances and the clients.
    Common Name : CONSVR1
    Client Authentication Enabled : false
    Password Required : false

    Common Name : CONSVR2
    Client Authentication Enabled : true
    Password Required : false

What to do next

Verify that the clients can connect to their remote desktops.

Connect to Remote Desktops from Clients in Kiosk Mode

You can run the client from the command line or use a script to connect a client to a remote session.
Procedure

- To connect to a remote session, type the appropriate command for your platform.

  Option: Windows
  Description: Enter

      "C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe" -unattended [-serverURL connection_server] [-userName user_name] [-password password]

  -password password
  Specifies the password for the client's account. If you defined a password for the account, you must specify this password.
Example: Running Horizon Client on Clients in Kiosk Mode

Run Horizon Client on a Windows client whose account name is based on its MAC address, and which has an automatically generated password.

    "C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe" -unattended -serverURL consvr2.myorg.com

Run Horizon Client on a Linux client using an assigned name and password.

    vmware-view -unattended -s 145.124.24.100 --once -u custom-Terminal21 -p "Secret1!"
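The verification step in this chapter prints, for each Connection Server instance, whether kiosk client authentication is enabled and whether a password is required. The following added example (not part of the VMware documentation) parses a saved copy of that listing and reports drift from an intended configuration. The baseline server names, the CONSVR3 record, the finding codes, and the function names are assumptions made for illustration.

```python
"""Audit kiosk-mode client authentication from a saved Connection Server listing."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One record per Connection Server instance, in the field order the listing uses.
# \s+ between fields accepts both one-field-per-line and single-line captures.
RECORD = re.compile(
    r"Common Name\s*:\s*(?P<name>\S+)\s+"
    r"Client Authentication Enabled\s*:\s*(?P<enabled>true|false)\s+"
    r"Password Required\s*:\s*(?P<password>true|false)\b",
    re.IGNORECASE,
)

# The first two records are the listing shown on this page; CONSVR3 is constructed.
SAMPLE_LISTING = """\
Common Name : CONSVR1
Client Authentication Enabled : false
Password Required : false

Common Name : CONSVR2
Client Authentication Enabled : true
Password Required : false

Common Name : CONSVR3
Client Authentication Enabled : true
Password Required : true
"""


@dataclass(frozen=True)
class ServerState:
    name: str
    client_auth_enabled: bool
    password_required: bool


def parse_listing(text: str) -> list[ServerState]:
    """Parse the listing and refuse to continue if any record is malformed."""
    records = [
        ServerState(
            name=m.group("name"),
            client_auth_enabled=m.group("enabled").lower() == "true",
            password_required=m.group("password").lower() == "true",
        )
        for m in RECORD.finditer(text)
    ]
    # Fail closed: a record that did not parse must not silently drop out of the audit.
    seen = len(re.findall(r"Common Name\s*:", text, re.IGNORECASE))
    if seen != len(records):
        raise ValueError(f"{seen - len(records)} record(s) could not be parsed")
    return records


def audit(records, kiosk_servers, require_password=False) -> list[tuple[str, str]]:
    """Compare parsed state with the servers that are meant to accept kiosk clients.

    kiosk_servers    names of the instances designated for kiosk mode (site baseline)
    require_password True if site policy is that kiosk clients must supply a password
    Returns (server, finding_code) pairs; the codes are this example's own labels.
    """
    expected = {name.upper() for name in kiosk_servers}
    present = set()
    findings = []
    for rec in records:
        key = rec.name.upper()
        present.add(key)
        if rec.client_auth_enabled and key not in expected:
            findings.append((rec.name, "UNEXPECTED_ENABLED"))
        elif not rec.client_auth_enabled and key in expected:
            findings.append((rec.name, "EXPECTED_DISABLED"))
        if rec.client_auth_enabled and require_password and not rec.password_required:
            findings.append((rec.name, "PASSWORD_NOT_REQUIRED"))
    # A designated server that is absent from the listing also needs a look.
    for name in sorted(expected - present):
        findings.append((name, "MISSING_FROM_LISTING"))
    return findings


if __name__ == "__main__":
    for server, code in audit(parse_listing(SAMPLE_LISTING), {"CONSVR2"}, require_password=True):
        print(f"{server}: {code}")
```

Set require_password only if every kiosk account has an explicitly assigned password, because clients with automatically generated passwords cannot authenticate once a password is required.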
11 Troubleshooting Horizon 7

You can use a variety of procedures for diagnosing and fixing problems that you might encounter when using Horizon 7. You can use Horizon Help Desk Tool for troubleshooting, use other troubleshooting procedures to investigate and correct problems, or obtain assistance from VMware Technical Support. For information about troubleshooting desktops and desktop pools, see the Setting Up Virtual Desktops in Horizon 7 document.
To configure Horizon Help Desk Tool, you must meet the following requirements:
- Horizon Enterprise edition license or Horizon Apps Advanced edition license for Horizon 7. To verify that you have the correct license, see Verify Horizon Help Desk Tool License.
- An event database to store information about Horizon 7 components. For more information about configuring an event database, see the Horizon 7 Installation document.
What to do next

Log in to Horizon Help Desk Tool.

Configure Role-Based Access for Horizon Help Desk Tool

You can assign predefined administrator roles to Horizon Help Desk Tool administrators to delegate the troubleshooting tasks between administrator users. You can also create custom roles and add privileges based on the predefined administrator roles.
What to do next

To troubleshoot problems, click the related tabs in the user card.

Troubleshooting Users in Horizon Help Desk Tool

In Horizon Help Desk Tool, you can view basic user information in a user card. You can click tabs in the user card to get more details about specific components.

The user details can sometimes appear in tables. You can sort these user details by table columns.
- To sort a column by ascending order, click the column once.
Table 11-1. Sessions tab

Option: Description
State: Displays information about the state of the desktop or application session.
  - Appears green, if the session is connected.
  - L, if the session is a local session or a session running in the local pod.
  - G, if the session is running in a different pod in the pod federation.
Computer Name: Name of the desktop or application session. Click the name to open the session information in a card.
Table 11-2. Desktop Entitlements (continued)

Option: Description
Type: Displays information about the type of desktop entitlement.
  - Local, for a local entitlement.
  - Global, for a global entitlement.
vCenter: Displays the name of the virtual machine in vCenter Server.
  Note: Does not display any information if the session is running in a different pod in the pod federation.
Default Protocol: Default display protocol for the desktop or application session.
Table 11-4. Activities

Option: Description
Time: Select a time range. Default is the last 12 hours.
  - Last 12 Hours
  - Last 24 Hours
  - Last 7 Days
  - Last 30 Days
  - All
Admins: Name of the administrator user.
Message: Displays messages for a user or administrator that are specific to the activities that the user or administrator performed.
Resource Name: Displays information about the desktop pool or virtual machine name on which the activity was performed.
Table 11-5. VM Details (continued)

Option: Description
Logon Duration: The time the user remained logged in to the session.
Session Duration: The time the session remained connected to Connection Server.
Connection Server: The Connection Server that the session connects to.
Unified Access Gateway Name: Name of the Unified Access Gateway appliance. This information might take 30 seconds to 60 seconds to display after connecting to the session.
CPU, Memory, and Latency

Displays charts for CPU and memory usage of the virtual or published desktop or application and the latency for the PCoIP or Blast display protocol.

Table 11-7. CPU, Memory, and Latency Details

Option: Description
Session CPU: CPU usage of the current session.
Host CPU: CPU usage of the virtual machine to which the session is assigned.
Session Memory: Memory usage of the current session.
Table 11-8. Session Logon Segments

Option: Description
Logon duration: The length of time calculated from the time the user clicks the desktop or application pool to the time when Windows Explorer starts.
Session Logon Time: The length of time that the user was logged in to the session.
Logon Segments: Displays the segments that are created during logon.
  - Brokering. Total time for Connection Server to process a session connect or reconnect.
Processes

For each session, you can view additional details about CPU and memory related processes. For example, if you notice that the CPU and memory usage for a session is abnormally high, you can view the details for the process on the Processes tab.

Table 11-9. Session Process Details

Option: Description
Process Name: Name of the session process. For example, chrome.exe.
CPU: CPU usage of the process in percent.
Memory: Memory usage of the process in KB.
Table 11-10. Application Details (continued)

Option: Description
Status: Status of the application. Displays whether the application is running or not.
Host CPU: CPU usage of the virtual machine to which the session is assigned.
Host Memory: Memory usage of the virtual machine to which the session is assigned.
Applications: List of applications that are running.
Refresh: The refresh icon refreshes the list of applications.
2 Choose a troubleshooting option.

Option: Action
Send Message: Sends a message to the user on the published desktop or virtual desktop. You can choose the severity of the message to include Warning, Info, or Error. Click Send Message and enter the type of severity and the message details, and then click Submit.
Remote Assistance: You can generate remote assistance tickets for connected desktop or application sessions.
Metrics include logon time, logon script time, CPU/memory usage, and network connection speed. Logon Monitor can also receive metrics from other VMware products to provide more information on the logon process.

Supported Platforms

Logon Monitor supports the same Windows platforms as the Horizon Agent.

Key Features

Logon Monitor provides the following features:
- Installed as part of Horizon Agent. To start the service, see KB 57051.
Table 11-11. Logon Monitor Metrics

Metric: Logon time
  Parameters: Start; End; Total Time
  Description: Metrics include the time logon starts on the guest, logon is completed and the profile is loaded and the desktop is visible, and the total time spent processing logon on the guest. Excludes any time spent outside of the guest.
Metric: Session start to logon start time
  Parameters: Total time
  Description: Time from when Windows created a user session until logon began.
Table 11-11. Logon Monitor Metrics (continued)

Metric: Profile size distribution
  Parameters: Number of Files Between 0 and 1MB; Number of Files Between 1MB and 10MB; Number of Files Between 10MB and 100MB; Number of Files Between 100MB and 1GB; Number of Files Between 1GB and 10GB
  Description: A count of the number of files in various size ranges in the user profile.
Metric: Processes started during logon
  Parameters: Name; Process ID; Parent process ID; Session ID
Horizon 7 Administration Table 11-11. Logon Monitor Metrics (continued) Metric Parameters Domain Controller Discovery n Error code n Total time Estimated network bandwidth Bandwidth Network connection details n Bandwidth Settings that can affect logon time n Slow link threshold n Slow link detected: True/False n Computer\Administrative Templates\Logon\Always wait for network at computer startup and logon n Computer\Administrative Templates\Logon\Run these programs at user logon n Comp
Registry Settings

To change the configuration settings, navigate to the registry key HKLM\Software\VMware, Inc.\VMware Logon Monitor.

Table 11-12. Logon Monitor Configuration Values

Registry Key: RemoteLogPath
  Type: REG_SZ
  Description: Path to remote share to upload logs. When logs are copied to remote log share they are placed in folders specified by the RemoteLogPath registry key. Example: \\server\share\%username%.%userdomain%. Logon Monitor creates the folders as needed.
Configuring VMware Horizon Performance Tracker

You can run Horizon Performance Tracker in a remote desktop. You can also run Horizon Performance Tracker as a published application.

Horizon Performance Tracker Features

Horizon Performance Tracker displays critical data of the following features: Table 11-13.
Table 11-14. Horizon Performance Tracker System Requirements

System: Requirements
Virtual desktop operating systems: All operating systems that support Horizon Agent, except Linux agents.
Client machine operating systems: All Horizon Client versions are supported, except Horizon Client for Linux and Horizon Client for Windows 10 UWP as published applications are not supported.
Display protocols: VMware Blast and PCoIP
.NET Framework: Horizon Performance Tracker requires .
2 Extract the perf_tracker.adml file from the VMware-Horizon-Extras-Bundle-x.x.xyyyyyyy.zip file and copy it to the appropriate language subfolder in the %systemroot%\PolicyDefinitions\ folder on the agent machine. For example, copy the en_us version of the perf_tracker.adml file to the %systemroot%\PolicyDefinitions\en_us subfolder.

3 Start the Local Group Policy Editor (gpedit.
Procedure

To run Horizon Performance Tracker in a remote desktop, use Horizon Client or HTML Access to connect to the server and start the remote desktop.

If Horizon Performance Tracker does not start automatically when the remote desktop opens, you can double-click the VMware Horizon Performance Tracker shortcut on the Windows desktop, or start Horizon Performance Tracker in the same way that you start any Windows application.
The system health dashboard in the top left of the Horizon Administrator display provides a number of links that you can use to view reports about the operation of Horizon 7:

Sessions
  Provides a link to the Sessions screen, which displays information about the status of remote desktop and application sessions.
Monitor Events in Horizon 7

The event database stores information about events that occur in the Connection Server host or group, Horizon Agent, and Horizon Administrator, and notifies you of the number of events on the dashboard. You can examine the events in detail on the Events screen.

Note: Events are listed in the Horizon Administrator interface for a limited time period. After this time, the events are only available in the historical database tables.
You might need to take some action if you see messages that are associated with Audit Failure, Error, or Warning events. You do not need to take any action for Audit Success or Information events.

Collecting Diagnostic Information for Horizon 7

You can collect diagnostic information to help VMware Technical Support diagnose and resolve issues with Horizon 7. You can collect diagnostic information for various components of Horizon 7.
Horizon 7 Administration You can alternatively log in to a specific remote desktop and run a support command that creates the DCT bundle on that desktop. If User Account Control (UAC) is turned on, you must obtain the DCT bundle in this fashion. Procedure 1 2 Log in as a user with the required privileges. Option Action On View Connection Server, using vdmadmin Log in to a standard or replica instance Connection Server as a user with the Administrators role.
You can attempt to resolve connection problems for Horizon Client for Windows before saving the diagnostic information and contacting VMware Technical Support. For more information, see "Connection Problems Between Horizon Client and Horizon Connection Server" in the Setting Up Virtual Desktops in Horizon 7 document. For information about collecting support data for other Horizon Client platforms, see the Installation and Setup Guide for that platform.
2 Type the command to run the svi-support script.

    cscript ".\svi-support.wsf" /zip

  You can use the /? option to display information about other command options that are available with the script. When the script finishes, it informs you of the name and location of the output file.

3 File a support request on the Support page of the VMware Web site and attach the output file.
Collect Diagnostic Information for Horizon Agent, Horizon Client, or Horizon Connection Server from the Console

If you have direct access to the console, you can use the support scripts to generate log files for Connection Server, Horizon Client, or remote desktops that are running Horizon Agent. This information helps VMware Technical Support diagnose any issues that arise with these components.

Prerequisites

Log in to the system that you want to collect information for.
Option: Description
6: Selects informational logging for virtual channels (Horizon Agent and Horizon Client only).
7: Selects debug logging for virtual channels (Horizon Agent and Horizon Client only).
8: Selects trace logging for virtual channels (Horizon Agent and Horizon Client only).

The script writes the zipped log files to the folder vdm-sdct on the desktop.

3 You can find the View Composer guest agent logs in the C:\Program Files\Common Files\VMware\View Composer Guest
If the output file is too large to include as an attachment (10MB or more), contact VMware Technical Support, tell them the number of your support request, and request FTP upload instructions. Alternatively, you can attach the file to your existing support request at the Support Web site.

Procedure

1 Visit the Support page at the VMware Web site and log in.

2 Click Support Request History and find the applicable support request number.
4 Install the security server again. If you intend to remove the security server entry from your Horizon 7 environment, run the vdmadmin -S command.
4 Type show proxy and press Enter.

  Netshell shows that the proxy was set to DIRECT connection. With this setting, the Connection Server computer cannot connect to the Internet if a proxy is in use in your organization.

5 Configure the proxy settings.

  For example, at the netsh winhttp> prompt, type import proxy source=ie. The proxy settings are imported to the Connection Server computer.

6 Verify the proxy settings by typing show proxy.
2 Create or edit the locked.properties file in the TLS/SSL gateway configuration folder on the Connection Server or security server host.

  For example: install_directory\VMware\VMware View\Server\SSLgateway\conf\locked.properties

3 Add the enableRevocationChecking and crlLocation properties to the locked.properties file, and set crlLocation to the local path where the CRL is stored.

4 Restart the Connection Server service or security server service to make your changes take effect.
12 Using the vdmadmin Command

You can use the vdmadmin command line interface to perform a variety of administration tasks on a Connection Server instance.

You can use vdmadmin to perform administration tasks that are not possible from within the user interface or to perform administration tasks that need to run automatically from scripts.

- vdmadmin Command Usage
  The syntax of the vdmadmin command controls its operation.
- Assigning Dedicated Machines Using the ‑L Option
  You can use the vdmadmin command with the -L option to assign machines from a dedicated pool to users.
- Displaying Information About Machines Using the -M Option
  You can use the vdmadmin command with the -M option to display information about the configuration of virtual machines or physical computers.
- Displaying Information About Users Using the ‑U Option
  You can use the vdmadmin command with the -U option to display detailed information about users.
- Unlocking or Locking Virtual Machines Using the ‑V Option
  You can use the vdmadmin command with the -V option to unlock or lock virtual machines in the data center.
If you are logged in as a user with insufficient privileges, you can use the -b option to run the command as a user who has been assigned the Administrators role, if you know that user's password. You can specify the -b option to run the vdmadmin command as the specified user in the specified domain. The following usage forms of the -b option are equivalent.

    -b username domain [password | *]
    -b username@domain [password | *]
    -b domain\username [password | *]

If you specify an a
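The kiosk-mode client commands (-password, -p) and the -b usage forms above all accept a password as a literal argument, which leaves the secret in scripts, shell history and process listings. The following Python check is an added example, not VMware code: it scans command lines for those literal forms and reports only the tool and option, never the value. The vdmadmin sample lines are constructed, and treating * as "no literal password" is an assumption based on the -b usage forms.

```python
import re

# A token is either a double-quoted string or a run of non-space characters.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# The tool name may be the last component of a (possibly unquoted) path.
TOOL_RE = re.compile(r'(?:^|[\\/])(vmware-view|vdmadmin)(?:\.exe)?$', re.IGNORECASE)

# Options whose next token is a password, per the command forms on this page.
PASSWORD_OPTS = {
    "vmware-view": {"-password", "-p"},
    "vdmadmin": {"-password"},
}

def find_inline_secrets(command_line):
    """Return [(tool, option)] for each password given as a literal argument.
    The secret itself is never returned, so findings are safe to log."""
    tokens = TOKEN_RE.findall(command_line)
    tool, start = None, 0
    for i, tok in enumerate(tokens):
        match = TOOL_RE.search(tok.strip('"'))
        if match:
            tool, start = match.group(1).lower(), i + 1
            break
    if tool is None:
        return []
    args = tokens[start:]
    findings = []
    i = 0
    while i < len(args):
        opt = args[i].lower()
        if opt in PASSWORD_OPTS[tool]:
            # Flag only when a value follows (not another option, not end of line).
            if i + 1 < len(args) and not args[i + 1].startswith("-"):
                findings.append((tool, opt))
            i += 2
            continue
        if tool == "vdmadmin" and opt == "-b" and i + 1 < len(args):
            # Identity is one token (user@domain, domain\user) or two (user domain).
            ident = args[i + 1].strip('"')
            j = i + 2 if ("@" in ident or "\\" in ident) else i + 3
            if j < len(args) and not args[j].startswith("-"):
                # Assumption: "*" stands in for the password, so nothing is exposed.
                if args[j].strip('"') != "*":
                    findings.append((tool, "-b"))
                j += 1
            i = j
            continue
        i += 1
    return findings

def audit(lines):
    """Return [(line_number, tool, option)] over a script or task export."""
    results = []
    for number, line in enumerate(lines, start=1):
        for tool, option in find_inline_secrets(line):
            results.append((number, tool, option))
    return results

# Lines 1-2 are the kiosk examples from this page; lines 3-5 are constructed.
SAMPLE_COMMANDS = [
    r'C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe -unattended -serverURL consvr2.myorg.com',
    r'vmware-view -unattended -s 145.124.24.100 --once -u custom-Terminal21 -p "Secret1!"',
    r'vdmadmin -A -b admin1 CORP * -getstatus -d dtpool2',
    r'vdmadmin -A -b CORP\admin1 ExamplePassw0rd -getstatus -d dtpool2',
    r'vdmadmin -A -b admin1@CORP -getstatus -d dtpool2',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_COMMANDS):
        print("line %d: %s passes a literal password via %s" % finding)
```

Run it over kiosk startup scripts and scheduled-task exports; a password that itself begins with a hyphen is not detected by this check.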
Table 12-2. Vdmadmin Command Options

Option: Description
-A: Administers the information that Horizon Agent records in its log files. See Configuring Logging in Horizon Agent Using the -A Option.
  Overrides the IP address reported by Horizon Agent. See Overriding IP Addresses Using the -A Option.
-F: Updates the Foreign Security Principals (FSPs) in Active Directory for all users or for specified users. See Updating Foreign Security Principals Using the ‑F Option.
Syntax

    vdmadmin -A [-b authentication_arguments] -getDCT -outfile local_file -d desktop -m machine
    vdmadmin -A [-b authentication_arguments] -getlogfile logfile -outfile local_file -d desktop -m machine
    vdmadmin -A [-b authentication_arguments] -getloglevel [-xml] -d desktop [-m machine]
    vdmadmin -A [-b authentication_arguments] -getstatus [-xml] -d desktop [-m machine]
    vdmadmin -A [-b authentication_arguments] -getversion [-xml] -d desktop [-m machine]
    vdmadmin -A [-b authenti
Table 12-3. Options for Configuring Logging in Horizon Agent (continued)

Option: Description
-outfile local_file: Specifies the name of the local file in which to save a DCT bundle or a copy of a log file.
-setloglevel level: Sets the logging level of Horizon Agent.
  debug: Logs error, warning, and debugging events.
  normal: Logs error and warning events.
  trace: Logs error, warning, informational, and debugging events.
Create the DCT bundle for the machine machine1 in the desktop pool dtpool2 and write it to the zip file C:\myfile.zip.

    vdmadmin -A -d dtpool2 -m machine1 -getDCT -outfile C:\myfile.zip

Overriding IP Addresses Using the -A Option

You can use the vdmadmin command with the -A option to override the IP address reported by Horizon Agent.
Examples

Override the IP address for the machine machine2 in the desktop pool dtpool2.

    vdmadmin -A -override -i 10.20.54.165 -d dtpool2 -m machine2

Display the IP addresses that are defined for the machine machine2 in the desktop pool dtpool2.

    vdmadmin -A -override -list -d dtpool2 -m machine2

Remove the IP addresses that are defined for the machine machine2 in the desktop pool dtpool2.
Listing and Displaying Health Monitors Using the ‑H Option

You can use the vdmadmin command -H to list the existing health monitors, to monitor instances for Horizon 7 components, and to display the details of a specific health monitor or monitor instance.
Table 12-6. Options for Listing and Displaying Health Monitors

Option: Description
-instanceid instance_id: Specifies a health monitor instance.
-list: Displays the existing health monitors if a health monitor ID is not specified.
-list -monitorid monitor_id: Displays the monitor instances for the specified health monitor ID.
-monitorid monitor_id: Specifies a health monitor ID.

Examples

List all existing health monitors in XML using Unicode characters.
You can also use the vdmadmin command with the -I option to generate Horizon 7 log messages in syslog format. See Generating Horizon 7 Event Log Messages in Syslog Format Using the ‑I Option.

Options

The following table shows the options that you can specify to list and display reports and views.

Table 12-7. Options for Listing and Displaying Reports and Views

Option: Description
-enddate yyyy-MM-dd-HH:mm:ss: Specifies an upper limit for the date of information to be displayed.
Syntax

    vdmadmin -I -eventSyslog -disable
    vdmadmin -I -eventSyslog -enable -localOnly
    vdmadmin -I -eventSyslog -enable -path path
    vdmadmin -I -eventSyslog -enable -path path -user DomainName\username -password password

Usage Notes

You can use the command to generate Horizon 7 event log messages in Syslog format. In a Syslog file, Horizon 7 event log messages are formatted in key-value pairs, which makes the logging data accessible to analytics software.
Table 12-8. Options for Generating Horizon 7 Event Log Messages in Syslog Format (continued)

Option: Description
-path: Determines the destination UNC path for the Syslog output.
-u|-user DomainName\username: Specifies the domain and username that can access the destination path for the Syslog output.

Examples

Disable generating Horizon 7 events in Syslog format.

    vdmadmin -I -eventSyslog -disable

Direct Syslog output of Horizon 7 events to the local system only.
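Because the Syslog output is key-value pairs, the guidance that Audit Failure, Error and Warning events may need action can be applied mechanically. The following Python triage is an added example, not VMware code: the sample lines are constructed, and the field names (Severity, Module, UserDisplayName, Detail) and severity spellings are assumptions to adjust to what your Connection Server actually emits.

```python
import re
from collections import Counter

# key="value" pairs; inside a value, \" \\ and \] are treated as escapes.
PAIR_RE = re.compile(r'(\w+)="((?:\\.|[^"\\])*)"')
UNESCAPE_RE = re.compile(r'\\(["\\\]])')

# Assumed spellings of the five event classes named in this guide.
ACTIONABLE = {"AUDIT_FAIL", "ERROR", "WARNING"}
NO_ACTION = {"AUDIT_SUCCESS", "INFO"}

def parse_event(line):
    """Return the key-value pairs of one log line as a dict (empty if none)."""
    return {key: UNESCAPE_RE.sub(r"\1", value)
            for key, value in PAIR_RE.findall(line)}

def triage(lines, threshold=3):
    """Split events into actionable / unknown, count unparsable lines, and
    report users with at least `threshold` audit failures."""
    actionable, unknown, skipped = [], [], 0
    failures = Counter()
    for line in lines:
        event = parse_event(line)
        severity = event.get("Severity", "").upper()
        if not severity:
            skipped += 1                  # no Severity key: not an event line
        elif severity in ACTIONABLE:
            actionable.append(event)
            if severity == "AUDIT_FAIL":
                failures[event.get("UserDisplayName", "unknown")] += 1
        elif severity not in NO_ACTION:
            unknown.append(event)         # unexpected label: review, do not drop
    repeat = {user: n for user, n in failures.items() if n >= threshold}
    return {"actionable": actionable, "unknown": unknown,
            "skipped": skipped, "repeat_failures": repeat}

# Constructed sample lines (not captured from a real Connection Server).
SAMPLE_LINES = [
    r'2020-10-01T09:00:01Z consvr1 [Severity="AUDIT_SUCCESS" Module="Broker" UserDisplayName="CORP\\jo"] login ok',
    r'2020-10-01T09:00:05Z consvr1 [Severity="AUDIT_FAIL" Module="Broker" UserDisplayName="CORP\\custom-Terminal21"] login failed',
    r'2020-10-01T09:00:06Z consvr1 [Severity="AUDIT_FAIL" Module="Broker" UserDisplayName="CORP\\custom-Terminal21"] login failed',
    r'2020-10-01T09:00:07Z consvr1 [Severity="AUDIT_FAIL" Module="Broker" UserDisplayName="CORP\\custom-Terminal21"] login failed',
    r'2020-10-01T09:01:00Z consvr1 [Severity="WARNING" Module="Agent" Detail="pool \"dtpool2\" is low on machines"] capacity',
    r'2020-10-01T09:02:00Z consvr1 [Severity="INFO" Module="Admin"] settings viewed',
    r'2020-10-01T09:02:30Z consvr1 [Severity="AUDIT_FAIL" Module="Broker" UserDisplayName="CORP\\jo"] login failed',
    '-- log rotated --',
]

if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    print("actionable events:", len(report["actionable"]))
    print("lines without events:", report["skipped"])
    for user, count in report["repeat_failures"].items():
        print("repeated audit failures: %s (%d)" % (user, count))
```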
You can assign a machine to any entitled user. You might want to do this when recovering from the loss of View LDAP data on a Connection Server instance, or when you want to change ownership of a particular machine. After a user connects to a remote desktop that Horizon 7 assigns from a dedicated pool, that remote desktop remains assigned to the user for the life span of the virtual machine that hosts the desktop.
Displaying Information About Machines Using the -M Option

You can use the vdmadmin command with the -M option to display information about the configuration of virtual machines or physical computers.

Syntax

    vdmadmin -M [-b authentication_arguments] [-m machine | [-u domain\user][-d desktop]] [-xml | -csv] [-w | -n]

Usage Notes

The command displays information about a remote desktop's underlying virtual machine or physical computer.
- Display name of the machine.
Table 12-10. Options for Displaying Information About Machines

Option: Description
-d desktop: Specifies the name of the desktop pool.
-m machine: Specifies the name of the virtual machine.
-u domain\user: Specifies the login name and domain of the user.

Examples

Display information about the underlying machine for the remote desktop in the pool dtpool2 that is assigned to the user Jo in the CORP domain and format the output as XML using ASCII characters.

    vdmadmin -M -u CORP\Jo
- Verify that VMware Tools that are provided with vSphere version 5.1 or later are installed on the virtual machine.
- Verify that the virtual machine is virtual hardware version 9 or later.
- In Horizon Administrator, verify that the Enable space reclamation option is selected for vCenter Server. See Allow vSphere to Reclaim Disk Space in Linked-Clone Virtual Machines.
Syntax

    vdmadmin -N [-b authentication_arguments] -domains {-exclude | -include | -search} -domain domain -add [-s connsvr]
    vdmadmin -N [-b authentication_arguments] -domains -list [-w | -n] [-xml]
    vdmadmin -N [-b authentication_arguments] -domains -list -active [-w | -n] [-xml]
    vdmadmin -N [-b authentication_arguments] -domains {-exclude | -include | -search} -domain domain -remove [-s connsvr]
    vdmadmin -N [-b authentication_arguments] -domains {-exclude | -include | -search} -
Table 12-12. Options for Configuring Domain Filters (continued)

Option: Description
-list: Displays the domains that are configured in the search exclusion list, exclusion list, and inclusion list on each Connection Server instance and for the Connection Server group.
-list -active: Displays the available domains for the Connection Server instance on which you run the command.
-remove: Removes a domain from a list.
-removeall: Removes all domains from a list.
    Broker Settings: CONSVR-2
    Include:
    Exclude:
    Search :

Horizon 7 limits the domain search on each Connection Server host in the group to exclude the domains FARDOM and DEPTX. The characters (*) next to the exclusion list for CONSVR-1 indicate that Horizon 7 excludes the YOURDOM domain from the results of the domain search on CONSVR-1.

Display the domain filters in XML using ASCII characters.
Horizon 7 determines which domains are accessible by traversing trust relationships, starting with the domain in which a Connection Server instance or security server resides. For a small, well-connected set of domains, Horizon 7 can quickly determine a full list of domains, but the time that this operation takes increases as the number of domains increases or as the connectivity between the domains decreases.
- The primary domain will always be available in the list even though it is added to the search exclusion list or the exclusion list.
- Connection server configurations take precedence over cluster settings. Adding or removing domains for the connection server ignores the cluster-level configuration.
- When you add a domain to the inclusion list, ensure it is not present in the search exclusion list or the exclusion list.
Horizon 7 applies the include list to the results of a domain search. If the domain hierarchy is very complex or network connectivity to some domains is poor, the domain search can be slow. In such cases, use search exclusion instead.

Example of Filtering to Exclude Domains

You can use an exclusion list to specify the domains that Horizon 7 excludes from the results of a domain search.
    Domain: DEPTY DNS:depty.mycorp.com
    Domain: DEPTZ DNS:deptz.mycorp.com

Extend the search exclusion list to exclude the DEPTX domain and all its trusted domains from the domain search for all Connection Server instances in a group. Also, exclude the YOURDOM domain from being available on CONSVR-1.

    vdmadmin -N -domains -search -domain DEPTX -add
    vdmadmin -N -domains -exclude -domain YOURDOM -add -s CONSVR-1

Display the new domain search configuration.

    C:\ vdmadmin -N -domains -list
    Domain Information (CONSVR-2)
    =============================
    Primary Domain: MYDOM
    Domain: MYDOM DNS:mydom.mycorp.com
    Domain: YOURDOM DNS:yourdom.mycorp.com

Displaying the Machines and Policies of Unentitled Users Using the ‑O and ‑P Options

You can use the vdmadmin command with the -O and -P options to display the virtual machines and policies that are assigned to users who are no longer entitled to use the system.
Table 12-15. XSL Stylesheets shows the stylesheets that you can apply to the XML output to transform it into HTML. The stylesheets are located in the directory C:\Program Files\VMware\VMware View\server\etc.

Table 12-15. XSL Stylesheets

Stylesheet File Name: Description
unentitled-machines.xsl: Transforms reports containing a list of unentitled virtual machines, grouped either by user or system, and which are currently assigned to a user. This is the default stylesheet.
Syntax

    vdmadmin -Q -clientauth -add [-b authentication_arguments] -domain domain_name -clientid client_id [-password "password" | -genpassword] [-ou DN] [-expirepassword | -noexpirepassword] [-group group_name | -nogroup] [-description "description_text"]
    vdmadmin -Q -disable [-b authentication_arguments] -s connection_server
    vdmadmin -Q -enable [-b authentication_arguments] -s connection_server [-requirepassword]
    vdmadmin -Q -clientauth -getdefaults [-b authentication_arguments]
You can define alternate prefixes to "custom-" in the pae-ClientAuthPrefix multi-valued attribute under cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int in ADAM on a Connection Server instance. Avoid using these prefixes with ordinary user accounts. If you do not specify a name for a client, Horizon 7 generates a name from the MAC address that you specify for the client device.
Table 12-16. Options for Configuring Clients in Kiosk Mode (continued)

Option: Description
-disable: Disables authentication of clients in kiosk mode on a specified Connection Server instance.
-domain domain_name: Specifies the domain for the account for the client device.
-enable: Enables authentication of clients in kiosk mode on a specified Connection Server instance.
Table 12-16. Options for Configuring Clients in Kiosk Mode (continued)

Option: Description
-s connection_server: Specifies the NetBIOS name of the Connection Server instance on which to enable or disable the authentication of clients in kiosk mode.
-setdefaults: Sets the default values that are used for adding client accounts.
-update: Updates an account for a client in kiosk mode.
Remove the account for a kiosk client specified by its MAC address from the MYORG domain.

    vdmadmin -Q -clientauth -remove -domain MYORG -clientid 00:10:db:ee:54:12

Remove the accounts of all clients without prompting to confirm the removal.

    vdmadmin -Q -clientauth -removeall -force

Enable authentication of clients for the Connection Server instance csvr-2. Clients with automatically generated passwords can authenticate themselves without providing a password.
    Client Authentication Enabled : true
    Password Required : false

Displaying the First User of a Machine Using the -R Option

You can use the vdmadmin command with the -R option to find out the initial assignment of a managed virtual machine. For example, in the event of the loss of LDAP data, you might need this information so that you can reassign virtual machines to users.
Usage Notes

To ensure high availability, Horizon 7 allows you to configure one or more replica Connection Server instances in a Connection Server group. If you disable a Connection Server instance in a group, the entry for the server persists within the Horizon 7 configuration.

You can also use the vdmadmin command with the -S option to remove a security server from your Horizon 7 environment.
Usage Notes

If your users and groups are in a domain with a one-way trust relationship with the Connection Server domain, you must provide secondary credentials for the administrator users in Horizon Administrator. Administrators must have secondary credentials to give them access to the one-way trusted domains. A one-way trusted domain can be an external domain or a domain in a transitive forest trust.
Table 12-17. Options for Providing Secondary Credentials (continued)

Option: Description
-list: Displays the security credentials for the owner account. Passwords are not displayed.
-remove: Removes a security credential from the owner account.
-removeall: Removes all security credentials from the owner account.

Examples

Add a secondary credential for the specified owner account. A Windows logon is performed to verify that the specified credentials are valid.
- Membership of Active Directory groups.
- Machine entitlements including the machine ID, display name, description, folder, and whether a machine has been disabled.
- ThinApp assignments.
- Administrator roles including the administrative rights of a user and the folders in which they have those rights.

Options

The -u option specifies the name and domain of the user.

Examples

Display information about the user Jo in the CORP domain in XML using ASCII characters.
If a remote desktop is locked and the entry for its virtual machine no longer exists in ADAM, use the -vmpath and -vcdn options to specify the inventory path of the virtual machine and the vCenter Server. You can use vCenter Client to find out the inventory path of a virtual machine for a remote desktop under Home/Inventory/VMs and Templates. You can use ADAM ADSI Edit to find out the distinguished name of the vCenter Server under the OU=Properties heading.
Usage Notes

Duplicate LDAP entries on two or more Connection Server instances can cause problems with the integrity of LDAP data in Horizon 7. This condition can occur during an upgrade, while LDAP replication is inoperative. Although Horizon 7 checks for this error condition at regular intervals, you can run the vdmadmin command on one of the Connection Server instances in the group to detect and resolve LDAP entry collisions manually.
Detect and resolve LDAP entry collisions in the local LDAP instance.

    vdmadmin -X -collisions -resolve

Detect and resolve LDAP schema collisions in the global LDAP instance.

    vdmadmin -X -schemacollisions -resolve -global