View Administration Modified on 4 JAN 2018 VMware Horizon 7 7.
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to docfeedback@vmware.com
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Copyright © 2014–2018 VMware, Inc. All rights reserved.
Contents
View Administration
1 Using Horizon Administrator
  Horizon Administrator and Horizon Connection Server
  Log In to Horizon Administrator
  Tips for Using the Horizon Administrator Interface
  Troubleshooting the Text Display in Horizon Administrator
2 Configuring View Connection Server
  Configuring vCenter Server and View Composer
  Backing Up View Connection Server
  Configuring Settings for Client Sessions
  Disable or Enable View Connection Server
  Edit the External URLs
  Using Access Groups to Delegate Administration of Pools and Farms
  Understanding Permissions
  Manage Administrators
  Manage and Review Permissions
  Manage and Review Access Groups
  Manage Custom Roles
  Predefined Roles and Privileges
  Required Privileges for Common Tasks
  Best Practices for Administrator Users and Groups
7 Configuring Policies in Horizon Administrator and Active Directory
  Setting Policies in Horizon Administrator
  Usin
  Update Support Requests
  Troubleshooting an Unsuccessful Security Server Pairing with Horizon Connection Server
  Troubleshooting View Server Certificate Revocation Checking
  Troubleshooting Smart Card Certificate Revocation Checking
  Further Troubleshooting Information
12 Using the vdmadmin Command
  vdmadmin Command Usage
  Configuring Logging in Horizon Agent Using the -A Option
  Overriding IP Addresses Using the -A Option
  Setting the Name of a
View Administration
View Administration describes how to configure and administer VMware Horizon 7, including how to configure Horizon Connection Server, create administrators, set up user authentication, configure policies, and manage VMware ThinApp applications in Horizon Administrator. This document also describes how to maintain and troubleshoot Horizon 7 components.
Intended Audience
This information is intended for anyone who wants to configure and administer VMware Horizon 7.
1 Using Horizon Administrator
Horizon Administrator is the Web interface through which you configure Horizon Connection Server and manage your remote desktops and applications. For a comparison of the operations that you can perform with View Administrator, View cmdlets, and vdmadmin, see the View Integration document.
Note: In Horizon 7, View Administrator is named Horizon Administrator. References in this document might use View Administrator.
- In a pod environment, verify that all administrators use the host name and IP address of the same Connection Server to log in to Horizon Administrator. Do not use the host name and IP address of the load balancer to access a Horizon Administrator web page.
Note: If you use Unified Access Gateway appliances rather than security servers, you must use the Unified Access Gateway REST API to manage the Unified Access Gateway appliances.
2 Log in as a user with credentials to access the Administrators account. You specify the Administrators account when you install a standalone Connection Server instance or the first Connection Server instance in a replicated group. The Administrators account can be the local Administrators group (BUILTIN\Administrators) on the Connection Server computer or a domain user or group account.
Table 1‑1. Horizon Administrator Navigation and Display Features (Continued)
Horizon Administrator Feature | Description
Multicolumn sorting | You can sort Horizon objects in a variety of ways by using multicolumn sorting. Click a heading in the top row of a Horizon Administrator table to sort the Horizon objects in alphabetical order based on that heading. For example, in the Resources > Machines page, you can click Desktop Pool to sort desktops by the pools that contain them.
Expanding dialog boxes to view details | You can expand Horizon Administrator dialog boxes to view details such as desktop names and user names in table columns. To expand a dialog box, place your mouse over the dots in the lower right corner of the dialog box and drag the corner.
2 Configuring View Connection Server
After you install and perform initial configuration of View Connection Server, you can add vCenter Server instances and View Composer services to your View deployment, set up roles to delegate administrator responsibilities, and schedule backups of your configuration data.
Procedure
1 In Active Directory, create a user account in the same domain as your Connection Server host or in a trusted domain.
2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to the account in the Active Directory container in which the linked-clone computer accounts are created or to which the linked-clone computer accounts are moved.
Prerequisites
- Install the Connection Server product license key.
- Prepare a vCenter Server user with permission to perform the operations in vCenter Server that are necessary to support Horizon 7. To use View Composer, you must give the user additional privileges. For details about configuring a vCenter Server user for Horizon 7, see the View Installation document.
- Verify that a TLS/SSL server certificate is installed on the vCenter Server host.
3 In the vCenter Server Settings Server address text box, type the fully qualified domain name (FQDN) of the vCenter Server instance. The FQDN includes the host name and domain name. For example, in the FQDN myserverhost.companydomain.com, myserverhost is the host name and companydomain.com is the domain.
After the initial View deployment, you can migrate the VMware Horizon View Composer service to a new host to support a growing or changing View deployment. You can edit the initial View Composer settings in View Administrator, but you must perform additional steps to ensure that the migration succeeds. See Migrate View Composer to Another Machine.
4 Click Next to display the View Composer Domains page.
What to do next
Configure View Composer domains.
- If the View Composer instance is configured with a signed SSL certificate, and View Connection Server trusts the root certificate, the Add vCenter Server wizard displays the View Composer Domains page.
- If the View Composer instance is configured with a default certificate, you must first determine whether to accept the thumbprint of the existing certificate.
What to do next
Enable virtual machine disk space reclamation and configure View Storage Accelerator for Horizon 7.
Allow vSphere to Reclaim Disk Space in Linked-Clone Virtual Machines
In vSphere 5.1 and later, you can enable the disk space reclamation feature for Horizon 7. Starting in vSphere 5.
Prerequisites
- Verify that your vCenter Server and ESXi hosts, including all ESXi hosts in a cluster, are version 5.1 with ESXi 5.1 download patch ESXi510-201212001 or later.
Procedure
1 In Horizon Administrator, complete the Add vCenter Server wizard pages that precede the Storage Settings page.
  a Select View Configuration > Servers.
  b On the vCenter Servers tab, click Add.
  c Complete the vCenter Server Information, View Composer Settings, and View Composer Domains pages.
View Storage Accelerator is enabled for desktop pools by default. The feature can be disabled or enabled when you create or edit a pool. The best approach is to enable this feature when you first create a desktop pool. If you enable the feature by editing an existing pool, you must ensure that a new replica and its digest disks are created before linked clones are provisioned.
3 Specify a default host cache size. The default cache size applies to all ESXi hosts that are managed by this vCenter Server instance. The default value is 1,024MB. The cache size must be between 100MB and 2,048MB.
4 To specify a different cache size for an individual ESXi host, select an ESXi host and click Edit cache size.
  a In the Host cache dialog box, check Override default host cache size.
  b Type a Host cache size value between 100MB and 2,048MB and click OK.
Table 2‑1. Concurrent Operations Limits for vCenter Server and View Composer (Continued)
Setting | Description
Max concurrent View Composer maintenance operations | Determines the maximum number of concurrent View Composer refresh, recompose, and rebalance operations that can take place on linked clones managed by this View Composer instance. The default value is 12. Remote desktops that have active sessions must be logged off before a maintenance operation can begin.
Logons, and therefore desktop power on operations, typically occur in a normally distributed manner over a certain time window. You can approximate the peak power-on rate by assuming that it occurs in the middle of the time window, during which about 40% of the power-on operations occur in 1/6th of the time window. For example, if users log on between 8:00 AM and 9:00 AM, the time window is one hour, and 40% of the logons occur in the 10 minutes between 8:25 AM and 8:35 AM.
Similarly, in Horizon Administrator you can configure a SAML authenticator for use by a Connection Server instance. If the SAML server certificate is not trusted by Connection Server, you must determine whether to accept the certificate thumbprint. If you do not accept the thumbprint, you cannot configure the SAML authenticator in Horizon 7. After a SAML authenticator is configured, you can reconfigure it in the Edit View Connection Server dialog box.
2 On the vCenter Servers tab, select the vCenter Server instance.
3 Click Remove. A dialog warns you that View will no longer have access to the virtual machines that are managed by this vCenter Server instance.
4 Click OK. View can no longer access the virtual machines created in the vCenter Server instance.
Remove View Composer from View
You can remove the connection between View and the VMware Horizon View Composer service that is associated with a vCenter Server instance.
What to do next
If you intend to install View Composer on another host and reconfigure View to connect to the new VMware Horizon View Composer service, you must perform certain additional steps. See Migrate View Composer Without Linked-Clone Virtual Machines.
Conflicting vCenter Server Unique IDs
If you have multiple vCenter Server instances configured in your environment, an attempt to add a new instance might fail because of conflicting unique IDs.
You can also configure View Connection Server instances to use direct, nontunneled connections between Horizon clients and remote desktops. See Configure the Secure Tunnel and PCoIP Secure Gateway for information about configuring direct connections.
Prerequisites
Familiarize yourself with the global settings. See Global Settings for Client Sessions and Global Security Settings for Client Sessions and Connections.
What to do next
When you use the vdmimport utility to restore a backup View configuration, provide the new password.
Global Settings for Client Sessions
General global settings determine session timeout lengths, SSO enablement and timeout limits, status updates in View Administrator, whether prelogin and warning messages are displayed, whether View Administrator treats Windows Server as a supported operating system for remote desktops, and other settings.
Table 2‑2. General Global Settings for Client Sessions (Continued)
Setting | Description
 | For clients that support applications. Protects application sessions when there is no keyboard or mouse activity on the client device. If set to After ... minutes, View disconnects all applications and discards SSO credentials after the specified number of minutes without user activity. Desktop sessions are not disconnected.
Enable Windows Server desktops | Determines whether you can select available Windows Server 2008 R2 and Windows Server 2012 R2 machines for use as desktops. When this setting is enabled, View Administrator displays all available Windows Server machines, including machines on which View server components are installed.
Hide server information in client user interface | Enable this security setting to hide server URL information in Horizon Client 4.4 or later.
Hide domain list in client user interface | Enable this security setting to hide the Domain drop-down menu in Horizon Client 4.4 or later.
Table 2‑3. Global Security Settings for Client Sessions and Connections
Setting | Description
Reauthenticate secure tunnel connections after network interruption | Determines if user credentials must be reauthenticated after a network interruption when Horizon clients use secure tunnel connections to remote desktops. When you select this setting, if a secure tunnel connection is interrupted, Horizon Client requires the user to reauthenticate before reconnecting.
Note: If you upgrade to View 5.1 or later from an earlier View release, the global setting Require SSL for client connections is displayed in View Administrator, but only if the setting was disabled in your View configuration before you upgraded. Because SSL is required for all Horizon Client connections and View Administrator connections to View, this setting is not displayed in fresh installations of View 5.
When you first install View on a system, the message security mode is set to Enhanced. If you upgrade View from a previous release, the message security mode remains unchanged from its existing setting.
Important: If you plan to change an upgraded View environment from Enabled to Enhanced, you must first upgrade all View Connection Server instances, security servers, and View desktops to Horizon 6 version 6.1 or a later release.
By default, the path to the vdmutil command executable file is C:\Program Files\VMware\VMware View\Server\tools\bin. To avoid entering the path on the command line, add the path to your PATH environment variable.
Authentication
You must run the command as a user who has the Administrators role. You can use View Administrator to assign the Administrators role to a user. See Chapter 6 Configuring Role-Based Delegated Administration.
Table 2‑6. vdmutil Command Options (Continued)
Option | Description
--getMsgSecMode | Gets the message security mode for the local pod.
--help | Lists the vdmutil command options. You can also use --help on a particular command, such as --setMsgSecMode --help.
--listMsgBusSecStatus | Lists the message bus security status for all connection servers in the local pod.
--listPendingMsgSecStatus | List machines preventing a transition to or from Enhanced mode.
- If you pair a security server to a View Connection Server instance on which you already enabled the PCoIP Secure Gateway, verify that the security server is View 4.6 or later.
Procedure
1 In View Administrator, select View Configuration > Servers.
2 On the Connection Servers tab, select a View Connection Server instance and click Edit.
3 Configure use of the secure tunnel.
Option | Description
Enable the secure tunnel | Select Use Secure Tunnel connection to machine.
- For Horizon Clients that use a poor network condition to connect to Connection Server (BSG disabled), security server (BSG disabled), or version 2.9 or later of Unified Access Gateway appliance (without UDP Tunnel Server Enabled), or version 2.8 of Unified Access Gateway appliance, the client automatically senses the network condition and falls back to the typical network condition. For more information, see the Horizon Client documentation at https://www.vmware.
Off-load SSL Connections to Intermediate Servers
Horizon Client must use HTTPS to connect to View. If your Horizon clients connect to load balancers or other intermediate servers that pass on the connections to View Connection Server instances or security servers, you can off-load SSL to the intermediate servers.
If you do not deploy security servers, or if you have a mixed network environment with some security servers and some external-facing View Connection Server instances, External URLs are required for any View Connection Server instances that connect to the intermediate server.
Note: You cannot off-load SSL connections from a PCoIP Secure Gateway (PSG) or Blast Secure Gateway.
4 Save the locked.properties file.
5 Restart the View Connection Server service or security server service to make your changes take effect.
Example: locked.properties file
This file allows non-SSL HTTP connections to a View server. The IP address of the View server's client-facing network interface is 10.20.30.40. The server uses the default port 80 to listen for HTTP connections. The value http must be lower case.
serverProtocol=http
serverHostNonSSL=10.20.30.
Disable or Enable View Connection Server
You can disable a View Connection Server instance to prevent users from logging in to their remote desktops and applications. After you disable an instance, you can enable it again. When you disable a View Connection Server instance, users who are currently logged in to remote desktops and applications are not affected. Your View deployment determines how users are affected by disabling an instance.
Procedure
1 In View Administrator, select View Configuration > Servers.
2
Option | Action
View Connection Server instance | Select the View Connection Server instance on the Connection Servers tab and click Edit.
Security server | Select the security server on the Security Servers tab and click Edit.
Type the secure tunnel external URL in the External URL text box. The URL must contain the protocol, client-resolvable host name and port number. For example: https://view.example.
If you participate in the program, VMware collects anonymous data about your deployment in order to improve VMware's response to user requirements. No data that identifies your organization is collected. To review the list of fields from which data is collected, including the fields that are made anonymous, see GUID-4FDD21B3-5F28-419F-AA16-4C7578996A54#GUID-4FDD21B3-5F28-419FAA16-4C7578996A54.
Procedure
1 In View Administrator, select View Configuration > Product Licensing and Usage.
LDAP Replication
When you install a replicated instance of View Connection Server, View copies the View LDAP configuration data from the existing View Connection Server instance. Identical View LDAP configuration data is maintained on all View Connection Server instances in the replicated group. When a change is made on one instance, the updated information is copied to the other instances. If a replicated instance fails, the other instances in the group continue to operate.
3 Setting Up Smart Card Authentication
For added security, you can configure a View Connection Server instance or security server so that users and administrators can authenticate by using smart cards. A smart card is a small plastic card that contains a computer chip. The chip, which is like a miniature computer, includes secure storage for data, including private keys and public key certificates. One type of smart card used by the United States Department of Defense is called a Common Access Card (CAC).
When a user or administrator initiates a connection to a View Connection Server instance or security server that is configured for smart card authentication, the View Connection Server instance or security server sends a list of trusted certificate authorities (CAs) to the client system. The client system checks the list of trusted CAs against the available user certificates, selects a suitable certificate, and then prompts the user or administrator to enter a smart card PIN.
3 Add the CA Certificate to a Server Truststore File
You must add root certificates, intermediate certificates, or both to a server truststore file for all users and administrators that you trust. View Connection Server instances and security servers use this information to authenticate smart card users and administrators.
Procedure
1 If the user certificate is on a smart card, insert the smart card into the reader to add the user certificate to your personal store. If the user certificate does not appear in your personal store, use the reader software to export the user certificate to a file. This file is used in Step 4 of this procedure.
2 In Internet Explorer, select Tools > Internet Options.
3 On the Content tab, click Certificates.
Procedure
1 On your View Connection Server or security server host, use the keytool utility to import the root certificate, intermediate certificate, or both into the server truststore file. For example:
keytool -import -alias alias -file root_certificate -keystore truststorefile.key
In this command, alias is a unique case-sensitive name for a new entry in the truststore file, root_certificate is the root or intermediate certificate that you obtained or exported, and truststorefile.
2 Add the trustKeyfile, trustStoretype, and useCertAuth properties to the locked.properties file.
  a Set trustKeyfile to the name of your truststore file.
  b Set trustStoretype to jks.
  c Set useCertAuth to true to enable certificate authentication.
3 Restart the View Connection Server service or security server service to make your changes take effect.
Example: locked.
3 To configure smart card authentication for remote desktop and application users, perform these steps.
  a On the Authentication tab, select a configuration option from the Smart card authentication for users drop-down menu in the View Authentication section.
Option | Action
Not allowed | Smart card authentication is disabled on the View Connection Server instance.
Option | Action
Note: Smart card authentication replaces Windows password authentication only. If SecurID is enabled, users are required to authenticate by using both SecurID and smart card authentication.
  b Configure the smart card removal policy. You cannot configure the smart card removal policy when smart card authentication is set to Not Allowed.
Option | Action
Disconnect users from View Connection Server when they remove their smart cards.
5 Click OK.
6 Restart the View Connection Server service. You must restart the View Connection Server service for changes to smart card settings to take effect, with one exception. You can change smart card authentication settings between Optional and Required without having to restart the View Connection Server service. Currently logged-in users and administrators are not affected by changes to smart card settings.
Prepare Active Directory for Smart Card Authentication
You might need to perform certain tasks in Active Directory when you implement smart card authentication.
- Add UPNs for Smart Card Users
  Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users and administrators that use smart cards to authenticate in Horizon 7 must have a valid UPN.
Procedure
1 On your Active Directory server, start the ADSI Edit utility.
2 In the left pane, expand the domain the user is located in and double-click CN=Users.
3 In the right pane, right-click the user and then click Properties.
4 Double-click the userPrincipalName attribute and type the SAN value of the trusted CA certificate.
5 Click OK to save the attribute setting.
2 Expand the Computer Configuration section and open Windows Settings\Security Settings\Public Key.
3 Right-click Trusted Root Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
5 Close the Group Policy window.
All of the systems in the domain now have a copy of the root certificate in their trusted root store.
5 Close the Group Policy window.
All of the systems in the domain now have a copy of the intermediate certificate in their intermediate certification authority store.
Verify Your Smart Card Authentication Configuration
After you set up smart card authentication for the first time, or when smart card authentication is not working correctly, you should verify your smart card authentication configuration.
- If the domain a smart card user resides in is different from the domain your root certificate was issued from, verify that the user’s UPN is set to the SAN contained in the root certificate of the trusted CA.
  a Find the SAN contained in the root certificate of the trusted CA by viewing the certificate properties.
  b On your Active Directory server, select Start > Administrative Tools > Active Directory Users and Computers.
- Configure CRL Checking
  When you configure CRL checking, View reads a CRL to determine the revocation status of a smart card user certificate.
- Configure OCSP Certificate Revocation Checking
  When you configure OCSP certificate revocation checking, View sends a verification request to an OCSP Responder to determine the revocation status of a smart card user certificate.
- Smart Card Certificate Revocation Checking Properties
  You set values in the locked.
Procedure
1 Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection Server or security server host. For example:
install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
2 Add the enableRevocationChecking and crlLocation properties to the locked.properties file.
  a Set enableRevocationChecking to true to enable smart card certificate revocation checking.
  b Set crlLocation to the location of the CRL.
  c Set ocspURL to the URL of the OCSP Responder.
  d Set ocspSigningCert to the location of the file that contains the OCSP Responder's signing certificate.
3 Restart the View Connection Server service or security server service to make your changes take effect.
Example: locked.
Table 3‑1. Properties for Smart Card Certificate Revocation Checking (Continued)
Property | Description
enableOCSP | Set this property to true to enable OCSP certificate revocation checking. The default value is false.
ocspURL | Specifies the URL of an OCSP Responder.
ocspResponderCert | Specifies the file that contains the OCSP Responder's signing certificate. View uses this certificate to verify that the OCSP Responder's responses are genuine.
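The smart card, revocation-checking and SSL off-load properties described in this chapter and the previous one can be checked mechanically before a service restart. The following Python lint is an added example, not VMware code: its rules are assumptions drawn from this page's procedures, an absent property is treated as not enabled, and the sample file contents are constructed.

```python
# Added example: lint locked.properties for the smart card settings named on
# this page. The rules are assumptions drawn from the page's procedures, not
# VMware's own validation logic.

# The page names the OCSP signing-certificate property two ways; accept both.
SIGNING_CERT_KEYS = ("ocspSigningCert", "ocspResponderCert")

# Constructed sample file contents (not taken from a real deployment).
GOOD_SAMPLE = """\
# smart card authentication with CRL checking
trustKeyfile=truststorefile.key
trustStoretype=jks
useCertAuth=true
enableRevocationChecking=true
crlLocation=http://crl.example.test/root.crl
"""

BAD_SAMPLE = """\
useCertAuth=true
trustStoretype=pkcs12
enableOCSP=true
serverProtocol=http
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' or '!' comments.

    Simplification: Java line continuations and escapes are not handled.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _enabled(props, key):
    # Assumption: an absent property counts as not enabled.
    return props.get(key, "").lower() == "true"


def lint(text):
    """Return a list of (code, message) findings for one file's contents."""
    props = parse_properties(text)
    findings = []

    if _enabled(props, "useCertAuth"):
        if not props.get("trustKeyfile"):
            findings.append(("NO_TRUSTSTORE",
                             "useCertAuth=true but trustKeyfile is not set"))
        if props.get("trustStoretype", "").lower() != "jks":
            findings.append(("STORETYPE", "trustStoretype should be jks"))

        crl = _enabled(props, "enableRevocationChecking")
        ocsp = _enabled(props, "enableOCSP")
        if not crl and not ocsp:
            findings.append(("NO_REVOCATION",
                             "smart card authentication is on but neither "
                             "CRL nor OCSP checking is enabled"))
        if crl and not ocsp and not props.get("crlLocation"):
            findings.append(("NO_CRL_LOCATION",
                             "enableRevocationChecking=true but crlLocation "
                             "is not set"))
        if ocsp:
            url = props.get("ocspURL", "").lower()
            if not url.startswith(("http://", "https://")):
                findings.append(("OCSP_URL",
                                 "enableOCSP=true but ocspURL is missing or "
                                 "not an http(s) URL"))
            if not any(props.get(k) for k in SIGNING_CERT_KEYS):
                findings.append(("OCSP_CERT",
                                 "enableOCSP=true but no responder signing "
                                 "certificate file is set"))

    # The page's off-load example uses exactly this lower-case value.
    if props.get("serverProtocol") == "http":
        findings.append(("PLAINTEXT_HTTP",
                         "server accepts non-SSL HTTP; confirm an "
                         "intermediate server terminates SSL"))
    return findings


if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, [code for code, _ in lint(sample)])
```
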
4 Setting Up Other Types of User Authentication
View uses your existing Active Directory infrastructure for user and administrator authentication and management. You can also integrate View with other forms of authentication besides smart cards, such as biometric authentication or two-factor authentication solutions, such as RSA SecurID and RADIUS, to authenticate remote desktop and application users.
Horizon 7 is certified through the RSA SecurID Ready program and supports the full range of SecurID capabilities, including New PIN Mode, Next Token Code Mode, RSA Authentication Manager, and load balancing.
- Logging in Using Two-Factor Authentication
  When a user connects to a View Connection Server instance that has RSA SecurID authentication or RADIUS authentication enabled, a special login dialog box appears in Horizon Client.
Prerequisites
Install and configure the two-factor authentication software, such as the RSA SecurID software or the RADIUS software, on an authentication manager server.
- For RSA SecurID authentication, export the sdconf.rec file for the View Connection Server instance from RSA Authentication Manager. See the RSA Authentication Manager documentation.
- For RADIUS authentication, follow the vendor's configuration documentation.
6 For RADIUS authentication, complete the rest of the fields:
  a Select Use the same username and password for RADIUS and Windows authentication if the initial RADIUS authentication uses Windows authentication that triggers an out-of-band transmission of a token code, and this token code is used as part of a RADIUS challenge.
Problem
A Horizon Client connection with RSA SecurID displays Access Denied and the RSA Authentication Manager Log Monitor displays the error Node Verification Failed.
Cause
The RSA Agent host node secret needs to be reset.
Solution
1 In View Administrator, select View Configuration > Servers.
2 On the Connection Servers tab, select the View Connection Server and click Edit.
3 On the Authentication tab, select Clear node secret.
4 Click OK to clear the node secret.
Using SAML Authentication
The Security Assertion Markup Language (SAML) is an XML-based standard that is used to describe and exchange authentication and authorization information between different security domains. SAML passes information about users between identity providers and service providers in XML documents called SAML assertions. You can use SAML authentication to integrate Horizon 7 with VMware Workspace ONE, VMware Identity Manager, or a third-party load balancer or gateway.
To delegate responsibility for authentication to VMware Identity Manager, you must create a SAML authenticator in Horizon 7. A SAML authenticator contains the trust and metadata exchange between Horizon 7 and VMware Identity Manager. You associate a SAML authenticator with a Connection Server instance.
- (Optional) If you are using Workspace ONE or VMware Identity Manager, make a note of the URL of the connector Web interface.
- If you are creating an authenticator for Unified Access Gateway or a third-party appliance that requires you to generate SAML metadata and create a static authenticator, perform the procedure on the device to generate the SAML metadata, and then copy the metadata.
Procedure
1 In Horizon Administrator, select Configuration > Servers.
Option | Description
SAML metadata | (For static authenticators) Metadata text that you generated and copied from the Unified Access Gateway or a third-party device.
Enabled for Connection Server | Select this check box to enable the authenticator. You can enable multiple authenticators. Only enabled authenticators are displayed in the list.
6 Click OK to save the SAML authenticator configuration.
Change the Expiration Period for Service Provider Metadata on Connection Server
If you do not change the expiration period, Connection Server will stop accepting SAML assertions from the SAML authenticator, such as Unified Access Gateway or a third-party identity provider, after 24 hours, and the metadata exchange must be repeated. Use this procedure to specify the number of days that can elapse before Connection Server stops accepting SAML assertions from the identity provider.
Prerequisites
Verify that you have created a SAML authenticator for the identity provider: Unified Access Gateway or a third-party load balancer or gateway. In the System Health section on the Horizon Administrator dashboard, you can select Other components > SAML 2.0 Authenticators, select the SAML authenticator that you added, and verify the details.
Procedure
1 Open a new browser tab and enter the URL for getting the Connection Server SAML metadata. https://connection-server.
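The expiry behaviour described above can be monitored from the metadata document itself. The following is an added example, not VMware code: it assumes the service provider metadata carries its lifetime in the standard SAML 2.0 validUntil attribute of the EntityDescriptor element, and the sample document, entity ID and four-hour warning window are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: not output from a real Connection Server.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cs.example.test/sp"
    validUntil="2018-01-05T09:00:00Z">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def parse_valid_until(metadata_xml):
    """Return (entityID, validUntil as an aware UTC datetime, or None)."""
    # Parse only metadata you fetched yourself over TLS from your own server;
    # ElementTree is not hardened against hostile XML.
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    raw = root.get("validUntil")
    if raw is None:
        return root.get("entityID"), None
    # xs:dateTime writes UTC as a trailing "Z"; fromisoformat() accepts that
    # spelling only from Python 3.11, so normalise it first.
    stamp = datetime.fromisoformat(raw.strip().replace("Z", "+00:00"))
    if stamp.tzinfo is None:
        stamp = stamp.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
    return root.get("entityID"), stamp.astimezone(timezone.utc)


def metadata_status(metadata_xml, now, warn_within=timedelta(hours=4)):
    """Classify the metadata as OK, EXPIRING, EXPIRED or NO_EXPIRY at time `now`."""
    entity_id, valid_until = parse_valid_until(metadata_xml)
    if valid_until is None:
        return entity_id, "NO_EXPIRY", None
    remaining = valid_until - now
    if remaining <= timedelta(0):
        state = "EXPIRED"      # assertions would no longer be accepted
    elif remaining <= warn_within:
        state = "EXPIRING"     # repeat the metadata exchange soon
    else:
        state = "OK"
    return entity_id, state, remaining


if __name__ == "__main__":
    print(metadata_status(SAMPLE_SP_METADATA, datetime.now(timezone.utc)))
```

Run on a schedule against the saved metadata, a check like this gives warning before the 24-hour default lapses and logins through the gateway start to fail.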
Prerequisites
- Configure the access policies for applications in Workspace ONE. For more information about setting access policies, see the VMware Identity Manager Administration Guide.
- Entitle users to published desktops and applications in Horizon Administrator.
Procedure
1 In Horizon Administrator, select Configuration > Servers.
2 On the Connection Servers tab, select a server instance that is associated with a SAML authenticator and click Edit.
4 On the object CN=Common, OU=Global, OU=Properties, edit the pae-ClientConfig attribute and add the value BioMetricsTimeout=.
The following BioMetricsTimeout values are valid:
BioMetricsTimeout Value | Description
0 | Biometric authentication is not supported. This is the default.
-1 | Biometric authentication is supported without any time limit.
Any positive integer | Biometric authentication is supported and can be used for the specified number of minutes.
5 Authenticating Users Without Requiring Credentials
After users log in to a client device or to VMware Identity Manager, they can connect to a published application or desktop without being prompted for Active Directory credentials. Administrators can choose to set up the configuration based on user requirements.
- Provide users unauthenticated access to published applications.
This feature requires Horizon Client version 4.4 or later. For the HTML Access client, this feature requires version 4.5 or later.
Workflow for Configuring Unauthenticated Users
1 Create users for unauthenticated access. See Create Users for Unauthenticated Access.
2 Enable unauthenticated access to users and set a default unauthenticated user. See Enable Unauthenticated Access for Users.
3 Entitle unauthenticated users to published applications.
- The unauthenticated access feature does not work if the AllowSingleSignon group policy setting for Horizon Agent installed on an RDS host is disabled. Administrators can also control whether to disable or enable unauthenticated access with the UnAuthenticatedAccessEnabled Horizon Agent group policy setting. The Horizon Agent group policy settings are included in the vdm_agent.admx template file. You must reboot the RDS host for this policy to take effect.
Enable Unauthenticated Access for Users
After you create users for unauthenticated access, you must enable unauthenticated access in the Connection Server to enable users to connect and access published applications.
Procedure
1 In Horizon Administrator, select View Configuration > Servers.
2 Click the Connection Servers tab.
3 Select the Connection Server instance and click Edit.
4 Click the Authentication tab.
5 Change Unauthenticated Access to Enabled.
3 Click Add, select one or more search criteria, click Find, and select the Unauthenticated Users check box to find unauthenticated access users based on your search criteria.
4 Select the users to entitle to the applications in the pool and click OK.
5 Click OK to save your changes.
An unauthenticated access icon appears next to the unauthenticated access user after the entitlement process completes.
What to do next
Use an unauthenticated access user to log in to Horizon Client.
Unauthenticated Access From Horizon Client
Log in to Horizon Client with unauthenticated access and start the published application. To ensure greater security, the unauthenticated access user has a user alias that you can use to log in to Horizon Client. When you select a user alias, you do not need to provide the AD credentials or UPN for the user. After you log in to Horizon Client, you can click your published applications to start the applications.
- On the client system, user credentials are encrypted and stored in a table in the Authentication Package, which is a component of Horizon Client. The credentials are added to the table when the user logs in and are removed from the table when the user logs out. The table resides in volatile memory. Administrators can use Horizon Client group policy settings to control the availability of the Log in as current user check box and to specify its default value.
To enable this feature, you must set a value in View LDAP to indicate how long to save credential information in the client. For Horizon Client for Mac, this feature is supported only in version 4.1 or later.
Note On Windows-based Horizon clients, the feature for logging in as the current user avoids requiring users to supply credentials multiple times.
This feature has the following limitations:
- This feature does not work for virtual desktops that are provided by using the View Agent Direct Connection plug-in.
- This feature is supported only in IPv4 environments.
[Figure: Very Simple True SSO Architecture. Labels: AD, Certificate Authority, VMware Identity Manager Appliance, Enrollment Server, SAML Trust, Connection Server, Client]
The following figure illustrates True SSO in a single domain architecture.
[Figure: True SSO Single Forest Multiple Domain Architecture (non HA). Labels: Forest, Domain #2, Domain #1 (Root Domain), CA, AD, Enrollment Server, VMware Identity Manager Appliance, Connection Server, Client]
The following figure illustrates True SSO in a multiple-forest architecture.
Set Up an Enterprise Certificate Authority
If you do not already have a certificate authority set up, you must add the Active Directory Certificate Services (AD CS) role to a Windows server and configure the server to be an enterprise CA. If you do already have an enterprise CA set up, verify that you are using the settings described in this procedure. You must have at least one enterprise CA, and VMware recommends that you have two for purposes of failover and load balancing.
5 On the Select Features page, accept the defaults.
6 On the Select Role Services page, select Certification Authority.
7 Follow the prompts and finish the installation.
8 When installation is complete, on the Installation Progress page, click the Configure Active Directory Certificate Services on destination server link to open the AD CS Configuration wizard.
Create Certificate Templates Used with True SSO
You must create a certificate template that can be used for issuing short-lived certificates, and you must specify which computers in the domain can request this type of certificate. You can create more than one certificate template. You can configure only one template per domain but you can share the template across multiple domains.
c Make the following changes on the following tabs:
Tab | Action
Compatibility tab
- For Certificate Authority, select Windows Server 2008 R2.
- For Certificate Recipient, select Windows 7/Windows Server 2008 R2.
- Change the template display name to True SSO.
- Change the validity period to a period that is as long as a typical working day; that is, as long as the user is likely to remain logged into the system.
2 To configure Enrollment Agent Computer, on the machine that you are using for the certificate authority, log in to the operating system as an administrator and go to Administrative Tools > Certification Authority.
a Expand the tree in the left pane, right-click Certificate Templates and select Manage.
Prerequisites
- Create a Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016 virtual machine with at least 4GB of memory, or use the virtual machine that hosts the enterprise CA. Do not use a machine that is a domain controller.
- Verify that no other View component, including View Connection Server, View Composer, security server, Horizon Client, or View Agent or Horizon Agent is installed on the virtual machine.
3 Install the enrollment server:
a Download the View Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads. Under Desktop & End-User Computing, select the VMware Horizon 7 download, which includes View Connection Server. The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number.
The Enrollment Service Client certificate is automatically created when a Horizon 7 or later connection server is installed and the VMware Horizon View Connection Server service starts. The certificate is distributed through View LDAP to other Horizon 7 connection servers that get added to the cluster later. The certificate is then stored in a custom container (VMware Horizon View Certificates\Certificates) in the Windows Certificate Store on the computer.
Prerequisites
- Verify that you have a Horizon 7 or later enrollment server. See Install and Set Up an Enrollment Server.
- Verify that you have the correct certificate to import. You can use either your own certificate or the automatically generated, self-signed Enrollment Service Client certificate from one connection server in the cluster, as described in Export the Enrollment Service Client Certificate.
What to do next
Configure the SAML authenticator used for delegating authentication to VMware Identity Manager. See Configure SAML Authentication to Work with True SSO.
Configure SAML Authentication to Work with True SSO
With the True SSO feature introduced in Horizon 7, users can log in to VMware Identity Manager 2.
3 On the Authentication tab, from the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) drop-down menu, select Allowed or Required. You can configure each View Connection Server instance in your deployment to have different SAML authentication settings, depending on your requirements.
4 Click Manage SAML Authenticators and click Add.
5 Configure the SAML authenticator in the Add SAML 2.0 Authenticator dialog box.
Configure View Connection Server for True SSO
You can use the vdmutil command-line interface to configure and enable or disable True SSO. This procedure is required to be performed on only one connection server in the cluster.
Important This procedure uses only the commands necessary for enabling True SSO. For a list of all the configuration options available for managing True SSO configurations, and a description of each option, see Command-line Reference for Configuring True SSO.
2 Enter the command to list the information for that enrollment server.
vdmUtil --authAs admin-role-user --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn
The output shows the forest name, whether the certificate for the enrollment server is valid, the name and details of the certificate template you can use, and the common name of the certificate authority.
For --truessoMode, use ENABLED if you want True SSO to be used only if no password was supplied when the user logged in to VMware Identity Manager. In this case if a password was used and cached, the system will use the password. Set --truessoMode to ALWAYS if you want True SSO to be used even if a password was supplied when the user logged in to VMware Identity Manager.
What to do next
In View Administrator, verify the health status of the True SSO configuration.
Table 5‑1. vdmutil Command Authentication Options
Option | Description
--authAs | Name of a View administrator user. Do not use domain\username or user principal name (UPN) format.
--authDomain | Fully qualified domain name or Netbios name of the domain for the View administrator user specified in the --authAs option.
--authPassword | Password for the View administrator user specified in the --authAs option.
Table 5‑2. vdmutil truesso Command Options for Managing Enrollment Servers (Continued)
Command and Options | Description
--environment --list --enrollmentServer | Lists the FQDNs of the domains and forests that are trusted by the domains and forests to which the enrollment server belongs, and the state of the enrollment certificate, which can be VALID or INVALID. VALID means the enrollment server has an Enrollment Agent certificate installed.
Table 5‑3. vdmutil truesso Command Options for Managing Connectors
Options | Description
--create --connector --domain domain-fqdn --template template-name --primaryEnrollmentServer enroll-server1-fqdn | Creates a connector for the specified domain and configures the connector to use the following settings:
- template-name is the name of the certificate template to use.
For readability, the options shown in the following table do not represent the complete command you would enter. Only the options specific to the particular task are included.
Horizon Agent Configuration Settings
You can use a GPO template on the agent OS to turn off True SSO at the pool level or to change defaults for certificate settings such as key size and count and settings for reconnect attempts.
Note The following table shows the settings to use for configuring the agent on individual virtual machines, but you can alternatively use the Horizon Agent Configuration template files. The ADMX template file is named (vdm_agent.admx).
Table 5‑6. Registry Keys for Configuring True SSO on the Enrollment Server
Registry Key | Min & Max | Type | Description
ConnectToDomains | N/A | REG_MULTI_SZ | List of domains the enrollment server attempts to connect to automatically. For this multi-string registry type, the DNS fully qualified domain name (FQDN) of each domain is listed on its own line. The default is to trust all domains.
Table 5‑6. Registry Keys for Configuring True SSO on the Enrollment Server (Continued)
Registry Key | Min & Max | Type | Description
SubmitLatencyWarningTime | Min: 500, Max: 5000 | DWORD | Submit latency warning time when the interface is marked "Degraded" (in milliseconds). The default is 1500. The enrollment server uses this setting to determine whether a CA should be considered to be in a degraded state.
Table 5‑7. Advanced True SSO Settings for Connection Servers
Registry Key | Description
cs-view-certsso-enable-es-loadbalance=[true|false] | Specifies whether to enable load balancing CSR requests between two enrollment servers. The default is false. For example, add cs-view-certsso-enable-es-loadbalance=true to enable load balancing so that when certificate requests arrive, the connection server will use alternate enrollment servers,.
- "canonicalName"
- "sAMAccountName"
- "member"
- "memberOf"
- "distinguishedName"
- "telephoneNumber"
- "primaryGroupID"
Using the System Health Dashboard to Troubleshoot Issues Related to True SSO
You can use the system health dashboard in View Administrator to quickly see problems that might affect the operation of the True SSO feature.
Table 5‑8. Broker to Enrollment Server Connection Status
Status Text | Description
Failed to fetch True SSO health information. | The dashboard is unable to retrieve the health information from the broker.
The enrollment server cannot be contacted by the True SSO configuration service. | In a POD, one of the brokers is elected to send the configuration information to all enrollment servers used by the POD.
Table 5‑10. Enrollment Certificate Status
Status Text | Description
A valid enrollment certificate for this domain's forest is not installed on the enrollment server, or it may have expired | No enrollment certificate for this domain has been installed, or the certificate is invalid or has expired. The enrollment certificate must be issued by an enterprise CA that is trusted by the forest this domain is a member of.
Table 5‑13. Certificate Server Connection Status
Status Text | Description
The enrollment server is not connected to the certificate server. | The enrollment server is not connected to the certificate server. This state might be a transitional state if the enrollment server just started, or if the CA was recently added to a True SSO connector. If the state remains for longer than one minute, it means that the enrollment server failed to connect to the CA.
6 Configuring Role-Based Delegated Administration
One key management task in a View environment is to determine who can use View Administrator and what tasks those users are authorized to perform. With role-based delegated administration, you can selectively assign administrative rights by assigning administrator roles to specific Active Directory users and groups.
Administrator roles typically combine all of the individual privileges required to perform a higher-level administration task. View Administrator includes predefined roles that contain the privileges required to perform common administration tasks. You can assign these predefined roles to your administrator users and groups, or you can create your own roles by combining selected privileges. You cannot modify the predefined roles.
You can use View Administrator to create access groups and to move existing desktop pools to access groups. When you create an automated desktop pool, a manual pool, or a farm, you can accept the default root access group or select a different access group.
Table 6‑2. Different Administrators for the Same Access Group
Administrator | Role | Access Group
view-domain.com\Admin1 | Inventory Administrators | /CorporateDesktops
view-domain.com\Admin2 | Inventory Administrators (Read only) | /CorporateDesktops
In this example, the administrator called Admin1 has the Inventory Administrators role on the access group called CorporateDesktops and the administrator called Admin2 has the Inventory Administrators (Read only) role on the same access group
Table 6‑5. Permissions on the Role Tab for Inventory Administrators
Administrator | Access Group
view-domain.com\Admin1 | /MarketingDesktops
Manage Administrators
Users who have the Administrators role can use View Administrator to add and remove administrator users and groups. The Administrators role is the most powerful role in View Administrator. Initially, members of the View Administrators account are given the Administrators role.
2 On the Administrators and Groups tab, click Add User or Group.
3 Click Add, select one or more search criteria, and click Find to filter Active Directory users or groups based on your search criteria.
4 Select the Active Directory user or group that you want to be an administrator user or group, click OK and click Next. You can press the Ctrl and Shift keys to select multiple users and groups.
5 Select a role to assign to the administrator user or group.
- Delete a Permission
  You can delete a permission that includes a specific administrator user or group, a specific role, or a specific access group.
- Review Permissions
  You can review the permissions that include a specific administrator or group, a specific role, or a specific access group.
Add a Permission
You can add a permission that includes a specific administrator user or group, a specific role, or a specific access group.
Delete a Permission
You can delete a permission that includes a specific administrator user or group, a specific role, or a specific access group. If you remove the last permission for an administrator user or group, that administrator user or group is also removed. Because at least one administrator must have the Administrators role on the root access group, you cannot remove a permission that would cause that administrator to be removed. You cannot delete an inherited permission.
- Add an Access Group
  You can delegate the administration of specific machines, desktop pools, or farms to different administrators by creating access groups. By default, desktop pools, application pools, and farms reside in the root access group.
- Move a Desktop Pool or a Farm to a Different Access Group
  After you create an access group, you can move automated desktop pools, manual pools, or farms to the new access group.
Move a Desktop Pool or a Farm to a Different Access Group
After you create an access group, you can move automated desktop pools, manual pools, or farms to the new access group.
Procedure
1 In View Administrator, select Catalog > Desktop Pools or Resources > Farms.
2 Select a pool or a farm.
3 Select Change Access Group from the Access Group drop-down menu in the top window pane.
4 Select the access group and click OK.
2 Select an access group from the Access Group drop-down menu in the main window pane. The objects in the access group that you selected are displayed.
Review the vCenter Virtual Machines in an Access Group
You can see the vCenter virtual machines in a particular access group in View Administrator. A vCenter virtual machine inherits the access group from its pool.
Procedure
1 In View Administrator, select Resources > Machines.
2 Select the vCenter VMs tab.
3 Type a name and description for the new role, select one or more privileges, and click OK. The new role appears in the left pane.
Modify the Privileges in a Custom Role
You can modify the privileges in a custom role. You cannot modify the predefined administrator roles.
Prerequisites
Familiarize yourself with the administrator privileges that you can use to create custom roles. See Predefined Roles and Privileges.
- Global Privileges
  Global privileges control system-wide operations, such as viewing and changing global settings. Roles that contain only global privileges cannot be applied to access groups.
- Object-Specific Privileges
  Object-specific privileges control operations on specific types of inventory objects. Roles that contain object-specific privileges can be applied to access groups.
- Internal Privileges
  Some of the predefined administrator roles contain internal privileges.
Table 6‑6. Predefined Roles in Horizon Administrator (Continued)
Role | User Capabilities | Applies to an Access Group
Agent Registration Administrators | Register unmanaged machines such as physical systems, standalone virtual machines, and RDS hosts. | No
Global Configuration and Policy Administrators | View and modify global policies and configuration settings except for administrator roles and permissions, and ThinApp applications and settings.
Table 6‑6. Predefined Roles in Horizon Administrator (Continued)
Role | User Capabilities | Applies to an Access Group
Local Administrators | Perform all local administrator operations, except for creating additional administrator users and groups. In a Cloud Pod Architecture environment, administrators that have this role cannot perform operations on the Global Data Layer or manage sessions on remote pods.
Table 6‑7. Global Privileges (Continued)
Privilege | User Capabilities | Predefined Roles
Manage Roles and Permissions | Create, modify, and delete administrator roles and permissions. | Administrators
Register Agent | Install Horizon Agent on unmanaged machines, such as physical systems, standalone virtual machines, and RDS hosts.
Table 6‑9. Internal Privileges
Privilege | Description | Predefined Roles
Full (Read only) | Grants read-only access to all settings. | Administrators (Read only)
Manage Inventory (Read only) | Grants read-only access to inventory objects. | Inventory Administrators (Read only)
Manage Global Configuration and Policies (Read only) | Grants read-only access to configuration settings and global policies except for administrators and roles.
Table 6‑11. Machine Management Tasks and Privileges (Continued)
Task | Required Privileges
Restart a virtual desktop | Manage Reboot Operation
Assign or remove user ownership | Manage Machine
Enter or exit maintenance mode | Manage Machine
Disconnect or log off sessions | Manage Sessions
Privileges for Managing Persistent Disks
An administrator must have certain privileges to manage persistent disks in Horizon Administrator.
Table 6‑13. User and Administrator Management Tasks and Privileges (Continued)
Task | Required Privileges
Add, modify, or delete an administrator permission | Manage Roles and Permissions
Add, modify, or delete an administrator role | Manage Roles and Permissions
Privileges for Horizon Help Desk Tool Tasks
Horizon Help Desk Tool administrators must have certain privileges to perform troubleshooting tasks in Horizon Administrator.
Table 6‑15 shows the privileges that are required to perform general administration tasks and run command line utilities.
Table 6‑15. Privileges for General Administration Tasks and Commands
Task | Required Privileges
Add or delete an access group | Must have the Administrators role on the root access group.
Manage ThinApp applications and settings in View Administrator | Must have the Administrators role on the root access group.
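The permission rules in this chapter (a permission is an administrator, a role and an access group; roles with only global privileges cannot be scoped to an access group; the last Administrators permission on the root access group and inherited permissions cannot be deleted) can be modelled for a least-privilege review. This is an added example, not VMware code: the object-specific privileges given to the Administrators and Inventory Administrators roles, the RootAdmin account, and the treatment of root permissions as inherited by every access group are assumptions of the model.

```python
from dataclasses import dataclass

ROOT = "/"

# Task -> required privilege, as listed in Table 6-11 on this page.
TASK_PRIVILEGE = {
    "Restart a virtual desktop": "Manage Reboot Operation",
    "Assign or remove user ownership": "Manage Machine",
    "Enter or exit maintenance mode": "Manage Machine",
    "Disconnect or log off sessions": "Manage Sessions",
}

# Role -> (global privileges, object-specific privileges).
# ASSUMPTION: trimmed to what the example needs; the object-specific sets of
# the first two roles are illustrative, not the product's full lists.
_INVENTORY = {"Manage Machine", "Manage Reboot Operation", "Manage Sessions"}
ROLES = {
    "Administrators": ({"Manage Roles and Permissions"}, set(_INVENTORY)),
    "Inventory Administrators": (set(), set(_INVENTORY)),
    "Inventory Administrators (Read only)": (set(), {"Manage Inventory (Read only)"}),
    "Agent Registration Administrators": ({"Register Agent"}, set()),
}


@dataclass(frozen=True)
class Permission:
    admin: str
    role: str
    access_group: str


class PermissionStore:
    def __init__(self):
        self.permissions = set()

    def add(self, admin, role, access_group=ROOT):
        _, object_privs = ROLES[role]
        # Roles that contain only global privileges cannot be applied to access groups.
        if not object_privs and access_group != ROOT:
            raise ValueError("%s has only global privileges" % role)
        perm = Permission(admin, role, access_group)
        self.permissions.add(perm)
        return perm

    def effective(self, access_group):
        """(permission, inherited) pairs that apply to one access group."""
        pairs = [(p, p.access_group == ROOT and access_group != ROOT)
                 for p in self.permissions
                 if p.access_group in (ROOT, access_group)]
        return sorted(pairs, key=lambda x: (x[0].admin, x[0].role, x[0].access_group))

    def can(self, admin, task, access_group):
        needed = TASK_PRIVILEGE[task]
        return any(p.admin == admin and needed in ROLES[p.role][1]
                   for p, _ in self.effective(access_group))

    def delete(self, perm, viewed_from=None):
        """Delete a permission; return True if the administrator is removed with it."""
        viewed_from = viewed_from or perm.access_group
        if perm not in self.permissions:
            raise KeyError(perm)
        if perm.access_group == ROOT and viewed_from != ROOT:
            raise PermissionError("inherited permission cannot be deleted")
        if perm.role == "Administrators" and perm.access_group == ROOT:
            others = [p for p in self.permissions
                      if p != perm and p.role == "Administrators"
                      and p.access_group == ROOT]
            if not others:
                raise PermissionError("last Administrators permission on root")
        self.permissions.remove(perm)
        # Removing an administrator's last permission removes the administrator.
        return not any(p.admin == perm.admin for p in self.permissions)


def build_table_6_2_example():
    """Table 6-2 plus one constructed root administrator (RootAdmin)."""
    store = PermissionStore()
    store.add("view-domain.com\\RootAdmin", "Administrators")  # constructed account
    store.add("view-domain.com\\Admin1", "Inventory Administrators", "/CorporateDesktops")
    store.add("view-domain.com\\Admin2", "Inventory Administrators (Read only)",
              "/CorporateDesktops")
    return store


if __name__ == "__main__":
    s = build_table_6_2_example()
    for task in TASK_PRIVILEGE:
        print(task, s.can("view-domain.com\\Admin2", task, "/CorporateDesktops"))
```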
7 Configuring Policies in Horizon Administrator and Active Directory
You can use Horizon Administrator to set policies for client sessions. You can configure Active Directory group policy settings to control the behavior of View Connection Server, the PCoIP display protocol, and Horizon 7 logging and performance alarms. You can also configure Active Directory group policy settings to control the behavior of Horizon Agent, Horizon Client for Windows, Horizon Persona Management, and certain features.
- Configure Policies for Desktop Pools
  You can configure desktop-level policies to affect specific desktop pools. Desktop-level policy settings take precedence over their equivalent global policy settings.
- Configure Policies for Users
  You can configure user-level policies to affect specific users. User-level policy settings always take precedence over their equivalent global and desktop pool-level policy settings.
Configure Policies for Users
You can configure user-level policies to affect specific users. User-level policy settings always take precedence over their equivalent global and desktop pool-level policy settings.
Prerequisites
Familiarize yourself with the policy descriptions. See Horizon 7 Policies.
Procedure
1 In Horizon Administrator, select Catalog > Desktop Pools.
2 Double-click the ID of the desktop pool and click the Policies tab.
Table 7‑1. Horizon Policies
Policy | Description
Multimedia redirection (MMR) | Determines whether MMR is enabled for client systems. MMR is a Windows Media Foundation filter that forwards multimedia data from specific codecs on remote desktops directly through a TCP socket to the client system. The data is then decoded directly on the client system, where it is played. The default value is Deny.
Horizon 7 ADMX Template Files
The Horizon 7 ADMX template files provide group policy settings that allow you to control and optimize Horizon 7 components.
Table 7‑2. Horizon ADMX Template Files
Template Name | Template File | Description
VMware View Agent Configuration | vdm_agent.admx | Contains policy settings related to the authentication and environmental components of Horizon Agent. See the Configuring Remote Desktop Features in Horizon 7 document.
Table 7‑2. Horizon ADMX Template Files (Continued)
Template Name | Template File | Description
Persona Management | ViewPM.admx | Contains policy settings related to Horizon Persona Management. See the Setting Up Virtual Desktops in Horizon 7 document.
Remote Desktop Services | vmware_rdsh_server.admx | Contains policy settings related to Remote Desktop Services. See the Configuring Remote Desktop Features in Horizon 7 document.
View RTAV Configuration | vdm_agent_rtav.
Table 7‑3. Horizon Server Configuration Template Settings
Setting | Properties
Enumerate Forest Trust Child Domains | Determines if every domain trusted by the domain in which the server resides is enumerated. In order to establish a complete chain of trust, the domains trusted by each trusted domain are also enumerated and the process continues recursively until all trusted domains are discovered.
Table 7‑4. View Common Configuration Template: Log Configuration Settings
Setting | Properties
Number of days to keep production logs | Specifies the number of days for which log files are retained on the system. If no value is set, the default applies and log files are kept for seven days.
Maximum number of debug logs | Specifies the maximum number of debug log files to retain on the system.
Table 7‑5. View Common Configuration Template: Performance Alarm Settings (Continued)
Setting | Properties
Overall memory usage percentage to issue log info | Specifies the threshold at which the overall committed system memory use is logged. Committed system memory is memory that has been allocated by processes and to which the operating system has committed physical memory or a page slot in the pagefile.
General Settings
Table 7‑7 describes the general settings in the Horizon Common Configuration ADMX template files. All of the settings are in the Computer Configuration > Policies > Administrative Templates > VMware View Common Configuration folder in the Group Policy Management Editor.
Table 7‑7.
8 Maintaining View Components
To keep your View components available and running, you can perform a variety of maintenance tasks.
When you use View Administrator to perform backups, View backs up the View LDAP configuration data and View Composer database. Both sets of backup files are stored in the same location. The View LDAP data is exported in encrypted LDAP data interchange format (LDIF). For a description of View LDAP, see View LDAP Directory.
You can perform backups in several ways.
- Schedule automatic backups by using the View configuration backup feature.
2 On the Connection Servers tab, select the View Connection Server instance to be backed up and click Edit.
3 On the Backup tab, specify the View configuration backup settings to configure the backup frequency, maximum number of backups, and the folder location of the backup files.
4 (Optional) Change the data recovery password.
a Click Change data recovery password.
b Type and retype the new password.
c (Optional) Type a password reminder.
d Click OK.
5 Click OK.
You can run the vdmexport command on any View Connection Server instance. If you have multiple View Connection Server instances in a replicated group, you only need to export the data from one instance. All replicated instances contain the same configuration data.
Note The vdmexport.exe command backs up the View LDAP data only. This command does not back up View Composer database information.
Prerequisites
- Locate the vdmexport.
For details about importing the LDIF file, see Restoring View Connection Server and View Composer Configuration Data.
Restoring View Connection Server and View Composer Configuration Data
You can manually restore the View Connection Server LDAP configuration files and View Composer database files that were backed up by View. You manually run separate utilities to restore View Connection Server and View Composer configuration data.
Prerequisites

- Locate the vdmimport command executable file installed with View Connection Server in the default path.
  C:\Program Files\VMware\VMware View\Server\tools\bin
- Log in to a View Connection Server instance as a user with the Administrators role.
- Verify that you know the data recovery password. If a password reminder was configured, you can display the reminder by running the vdmimport command without the password option.
12 Start the View Composer instances.
13 Reinstall the replica server instances.
14 Start the security server instances.
   If there is a risk that the security servers have inconsistent configuration, they should also be uninstalled rather than stopped and then reinstalled at the end of the process.

The vdmimport command updates the View LDAP repository in View Connection Server with the configuration data from the LDIF file.
- BackupFilePath - The path to the View Composer backup file.

The DsnName and BackupFilePath parameters are required and cannot be empty strings. The Username and Password parameters are optional.

Procedure

1 Copy the View Composer backup files from the View Connection Server computer to a location that is accessible from the computer where the VMware Horizon View Composer service is installed.
Table 8‑2. Restoredata Result Codes (Continued)

Code | Description
4 | An unexpected problem occurred and the command failed to complete.
14 | Another application is using the VMware Horizon View Composer service. Shut down the service before executing the command.
15 | A problem occurred during the restore process. Details are provided in the onscreen log output.

Export Data in View Composer Database

You can export data from your View Composer database to file.
3 Run the SviConfig exportdata command.

sviconfig -operation=exportdata -DsnName=target_database_source_name_(DSN) -Username=database_administrator_username -Password=database_administrator_password -OutputFilePath=path_to_View_Composer_output_file

For example:

sviconfig -operation=exportdata -dsnname=LinkedClone -username=Admin -password=Pass -outputfilepath="C:\Program Files\VMware\VMware View Composer\Export-20090304000010-foobar_test_org.
Procedure

1 In View Administrator, click Dashboard.
2 In the System Health pane, expand View components, vSphere components, or Other components.
  - A green up arrow indicates that a component has no problems.
  - A red down arrow indicates that a component is unavailable or not functioning.
  - A yellow double arrow indicates that a component is in a warning state.
  - A question mark indicates that the status of a component is unknown.
3 Click a component name.
What to do next

You can click a machine name to see details about the machine or click the View Administrator back arrow to return to the Dashboard page.

Understanding View Services

The operation of View Connection Server instances and security servers depends on several services that run on the system. These systems are started and stopped automatically, but you might sometimes find it necessary to adjust the operation of these services manually.
Table 8‑4. View Connection Server Host Services

Service Name | Startup Type | Description
VMware Horizon View Blast Secure Gateway | Automatic | Provides secure HTML Access and Blast Extreme services. This service must be running if clients connect to View Connection Server through the Blast Secure Gateway.
VMware Horizon View Connection Server | Automatic | Provides connection broker services. This service must always be running.
Table 8‑5. Security Server Services (Continued)

Service Name | Startup Type | Description
VMware Horizon View PCoIP Secure Gateway | Manual | Provides PCoIP Secure Gateway services. This service must be running if clients connect to this security server through the PCoIP Secure Gateway.
VMware Horizon View Security Gateway Component | Manual | Provides common gateway services. This service must always be running.
Monitoring Product License Usage

In Horizon 7 Administrator, you can monitor the active users who are concurrently connected to Horizon. The Product Licensing and Usage page displays the current and highest historical usage numbers. You can use these numbers to keep track of your product license usage. You can also reset the historical usage data and start over with the current data.

Horizon provides two licensing usage models, one for named users and one for concurrent users.
Reset Product License Usage Data

In View Administrator, you can reset the historical product usage data and start over with the current data. An administrator with the Manage Global Configuration and Policies privilege can select the Reset Highest Count and Reset Named Users Count settings. To restrict access to these settings, give this privilege to designated administrators only.

Prerequisites

Familiarize yourself with product license usage. See Monitoring Product License Usage.
2 Choose whether to update information for all users or an individual user.

Option | Action
For all users | Click Update General User Information. Updating all users and groups can take a long time.
For an individual user | a Click the user name to update. b Click Update General User Information.

Migrate View Composer to Another Machine

In some situations, you might need to migrate a VMware Horizon View Composer service to a new Windows Server virtual or physical machine.
Guidelines for Migrating View Composer

The steps you take to migrate the VMware Horizon View Composer service depend on whether you intend to preserve existing linked-clone virtual machines. To preserve the linked-clone virtual machines in your deployment, the VMware Horizon View Composer service that you install on the new virtual or physical machine must continue to use the existing View Composer database.
When you install the VMware Horizon View Composer service on the new machine, you must configure the service to connect to the View Composer database.

Prerequisites

- Familiarize yourself with the View Composer migration requirements. See Guidelines for Migrating View Composer.
- Familiarize yourself with the steps for migrating the RSA key container to the new VMware Horizon View Composer service. See Prepare a Microsoft .
7 In View Administrator, configure the new View Composer settings.
  a In View Administrator, select View Configuration > Servers.
  b On the vCenter Servers tab, select the vCenter Server instance that is associated with this View Composer service and click Edit.
  c In the View Composer Server Settings pane, click Edit and provide the new View Composer settings.
  c In the View Composer Server Settings pane, click Edit.
  d Select Do not use View Composer and click OK.
2 Uninstall the VMware Horizon View Composer service from the current machine.
3 Install the VMware Horizon View Composer service on the new machine.
  During the installation, configure View Composer to connect to the DSN of the original or new View Composer database.
4 Configure an SSL server certificate for View Composer on the new machine.
2 Install the .NET Framework on the destination machine on which you want to install the new VMware Horizon View Composer service.

What to do next

Migrate the RSA key container to the destination machine. See Migrate the RSA Key Container to the New View Composer Service.
What to do next

Install the new VMware Horizon View Composer service on the destination machine. Provide the DSN and ODBC data source information that allows View Composer to connect to the same database information that was used by the original VMware Horizon View Composer service. For installation instructions, see "Installing View Composer" in the View Installation document.

Complete the steps to migrate View Composer to a new machine and use the same database.
3 For View Connection Server or security server, add the certificate Friendly name, vdm, to the new certificate that is replacing the previous certificate.
  a Right-click the new certificate and click Properties.
  b On the General tab, in the Friendly name field, type vdm.
  c Click Apply and click OK.
4 For a server certificate that is issued to View Composer, run the SviConfig ReplaceCertificate utility to bind the new certificate to the port used by View Composer.
3 Select Join VMware Customer Experience Improvement Program to join CEIP.
  If you do not select this option, you cannot join CEIP.
4 Click OK.
9 Managing ThinApp Applications in View Administrator

You can use View Administrator to distribute and manage applications packaged with VMware ThinApp. Managing ThinApp applications in View Administrator involves capturing and storing application packages, adding ThinApp applications to View Administrator, and assigning ThinApp applications to machines and desktop pools.

You must have a license to use the ThinApp management feature in View Administrator.
- You must configure the file and sharing permissions on the network share that hosts the MSI packages to give Read access to the built-in Active Directory group Domain Computers. If you plan to distribute ThinApp applications to domain controllers, you must also give Read access to the built-in Active Directory group Domain Controllers.
5 Create a ThinApp Template
  You can create a template in View Administrator to specify a group of ThinApp applications. You can use templates to group applications together by function, vendor, or any other logical grouping that makes sense in your organization.

Package Your Applications

You use the ThinApp Setup Capture wizard to capture and package your applications.

Prerequisites

- Download the ThinApp software from http://www.vmware.
2 Configure the file and sharing permissions on the shared folder to give Read access to the built-in Active Directory group Domain Computers.
3 If you plan to assign ThinApp applications to domain controllers, give Read access to the built-in Active Directory group Domain Controllers.
4 If you plan to use streaming ThinApp application packages, set the NTFS permission of the network share that hosts the ThinApp packages to Read&Execute for users.
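One way to verify these permissions afterwards is to parse the output of `icacls` for the repository folder. This is an added example, not part of the VMware documentation: the share path, the MYORG principals and the sample output are constructed, it reads the NTFS ACL only (not the share-level permissions), and treating write access for non-administrators as a finding is this example's own assumption.

```python
"""Audit `icacls` output for a ThinApp repository folder."""
import re

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}           # inheritance markers, not rights
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "GA"}         # rights that include read
EXEC_RIGHTS = {"F", "M", "RX"}                          # rights that include Read&Execute
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "DC", "WDAC", "WO", "GW", "GA"}
# Assumption of this example: only these principals may change packages.
ADMIN_PRINCIPALS = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}


def parse_icacls(text, path):
    """Return [(principal, is_deny, rights)] from icacls output for `path`."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):            # the first ACE shares a line with the path
            line = line[len(path):].strip()
        match = ACE_RE.match(line)
        if not match:                        # blank line or "Successfully processed ..."
            continue
        tokens = re.findall(r"\(([^)]*)\)", match.group("flags"))
        rights = set()
        for token in tokens:
            if token not in INHERIT_FLAGS and token != "DENY":
                rights.update(token.split(","))   # e.g. "(RX,W)" lists several rights
        aces.append((match.group("who"), "DENY" in tokens, rights))
    return aces


def audit_repository_acl(aces, required_readers, streaming_users=None):
    """Return [(principal, issue)] in a stable order; an empty list means no findings."""
    allow, findings = {}, []
    for who, is_deny, rights in aces:
        if is_deny:
            if who in required_readers and rights & READ_RIGHTS:
                findings.append((who, "deny-read"))
            continue
        allow.setdefault(who, set()).update(rights)
    for who in required_readers:             # Read for Domain Computers / Controllers
        if not allow.get(who, set()) & READ_RIGHTS:
            findings.append((who, "missing-read"))
    if streaming_users and not allow.get(streaming_users, set()) & EXEC_RIGHTS:
        findings.append((streaming_users, "missing-read-execute"))
    for who in sorted(allow):                # least privilege: who else can write?
        if who not in ADMIN_PRINCIPALS and allow[who] & WRITE_RIGHTS:
            findings.append((who, "can-write"))
    return findings


# Constructed sample: output of `icacls \\fs01\ThinAppRepo` on a hypothetical file server.
SAMPLE_PATH = r"\\fs01\ThinAppRepo"
SAMPLE_OUTPUT = r"""
\\fs01\ThinAppRepo BUILTIN\Administrators:(OI)(CI)(F)
                   NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                   MYORG\Domain Computers:(OI)(CI)(R)
                   MYORG\Domain Users:(OI)(CI)(R)
                   MYORG\Helpdesk:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    parsed = parse_icacls(SAMPLE_OUTPUT, SAMPLE_PATH)
    for principal, issue in audit_repository_acl(
            parsed,
            required_readers=[r"MYORG\Domain Computers", r"MYORG\Domain Controllers"],
            streaming_users=r"MYORG\Domain Users"):
        print(f"{issue:22} {principal}")
```

Pass `streaming_users` only when streaming packages are in use; for full installations the Read checks are the ones the procedure requires.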
Procedure

1 In View Administrator, select Catalog > ThinApps.
2 On the Summary tab, click Scan New ThinApps.
3 Select an application repository and a folder to scan and click Next.
  If the application repository contains subfolders, you can expand the root folder and select a subfolder.
4 Select the ThinApp applications that you want to add to View Administrator.
  You can press Ctrl+click or Shift+click to select multiple ThinApp applications.
2 Type a name for the template and click Add.
  All of the available ThinApp applications appear in the table.
3 To find a particular ThinApp application, type the name of the application in the Find text box and click Find.
4 Select the ThinApp applications that you want to include in the template and click Add.
  You can press Ctrl+click or Shift+click to select multiple applications.
5 Click OK to save the template.
- Assign Multiple ThinApp Applications to a Desktop Pool
  You can assign one or more ThinApp applications to a particular desktop pool.
- Assign a ThinApp Template to a Machine or Desktop Pool
  You can streamline the distribution of multiple ThinApp applications by assigning a ThinApp template to a machine or desktop pool.
- Review ThinApp Application Assignments
  You can review all of the machines and desktop pools that a particular ThinApp application is currently assigned to.
Procedure

1 In View Administrator, select Catalog > ThinApps and select the ThinApp application.
2 Select Assign Machines from the Add Assignment drop-down menu.
  The machines that the ThinApp application is not already assigned to appear in the table.
3
  Option | Action
  Find a specific machine | Type the name of the machine in the Find text box and click Find.
4 Select a ThinApp application to assign to the machine and click Add.
  Repeat this step to add multiple applications.
5 Select an installation type and click OK.

Option | Action
Streaming | Installs a shortcut to the application on the machine. The shortcut points to the application on the network share that hosts the repository. Users must have access to the network share to run the application.
Full | Installs the full application on the machine's local file system.
4 Select an installation type and click OK.

Option | Action
Streaming | Installs a shortcut to the application on the machine. The shortcut points to the application on the network share that hosts the repository. Users must have access to the network share to run the application.
Full | Installs the full application on the machine's local file system.

Some ThinApp applications do not support both installation types.
View Administrator begins installing the ThinApp applications the first time a user logs in to a desktop in the pool. After the installation is finished, the applications are available to all of the users of the desktop pool.

Assign a ThinApp Template to a Machine or Desktop Pool

You can streamline the distribution of multiple ThinApp applications by assigning a ThinApp template to a machine or desktop pool.
When you assign a ThinApp template to a machine, View Administrator begins installing the applications in the template a few minutes later. When you assign a ThinApp template to a desktop pool, View Administrator begins installing the applications in the template the first time a user logs in to a remote desktop in the desktop pool. After the installation is finished, the applications are available to all of the users of the machine or desktop pool.
Table 9‑1. ThinApp Application Installation Status

Status | Description
Assigned | The ThinApp application is assigned to the machine.
Install Error | An error occurred when View Administrator attempted to install the ThinApp application.
Uninstall Error | An error occurred when View Administrator attempted to uninstall the ThinApp application.
Installed | The ThinApp application is installed.
Pending Install | View Administrator is attempting to install the ThinApp application.
- Remove Multiple ThinApp Application Assignments from a Desktop Pool
  You can remove one or more ThinApp application assignments from a particular desktop pool.
- Remove a ThinApp Application from View Administrator
  When you remove a ThinApp application from View Administrator, you can no longer assign the application to machines and desktop pools.
- Modify or Delete a ThinApp Template
  You can add and remove applications from a ThinApp template.
Procedure

1 In View Administrator, select Resources > Machines and double-click the name of the machine in the Machine column.
2 On the Summary tab, select the ThinApp application and click Remove Assignment in the ThinApps pane.
  Repeat this step to remove another application assignment.

View Administrator uninstalls the ThinApp application a few minutes later.
2 On the Inventory tab, click ThinApps, select the ThinApp application, and click Remove Assignment.
  Repeat this step to remove multiple applications.

View Administrator uninstalls the ThinApp applications the first time a user logs in to a remote desktop in the pool.

Remove a ThinApp Application from View Administrator

When you remove a ThinApp application from View Administrator, you can no longer assign the application to machines and desktop pools.
Remove an Application Repository

You can remove an application repository from View Administrator.

You might need to remove an application repository if you no longer need the MSI packages that it contains, or if you need to move the MSI packages to a different network share. You cannot edit the share path of an application repository in View Administrator.

Procedure

1 In View Administrator, select View Configuration > ThinApp Configuration and select the application repository.
Solution

- If the network share path is incorrect, type the correct network share path. Network share paths that contain IP addresses are not supported.
- If the network share is not in an accessible domain, copy your application packages to a network share in a domain that is accessible from the View Connection Server host.
- Verify that the file and sharing permissions on the shared folder give Read access to the built-in Active Directory group Domain Computers.
Cause

Either the ThinApp template contains an application that is already assigned to the machine or desktop pool, or the ThinApp template was previously assigned to the machine or desktop pool with a different installation type.

Solution

If the template contains a ThinApp application that is already assigned to the machine or desktop pool, create a new template that does not contain the application or edit the existing template and remove the application.
ThinApp Application Is Not Uninstalled

View Administrator cannot uninstall a ThinApp application.

Problem

The ThinApp application installation status shows Uninstall Error.

Cause

Common causes for this error include the following:

- The ThinApp application was busy when View Administrator tried to uninstall it.
- Network connectivity was lost between the View Connection Server host and the machine.
Cause

Common causes of this problem include the following:

- The MSI file is corrupted.
- The MSI file was not created with ThinApp.
- The MSI file was created or repackaged with an unsupported version of ThinApp. You must use ThinApp version 4.6 or later.

Solution

See the ThinApp User's Guide for information on troubleshooting problems with MSI packages.
7 Decide whether to assign the ThinApp applications to machines or desktop pools.
  If you use a common naming convention for your machines, you can use machine assignments to quickly distribute applications to all of the machines that use that naming convention. If you organize your desktop pools by department or user type, you can use desktop pool assignments to quickly distribute applications to specific departments or users.
10 Setting Up Clients in Kiosk Mode

You can set up unattended clients that can obtain access to their desktops from View.

A client in kiosk mode is a thin client or a lock-down PC that runs Horizon Client to connect to a View Connection Server instance and launch a remote session. End users do not typically need to log in to access the client device, although the remote desktop might require them to provide authentication information for some applications.
Prerequisites

Verify that you have the privileges required to perform the configuration tasks.

- Domain Admins or Account Operators credentials in Active Directory to make changes to the accounts of users and groups in a domain.
- Administrators, Inventory Administrators, or an equivalent role to use View Administrator to entitle users or groups to remote desktops.
- Administrators or an equivalent role to run the vdmadmin command.
As a best practice, create a separate organizational unit and group to help minimize your work in administering clients in kiosk mode. You can add individual accounts for clients that do not belong to any group, but this creates a large administrative overhead if you configure more than a small number of clients.

Procedure

1 In Active Directory, create a separate organizational unit and group to use with clients in kiosk mode.
  You must specify a pre-Windows 2000 name for the group.
What to do next

Set default values for the clients.

Set Default Values for Clients in Kiosk Mode

You can use the vdmadmin command to set the default values for the organizational unit, password expiry, and group membership in Active Directory for clients in kiosk mode.

You must run the vdmadmin command on one of the View Connection Server instances in the group that contains the View Connection Server instance that clients will use to connect to their remote desktops.
Display the MAC Addresses of Client Devices

If you want to create an account for a client that is based on its MAC address, you can use Horizon Client to discover the MAC address of the client device.

Prerequisites

Log in on the console of the client.

Procedure

- To display the MAC address, type the appropriate command for your platform.

Option | Action
Windows | Enter C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.
When you add a client in kiosk mode, View creates a user account for the client in Active Directory. If you specify a name for a client, this name must start with a recognized prefix string, such as "custom-", or with an alternate prefix string that you have defined in ADAM, and it cannot be more than 20 characters long. If you do not specify a name for a client, View generates a name from the MAC address that you specify for the client device.
Example: Adding Accounts for Clients

Add an account for a client specified by its MAC address to the MYORG domain, using the default settings for the group kc-grp.

vdmadmin -Q -clientauth -add -domain MYORG -clientid 00:10:db:ee:76:80 -group kc-grp

Add an account for a client specified by its MAC address to the MYORG domain, using an automatically generated password.
Procedure

1 Enable authentication of clients on a View Connection Server instance.

vdmadmin -Q -enable [-b authentication_arguments] -s connection_server [-requirepassword]

Option | Description
-requirepassword | Specifies that you require clients to provide passwords.
  Important If you specify this option, the View Connection Server instance cannot authenticate clients that have automatically generated passwords.
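The naming rules for kiosk clients, the `vdmadmin -Q -clientauth -add` form and the `-requirepassword` restriction described above can be checked against a provisioning plan before any account is created. The following is an added example, not VMware's code: the plan rows, the `password` planning field and the function names are assumptions, and only vdmadmin options that appear on this page are emitted.

```python
"""Lint a kiosk-mode client plan before any vdmadmin command is run."""
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
MAX_NAME_LEN = 20                  # "cannot be more than 20 characters long"
DEFAULT_PREFIXES = ("custom-",)    # add alternate prefixes defined in ADAM here


def classify_client_id(client_id, prefixes=DEFAULT_PREFIXES):
    """Return 'mac' or 'name'; raise ValueError if the ID breaks the stated rules."""
    if MAC_RE.match(client_id):
        return "mac"
    if ":" in client_id:
        raise ValueError(f"{client_id}: malformed MAC address")
    if not client_id.startswith(tuple(prefixes)):
        raise ValueError(f"{client_id}: name does not start with a recognized prefix")
    if len(client_id) > MAX_NAME_LEN:
        raise ValueError(f"{client_id}: name is longer than {MAX_NAME_LEN} characters")
    return "name"


def lint_plan(rows, require_password, prefixes=DEFAULT_PREFIXES):
    """Return a list of findings; an empty list means the plan is consistent.

    require_password mirrors whether the Connection Server was enabled with
    -requirepassword, in which case it cannot authenticate clients that have
    automatically generated passwords.
    """
    findings, seen = [], set()
    for row in rows:
        cid = row["client_id"]
        try:
            classify_client_id(cid, prefixes)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if cid.lower() in seen:            # same MAC or name planned twice
            findings.append(f"{cid}: duplicate client ID")
        seen.add(cid.lower())
        if require_password and row["password"] == "generated":
            findings.append(f"{cid}: generated password conflicts with -requirepassword")
    return findings


def build_add_argv(domain, client_id, group, prefixes=DEFAULT_PREFIXES):
    """Build the 'add account' command in the form shown on the page."""
    classify_client_id(client_id, prefixes)      # refuse to emit invalid IDs
    return ["vdmadmin", "-Q", "-clientauth", "-add",
            "-domain", domain, "-clientid", client_id, "-group", group]


# Constructed sample plan; "password" is a planning field of this example,
# not a vdmadmin argument.
SAMPLE_PLAN = [
    {"client_id": "00:10:db:ee:76:80", "password": "generated"},
    {"client_id": "custom-Terminal21", "password": "assigned"},
    {"client_id": "00:10:DB:EE:76:80", "password": "assigned"},            # duplicate MAC
    {"client_id": "lobby-kiosk-01", "password": "assigned"},               # no prefix
    {"client_id": "custom-Reception-Desk-North", "password": "assigned"},  # 27 characters
    {"client_id": "00:10:db:ee:76", "password": "generated"},              # five octets
]

if __name__ == "__main__":
    for finding in lint_plan(SAMPLE_PLAN, require_password=True):
        print("FINDING:", finding)
    print(" ".join(build_add_argv("MYORG", "00:10:db:ee:76:80", "kc-grp")))
```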
You must run the vdmadmin command on one of the View Connection Server instances in the group that contains the View Connection Server instance that clients will use to connect to their remote desktops.

Procedure

- Display information about clients in kiosk mode and client authentication.
You would usually use a command script to run Horizon Client on a deployed client device.

Note On a Windows or Mac client, by default USB devices on the client are not forwarded automatically if they are in use by another application or service when the remote desktop session starts. On all clients, human interface devices (HIDs) and smart card readers are not forwarded by default.
Procedure

- To connect to a remote session, type the appropriate command for your platform.

Option | Description
Windows | Enter C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe -unattended [-serverURL connection_server] [-userName user_name] [-password password]
  -password password | Specifies the password for the client's account. If you defined a password for the account, you must specify this password.
  -serverURL connection_server |
  -userName user_name |
Linux |
Example: Running Horizon Client on Clients in Kiosk Mode

Run Horizon Client on a Windows client whose account name is based on its MAC address, and which has an automatically generated password.

C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe -unattended -serverURL consvr2.myorg.com

Run Horizon Client on a Linux client using an assigned name and password.

vmware-view -unattended -s 145.124.24.100 --once -u custom-Terminal21 -p "Secret1!"
11 Troubleshooting Horizon 7

You can use a variety of procedures for diagnosing and fixing problems that you might encounter when using Horizon 7. You can use Horizon Help Desk Tool for troubleshooting, use other troubleshooting procedures to investigate and correct problems, or obtain assistance from VMware Technical Support.

For information about troubleshooting desktops and desktop pools, see the Setting Up Virtual Desktops in Horizon 7 document.
- The Help Desk Administrator role or the Help Desk Administrator (Read Only) role to log in to Horizon Help Desk Tool. For more information on these roles, see Configure Role-Based Access for Horizon Help Desk Tool.
- Enable the timing profiler on each Connection Server instance to view logon segments.
Configure Role-Based Access for Horizon Help Desk Tool

You can assign predefined administrator roles to Horizon Help Desk Tool administrators to delegate the troubleshooting tasks between administrator users. You can also create custom roles and add privileges based on the predefined administrator roles.
2 To search for a user, enter a partial or complete user name and select the domain name of the user, and click Go.
  Horizon Help Desk Tool displays a list of users with the user details.
3 Click the user to display the session details of the user that you want to troubleshoot problems for.
  The user, session, and performance information appears in a user card.

What to do next

To troubleshoot problems, click the related tabs in the user card.
Table 11‑1. Sessions tab

Option | Description
State | Displays information about the state of the desktop or application session.
  - Appears green, if the session is connected.
  - L, if the session is a local session or a session running in the local pod.
  - G, if the session is running in a different pod in the pod federation.
Computer Name | Name of the desktop or application session. Click the name to open the session information in a card.
Table 11‑2. Desktop Entitlements (Continued)

Option | Description
Type | Displays information about the type of desktop entitlement.
  - Local, for a local entitlement.
  - Global, for a global entitlement.
vCenter | Displays the name of the virtual machine in vCenter Server.
  Note Does not display any information if the session is running in a different pod in the pod federation.
Default Protocol | Default display protocol for the desktop or application session.
Table 11‑4. Activities

Option | Description
Time | Select a time range. Default is the last 12 hours.
  - Last 12 Hours
  - Last 24 Hours
  - Last 7 Days
  - Last 30 Days
  - All
Admins | Name of the administrator user.
Message | Displays messages for a user or administrator that are specific to the activities that the user or administrator performed.
Resource Name | Displays information about the desktop pool or virtual machine name on which the activity was performed.
Table 11‑5. VM Details (Continued)

Option | Description
Unified Access Gateway Name | Name of the Unified Access Gateway appliance. This information might take 30 seconds to 60 seconds to display after connecting to the session.
Unified Access Gateway IP | IP address of the Unified Access Gateway appliance. This information might take 30 seconds to 60 seconds to display after connecting to the session.
Pool | Name of the desktop or application pool.
Table 11‑7. CPU, Memory, and Latency Details

Option | Description
Session CPU | CPU usage of the current session.
Host CPU | CPU usage of the virtual machine to which the session is assigned.
Session Memory | Memory usage of the current session.
Host Memory | Memory usage of the virtual machine to which the session is assigned.
Session Latency | Displays a chart for the latency for the PCoIP or Blast display protocol.
- If the virtual desktop session is a reconnected session from a disconnected session, the Logon Duration, Interactive, and Brokering logon segments appear.
- If the session is a published desktop session, the Logon Duration, GPO Load, or the Profile load logon segments appear. The GPO Load and Profile load logon segment should appear for new sessions. If these logon segments do not appear for new sessions, you must restart the RDS host.
Applications

For each application, you can view the current status and other details.

Table 11‑10. Application Details

Option | Description
Application | Name of the application.
Description | Description of the application.
Status | Status of the application. Displays whether the application is running or not.
Host CPU | CPU usage of the virtual machine to which the session is assigned.
Host Memory | Memory usage of the virtual machine to which the session is assigned.
2 Choose a troubleshooting option.

Option | Action
Send Message | Sends a message to the user on the published desktop or virtual desktop. You can choose the severity of the message to include Warning, Info, or Error. Click Send Message and enter the type of severity and the message details, and then click Submit.
Remote Assistance | You can generate remote assistance tickets for connected desktop or application sessions.
The system health dashboard in the top left of the Horizon Administrator display provides a number of links that you can use to view reports about the operation of Horizon 7:

Sessions: Provides a link to the Sessions screen, which displays information about the status of remote desktop and application sessions.
Procedure

1 In Horizon Administrator, select Monitoring > Events.
2 (Optional) In the Events window, you can select the time range of the events, apply filtering to the events, and sort the listed events by one or more of the columns.

Horizon 7 Event Messages

Horizon 7 reports events whenever the state of the system changes or it encounters a problem. You can use the information in the event messages to take the appropriate action.
- Collect Diagnostic Information for Horizon Connection Server
  You can use the support tool to set logging levels and generate log files for Horizon Connection Server.
- Collect Diagnostic Information for Horizon Agent, Horizon Client, or Horizon Connection Server from the Console
  If you have direct access to the console, you can use the support scripts to generate log files for Connection Server, Horizon Client, or remote desktops that are running Horizon Agent.
Example: Using vdmadmin to Create a Bundle File for Horizon Agent

Create the DCT bundle for the machine machine1 in the desktop pool dtpool2 and write it to the zip file C:\myfile.zip.

vdmadmin -A -d dtpool2 -m machine1 -getDCT -outfile C:\myfile.zip

What to do next

If you have an existing support request, you can update it by attaching the DCT bundle file.
Prerequisites

Log in to the computer on which View Composer is installed.

Because you must use the Windows Script Host utility (cscript) to run the support script, familiarize yourself with using cscript. See http://technet.microsoft.com/library/bb490887.aspx.

Procedure

1 Open a command prompt window and change to the C:\Program Files\VMware\VMware View Composer directory.
3 When you have collected enough information about the behavior of Connection Server, select Start > All Programs > VMware > Generate View Connection Server Log Bundle.
  The support tool writes the log files to a folder called vdm-sdct on the desktop of the Connection Server instance.
4 File a support request on the Support page of the VMware Web site and attach the output files.
Option | Description
3 | Selects full logging.
4 | Selects informational logging for PCoIP (Horizon Agent and Horizon Client only).
5 | Selects debug logging for PCoIP (Horizon Agent and Horizon Client only).
6 | Selects informational logging for virtual channels (Horizon Agent and Horizon Client only).
7 | Selects debug logging for virtual channels (Horizon Agent and Horizon Client only).
8 | Selects trace logging for virtual channels (Horizon Agent and Horizon Client only).
• Horizon Client cannot connect to Horizon 7. The following error message appears: The View Connection Server authentication failed. No gateway is available to provide a secure connection to a desktop. Contact your network administrator.
• The security server is displayed in the Horizon Administrator dashboard as Down.
A View Connection Server instance performs certificate revocation checking on its own certificate and on those of the security servers paired to it. By default, the VMware Horizon View Connection Server service is started with the LocalSystem account. When it runs under LocalSystem, a View Connection Server instance cannot use the proxy settings configured in Internet Explorer to access the CRL DP URL or OCSP responder to determine the revocation status of the certificate.
Cause
View supports certificate revocation checking with certificate revocation lists (CRLs) and with the Online Certificate Status Protocol (OCSP). A CRL is a list of revoked certificates published by the CA (Certificate Authority) that issued the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of an X.509 certificate. The CA must be accessible from the View Connection Server or security server host.
12 Using the vdmadmin Command
You can use the vdmadmin command line interface to perform a variety of administration tasks on a View Connection Server instance.
You can use vdmadmin to perform administration tasks that are not possible from within the View Administrator user interface or to perform administration tasks that need to run automatically from scripts.
For a comparison of the operations that are possible in View Administrator, View cmdlets, and vdmadmin, see the View Integration document.
• Generating View Event Log Messages in Syslog Format Using the -I Option
  You can use the vdmadmin command with the -I option to record View event messages in Syslog format in event log files. Many third-party analytics products require flat-file Syslog data as input for their analytics operations.
• Assigning Dedicated Machines Using the -L Option
  You can use the vdmadmin command with the -L option to assign machines from a dedicated pool to users.
• Displaying Information About Users Using the -U Option
  You can use the vdmadmin command with the -U option to display detailed information about users.
• Unlocking or Locking Virtual Machines Using the -V Option
  You can use the vdmadmin command with the -V option to unlock or lock virtual machines in the datacenter.
If you are logged in as a user with insufficient privileges, you can use the -b option to run the command as a user who has been assigned the Administrators role, if you know that user's password. You can specify the -b option to run the vdmadmin command as the specified user in the specified domain. The following usage forms of the -b option are equivalent.
    -b username domain [password | *]
    -b username@domain [password | *]
    -b domain\username [password | *]
If you specify an asteris
Table 12-2. Vdmadmin Command Options
Option  Description
-A      Administers the information that Horizon Agent records in its log files. See Configuring Logging in Horizon Agent Using the -A Option.
        Overrides the IP address reported by Horizon Agent. See Overriding IP Addresses Using the -A Option.
-C      Sets the name for a View Connection Server group. See Setting the Name of a View Connection Server Group Using the -C Option.
Syntax
    vdmadmin -A [-b authentication_arguments] -getDCT -outfile local_file -d desktop -m machine
    vdmadmin -A [-b authentication_arguments] -getlogfile logfile -outfile local_file -d desktop -m machine
    vdmadmin -A [-b authentication_arguments] -getloglevel [-xml] -d desktop [-m machine]
    vdmadmin -A [-b authentication_arguments] -getstatus [-xml] -d desktop [-m machine]
    vdmadmin -A [-b authentication_arguments] -getversion [-xml] -d desktop [-m machine]
    vdmadmin -A [-b authenticatio
Table 12-3. Options for Configuring Logging in Horizon Agent (Continued)
Option               Description
-outfile local_file  Specifies the name of the local file in which to save a DCT bundle or a copy of a log file.
-setloglevel level   Sets the logging level of Horizon Agent.
                       debug   Logs error, warning, and debugging events.
                       normal  Logs error and warning events.
                       trace   Logs error, warning, informational, and debugging events.
Overriding IP Addresses Using the -A Option
You can use the vdmadmin command with the -A option to override the IP address reported by Horizon Agent.
Display the IP addresses that are defined for the machine machine2 in the desktop pool dtpool2.
    vdmadmin -A -override -list -d dtpool2 -m machine2
Remove the IP addresses that are defined for the machine machine2 in the desktop pool dtpool2.
    vdmadmin -A -override -r -d dtpool2 -m machine2
Remove the IP addresses that are defined for the desktops in the desktop pool dtpool3.
Return the GUID of the group.
    vdmadmin -C
Updating Foreign Security Principals Using the -F Option
You can use the vdmadmin command with the -F option to update the foreign security principals (FSPs) of Windows users in Active Directory who are authorized to use a desktop.
Syntax
    vdmadmin -F [-b authentication_arguments] [-u domain\user]
Usage Notes
If you trust domains outside of your local domains, you allow access by security principals in the external domains to the local domains
Syntax
    vdmadmin -H [-b authentication_arguments] -list -xml [-w | -n]
    vdmadmin -H [-b authentication_arguments] -list -monitorid monitor_id -xml [-w | -n]
    vdmadmin -H [-b authentication_arguments] -monitorid monitor_id -instanceid instance_id -xml [-w | -n]
Usage Notes
Table 12-5 shows the health monitors that View uses to monitor the health of its components.
Table 12-5. Health Monitors
Monitor    Description
CBMonitor  Monitors the health of View Connection Server instances.
Examples
List all existing health monitors in XML using Unicode characters.
    vdmadmin -H -list -xml
List all instances of the vCenter monitor (VCMonitor) in XML using ASCII characters.
    vdmadmin -H -list -monitorid VCMonitor -xml -n
Display the health of a specified vCenter monitor instance.
Table 12-7. Options for Listing and Displaying Reports and Views (Continued)
Option                          Description
-report report                  Specifies a report.
-startdate yyyy-MM-dd-HH:mm:ss  Specifies a lower limit for the date of information to be displayed.
-view view                      Specifies a view.
Examples
List the available reports and views in XML using Unicode characters.
    vdmadmin -I -list -xml -w
Display a list of user events that occurred since August 1, 2010 as comma-separated values using ASCII characters.
You can also use the vdmadmin command with the -I option to list the available reports and views and to display the contents of a specified report. See Listing and Displaying Reports of View Operation Using the -I Option.
Options
You can disable or enable the eventSyslog option. You can direct the Syslog output to the local system only or to another location. Direct UDP connection to a Syslog server is supported with View 5.2 or later.
Assigning Dedicated Machines Using the -L Option
You can use the vdmadmin command with the -L option to assign machines from a dedicated pool to users.
Syntax
    vdmadmin -L [-b authentication_arguments] -d desktop -m machine -u domain\user
    vdmadmin -L [-b authentication_arguments] -d desktop [-m machine | -u domain\user] -r
Usage Notes
View assigns machines to users when they first connect to a dedicated desktop pool.
Table 12-9. Options for Assigning Dedicated Desktops
Option          Description
-d desktop      Specifies the name of the desktop pool.
-m machine      Specifies the name of the virtual machine that hosts the remote desktop.
-r              Removes an assignment to a specified user, or all assignments to a specified machine.
-u domain\user  Specifies the login name and domain of the user.
Examples
Assign the machine machine2 in the desktop pool dtpool1 to the user Jo in the CORP domain.
The machine state can be one of the following values: UNDEFINED, PRE_PROVISIONED, CLONING, CLONINGERROR, CUSTOMIZING, READY, DELETING, MAINTENANCE, ERROR, LOGOUT. The command does not display all dynamic machine states, such as Connected or Disconnected, that are displayed in View Administrator.
• SID of the assigned user.
• Account name of the assigned user.
• Domain name of the assigned user.
• Inventory path of the virtual machine (if applicable).
Syntax
    vdmadmin -M [-b authentication_arguments] -d desktop -m machine -markForSpaceReclamation
Usage Notes
With this option, you can initiate disk space reclamation on a particular virtual machine for demonstration or troubleshooting purposes. Space reclamation does not take place if you run this command when a blackout period is in effect.
Configuring Domain Filters Using the -N Option
You can use the vdmadmin command with the -N option to control the domains that View makes available to end users.
Table 12-12. Options for Configuring Domain Filters (Continued)
Option         Description
-list          Displays the domains that are configured in the search exclusion list, exclusion list, and inclusion list on each View Connection Server instance and for the View Connection Server group.
-list -active  Displays the available domains for the View Connection Server instance on which you run the command.
-remove        Removes a domain from a list.
-removeall     Removes all domains from a list.
    Broker Settings: CONSVR-2
      Include:
      Exclude:
      Search :
View limits the domain search on each View Connection Server host in the group to exclude the domains FARDOM and DEPTX. The characters (*) next to the exclusion list for CONSVR-1 indicate that View excludes the YOURDOM domain from the results of the domain search on CONSVR-1.
Display the domain filters in XML using ASCII characters.
View determines which domains are accessible by traversing trust relationships, starting with the domain in which a View Connection Server instance or security server resides. For a small, well-connected set of domains, View can quickly determine a full list of domains, but the time that this operation takes increases as the number of domains increases or as the connectivity between the domains decreases.
A View Connection Server instance is joined to the primary MYDOM domain and has a trusted relationship with the YOURDOM domain. The YOURDOM domain has a trusted relationship with the DEPTX domain.
Display the currently active domains for the View Connection Server instance.
    C:\ vdmadmin -N -domains -list -active
    Domain Information (CONSVR)
    ===========================
    Primary Domain: MYDOM
    Domain: MYDOM DNS:mydom.mycorp.com
    Domain: YOURDOM DNS:yourdom.
    Domain:
    Domain:
    Domain:
    Domain:
The FARDOM domain is in a remote geographical location, and network connectivity to that domain is over a slow, high-latency link. There is no requirement for users in the FARDOM domain to be able to access the View Connection Server group in the MYDOM domain.
Display the currently active domains for a member of the View Connection Server group.
    C:\ vdmadmin -N -domains -list -active
    Domain Information (CONSVR-1)
    =============================
    Primary Domain: MYDOM
    Domain:
    Domain:
    Domain
Display the new domain search configuration.
    C:\ vdmadmin -N -domains -list
    Domain Configuration
    ====================
    Cluster Settings
      Include:
      Exclude:
      Search : FARDOM DEPTX
    Broker Settings: CONSVR-1
      Include:
      (*)Exclude: YOURDOM
      Search :
    Broker Settings: CONSVR-2
      Include:
      Exclude:
      Search :
View limits the domain search on each View Connection Server host in the group to exclude the domains FARDOM and DEPTX.
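The listing above can be checked by script so that differences between the brokers of one group stand out. The following PowerShell is an added example, not VMware code: the function names are hypothetical, the sample text is constructed from the listing in this section, and the one-label-per-line layout is an assumption about how the command prints it.

```powershell
# Constructed sample: the listing from this section, one label per line (assumed layout).
$sample = @'
Domain Configuration
====================
Cluster Settings
  Include:
  Exclude:
  Search : FARDOM DEPTX
Broker Settings: CONSVR-1
  Include:
  (*)Exclude: YOURDOM
  Search :
Broker Settings: CONSVR-2
  Include:
  Exclude:
  Search :
'@

function ConvertFrom-DomainFilterList {
    # Hypothetical helper: returns one object per scope (Cluster or broker name) and list.
    param([Parameter(Mandatory)][string]$Text)
    $scope = $null
    $current = $null
    foreach ($line in ($Text -split '\r?\n')) {
        $t = $line.Trim()
        if ($t -eq '' -or $t -match '^=+$' -or $t -eq 'Domain Configuration') { continue }
        if ($t -eq 'Cluster Settings') { $scope = 'Cluster'; $current = $null; continue }
        if ($t -match '^Broker Settings:\s*(\S+)$') { $scope = $Matches[1]; $current = $null; continue }
        if ($t -match '^(\(\*\))?(Include|Exclude|Search)\s*:\s*(.*)$') {
            $current = [pscustomobject]@{
                Scope   = $scope
                List    = $Matches[2]
                Starred = [bool]$Matches[1]      # "(*)" marker in front of the label
                Domains = @($Matches[3] -split '\s+' | Where-Object { $_ })
            }
            $current
            continue
        }
        # Anything else is treated as more domains for the list that was opened last.
        if ($current) { $current.Domains += @($t -split '\s+' | Where-Object { $_ }) }
    }
}

function Get-BrokerFilterDrift {
    # Hypothetical check: returns every broker-level list that is not identical on all brokers.
    param([Parameter(Mandatory)][object[]]$Rows)
    $brokerRows = @($Rows | Where-Object { $_.Scope -ne 'Cluster' })
    foreach ($group in ($brokerRows | Group-Object List)) {
        $variants = @($group.Group |
            ForEach-Object { ($_.Domains | Sort-Object) -join ',' } |
            Sort-Object -Unique)
        if ($variants.Count -gt 1) {
            foreach ($r in $group.Group) {
                [pscustomobject]@{ Broker = $r.Scope; List = $r.List; Domains = ($r.Domains | Sort-Object) -join ',' }
            }
        }
    }
}

$rows = @(ConvertFrom-DomainFilterList -Text $sample)
Get-BrokerFilterDrift -Rows $rows | Format-Table -AutoSize
```

On the sample, the check reports the Exclude list, which holds YOURDOM on CONSVR-1 and is empty on CONSVR-2. To run it against a live group, pass the text of vdmadmin -N -domains -list in place of $sample.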
Displaying the Machines and Policies of Unentitled Users Using the -O and -P Options
You can use the vdmadmin command with the -O and -P options to display the virtual machines and policies that are assigned to users who are no longer entitled to use the system.
Table 12-15. XSL Stylesheets
Stylesheet File Name     Description
unentitled-machines.xsl  Transforms reports containing a list of unentitled virtual machines, grouped either by user or system, and which are currently assigned to a user. This is the default stylesheet.
unentitled-policies.xsl  Transforms reports containing a list of virtual machines with user-level policies that are applied to unentitled users.
Syntax
    vdmadmin -Q -clientauth -add [-b authentication_arguments] -domain domain_name -clientid client_id [-password "password" | -genpassword] [-ou DN] [-expirepassword | -noexpirepassword] [-group group_name | -nogroup] [-description "description_text"]
    vdmadmin -Q -disable [-b authentication_arguments] -s connection_server
    vdmadmin -Q -enable [-b authentication_arguments] -s connection_server [-requirepassword]
    vdmadmin -Q -clientauth -getdefaults [-b authentication_arguments] [-xm
If you do not specify a name for a client, View generates a name from the MAC address that you specify for the client device. For example, if the MAC address is 00:10:db:ee:76:80, the corresponding account name is cm-00_10_db_ee_76_80. You can only use these accounts with View Connection Server instances that you enable to authenticate clients. Some thin clients allow only account names that start with the characters "custom-" or "cm-" to be used with kiosk mode.
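Because the generated name is derived from the MAC address, kiosk accounts can be reconciled against a device inventory to find accounts that no longer belong to a known device. The following PowerShell is an added example, not VMware code: the function names are hypothetical, the sample account names and MAC addresses are constructed, and keeping the letter case as entered is an assumption.

```powershell
function ConvertTo-KioskAccountName {
    # Follows the example in this section: 00:10:db:ee:76:80 -> cm-00_10_db_ee_76_80.
    # Letter case is kept as entered (assumption; the section shows lowercase only).
    param([Parameter(Mandatory)][string]$MacAddress)
    if ($MacAddress -notmatch '^([0-9a-f]{2}:){5}[0-9a-f]{2}$') {
        throw "Not a colon-separated MAC address: $MacAddress"
    }
    'cm-' + ($MacAddress -replace ':', '_')
}

function Get-KioskAccountAudit {
    # Hypothetical check: classifies account names against a device inventory.
    param(
        [Parameter(Mandatory)][string[]]$AccountName,
        [Parameter(Mandatory)][string[]]$KnownMac
    )
    $expected = @{}   # generated name -> MAC; hashtable keys compare case-insensitively
    foreach ($mac in $KnownMac) { $expected[(ConvertTo-KioskAccountName $mac)] = $mac }

    foreach ($name in $AccountName) {
        $status = if ($name -notmatch '^(custom-|cm-)') {
            'prefix other than custom- or cm-'
        } elseif ($name -match '^cm-([0-9a-f]{2}_){5}[0-9a-f]{2}$' -and -not $expected.ContainsKey($name)) {
            'MAC-derived name, device not in inventory'
        } else {
            'ok'
        }
        [pscustomobject]@{ Account = $name; Status = $status }
    }
}

# Constructed sample data: two inventoried devices and four account names.
$inventory = '00:10:db:ee:76:80', '00:10:db:ee:76:81'
$accounts  = 'cm-00_10_db_ee_76_80', 'cm-00_10_db_ee_7a_12', 'custom-lobby1', 'kiosk-frontdesk'
Get-KioskAccountAudit -AccountName $accounts -KnownMac $inventory | Format-Table -AutoSize
```

Names that start with custom- are reported as ok because they carry no MAC address to compare against the inventory.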
Table 12-16. Options for Configuring Clients in Kiosk Mode (Continued)
Option           Description
-expirepassword  Specifies that the expiry time for the password on client accounts is the same as for the View Connection Server group. If no expiry time is defined for the group, passwords do not expire.
-force           Disables the confirmation prompt when removing the account for a client in kiosk mode.
-genpassword     Generates a password for the client's account.
Examples
Set the default values for the organizational unit, password expiry, and group membership of clients.
    vdmadmin -Q -clientauth -setdefaults -ou "OU=kiosk-ou,DC=myorg,DC=com" -noexpirepassword -group kc-grp
Get the current default values for clients in plain text format.
    vdmadmin -Q -clientauth -getdefaults
Get the current default values for clients in XML format.
Enable authentication of clients for the View Connection Server instance csvr-3, and require that the clients specify their passwords to Horizon Client. Clients with automatically generated passwords cannot authenticate themselves.
    vdmadmin -Q -enable -s csvr-3 -requirepassword
Disable authentication of clients for the View Connection Server instance csvr-1.
    vdmadmin -Q -disable -s csvr-1
Display information about clients in text format.
Displaying the First User of a Machine Using the -R Option
You can use the vdmadmin command with the -R option to find out the initial assignment of a managed virtual machine. For example, in the event of the loss of LDAP data, you might need this information so that you can reassign virtual machines to users.
Note The vdmadmin command with the -R option works only on virtual machines that are earlier than View Agent 5.1. On virtual machines that run View Agent 5.
Usage Notes
To ensure high availability, View allows you to configure one or more replica View Connection Server instances in a View Connection Server group. If you disable a View Connection Server instance in a group, the entry for the server persists within the View configuration.
You can also use the vdmadmin command with the -S option to remove a security server from your View environment.
Syntax
    vdmadmin -T [-b authentication_arguments] -domainauth {-add | -update | -remove | -removeall | -list} -owner domain\user -user domain\user [-password password]
Usage Notes
If your users and groups are in a domain with a one-way trust relationship with the View Connection Server domain, you must provide secondary credentials for the administrator users in View Administrator. Administrators must have secondary credentials to give them access to the one-way trusted domains.
Options
Table 12-17. Options for Providing Secondary Credentials
Option   Description
-add     Adds a secondary credential for the owner account. A Windows logon is performed to verify that the specified credentials are valid. A foreign security principal (FSP) is created for the user in View LDAP.
-update  Updates a secondary credential for the owner account. A Windows logon is performed to verify that the updated credentials are valid.
Syntax
    vdmadmin -U [-b authentication_arguments] -u domain\user [-w | -n] [-xml]
Usage Notes
The command displays information about a user obtained from Active Directory and View.
• Details from Active Directory about the user's account.
• Membership of Active Directory groups.
• Machine entitlements including the machine ID, display name, description, folder, and whether a machine has been disabled.
• ThinApp assignments.
Usage Notes
You should only use the vdmadmin command to unlock or lock a virtual machine if you encounter a problem that has left a remote desktop in an incorrect state. Do not use the command to administer remote desktops that are operating normally.
If a remote desktop is locked and the entry for its virtual machine no longer exists in ADAM, use the -vmpath and -vcdn options to specify the inventory path of the virtual machine and the vCenter Server.
Syntax
    vdmadmin -X [-b authentication_arguments] -collisions [-resolve]
    vdmadmin -X [-b authentication_arguments] -schemacollisions [-resolve] [-global]
Usage Notes
Duplicate LDAP entries on two or more Connection Server instances can cause problems with the integrity of LDAP data in Horizon 7. This condition can occur during an upgrade, while LDAP replication is inoperative.
Examples
Detect LDAP entry collisions in a Connection Server group.
    vdmadmin -X -collisions
Detect and resolve LDAP entry collisions in the local LDAP instance.
    vdmadmin -X -collisions -resolve
Detect and resolve LDAP schema collisions in the global LDAP instance.
    vdmadmin -X -schemacollisions -resolve -global