6.0
Table Of Contents
- View Architecture Planning
- Contents
- View Architecture Planning
- Introduction to View
- Planning a Rich User Experience
- Feature Support Matrix for View Agent
- Choosing a Display Protocol
- Using Hosted Applications
- Using View Persona Management to Retain User Data and Settings
- Using USB Devices with Remote Desktops
- Using the Real-Time Audio-Video Feature for Webcams and Microphones
- Using 3D Graphics Applications
- Streaming Multimedia to a Remote Desktop
- Printing from a Remote Desktop
- Using Single Sign-On for Logging In to a Remote Desktop
- Using Multiple Monitors
- Managing Desktop and Application Pools from a Central Location
- Architecture Design Elements and Planning Guidelines for Remote Desktop Deployments
- Virtual Machine Requirements for Remote Desktops
- View ESXi Node
- Desktop Pools for Specific Types of Workers
- Desktop Virtual Machine Configuration
- RDS Host Virtual Machine Configuration
- vCenter Server and View Composer Virtual Machine Configuration
- View Connection Server Maximums and Virtual Machine Configuration
- vSphere Clusters
- Storage and Bandwidth Requirements
- View Building Blocks
- View Pods
- Advantages of Using Multiple vCenter Servers in a Pod
- Planning for Security Features
- Understanding Client Connections
- Choosing a User Authentication Method
- Restricting Remote Desktop Access
- Using Group Policy Settings to Secure Remote Desktops and Applications
- Implementing Best Practices to Secure Client Systems
- Assigning Administrator Roles
- Preparing to Use a Security Server
- Understanding View Communications Protocols
- Overview of Steps to Setting Up a View Environment
- Index
Smart Card Authentication
A smart card is a small plastic card that is embedded with a computer chip. Many government agencies and
large enterprises use smart cards to authenticate users who access their computer networks. A smart card is
also referred to as a Common Access Card (CAC).
Smart card authentication is supported by the Windows-based client devices and some other types of
clients. It is also supported by View Administrator 5.3 and later. For information about whether a particular
type of client supports smart cards, see the Horizon Client documentation at
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Administrators can enable individual View Connection Server instances for smart card authentication.
Enabling a View Connection Server instance to use smart card authentication typically involves adding your
root certificate to a truststore file and then modifying View Connection Server settings.
All client connections, including client connections that use smart card authentication, are SSL enabled.
To use smart cards, client machines must have smart card middleware and a smart card reader. To install
certificates on smart cards, you must set up a computer to act as an enrollment station.
Using the Log In as Current User Feature Available with Windows-Based
Horizon Client
With Horizon Client for Windows, when users select the Log in as current user check box, the credentials
that they provided when logging in to the client system are used to authenticate to the View Connection
Server instance and to the remote desktop. No further user authentication is required.
To support this feature, user credentials are stored on both the View Connection Server instance and on the
client system.
n
On the View Connection Server instance, user credentials are encrypted and stored in the user session
along with the username, domain, and optional UPN. The credentials are added when authentication
occurs and are purged when the session object is destroyed. The session object is destroyed when the
user logs out, the session times out, or authentication fails. The session object resides in volatile memory
and is not stored in View LDAP or in a disk file.
n
On the client system, user credentials are encrypted and stored in a table in the Authentication Package,
which is a component of Horizon Client. The credentials are added to the table when the user logs in
and are removed from the table when the user logs out. The table resides in volatile memory.
Administrators can use Horizon Client group policy settings to control the availability of the Log in as
current user check box and to specify its default value. Administrators can also use group policy to specify
which View Connection Server instances accept the user identity and credential information that is passed
when users select the Log in as current user check box in Horizon Client.
The Log in as current user feature has the following limitations and requirements:
n
When smart card authentication is set to Required on a View Connection Server instance,
authentication fails for users who select the Log in as current user check box when they connect to the
View Connection Server instance. These users must reauthenticate with their smart card and PIN when
they log in to View Connection Server.
n
The time on the system where the client logs in and the time on the View Connection Server host must
be synchronized.
n
If the default Access this computer from the network user-right assignments are modified on the client
system, they must be modified as described in VMware Knowledge Base (KB) article 1025691.
Chapter 5 Planning for Security Features
VMware, Inc. 75