View Administration
VMware Horizon 7 7.2

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/

The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2014–2017 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents

View Administration
1 Using Horizon Administrator
   Horizon Administrator and Horizon Connection Server
   Log In to Horizon Administrator
   Tips for Using the Horizon Administrator Interface
   Troubleshooting the Text Display in Horizon Administrator
2 Configuring View Connection Server
   Configuring vCenter Server and View Composer
   Backing Up View Connection Server
   Configuring Settings for Client Sessions
   Disable or Enable View Connection Server
   Edit the External URLs
   Using Access Groups to Delegate Administration of Pools and Farms
   Understanding Permissions
   Manage Administrators
   Manage and Review Permissions
   Manage and Review Access Groups
   Manage Custom Roles
   Predefined Roles and Privileges
   Required Privileges for Common Tasks
   Best Practices for Administrator Users and Groups
7 Configuring Policies in Horizon Administrator and Active Directory
   Setting Policies in Horizon Administrator
   Using Horizon 7 Gr
12 Using the vdmadmin Command
   vdmadmin Command Usage
   Configuring Logging in Horizon Agent Using the -A Option
   Overriding IP Addresses Using the -A Option
   Setting the Name of a View Connection Server Group Using the -C Option
   Updating Foreign Security Principals Using the -F Option
   Listing and Displaying Health Monitors Using the -H Option
   Listing and Displaying Reports of View Operation Using the -I Option
   Generating View Event Log Messages in Syslog Format Using t
View Administration describes how to configure and administer VMware Horizon 7, including how to configure Horizon Connection Server, create administrators, set up user authentication, configure policies, and manage VMware ThinApp applications in Horizon Administrator. This document also describes how to maintain and troubleshoot Horizon 7 components.

Intended Audience

This information is intended for anyone who wants to configure and administer VMware Horizon 7.
Chapter 1 Using Horizon Administrator

Horizon Administrator is the Web interface through which you configure Horizon Connection Server and manage your remote desktops and applications. For a comparison of the operations that you can perform with View Administrator, View cmdlets, and vdmadmin, see the View Integration document.

Note: In Horizon 7, View Administrator is named Horizon Administrator. References in this document might use View Administrator.
Log In to Horizon Administrator

To perform initial configuration tasks, you must log in to Horizon Administrator. You access Horizon Administrator by using a secure (SSL) connection.

Prerequisites
- Verify that Horizon Connection Server is installed on a dedicated computer.
- Verify that you are using a Web browser supported by Horizon Administrator. For Horizon Administrator requirements, see the View Installation document.
Table 1-1 describes a few additional features that can help you to use Horizon Administrator.

Table 1‑1. Horizon Administrator Navigation and Display Features

Horizon Administrator Feature: Navigating backward and forward in Horizon Administrator pages
Description: Click your browser's Back button to go to the previously displayed Horizon Administrator page. Click the Forward button to return to the current page.
Horizon Administrator Feature: Selecting Horizon objects and displaying Horizon object details
Description: In Horizon Administrator tables that list Horizon objects, you can select an object or display object details.
- To select an object, click anywhere in the object's row in the table. At the top of the page, menus and commands that manage the object become active.
Chapter 2 Configuring View Connection Server

After you install and perform initial configuration of View Connection Server, you can add vCenter Server instances and View Composer services to your View deployment, set up roles to delegate administrator responsibilities, and schedule backups of your configuration data.
2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to the account in the Active Directory container in which the linked-clone computer accounts are created or to which the linked-clone computer accounts are moved.
- Verify that all View Connection Server instances in the replicated group trust the root CA certificate for the server certificate that is installed on the vCenter Server host. Check if the root CA certificate is in the Trusted Root Certification Authorities > Certificates folder in the Windows local computer certificate stores on the View Connection Server hosts. If it is not, import the root CA certificate into the Windows local computer certificate stores.
- If the vCenter Server instance is configured with a default certificate, you must first determine whether to accept the thumbprint of the existing certificate. See “Accept the Thumbprint of a Default SSL Certificate,” on page 22.

If View uses multiple vCenter Server instances, repeat this procedure to add the other vCenter Server instances.
3 If you are using View Composer, select the location of the View Composer host.

Option: View Composer is installed on the same host as vCenter Server.
Description:
   a Select View Composer co-installed with the vCenter Server.
   b Make sure that the port number is the same as the port that you specified when you installed the VMware Horizon View Composer service on vCenter Server. The default port number is 18443.
5 Click OK.
6 To add domain user accounts with privileges in other Active Directory domains in which you deploy linked-clone pools, repeat the preceding steps.
7 Click Next to display the Storage Settings page.

What to do next

Enable virtual machine disk space reclamation and configure View Storage Accelerator for View.

Allow vSphere to Reclaim Disk Space in Linked-Clone Virtual Machines

In vSphere 5.1 and later, you can enable the disk space reclamation feature for View.
Procedure
1 In View Administrator, complete the Add vCenter Server wizard pages that precede the Storage Settings page.
   a Select View Configuration > Servers.
   b On the vCenter Servers tab, click Add.
   c Complete the vCenter Server Information, View Composer Settings, and View Composer Domains pages.
2 On the Storage Settings page, make sure that Enable space reclamation is selected.
View Storage Accelerator is now qualified to work in configurations that use Horizon 7 replica tiering, in which replicas are stored on a separate datastore than linked clones. Although the performance benefits of using View Storage Accelerator with Horizon 7 replica tiering are not materially significant, certain capacity-related benefits might be realized by storing the replicas on a separate datastore. Hence, this combination is tested and supported.
Concurrent Operations Limits for vCenter Server and View Composer

When you add vCenter Server to View or edit the vCenter Server settings, you can configure several options that set the maximum number of concurrent operations that are performed by vCenter Server and View Composer. You configure these options in the Advanced Settings panel on the vCenter Server Information page.

Table 2‑1.
For example, the average desktop takes two to three minutes to start. Therefore, the concurrent power operations limit should be 3 times the peak power-on rate. The default setting of 50 is expected to support a peak power-on rate of 16 desktops per minute. The system waits a maximum of five minutes for a desktop to start. If the start time takes longer, other errors are likely to occur.
Procedure
1 When View Administrator displays an Invalid Certificate Detected dialog box, click View Certificate.
2 Examine the certificate thumbprint in the Certificate Information window.
3 Examine the certificate thumbprint that was configured for the vCenter Server or View Composer instance.
   a On the vCenter Server or View Composer host, start the MMC snap-in and open the Windows Certificate Store.
Remove View Composer from View

You can remove the connection between View and the VMware Horizon View Composer service that is associated with a vCenter Server instance. Before you disable the connection to View Composer, you must remove from View all the linked-clone virtual machines that were created by View Composer. View prevents you from removing View Composer if any associated linked clones still exist.
Solution
1 In vSphere Client, click Administration > vCenter Server Settings > Runtime Settings.
2 Type a new unique ID and click OK.

For details about editing vCenter Server unique ID values, see the vSphere documentation.

Backing Up View Connection Server

After you complete the initial configuration of View Connection Server, you should schedule regular backups of your View and View Composer configuration data.
Change the Data Recovery Password

You provide a data recovery password when you install View Connection Server version 5.1 or later. After installation, you can change this password in View Administrator. The password is required when you restore the View LDAP configuration from a backup. When you back up View Connection Server, the View LDAP configuration is exported as encrypted LDIF data. To restore the encrypted backup View configuration, you must provide the data recovery password.
Table 2‑2. General Global Settings for Client Sessions

Setting: Single sign-on (SSO)
Description: If SSO is enabled, View caches a user's credentials so that the user can launch remote desktops or applications without having to provide credentials to log in to the remote Windows session. The default is Enabled. If you plan to use the True SSO feature, introduced in Horizon 7 or later, SSO must be enabled.
Setting: Display warning before forced logoff
Description: Displays a warning message when users are forced to log off because a scheduled or immediate update such as a desktop-refresh operation is about to start. This setting also determines how long to wait after the warning is shown before the user is logged off. Check the box to display a warning message.
Setting: Hide server information in client user interface
Description: Enable this security setting to hide server URL information in Horizon Client 4.4 or later.

Setting: Hide domain list in client user interface
Description: Enable this security setting to hide the Domain drop-down menu in Horizon Client 4.4 or later.
Table 2‑3. Global Security Settings for Client Sessions and Connections

Setting: Enhanced Security Status (Read-only)
Description: Read-only field that appears when Message security mode is changed from Enabled to Enhanced. Because the change is made in phases, this field shows the progress through the phases:
- Waiting for Message Bus restart is the first phase.
Table 2‑4. Message Security Mode Options

Option: Enabled
Description: Message security mode is enabled, using a combination of message signing and encryption. JMS messages are rejected if the signature is missing or invalid, or if a message was modified after it was signed. Some JMS messages are encrypted because they carry sensitive information such as user credentials.
The additional options that you can use depend on the command option. This topic focuses on the options for message security mode. For the other options, which relate to Cloud Pod Architecture, see the Administering Cloud Pod Architecture in Horizon 7 document.

By default, the path to the vdmutil command executable file is C:\Program Files\VMware\VMware View\Server\tools\bin. To avoid entering the path on the command line, add the path to your PATH environment variable.
Table 2‑6. vdmutil Command Options

Option: --listMsgBusSecStatus
Description: Lists the message bus security status for all connection servers in the local pod.

Option: --listPendingMsgSecStatus
Description: List machines preventing a transition to or from Enhanced mode. Limited to 25 entries by default.

Option: --setMsgSecMode
Description: Sets the message security mode for the local pod.

Option: --verbose
Description: Enables verbose logging.
3 Configure use of the secure tunnel.

Option: Enable the secure tunnel
Description: Select Use Secure Tunnel connection to machine.

Option: Disable the secure tunnel
Description: Deselect Use Secure Tunnel connection to machine.

The secure tunnel is enabled by default.

4 Configure use of the PCoIP Secure Gateway.
When the Blast Secure Gateway is not enabled, client devices and client Web browsers use the VMware Blast Extreme protocol to establish direct connections to remote desktop virtual machines and applications, bypassing the Blast Secure Gateway.

Important: A typical network configuration that provides secure connections for external users includes a security server.
Do not confuse load balancing with SSL off-loading. The preceding requirement applies to any device that is configured to provide SSL off-loading, including some types of load balancers. However, pure load balancing does not require copying of certificates between devices. For information about importing certificates to View servers, see "Import a Signed Server Certificate into a Windows Certificate Store" in the View Installation document.
3 (Optional) Add properties to configure a non-default HTTP listening port and a network interface on the View server.
   - To change the HTTP listening port from 80, set serverPortNonSSL to another port number to which the intermediate device is configured to connect.
Disable or Enable View Connection Server

You can disable a View Connection Server instance to prevent users from logging in to their remote desktops and applications. After you disable an instance, you can enable it again. When you disable a View Connection Server instance, users who are currently logged in to remote desktops and applications are not affected. Your View deployment determines how users are affected by disabling an instance.
2 Type the secure tunnel external URL in the External URL text box. The URL must contain the protocol, client-resolvable host name and port number. For example: https://view.example.com:443

Note: You can use the IP address if you have to access a View Connection Server instance or security server when the host name is not resolvable.
View LDAP Directory

View LDAP is the data repository for all View configuration information. View LDAP is an embedded Lightweight Directory Access Protocol (LDAP) directory that is provided with the View Connection Server installation. View LDAP contains standard LDAP directory components that are used by View.
- View schema definitions
- Directory information tree (DIT) definitions
- Access control lists (ACLs)

View LDAP contains directory entries that represent View objects.
The pae-ReplicationStatusDataExpiryInMins attribute value should be between 10 minutes and 1440 minutes (one day). If the attribute value is less than 10 minutes, View treats it as 10 minutes. If the attribute value is greater than 1440, View treats it as 1440 minutes.
Chapter 3 Setting Up Smart Card Authentication

For added security, you can configure a View Connection Server instance or security server so that users and administrators can authenticate by using smart cards. A smart card is a small plastic card that contains a computer chip. The chip, which is like a miniature computer, includes secure storage for data, including private keys and public key certificates. One type of smart card used by the United States Department of Defense is called a Common Access Card (CAC).
Logging In with a Smart Card

When a user or administrator inserts a smart card into a smart card reader, the user certificates on the smart card are copied to the local certificate store on the client system if the client operating system is Windows. The certificates in the local certificate store are available to all of the applications running on the client computer, including Horizon Client.
3 Add the CA Certificate to a Server Truststore File on page 46
   You must add root certificates, intermediate certificates, or both to a server truststore file for all users and administrators that you trust. View Connection Server instances and security servers use this information to authenticate smart card users and administrators.
5 On the Certification Path tab, select the certificate at the top of the tree and click View Certificate. If the user certificate is signed as part of a trust hierarchy, the signing certificate might be signed by another higher-level certificate. Select the parent certificate (the one that actually signed the user certificate) as your root certificate. In some cases, the issuer might be an intermediate CA.
6 On the Details tab, click Copy to File.
Modify View Connection Server Configuration Properties

To enable smart card authentication, you must modify View Connection Server configuration properties on your View Connection Server or security server host.

Prerequisites

Add the CA (certificate authority) certificates for all trusted user certificates to a server truststore file.
2 On the Connection Servers tab, select the View Connection Server instance and click Edit.
3 To configure smart card authentication for remote desktop and application users, perform these steps.
   a On the Authentication tab, select a configuration option from the Smart card authentication for users drop-down menu in the View Authentication section.

Option: Not allowed
Action: Smart card authentication is disabled on the View Connection Server instance.
4 To configure smart card authentication for administrators logging in to View Administrator, click the Authentication tab and select a configuration option from the Smart card authentication for administrators drop-down menu in the View Administration Authentication section.

Option: Not allowed
Action: Smart card authentication is disabled on the View Connection Server instance.
Prepare Active Directory for Smart Card Authentication

You might need to perform certain tasks in Active Directory when you implement smart card authentication.
- Add UPNs for Smart Card Users on page 50
  Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users and administrators that use smart cards to authenticate in View must have a valid UPN.
Add the Root Certificate to the Enterprise NTAuth Store

If you use a CA to issue smart card login or domain controller certificates, you must add the root certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.

Procedure
- On your Active Directory server, use the certutil command to publish the certificate to the Enterprise NTAuth store.
Add an Intermediate Certificate to Intermediate Certification Authorities

If you use an intermediate certification authority (CA) to issue smart card login or domain controller certificates, you must add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory.

Procedure
1 On the Active Directory server, navigate to the Group Policy Management plug-in.
- If you configured smart card authentication on a View Connection Server instance, check the smart card authentication setting in View Administrator.
   a Select View Configuration > Servers.
   b On the Connection Servers tab, select the View Connection Server instance and click Edit.
   c If you configured smart card authentication for users, on the Authentication tab, verify that Smart card authentication for users is set to either Optional or Required.
- Logging in with OCSP Certificate Revocation Checking on page 54
  When you configure OCSP certificate revocation checking, View sends a request to an OCSP Responder to determine the revocation status of a specific user certificate. View uses an OCSP signing certificate to verify that the responses it receives from the OCSP Responder are genuine.
2 Add the enableRevocationChecking and crlLocation properties to the locked.properties file.
   a Set enableRevocationChecking to true to enable smart card certificate revocation checking.
   b Set crlLocation to the location of the CRL. The value can be a URL or a file path.
3 Restart the View Connection Server service or security server service to make your changes take effect.

Example: locked.
Smart Card Certificate Revocation Checking Properties

You set values in the locked.properties file to enable and configure smart card certificate revocation checking. Table 3-1 lists the locked.properties file properties for certificate revocation checking.

Table 3‑1. Properties for Smart Card Certificate Revocation Checking

Property: enableRevocationChecking
Description: Set this property to true to enable certificate revocation checking.
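The following Python script is an added example, not VMware code: it audits the text of a locked.properties file for the two revocation-checking properties named above and reports what is missing or malformed. The parsing rules, the accepted URL schemes, the sample file contents, and the single-backslash warning (which assumes the file is read with standard Java .properties escaping) are assumptions, not statements from this guide.

```python
import re
from urllib.parse import urlsplit

ENABLE = "enableRevocationChecking"   # property name from the guide
CRL = "crlLocation"                   # property name from the guide
URL_SCHEMES = {"http", "https", "ldap"}  # assumption: schemes treated as CRL URLs


def parse_properties(text):
    """Parse simple key=value lines; return (values, duplicate_keys).

    Blank lines and comments (# or !) are skipped. Values are kept raw, with
    no escape processing, so suspicious backslashes can still be reported.
    When a key repeats, the last value wins and the key is recorded.
    """
    values, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key in values:
            duplicates.append(key)
        values[key] = value.strip()
    return values, duplicates


def classify_crl_location(value):
    """Return 'url', 'invalid-url' or 'file' for a crlLocation value."""
    if "://" not in value:
        return "file"
    try:
        parts = urlsplit(value)
    except ValueError:
        return "invalid-url"
    if parts.scheme.lower() in URL_SCHEMES and parts.netloc:
        return "url"
    return "invalid-url"


def audit_revocation_settings(text):
    """Return a list of findings; an empty list means both steps are done."""
    values, duplicates = parse_properties(text)
    findings = []
    for key in duplicates:
        if key in (ENABLE, CRL):
            findings.append(f"{key} is defined more than once")
    if values.get(ENABLE) != "true":
        findings.append(f"{ENABLE} is not set to true")
    location = values.get(CRL, "")
    if not location:
        findings.append(f"{CRL} is not set")
        return findings
    kind = classify_crl_location(location)
    if kind == "invalid-url":
        findings.append(f"{CRL} is not a usable URL: {location}")
    elif kind == "file" and re.search(r"(?<!\\)\\(?!\\)", location):
        # Assumption: Java .properties escaping, where a lone backslash is
        # consumed as an escape character and the path is silently altered.
        findings.append(f"{CRL} file path contains a single backslash")
    return findings


# Constructed sample inputs (not taken from a real server).
GOOD = "enableRevocationChecking=true\ncrlLocation=http://crl.example.com/ca.crl\n"
BAD = r"""# constructed sample
enableRevocationChecking=false
enableRevocationChecking=true
crlLocation=C:\certs\revoked.crl
"""
MISSING = "serverPortNonSSL=8080\n"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD), ("MISSING", MISSING)):
        print(name, audit_revocation_settings(sample) or "no findings")
```

Run it against a copy of the file before restarting the View Connection Server service or security server service, so that a typo in either property is caught before the change takes effect.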
Chapter 4 Setting Up Other Types of User Authentication

View uses your existing Active Directory infrastructure for user and administrator authentication and management. You can also integrate View with other forms of authentication besides smart cards, such as biometric authentication or two-factor authentication solutions, such as RSA SecurID and RADIUS, to authenticate remote desktop and application users.
- Enable Two-Factor Authentication in View Administrator on page 58
  You enable a View Connection Server instance for RSA SecurID authentication or RADIUS authentication by modifying View Connection Server settings in View Administrator.
- Troubleshooting RSA SecurID Access Denial on page 60
  Access is denied when Horizon Client connects with RSA SecurID authentication.
3 On the Authentication tab, from the 2-factor authentication drop-down list in the Advanced Authentication section, select RSA SecurID or RADIUS.
4 To force RSA SecurID or RADIUS user names to match user names in Active Directory, select Enforce SecurID and Windows user name matching or Enforce 2-factor and Windows user name matching.
Troubleshooting RSA SecurID Access Denial

Access is denied when Horizon Client connects with RSA SecurID authentication.

Problem

A Horizon Client connection with RSA SecurID displays Access Denied and the RSA Authentication Manager Log Monitor displays the error Node Verification Failed.

Cause

The RSA Agent host node secret needs to be reset.

Solution
1 In View Administrator, select View Configuration > Servers.
Using SAML Authentication

The Security Assertion Markup Language (SAML) is an XML-based standard that is used to describe and exchange authentication and authorization information between different security domains. SAML passes information about users between identity providers and service providers in XML documents called SAML assertions.
Configure a SAML Authenticator in Horizon Administrator

To launch remote desktops and applications from VMware Identity Manager or to connect to remote desktops and applications through a third-party load balancer or gateway, you must create a SAML authenticator in Horizon Administrator. A SAML authenticator contains the trust and metadata exchange between Horizon 7 and the device to which clients connect. You associate a SAML authenticator with a Connection Server instance.
3 On the Authentication tab, select a setting from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu to enable or disable the SAML authenticator.

Option: Disabled
Description: SAML authentication is disabled. You can launch remote desktops and applications only from Horizon Client.

Option: Allowed
Description: SAML authentication is enabled.
What to do next

Extend the expiration period of the Connection Server metadata so that remote sessions are not terminated after only 24 hours. See “Change the Expiration Period for Service Provider Metadata on Connection Server,” on page 64.

Configure Proxy Support for VMware Identity Manager

Horizon 7 provides proxy support for the VMware Identity Manager (vIDM) server.
6 In the Properties dialog box, edit the pae-NameValuePair attribute to add the following values:

   cs-samlencryptionkeyvaliditydays=number-of-days
   cs-samlsigningkeyvaliditydays=number-of-days

In this example, number-of-days is the number of days that can elapse before a remote Connection Server stops accepting SAML assertions. After this period of time, the process of exchanging SAML metadata must be repeated.
Configure Workspace ONE Access Policies in Horizon Administrator

Workspace ONE, or VMware Identity Manager (vIDM), administrators can configure access policies to restrict access to entitled desktops and applications in Horizon 7. To enforce policies created in vIDM, you put Horizon Client into Workspace ONE mode so that Horizon Client can push the user into the Workspace ONE client to launch entitlements.
4 On the object CN=Common, OU=Global, OU=Properties, edit the pae-ClientConfig attribute and add the value BioMetricsTimeout=.

The following BioMetricsTimeout values are valid:

BioMetricsTimeout Value: 0
Description: Biometric authentication is not supported. This is the default.

BioMetricsTimeout Value: -1
Description: Biometric authentication is supported without any time limit.
Chapter 5 Authenticating Users Without Requiring Credentials

After users log in to a client device or to VMware Identity Manager, they can connect to a published application or desktop without being prompted for Active Directory credentials. Administrators can choose to set up the configuration based on user requirements.
- Provide users unauthenticated access to published applications.
2 Enable unauthenticated access to users and set a default unauthenticated user. See “Enable Unauthenticated Access for Users,” on page 71.
3 Entitle unauthenticated users to published applications. See “Entitle Unauthenticated Access Users to Published Applications,” on page 72.
4 Enable unauthenticated access from the Horizon Client. See “Unauthenticated Access From Horizon Client,” on page 73.
Create Users for Unauthenticated Access

Administrators can create users for unauthenticated access to published applications. After an administrator configures a user for unauthenticated access, the user can log in to the Connection Server instance from Horizon Client only with unauthenticated access.

Prerequisites
- Verify that the Active Directory (AD) user for whom you want to configure unauthenticated access has a valid UPN.
6 From the Default unauthenticated access user drop-down menu, select a user as the default user. The default user must be present on the local pod in a Cloud Pod Architecture environment. If you select a default user from a different pod, Connection Server creates the user on the local pod before it makes the user the default user.
7 (Optional) Enter the default session timeout for the user. The default session timeout is 10 minutes after being idle.
8 Click OK.
3 Select search criteria and begin the search. The search results include the user, type of session (desktop or application), machine, pool or farm, DNS name, client ID and security gateway. The session start time, duration, state, and last session also appear in the search results.

Delete an Unauthenticated Access User

When you delete an unauthenticated access user, you must also remove the application pool entitlements for the user.
Using the Log In as Current User Feature Available with Windows-Based Horizon Client

With Horizon Client for Windows, when users select the Log in as current user check box, the credentials that they provided when logging in to the client system are used to authenticate to the Horizon Connection Server instance and to the remote desktop. No further user authentication is required.
If users choose to save their credentials, the credentials are added to the login fields in Horizon Client on subsequent connections. To enable this feature, you must set a value in View LDAP to indicate how long to save credential information in the client. For Horizon Client for Mac, this feature is supported only in version 4.1 or later.
Following is a list of tasks you must perform to set up your environment for True SSO:
1 “Determining an Architecture for True SSO,” on page 76
2 “Set Up an Enterprise Certificate Authority,” on page 78
3 “Create Certificate Templates Used with True SSO,” on page 80
4 “Install and Set Up an Enrollment Server,” on page 81
5 “Export the Enrollment Service Client Certificate,” on page 83
6 “Configure SAML Authentication to Work with True SSO,” on page 85
7 “Configure View Connect
[Figure: Typical HA True SSO Architecture (Single Domain), showing CAs, AD, VMware Identity Manager Appliance, Enrollment Servers (optionally co-hosted on the CA), SAML Trust, Connection Servers, and Client]

The following figure illustrates True SSO in a single-forest with multiple domains architecture.
The following figure illustrates True SSO in a multiple-forest architecture.
Procedure
1 Log in to the virtual machine operating system as an administrator and start Server Manager.
2 Select the settings for adding roles.

Operating System: Windows Server 2012 R2
Selections:
   a Select Add roles and features.
   b On the Select Installation Type page, select Role-based or feature-based installation.
   c On the Select Destination Server page, select a server.

Operating System: Windows Server 2008 R2
Selections:
   a Select Roles in the navigation tree.
13 Enter the following commands to restart the service:

   sc stop certsvc
   sc start certsvc

What to do next

Create a certificate template. See “Create Certificate Templates Used with True SSO,” on page 80.

Create Certificate Templates Used with True SSO

You must create a certificate template that can be used for issuing short-lived certificates, and you must specify which computers in the domain can request this type of certificate.
Tab | Action
Server tab | Select Do not store certificates and requests in the CA database. Important: Make sure to deselect Do not include revocation information in issued certificates. (This box gets selected when you select the first one, and you have to deselect (clear) it.)
Issuance Requirements tab |
  - Select This number of authorized signatures, and type 1 in the box.
Security tab |
Prerequisites

- Create a Windows Server 2008 R2 or Windows Server 2012 R2 virtual machine with at least 4GB of memory, or use the virtual machine that hosts the enterprise CA. Do not use a machine that is a domain controller.
- Verify that no other View component, including View Connection Server, View Composer, security server, Horizon Client, or View Agent or Horizon Agent is installed on the virtual machine.
What to do next

- If you installed the enrollment server on the same machine that hosts an enterprise CA, configure the enrollment server to prefer using the local CA. See “Enrollment Server Configuration Settings,” on page 92.
- If you install and set up more than one enrollment server, configure connection servers to enable load balancing between the enrollment servers. See “Connection Server Configuration Settings,” on page 93.
5 When you are prompted to name the file, type a file name such as EnrollClient, for Enrollment Service Client certificate, and follow the prompts to finish exporting the certificate.

What to do next

Import the certificate into the enrollment server. See “Import the Enrollment Service Client Certificate on the Enrollment Server,” on page 84.
What to do next

Configure the SAML authenticator used for delegating authentication to VMware Identity Manager. See “Configure SAML Authentication to Work with True SSO,” on page 85.

Configure SAML Authentication to Work with True SSO

With the True SSO feature introduced in Horizon 7, users can log in to VMware Identity Manager 2.
6

   Option | Description
   Metadata URL | URL for retrieving all of the information required to exchange SAML information between the SAML identity provider and the View Connection Server instance. In the URL https:///SAAS/API/1.0/GET/metadata/idp.xml, click and replace it with the FQDN of the VMware Identity Manager server instance.
- Enrollment server
  For more information, see “Install and Set Up an Enrollment Server,” on page 81.
- Enterprise certificate authority
  For more information, see “Set Up an Enterprise Certificate Authority,” on page 78.
- Verify that you have the NetBIOS name or the FQDN of the domain.
- Verify that you have created a certificate template. See “Create Certificate Templates Used with True SSO,” on page 80.
5 Enter the command to enable the authenticator to use True SSO mode.

   vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-fqdn --truessoMode {ENABLED|ALWAYS}

   For --truessoMode, use ENABLED if you want True SSO to be used only if no password was supplied when the user logged in to VMware Identity Manager. In this case, if a password was used and cached, the system will use the password.
Command Output

The vdmutil command returns 0 when an operation succeeds and a failure-specific non-zero code when an operation fails. The vdmutil command writes error messages to standard error. When an operation produces output, or when verbose logging is enabled by using the --verbose option, the vdmutil command writes output to standard output, in US English.
Commands for Managing Connectors

You create one connector for each domain. The connector defines the parameters that are used for True SSO. For readability, the options shown in the following table do not represent the complete command you would enter. Only the options specific to the particular task are included.
Commands for Managing Authenticators

Authenticators are created when you configure SAML authentication between VMware Identity Manager and a connection server. The only management task is to enable or disable True SSO for the authenticator. For readability, the options shown in the following table do not represent the complete command you would enter. Only the options specific to the particular task are included.
Table 5‑5. Keys for Configuring True SSO on Horizon Agent

Key | Min & Max | Description
Disable True SSO | N/A | Set this key to true to disable the feature on the agent. Use this setting in the group policy to disable True SSO at the pool level. The default is false.
Certificate wait timeout | 10 - 120 | Specifies how long the agent waits for certificates to arrive, in seconds. The default is 40.
Minimum key size | 1024 - 8192 | Minimum allowed size for a key.
Table 5‑6. Registry Keys for Configuring True SSO on the Enrollment Server (Continued)

Registry Key | Min & Max | Type | Description
ConnectToTrustingDomains | N/A | REG_SZ | Specifies whether to connect to explicitly trusting/incoming domains. The default is TRUE. Use one of the following values:
  - 0 means false; do not connect to explicitly trusting/incoming domains.
  - !=0 means true.
PreferLocalCa | N/A | REG_SZ |
Table 5‑7. Advanced True SSO Settings for Connection Servers

Registry Key | Description
cs-view-certsso-enable-es-loadbalance=[true|false] | Specifies whether to enable load balancing CSR requests between two enrollment servers. The default is false. For example, add cs-view-certsso-enable-es-loadbalance=true to enable load balancing so that when certificate requests arrive, the connection server will use alternate enrollment servers.
Using the System Health Dashboard to Troubleshoot Issues Related to True SSO

You can use the system health dashboard in View Administrator to quickly see problems that might affect the operation of the True SSO feature. For end users, if True SSO stops working, when the system attempts to log the user in to the remote desktop or application, the user sees the following message: "The user name or password is incorrect.
Table 5‑9. Enrollment Server Connectivity

Status Text | Description
This domain does not exist on the enrollment server. | The True SSO connector has been configured to use this enrollment server for this domain, but the enrollment server has not yet been configured to connect to this domain. If the state remains for longer than one minute, you need to check the state of the broker currently responsible for refreshing the enrollment configuration.
Table 5‑11. Certificate Template Status

Status Text | Description
The template does not exist on the enrollment server domain. | Check that you specified the correct template name.
Certificates generated by this template can NOT be used to log on to windows. | This template does not have the smart card usage enabled and data signing enabled. Check that you specified the correct template name. Verify that you have .
Chapter 6 Configuring Role-Based Delegated Administration

One key management task in a View environment is to determine who can use View Administrator and what tasks those users are authorized to perform. With role-based delegated administration, you can selectively assign administrative rights by assigning administrator roles to specific Active Directory users and groups.
To create administrators, you select users and groups from your Active Directory users and groups and assign administrator roles. Administrators obtain privileges through their role assignments. You cannot assign privileges directly to administrators. An administrator that has multiple role assignments acquires the sum of all the privileges contained in those roles.
Table 6‑1. Different Administrators for Different Access Groups

Administrator | Role | Access Group
view-domain.com\Admin1 | Inventory Administrators | /CorporateDesktops
view-domain.com\Admin2 | Inventory Administrators | /DeveloperDesktops

In this example, the administrator called Admin1 has the Inventory Administrators role on the access group called CorporateDesktops and the administrator called Admin2 has the Inventory Administrators role on the a
Table 6‑4. Permissions on the Folders Tab for MarketingDesktops

Admin | Role | Inherited
view-domain.com\Admin1 | Inventory Administrators |
view-domain.com\Admin1 | Administrators (Read only) | Yes

The first permission is the same as the first permission shown in Table 6-3. The second permission is inherited from the second permission shown in Table 6-3.
- To assign a custom role to the administrator, create the custom role. See “Add a Custom Role,” on page 108.
- To create an administrator that can manage specific desktop pools, create an access group and move the desktop pools to that access group. See “Manage and Review Access Groups,” on page 105.

Procedure

1 In View Administrator, select View Configuration > Administrators.
2 On the Administrators and Groups tab, click Add User or Group.
- Delete a Permission on page 104
  You can delete a permission that includes a specific administrator user or group, a specific role, or a specific access group.
- Review Permissions on page 105
  You can review the permissions that include a specific administrator or group, a specific role, or a specific access group.

Add a Permission

You can add a permission that includes a specific administrator user or group, a specific role, or a specific access group.
Procedure

1 In View Administrator, select View Configuration > Administrators.
2 Select the permission to delete.

   Option | Action
   Delete a permission that applies to a specific administrator or group | Select the administrator or group on the Administrators and Groups tab.
   Delete a permission that applies to a specific role | Select the role on the Roles tab.

3
- Review the vCenter Virtual Machines in an Access Group on page 107
  You can see the vCenter virtual machines in a particular access group in View Administrator. A vCenter virtual machine inherits the access group from its pool.

Add an Access Group

You can delegate the administration of specific machines, desktop pools, or farms to different administrators by creating access groups. By default, desktop pools, application pools, and farms reside in the root access group.
Procedure

1 In View Administrator, select View Configuration > Administrators.
2 On the Access Groups tab, select the access group and click Remove Access Group.
3 Click OK to remove the access group.

Review the Desktop Pools, Application Pools, or Farms in an Access Group

You can see the desktop pools, the application pools, or the farms in a particular access group in View Administrator.
Add a Custom Role

If the predefined administrator roles do not meet your needs, you can combine specific privileges to create your own roles in View Administrator.

Prerequisites

Familiarize yourself with the administrator privileges that you can use to create custom roles. See “Predefined Roles and Privileges,” on page 109.

Procedure

1 In View Administrator, select View Configuration > Administrators.
2 On the Roles tab, click Add Role.
Predefined Roles and Privileges

View Administrator includes predefined roles that you can assign to your administrator users and groups. You can also create your own administrator roles by combining selected privileges.

- Predefined Administrator Roles on page 109
  The predefined administrator roles combine all of the individual privileges required to perform common administration tasks. You cannot modify the predefined roles.
Table 6‑6. Predefined Roles in View Administrator

Role | User Capabilities
Administrators | Perform all administrator operations, including creating additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role can configure and manage a pod federation and manage remote pod sessions.
Table 6‑6. Predefined Roles in View Administrator (Continued)

Role | User Capabilities | Applies to an Access Group
Local Administrators | Perform all local administrator operations, except for creating additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role cannot perform operations on the Global Data Layer or manage sessions on remote pods.
Object-Specific Privileges

Object-specific privileges control operations on specific types of inventory objects. Roles that contain object-specific privileges can be applied to access groups. Table 6-8 describes the object-specific privileges. The predefined roles Administrators and Inventory Administrators contain all of these privileges.

Table 6‑8. Object-Specific Privileges

Privilege | User Capabilities | Object
Enable Farms and Desktop Pools | Enable and disable desktop pools.
Required Privileges for Common Tasks

Many common administration tasks require a coordinated set of privileges. Some operations require permission at the root access group in addition to access to the object that is being manipulated.

Privileges for Managing Pools

An administrator must have certain privileges to manage pools in View Administrator.
Table 6‑12. Persistent Disk Management Tasks and Privileges

Task | Required Privileges
Detach a disk | Manage Persistent Disks on the disk and Manage Farms and Desktop and Application Pools on the pool.
Attach a disk | Manage Persistent Disks on the disk and Manage Farms and Desktop and Application Pools on the machine.
Edit a disk | Manage Persistent Disks on the disk and Manage Farms and Desktop and Application Pools on the selected pool.
Table 6‑14. Privileges for General Administration Tasks and Commands (Continued)

Task | Required Privileges
Use the vdmadmin and vdmimport commands | Must have the Administrators role on the root access group.
Use the vdmexport command | Must have the Administrators role or the Administrators (Read only) role on the root access group.
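The permission rules described in this chapter (a permission pairs an administrator with a role on an access group, root permissions are inherited, privileges add up across roles, and the command-line utilities require a role on the root access group) can be modeled for a least-privilege review. The following Python sketch is an added example, not VMware code: the role-to-privilege sets are a small constructed subset, Admin3 is hypothetical, and Admin1's root permission is assumed from the inherited entry in Table 6-4.

```python
# Added example: audit model for View Administrator permissions.
# Every administrator, role assignment and privilege set here is constructed.

ROOT = "/"  # root access group; permissions set here are inherited below it

# Privilege names come from this chapter. The sets are a deliberately small
# subset for illustration, not the full contents of the predefined roles.
OBJECT_PRIVS = frozenset({
    "Enable Farms and Desktop Pools",
    "Manage Persistent Disks",
    "Manage Farms and Desktop and Application Pools",
})
ROLE_PRIVILEGES = {
    "Administrators": OBJECT_PRIVS | {"Manage Global Configuration and Policies"},
    "Inventory Administrators": OBJECT_PRIVS,
    "Administrators (Read only)": frozenset(),
}

# Roles that must be held on the root access group (Table 6-14).
ROOT_ROLES_FOR_COMMAND = {
    "vdmadmin": {"Administrators"},
    "vdmimport": {"Administrators"},
    "vdmexport": {"Administrators", "Administrators (Read only)"},
}

# A permission is (administrator, role, access group). Constructed sample.
PERMISSIONS = [
    (r"view-domain.com\Admin1", "Inventory Administrators", "/MarketingDesktops"),
    (r"view-domain.com\Admin1", "Administrators (Read only)", ROOT),  # assumed
    (r"view-domain.com\Admin2", "Inventory Administrators", "/DeveloperDesktops"),
    (r"view-domain.com\Admin3", "Administrators", ROOT),  # hypothetical admin
]


def effective_roles(permissions, admin, access_group):
    """Return sorted (role, inherited) pairs that apply on access_group."""
    result = set()
    for who, role, group in permissions:
        if who != admin:
            continue
        if group == access_group:
            result.add((role, False))   # set directly on this access group
        elif group == ROOT:
            result.add((role, True))    # inherited from the root access group
    return sorted(result)


def effective_privileges(permissions, admin, access_group):
    """Union of the privileges of every role that applies (the 'sum')."""
    privileges = set()
    for role, _inherited in effective_roles(permissions, admin, access_group):
        privileges |= ROLE_PRIVILEGES.get(role, frozenset())
    return privileges


def can_run(permissions, admin, command):
    """True if admin holds a role on the root access group that allows command."""
    held = {role for role, _ in effective_roles(permissions, admin, ROOT)}
    return bool(held & ROOT_ROLES_FOR_COMMAND[command])


def who_can_run(permissions, command):
    """List every administrator able to run command, for review."""
    admins = {who for who, _role, _group in permissions}
    return sorted(a for a in admins if can_run(permissions, a, command))


def can_detach_disk(permissions, admin, disk_group, pool_group):
    """Table 6-12: one privilege on the disk and another on the pool."""
    on_disk = effective_privileges(permissions, admin, disk_group)
    on_pool = effective_privileges(permissions, admin, pool_group)
    return ("Manage Persistent Disks" in on_disk
            and "Manage Farms and Desktop and Application Pools" in on_pool)


if __name__ == "__main__":
    for cmd in ("vdmexport", "vdmimport"):
        print(cmd, "->", who_can_run(PERMISSIONS, cmd))
```

Reviewing the `who_can_run` output for vdmexport is worthwhile because a read-only role on the root access group is enough to export View LDAP data.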
Chapter 7 Configuring Policies in Horizon Administrator and Active Directory

You can use Horizon Administrator to set policies for client sessions. You can configure Active Directory group policy settings to control the behavior of View Connection Server, the PCoIP display protocol, and Horizon 7 logging and performance alarms. You can also configure Active Directory group policy settings to control the behavior of Horizon Agent, Horizon Client for Windows, Horizon Persona Management, and certain features.
- Horizon 7 Policies on page 119
  You can configure Horizon 7 policies to affect all client sessions, or you can apply them to affect specific desktop pools or users.

Configure Global Policy Settings

You can configure global policies to control the behavior of all client sessions users.

Prerequisites

Familiarize yourself with the policy descriptions. See “Horizon 7 Policies,” on page 119.

Procedure

1 In Horizon Administrator, select Policies > Global Policies.
5 Select one or more users from the list, click OK, and then click Next.
  The Add Individual Policy dialog box appears.
6 Configure the Horizon policies and click Finish to save your changes.

Horizon 7 Policies

You can configure Horizon 7 policies to affect all client sessions, or you can apply them to affect specific desktop pools or users. Table 7-1 describes each Horizon 7 policy setting.

Table 7‑1.
- The User Configuration policies set policies that apply to all users, regardless of the remote desktop or application they connect to. User Configuration policies override equivalent Computer Configuration policies.

Microsoft Windows applies policies at desktop startup and when users log in.

Horizon 7 ADMX Template Files

The Horizon 7 ADMX template files provide group policy settings that allow you to control and optimize Horizon 7 components.

Table 7‑2.
Table 7‑2. Horizon ADMX Template Files (Continued)

Template Name | Template File | Description
Remote Desktop Services | vmware_rdsh.admx | Contains policy settings related to Remote Desktop Services. See the Configuring Remote Desktop Features in Horizon 7 document.
Real-Time Audio-Video Configuration | vdm_agent_rtav.admx | Contains policy settings related to webcams that are used with the Real-Time Audio-Video feature.
Table 7‑3. Horizon Server Configuration Template Settings

Setting | Properties
Enumerate Forest Trust Child Domains | Determines if every domain trusted by the domain in which the server resides is enumerated. In order to establish a complete chain of trust, the domains trusted by each trusted domain are also enumerated and the process continues recursively until all trusted domains are discovered.
Table 7‑4. View Common Configuration Template: Log Configuration Settings (Continued)

Setting | Properties
Maximum debug log size in Megabytes | Specifies the maximum size in megabytes that a debug log can reach before the log file is closed and a new log file is created.
Log Directory | Specifies the full path to the directory for log files. If the location is not writeable, the default location is used.
Table 7‑5. View Common Configuration Template: Performance Alarm Settings (Continued)

Setting | Properties
Process memory usage percentage to issue log info | Specifies the threshold at which the memory usage of any individual process is logged.
Process to check, comma separated name list allowing wild cards and exclusion | Specifies a comma-separated list of queries that correspond to the name of one or more processes to be examined.
Table 7‑7. View Common Configuration Template: General Settings

Setting | Properties
Disk threshold for log and events in Megabytes | Specifies the minimum remaining disk space threshold for logs and events. If no value is specified, the default is 200. When the specified value is met, event logging stops.
Enable extended logging | Determines whether trace and debug events are included in the log files.
Chapter 8 Maintaining View Components

To keep your View components available and running, you can perform a variety of maintenance tasks.
You can perform backups in several ways.

- Schedule automatic backups by using the View configuration backup feature.
- Initiate a backup immediately by using the Backup Now feature in View Administrator.
- Manually export View LDAP data by using the vdmexport utility. This utility is provided with each instance of View Connection Server.
View Configuration Backup Settings

View can back up your View Connection Server and View Composer configuration data at regular intervals. In View Administrator, you can set the frequency and other aspects of the backup operations.

Table 8‑1. View Configuration Backup Settings

Setting | Description
Automatic backup frequency |
  Every Hour. Backups take place every hour on the hour.
  Every 6 Hours. Backups take place at midnight, 6 am, noon, and 6 pm.
  Every 12 Hours.
You can specify the output file name as an argument to the -f option. For example:

   vdmexport -f Myexport.LDF

You can export the data in plain text format (verbatim) by using the -v option. For example:

   vdmexport -f Myexport.LDF -v

You can export the data in plain text format with passwords and sensitive data removed (cleansed) by using the -c option. For example:

   vdmexport -f Myexport.LDF -c

Note: Do not plan on using cleansed backup data to restore a View LDAP configuration.
If the exported LDIF file is in plain text format, you do not have to decrypt the file.

Note: Do not import an LDIF file in cleansed format, which is plain text with passwords and other sensitive data removed. If you do, critical configuration information will be missing from the restored View LDAP repository.

For information about backing up the View LDAP repository, see “Backing Up View Connection Server and View Composer Data,” on page 127.
13 Reinstall the replica server instances.
14 Start the security server instances.
   If there is a risk that the security servers have inconsistent configuration, they should also be uninstalled rather than stopped and then reinstalled at the end of the process.

The vdmimport command updates the View LDAP repository in View Connection Server with the configuration data from the LDIF file. For more information about the vdmimport command, see the View Integration document.
3 Open a Windows command prompt and navigate to the SviConfig executable file.
  The file is located with the View Composer application. The default path is C:\Program Files (x86)\VMware\VMware View Composer\sviconfig.exe.
4 Run the SviConfig restoredata command.
- Username - The user name that is used to connect to the database. If this parameter is not specified, Windows authentication is used.
- Password - The password for the user that connects to the database. If this parameter is not specified and Windows authentication is not used, you are prompted to enter the password later.
- OutputFilePath - The path to the output file.

Procedure

1 On the computer where View Composer is installed, stop the VMware Horizon View Composer service.
Monitor View Components

You can quickly survey the status of the View and vSphere components in your View deployment by using the View Administrator dashboard. View Administrator displays monitoring information about View Connection Server instances, the event database, security servers, View Composer services, datastores, vCenter Server instances, and domains.

Note: View cannot determine status information about Kerberos domains.
The Machines page displays all machines with the selected status.

What to do next

You can click a machine name to see details about the machine or click the View Administrator back arrow to return to the Dashboard page.

Understanding View Services

The operation of View Connection Server instances and security servers depends on several services that run on the system.
Services on a View Connection Server Host

The operation of View depends on several services that run on a View Connection Server host.

Table 8‑4. View Connection Server Host Services

Service Name | Startup Type | Description
VMware Horizon View Blast Secure Gateway | Automatic | Provides secure HTML Access and Blast Extreme services. This service must be running if clients connect to View Connection Server through the Blast Secure Gateway.
Table 8‑5. Security Server Services (Continued)

Service Name | Startup Type | Description
VMware Horizon View PCoIP Secure Gateway | Manual | Provides PCoIP Secure Gateway services. This service must be running if clients connect to this security server through the PCoIP Secure Gateway.
VMware Horizon View Security Gateway Component | Manual | Provides common gateway services. This service must always be running.
For named users, View counts the number of unique users that have accessed the View environment. If a named user runs multiple single-user desktops, RDS desktops, and remote applications, the user is counted once. For named users, the Current column on the Product Licensing and Usage page displays the number of users since your View deployment was first configured or since you last reset the Named Users Count. The Highest column is not applicable to named users.
You can also use the vdmadmin command to update user and domain information. See “Updating Foreign Security Principals Using the -F Option,” on page 214.

Prerequisites

Verify that you can log in to View Administrator as an administrator with the Manage Global Configuration and Policies privilege.

Procedure

1 In View Administrator, click Users and Groups.
2 Choose whether to update information for all users or an individual user.
Guidelines for Migrating View Composer

The steps you take to migrate the VMware Horizon View Composer service depend on whether you intend to preserve existing linked-clone virtual machines. To preserve the linked-clone virtual machines in your deployment, the VMware Horizon View Composer service that you install on the new virtual or physical machine must continue to use the existing View Composer database.
- Familiarize yourself with installing the VMware Horizon View Composer service. See "Installing View Composer" in the View Installation document.
- Familiarize yourself with configuring an SSL certificate for View Composer. See "Configuring SSL Certificates for View Servers" in the View Installation document.
- Familiarize yourself with configuring View Composer in View Administrator.
Migrate View Composer Without Linked-Clone Virtual Machines

If the current VMware Horizon View Composer service does not manage any linked-clone virtual machines, you can migrate View Composer to a new physical or virtual machine without migrating the RSA keys to the new machine. The migrated VMware Horizon View Composer service can connect to the original View Composer database, or you can prepare a new database for View Composer.
  e In the Domains pane, click Verify Server Information and add or edit the View Composer domains as needed.
  f Click OK.

Prepare a Microsoft .NET Framework for Migrating RSA Keys

To use an existing View Composer database, you must migrate the RSA key container between machines. You migrate the RSA key container by using the ASP.NET IIS registration tool provided with the Microsoft .NET Framework.

Prerequisites

Download the .NET Framework and read about the ASP.
5 Type the aspnet_regiis command to migrate the RSA key pair data.

   aspnet_regiis -pi "SviKeyContainer" "path\keys.xml" -exp

   where path is the path to the exported file. The -exp option creates an exportable key pair. If a future migration is required, the keys can be exported from this machine and imported to another machine.
3 For View Connection Server or security server, add the certificate Friendly name, vdm, to the new certificate that is replacing the previous certificate.
  a Right-click the new certificate and click Properties.
  b On the General tab, in the Friendly name field, type vdm.
  c Click Apply and click OK.
4 For a server certificate that is issued to View Composer, run the SviConfig ReplaceCertificate utility to bind the new certificate to the port used by View Composer.
How VMware Ensures Your Privacy

VMware is committed to protecting your privacy and takes several steps to ensure that no data collected by the customer experience improvement program (CEIP) includes sensitive information that could uniquely identify a particular customer or user. The program does not collect any information that can be used to identify you or contact you. No data that identifies your organization or users is collected.
Additional Information About the Customer Experience Improvement Program

After you choose to participate in the CEIP, data is collected on the first View Connection Server instance that starts in a View deployment. Configuration data is collected on a weekly basis. Performance and usage data is collected on an hourly basis.
Table 8‑6.
Table 8‑8.
Table 8‑9.
Table 8‑10. Dynamic Usage Data Collected from View Connection Server (Continued)

Description | Is This Field Made Anonymous? | Example Value
Number of times application connections have been launched for a user who is entitled to n number of applications | No | List of integers
Number of times n protocol (such as PCoIP) sessions have been in existence when a user launches another application.
Table 8‑12.
Table 8‑13.
Table 8‑14.
Table 8‑18. ESX Node Information

Description | Is This Field Made Anonymous? | Example Value
Identifier of the vCenter Server that manages a particular ESXi host, along with an identifier for the ESXi host | No | 1234-ADEE-BECF-41AA-4950BCDAhost-14

Table 8‑19.
Cloud Pod Architecture Information Collected by VMware

If you join the customer experience improvement program, VMware collects data from certain Cloud Pod Architecture fields. Fields containing sensitive information are made anonymous.

Table 8‑21.
Table 8‑22. Data Collected from Horizon Clients for the Customer Experience Improvement Program

Description | Is This Field Made Anonymous? | Example Value
Company that produced the Horizon Client application | No | VMware
Product name | No | VMware Horizon Client
Client product version | No | (The format is x.x.x-yyyyyy, where x.x.x is the client version number and yyyyyy is the build number.
Table 8‑22. Data Collected from Horizon Clients for the Customer Experience Improvement Program (Continued)

Description | Is This Field Made Anonymous? | Example Value
MB of memory on the host system | No | Examples include the following:
  - 4096
  - unknown (for Windows Store)
Number of USB devices connected | No | 2 (USB device redirection is supported only for Linux, Windows, and Mac clients.
Table 8‑23. Client Data Collected for the Customer Experience Improvement Program (Continued)

Description | Field name | Is This Field Made Anonymous?
Native architecture of the browser | No | Examples include the following values:
  - Win32
  - Win64
  - MacIntel
  - iPad
Browser user agent string | No | Examples include the following values:
  - Mozilla/5.0 (Windows NT 6.1; WOW64)
  - AppleWebKit/703.00 (KHTML, like Gecko)
  - Chrome/3.0.1750
  - Safari/703.
Chapter 9 Managing ThinApp Applications in View Administrator

You can use View Administrator to distribute and manage applications packaged with VMware ThinApp. Managing ThinApp applications in View Administrator involves capturing and storing application packages, adding ThinApp applications to View Administrator, and assigning ThinApp applications to machines and desktop pools. You must have a license to use the ThinApp management feature in View Administrator.
- Make sure that a disjoint namespace does not prevent domain member computers from accessing the network share that hosts the MSI packages. A disjoint namespace occurs when an Active Directory domain name is different from the DNS namespace that is used by machines in that domain. See VMware Knowledge Base (KB) article 1023309 for more information.
- To run streamed ThinApp applications on remote desktops, users must have access to the network share that hosts the MSI packages.
Procedure
1 Start the ThinApp Setup Capture wizard and follow the prompts in the wizard.
2 When the ThinApp Setup Capture wizard prompts you for a project location, select Build MSI package.
3 If you plan to stream the application to remote desktops, set the MSIStreaming property to 1 in the package.ini file.
Procedure
1 In View Administrator, select View Configuration > ThinApp Configuration and click Add Repository.
2 Type a display name for the application repository in the Display name text box.
3 Type the path to the Windows network share that hosts your application packages in the Share path text box.
The network share path must be in the form \\ServerComputerName\ShareName where ServerComputerName is the DNS name of the server computer. Do not specify an IP address.
Creating ThinApp templates is optional.
Note If you add an application to a ThinApp template after assigning the template to a machine or desktop pool, View Administrator does not automatically assign the new application to the machine or desktop pool. If you remove an application from a ThinApp template that was previously assigned to a machine or desktop pool, the application remains assigned to the machine or desktop pool.
- Assign a ThinApp Application to Multiple Desktop Pools
  You can assign a particular ThinApp application to one or more desktop pools.
- Assign Multiple ThinApp Applications to a Desktop Pool
  You can assign one or more ThinApp applications to a particular desktop pool.
2 Select Assign Machines from the Add Assignment drop-down menu.
The machines that the ThinApp application is not already assigned to appear in the table.
3
Option | Action
Find a specific machine | Type the name of the machine in the Find text box and click Find.
Find all of the machines that follow the same naming convention | Type a partial machine name in the Find text box and click Find.
View Administrator begins installing the ThinApp applications a few minutes later. After the installation is finished, the applications are available to all of the users of the remote desktop that is hosted by the virtual machine.
Assign a ThinApp Application to Multiple Desktop Pools
You can assign a particular ThinApp application to one or more desktop pools.
Procedure
1 In View Administrator, select Catalog > Desktop Pools and double-click the pool ID.
2 On the Inventory tab, click ThinApps and then click Add Assignment.
The ThinApp applications that are not already assigned to the pool appear in the table.
3 To find a particular application, type the name of the ThinApp application in the Find text box and click Find.
4 Select a ThinApp application to assign to the pool and click Add.
5 Select an installation type and click OK.
Option | Action
Streaming | Installs a shortcut to the application on the machine. The shortcut points to the application on the network share that hosts the repository. Users must have access to the network share to run the application.
Full | Installs the full application on the machine's local file system.
Some ThinApp applications do not support both installation types.
Table 9‑1. ThinApp Application Installation Status
Status | Description
Assigned | The ThinApp application is assigned to the machine.
Install Error | An error occurred when View Administrator attempted to install the ThinApp application.
Uninstall Error | An error occurred when View Administrator attempted to uninstall the ThinApp application.
Installed | The ThinApp application is installed.
- Modify or Delete a ThinApp Template
  You can add and remove applications from a ThinApp template. You can also delete a ThinApp template.
- Remove an Application Repository
  You can remove an application repository from View Administrator.
Remove a ThinApp Application Assignment from Multiple Machines
You can remove an assignment to a particular ThinApp application from one or more machines.
Remove a ThinApp Application Assignment from Multiple Desktop Pools
You can remove an assignment to a particular ThinApp application from one or more desktop pools.
Prerequisites
Notify the users of the remote desktops in the pools that you intend to remove the application.
Procedure
1 In View Administrator, select Catalog > ThinApps and double-click the name of the ThinApp application.
Modify or Delete a ThinApp Template
You can add and remove applications from a ThinApp template. You can also delete a ThinApp template.
If you add an application to a ThinApp template after assigning the template to a machine or desktop pool, View Administrator does not automatically assign the new application to the machine or desktop pool.
Cause
The View Connection Server host cannot access the network share that hosts the application repository. The network share path that you typed in the Share path text box might be incorrect, the network share that hosts the application repository is in a domain that is not accessible from the View Connection Server host, or the network share permissions have not been set up properly.
Solution
If the template contains a ThinApp application that is already assigned to the machine or desktop pool, create a new template that does not contain the application or edit the existing template and remove the application. Assign the new or modified template to the machine or desktop pool.
To change the installation type of a ThinApp application, you must remove the existing application assignment from the machine or desktop pool.
Horizon Agent log files are located on the machine in drive:\Documents and Settings\All Users\Application Data\VMware\VDM\logs for Windows XP systems and drive:\ProgramData\VMware\VDM\logs for Windows 7 systems. View Connection Server log files are located on the View Connection Server host in the drive:\Documents and Settings\All Users\Application Data\VMware\VDM\logs directory.
Solution
1 In View Administrator, select Catalog > ThinApps.
Procedure
1 Download the ThinApp software from http://www.vmware.com/products/thinapp and install it on a clean computer.
View supports ThinApp version 4.6 and later.
2 Use the ThinApp Setup Capture wizard to capture and package your applications in MSI format.
10 Setting Up Clients in Kiosk Mode
You can set up unattended clients that can obtain access to their desktops from View. A client in kiosk mode is a thin client or a lock-down PC that runs Horizon Client to connect to a View Connection Server instance and launch a remote session. End users do not typically need to log in to access the client device, although the remote desktop might require them to provide authentication information for some applications.
- Administrators, Inventory Administrators, or an equivalent role to use View Administrator to entitle users or groups to remote desktops.
- Administrators or an equivalent role to run the vdmadmin command.
Procedure
1 Prepare Active Directory and View for Clients in Kiosk Mode
You must configure Active Directory to accept the accounts that you create to authenticate client devices.
3 Configure the guest operating system so that the clients are not locked when they are left unattended.
View suppresses the pre-login message for clients that connect in kiosk mode. If you require an event to unlock the screen and display a message, you can configure a suitable application on the guest operating system.
4 In View Administrator, create the desktop pool that the clients will use and entitle the group to this pool.
Option | Description
-noexpirepassword | Specifies that passwords on client accounts do not expire.
-nogroup | Clears the setting for the default group.
-ou DN | Specifies the distinguished name of the default organizational unit to which client accounts are added. For example: OU=kiosk-ou,DC=myorg,DC=com
Note You cannot use the command to change the configuration of an organizational unit.
The command updates the default values for clients in the View Connection Server group.
Add Accounts for Clients in Kiosk Mode
You can use the vdmadmin command to add accounts for clients to the configuration of a View Connection Server group. After you add a client, it is available for use with a View Connection Server instance on which you have enabled authentication of clients. You can also update the configuration of clients, or remove their accounts from the system.
The command creates a user account in Active Directory for the client in the specified domain and group (if any).
Example: Adding Accounts for Clients
Add an account for a client specified by its MAC address to the MYORG domain, using the default settings for the group kc-grp.
    vdmadmin -Q -clientauth -add -domain MYORG -clientid 00:10:db:ee:76:80 -group kc-grp
Add an account for a client specified by its MAC address to the MYORG domain, using an automatically generated password.
2 If the remote desktop is provided by a Microsoft RDS host, log in to the RDS host and add the user account to the Remote Desktop Users group.
For example, say that on the View server, you entitle the user account custom-11 to a session-based View desktop on an RDS host.
Password Generated: false
Client Authentication Connection Servers
========================================
Common Name : CONSVR1
Client Authentication Enabled : false
Password Required : false
Common Name : CONSVR2
Client Authentication Enabled : true
Password Required : false
What to do next
Verify that the clients can connect to their remote desktops.
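An added example, not part of the VMware guide: a Python script that parses the connection-server section of the vdmadmin -Q -clientauth -list output shown above and reports servers whose kiosk-mode settings need review. The listing text is a constructed sample in the guide's format, and the list of servers that are meant to accept kiosk clients is an assumption supplied by the administrator.

```python
"""Review `vdmadmin -Q -clientauth -list` output for kiosk-mode settings."""
import re

# Constructed sample that follows the connection-server listing in this guide.
SAMPLE_LISTING = """\
Client Authentication Connection Servers
========================================
Common Name                   : CONSVR1
Client Authentication Enabled : false
Password Required             : false

Common Name                   : CONSVR2
Client Authentication Enabled : true
Password Required             : false
"""

SERVERS_HEADING = "Client Authentication Connection Servers"
NOT_APPROVED = "client authentication is enabled on a server that is not on the kiosk list"
NO_PASSWORD = "clients are not required to supply a password"
DISABLED = "server is on the kiosk list but client authentication is disabled"

_RULE = re.compile(r"^=+$")                      # the row of '=' under a heading
_FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")    # "name : value"


def parse_listing(text):
    """Return {section heading: [record dict, ...]}.

    A heading is the line directly above a row of '=' characters. A record
    ends at a blank line or when a field name repeats, so listings whose
    blank lines were lost in copy and paste still parse.
    """
    sections = {}
    records = None   # record list of the section being read
    current = {}     # record being filled

    def close_record():
        nonlocal current
        if current and records is not None:
            records.append(current)
        current = {}

    lines = [line.strip() for line in text.splitlines()]
    for index, line in enumerate(lines):
        following = lines[index + 1] if index + 1 < len(lines) else ""
        if line and not _RULE.match(line) and _RULE.match(following):
            close_record()
            records = sections.setdefault(line, [])
        elif not line:
            close_record()
        elif not _RULE.match(line):
            field = _FIELD.match(line)
            if field and records is not None:
                key, value = field.groups()
                if key in current:
                    close_record()
                current[key] = value
    close_record()
    return sections


def _is_true(record, field):
    return record.get(field, "").strip().lower() == "true"


def review_connection_servers(sections, kiosk_servers):
    """Return (server, note) pairs for settings an administrator should review.

    kiosk_servers is the administrator's own list of Connection Server names
    that are meant to accept kiosk clients (an assumption of this example).
    """
    approved = {name.upper() for name in kiosk_servers}
    findings = []
    for record in sections.get(SERVERS_HEADING, []):
        name = record.get("Common Name", "<unnamed>")
        enabled = _is_true(record, "Client Authentication Enabled")
        if enabled and name.upper() not in approved:
            findings.append((name, NOT_APPROVED))
        if enabled and not _is_true(record, "Password Required"):
            findings.append((name, NO_PASSWORD))
        if not enabled and name.upper() in approved:
            findings.append((name, DISABLED))
    return findings


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for server, note in review_connection_servers(parsed, ["CONSVR2"]):
        print(f"{server}: {note}")
```

The same listing format appears again in the vdmadmin -Q reference in chapter 12, so the parser applies to output captured from either procedure.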
Procedure
- To connect to a remote session, type the appropriate command for your platform.
Option | Description
Windows | Enter
    C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe -unattended [-serverURL connection_server] [-userName user_name] [-password password]
Linux
-password password | Specifies the password for the client's account. If you defined a password for the account, you must specify this password.
Run Horizon Client on a Linux client using an assigned name and password.
    vmware-view -unattended -s 145.124.24.100 --once -u custom-Terminal21 -p "Secret1!"
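Both command forms above place the kiosk account password on the command line, where it can end up in shortcuts, startup scripts and process listings. The following Python script is an added example, not part of the VMware guide: it finds kiosk-mode launch commands that carry a password and masks the value before the line is stored or shared. The option names are the ones shown in this chapter; the sample commands are constructed, and the server name consvr2.myorg.com, the account custom-Kiosk7 and the password Example2 are placeholders.

```python
"""Find and mask passwords in Horizon Client kiosk-mode launch commands."""
import re

# A value is a double-quoted string, a single-quoted string or a bare word.
_VALUE = r"""("[^"]*"|'[^']*'|\S+)"""
# Long option names belong to the Windows client and are matched without
# regard to case; the short names belong to the Linux client.
_SERVER = re.compile(r"(?<!\S)(?:(?i:-serverURL)|-s)\s+" + _VALUE)
_USER = re.compile(r"(?<!\S)(?:(?i:-userName)|-u)\s+" + _VALUE)
_PASSWORD = re.compile(r"(?<!\S)((?i:-password)|-p)\s+" + _VALUE)
_UNATTENDED = re.compile(r"(?<!\S)(?i:-unattended)(?!\S)")

# Constructed samples. The first is the Linux example from this chapter.
SAMPLE_COMMANDS = [
    'vmware-view -unattended -s 145.124.24.100 --once -u custom-Terminal21 -p "Secret1!"',
    r'"C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe" '
    r"-unattended -serverURL consvr2.myorg.com -userName custom-Kiosk7 -password Example2",
    "vmware-view -unattended -s consvr2.myorg.com --once",
]


def _unquote(value):
    """Strip one pair of matching quotes from an option value."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _option(pattern, command):
    """Return the value of the first matching option, or None."""
    match = pattern.search(command)
    return _unquote(match.group(match.lastindex)) if match else None


def inspect_launch(command):
    """Describe one launch command without ever returning the password."""
    return {
        "kiosk": _UNATTENDED.search(command) is not None,
        "server": _option(_SERVER, command),
        "user": _option(_USER, command),
        "inline_password": _PASSWORD.search(command) is not None,
        "redacted": _PASSWORD.sub(lambda m: m.group(1) + " <redacted>", command),
    }


def inline_password_findings(lines):
    """Return (line number, user, redacted line) for kiosk launches that
    carry a password on the command line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        info = inspect_launch(line)
        if info["kiosk"] and info["inline_password"]:
            findings.append((number, info["user"], info["redacted"]))
    return findings


if __name__ == "__main__":
    for number, user, redacted in inline_password_findings(SAMPLE_COMMANDS):
        print(f"line {number}: account {user} has an inline password")
        print(f"    {redacted}")
```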
11 Troubleshooting Horizon 7
You can use a variety of procedures for diagnosing and fixing problems that you might encounter when using Horizon 7. You can use Horizon Help Desk Tool for troubleshooting, use other troubleshooting procedures to investigate and correct problems, or obtain assistance from VMware Technical Support. For information about troubleshooting desktops and desktop pools, see the Setting Up Virtual Desktops in Horizon 7 document.
Use the following vdmadmin command to enable the timing profiler on a Connection Server instance that uses a management port:
    vdmadmin -I -timingProfiler -enable -server {ip/server}
Note Horizon Help Desk Tool does not support Linux desktops.
Log In to Horizon Help Desk Tool
You can log in to Horizon Help Desk Tool from Horizon Administrator. You can also bookmark the URL for the Horizon Help Desk Tool Web page instead of starting Horizon Help Desk Tool from Horizon Administrator.
You can use the Filter text box to filter desktop or application sessions.
Note The Sessions tab does not display session information for sessions that use the Microsoft RDP display protocol or sessions that access VMs from vSphere Client or ESXi.
The Sessions tab includes the following information:
Table 11‑1. Sessions tab
Option | Description
State | Displays information about the state of the desktop or application session.
  - Appears green, if the session is connected.
  - L, if the session is a local session or a session running in the local pod.
  - G, if the session is running in a different pod in the pod federation.
Computer Name | Name of the desktop or application session. Click the name to open the session information in a card.
Table 11‑1. Sessions tab (Continued)
Option | Description
Profile load. Total time for Windows user profile processing.
Use the following guidelines when you use the information in logon segments for troubleshooting:
- If the session is a new virtual desktop session, all the logon segments appear. The GPO Load logon segment time is 0 if no global policy is configured.
Table 11‑3. Application Entitlements
Option | Description
State | Displays information about the state of the application session.
  - Appears green, if the session is connected.
Applications | Displays the names of published applications in the application pool.
Farm | Name of the farm that contains the RDS host that the session connects to.
  Note In the case of a global application entitlement, this column shows the number of farms in the global application entitlement.
2 Choose a troubleshooting option.
Option | Action
Send Message | Sends a message to the user on the published desktop or virtual desktop. You can choose the severity of the message to include Warning, Info, or Error. Click Send Message and enter the type of severity and the message details, and then click Submit.
Remote Assistance | You can generate remote assistance tickets for connected desktop or application sessions.
Problem RDS Hosts | Provides a link to the RDS Hosts tab on the Machines screen, which displays information about RDS hosts that Horizon 7 has flagged as having problems.
Events | Provides links to the Events screen filtered for error events and for warning events.
System Health | Provides links to the Dashboard screen, which displays summaries of the status of Horizon 7 components, vSphere components, domains, desktops, and datastore usage.
You might need to take some action if you see messages that are associated with Audit Failure, Error, or Warning events. You do not need to take any action for Audit Success or Information events.
Collecting Diagnostic Information for Horizon 7
You can collect diagnostic information to help VMware Technical Support diagnose and resolve issues with Horizon 7.
You can collect diagnostic information for various components of Horizon 7.
2 Open a command prompt and run the command to generate the DCT bundle.
Option | Action
On View Connection Server, using vdmadmin | To specify the names of the output bundle file, desktop pool, and machine, use the -outfile, -d, and -m options with the vdmadmin command.
    vdmadmin -A [-b authentication_arguments] -getDCT -outfile local_file -d desktop -m machine
On the remote desktop | Change directories to c:\Program Files\VMware\VMware View\Agent\DCT and run the following command:
    suppo
Collect Diagnostic Information for View Composer Using the Support Script
You can use the View Composer support script to collect configuration data and generate log files for View Composer. This information helps VMware customer support diagnose any issues that arise with View Composer.
Prerequisites
Log in to the computer on which View Composer is installed.
3 When you have collected enough information about the behavior of Connection Server, select Start > All Programs > VMware > Generate View Connection Server Log Bundle.
The support tool writes the log files to a folder called vdm-sdct on the desktop of the Connection Server instance.
4 File a support request on the Support page of the VMware Web site and attach the output files.
Option | Description
7 | Selects debug logging for virtual channels (Horizon Agent and Horizon Client only).
8 | Selects trace logging for virtual channels (Horizon Agent and Horizon Client only).
The script writes the zipped log files to the folder vdm-sdct on the desktop.
3 You can find the View Composer guest agent logs in the C:\Program Files\Common Files\VMware\View Composer Guest Agent svi-ga-support directory.
2 On the Security Servers tab, select a security server, select Prepare for Upgrade or Reinstallation from the More Commands drop-down menu, and click OK.
3 On the Connection Servers tab, select the Connection Server instance that you want to pair with the security server, select Specify Security Server Pairing Password from the More Commands drop-down menu, type a password, and click OK.
4 Install the security server again.
8 On the View Administrator dashboard, verify that the security server or View Connection Server icon is green.
Troubleshooting Smart Card Certificate Revocation Checking
The View Connection Server instance or security server that has the smart card connected cannot perform certificate revocation checking on the server's SSL certificate unless you have configured smart card certificate revocation checking.
12 Using the vdmadmin Command
You can use the vdmadmin command line interface to perform a variety of administration tasks on a View Connection Server instance.
You can use vdmadmin to perform administration tasks that are not possible from within the View Administrator user interface or to perform administration tasks that need to run automatically from scripts.
For a comparison of the operations that are possible in View Administrator, View cmdlets, and vdmadmin, see the View Integration document.
- Assigning Dedicated Machines Using the -L Option
  You can use the vdmadmin command with the -L option to assign machines from a dedicated pool to users.
- Displaying Information About Machines Using the -M Option
  You can use the vdmadmin command with the -M option to display information about the configuration of virtual machines or physical computers.
vdmadmin Command Usage
The syntax of the vdmadmin command controls its operation.
Use the following form of the vdmadmin command from a Windows command prompt.
    vdmadmin command_option [additional_option argument] ...
The additional options that you can use depend on the command option.
By default, the path to the vdmadmin command executable file is C:\Program Files\VMware\VMware View\Server\tools\bin.
Table 12‑1. Options for Selecting Output Format
Option | Description
-csv | Formats the output as comma-separated values.
-n | Display the output using ASCII (UTF-8) characters. This is the default character set for comma-separated values and plain text output.
-w | Display the output using Unicode (UTF-16) characters. This is the default character set for XML output.
-xml | Formats the output as XML.
Table 12‑2. Vdmadmin Command Options (Continued)
Option | Description
-U | Displays information about a user including their remote desktop entitlements and ThinApp assignments, and Administrator roles. See “Displaying Information About Users Using the -U Option.”
-V | Unlocks or locks virtual machines. See “Unlocking or Locking Virtual Machines Using the -V Option.”
Table 12‑3. Options for Configuring Logging in Horizon Agent (Continued)
Option | Description
-outfile local_file | Specifies the name of the local file in which to save a DCT bundle or a copy of a log file.
-setloglevel level | Sets the logging level of Horizon Agent.
  debug | Logs error, warning, and debugging events.
  normal | Logs error and warning events.
  trace | Logs error, warning, informational, and debugging events.
Usage Notes
Horizon Agent reports the discovered IP address of the machine on which it is running to the View Connection Server instance. In secure configurations where the View Connection Server instance cannot trust the value that Horizon Agent reports, you can override the value provided by Horizon Agent and specify the IP address that the managed machine should be using.
If you do not specify a name for the group, the command returns the GUID of the group to which the local View Connection Server instance belongs. You can use the GUID to verify whether a View Connection Server instance is a member of the same View Connection Server group as another View Connection Server instance.
For a description of how to use SCOM with View, see the View Integration document.
Options
The -c option specifies the name of the View Connection Server group.
Listing and Displaying Health Monitors Using the ‑H Option
You can use the vdmadmin command -H to list the existing health monitors, to monitor instances for View components, and to display the details of a specific health monitor or monitor instance.
Display the health of a specified vCenter monitor instance.
    vdmadmin -H -monitorid VCMonitor -instanceid 4aec2c99-4879-96b2-de408064d035 -xml
Listing and Displaying Reports of View Operation Using the ‑I Option
You can use the vdmadmin command with the -I option to list the available reports of View operation and to display the results of running one of these reports.
Generating View Event Log Messages in Syslog Format Using the ‑I Option
You can use the vdmadmin command with the -I option to record View event messages in Syslog format in event log files. Many third-party analytics products require flat-file Syslog data as input for their analytics operations.
Examples
Disable generating View events in Syslog format.
    vdmadmin -I -eventSyslog -disable
Direct Syslog output of View events to the local system only.
    vdmadmin -I -eventSyslog -enable -localOnly
Direct Syslog output of View events to a specified path.
    vdmadmin -I -eventSyslog -enable -path path
Direct Syslog output of View events to a specified path that requires access by an authorized domain user.
    vdmadmin -I -eventSyslog -enable -path \\logserver\share\ViewEvents -user mydomain
Table 12‑9. Options for Assigning Dedicated Desktops
Option | Description
-d desktop | Specifies the name of the desktop pool.
-m machine | Specifies the name of the virtual machine that hosts the remote desktop.
-r | Removes an assignment to a specified user, or all assignments to a specified machine.
-u domain\user | Specifies the login name and domain of the user.
Examples
Assign the machine machine2 in the desktop pool dtpool1 to the user Jo in the CORP domain.
- URL of the vCenter Server (if applicable).
Options
Table 12-10 shows the options that you can use to specify the machine whose details you want to display.
Table 12‑10. Options for Displaying Information About Machines
Option | Description
-d desktop | Specifies the name of the desktop pool.
-m machine | Specifies the name of the virtual machine.
-u domain\user | Specifies the login name and domain of the user.
- Verify that a blackout period is not in effect. See "Set Storage Accelerator and Space Reclamation Blackout Times for View Composer Linked Clones" in the Setting Up Virtual Desktops in Horizon 7 document.
Options
Table 12‑11. Options for Reclaiming Disk Space on Virtual Machines
Option | Description
-d desktop | Specifies the name of the desktop pool.
-m machine | Specifies the name of the virtual machine.
Table 12‑12. Options for Configuring Domain Filters
Option | Description
-add | Adds a domain to a list.
-domain domain | Specifies the domain to be filtered. You must specify domains by their NetBIOS names and not by their DNS names.
-domains | Specifies a domain filter operation.
-exclude | Specifies an operation on an exclusion list.
-include | Specifies an operation on an inclusion list.
Broker Settings: CONSVR-2
Include:
Exclude:
Search :
View limits the domain search on each View Connection Server host in the group to exclude the domains FARDOM and DEPTX. The characters (*) next to the exclusion list for CONSVR-1 indicate that View excludes the YOURDOM domain from the results of the domain search on CONSVR-1.
Display the domain filters in XML using ASCII characters.
Table 12‑13. Types of Domain List
Domain List Type | Description
Search exclusion list | Specifies the domains that View can traverse during an automated search. The search ignores domains that are included in the search exclusion list, and does not attempt to locate domains that the excluded domain trusts. You cannot exclude the primary domain from the search.
Exclusion list | Specifies the domains that View excludes from the results of a domain search.
Display the currently active domains after including the YOURDOM and DEPTX domains.
C:\ vdmadmin -N -domains -list -active
Domain Information (CONSVR)
===========================
Primary Domain: MYDOM
Domain: MYDOM DNS:mydom.mycorp.com
Domain: YOURDOM DNS:yourdom.mycorp.com
Domain: DEPTX DNS:deptx.mycorp.com
View applies the include list to the results of a domain search.
Domain: YOURDOM DNS:yourdom.mycorp.com
Domain: DEPTX DNS:deptx.mycorp.com
Domain: DEPTY DNS:depty.mycorp.com
Domain: DEPTZ DNS:deptz.mycorp.com
Extend the search exclusion list to exclude the DEPTX domain and all its trusted domains from the domain search for all View Connection Server instances in a group. Also, exclude the YOURDOM domain from being available on CONSVR-1.
Displaying the Machines and Policies of Unentitled Users Using the ‑O and ‑P Options
You can use the vdmadmin command with the -O and -P options to display the virtual machines and policies that are assigned to users who are no longer entitled to use the system.
Display virtual machines that are assigned to unentitled users, grouped by user, in XML format using ASCII characters.
    vdmadmin -O -lu -xml -n
Apply your own stylesheet C:\tmp\unentitled-users.xsl and redirect the output to the file uu-output.html.
    vdmadmin -O -lu -xml -xsltpath "C:\tmp\unentitled-users.xsl" > uu-output.html
Display the user policies that are associated with unentitled users’ virtual machines, grouped by desktop, in XML format using Unicode characters.
You can define alternate prefixes to "custom-" in the pae-ClientAuthPrefix multi-valued attribute under cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int in ADAM on a View Connection Server instance. Avoid using these prefixes with ordinary user accounts.
If you do not specify a name for a client, View generates a name from the MAC address that you specify for the client device.
Table 12‑16. Options for Configuring Clients in Kiosk Mode (Continued)
Option | Description
-force | Disables the confirmation prompt when removing the account for a client in kiosk mode.
-genpassword | Generates a password for the client's account. This is the default behavior if you do not specify either -password or -genpassword.
-getdefaults | Gets the default values that are used for adding client accounts.
Add an account for a client specified by its MAC address to the MYORG domain, and use the default settings for the group kc-grp.
    vdmadmin -Q -clientauth -add -domain MYORG -clientid 00:10:db:ee:76:80 -group kc-grp
Add an account for a client specified by its MAC address to the MYORG domain, and use an automatically generated password.
========================================
Common Name : CONSVR1
Client Authentication Enabled : false
Password Required : false
Common Name : CONSVR2
Client Authentication Enabled : true
Password Required : false
Displaying the First User of a Machine Using the -R Option
You can use the vdmadmin command with the -R option to find out the initial assignment of a managed virtual machine.
You can also use the vdmadmin command with the -S option to remove a security server from your View environment. You do not have to use this option if you intend to upgrade or reinstall a security server without removing it permanently.
To make the removal permanent, perform these tasks:
1 Uninstall the View Connection Server instance or security server from the Windows Server computer by running the View Connection Server installer.
Active Directory account lock, disable, and logon hours checks can be performed only when a user in a one-way trusted domain first logs on.
PowerShell administration and smart card authentication of users is not supported in one-way trusted domains. SAML authentication of users in one-way trusted domains is not supported.
Secondary credential accounts require the following permissions. A standard user account should have these permissions by default.
Displaying Information About Users Using the ‑U Option
You can use the vdmadmin command with the -U option to display detailed information about users.
Syntax
    vdmadmin -U [-b authentication_arguments] -u domain\user [-w | -n] [-xml]
Usage Notes
The command displays information about a user obtained from Active Directory and View.
- Details from Active Directory about the user's account.
- Membership of Active Directory groups.
Options
Table 12-18 shows the options that you can specify to unlock or lock virtual machines.
Table 12‑18. Options for Unlocking or Locking Virtual Machines
Option | Description
-d desktop | Specifies the desktop pool.
-e | Unlocks a virtual machine.
-m machine | Specifies the name of the virtual machine.
-p | Locks a virtual machine.
-vcdn vCenter_dn | Specifies the distinguished name of the vCenter Server.
-vmpath inventory_path | Specifies the inventory path of the virtual machine.
Examples
Detect LDAP entry collisions in a View Connection Server group.
    vdmadmin -X -collisions
Detect and resolve LDAP entry collisions.
    vdmadmin -X -collisions -resolve
View Administration 246 VMware, Inc.