7.0
Table Of Contents
- View Administration
- Contents
- View Administration
- Using View Administrator
- Configuring View Connection Server
- Configuring vCenter Server and View Composer
- Create a User Account for View Composer AD Operations
- Add vCenter Server Instances to View
- Configure View Composer Settings
- Configure View Composer Domains
- Allow vSphere to Reclaim Disk Space in Linked-Clone Virtual Machines
- Configure View Storage Accelerator for vCenter Server
- Concurrent Operations Limits for vCenter Server and View Composer
- Setting a Concurrent Power Operations Rate to Support Remote Desktop Logon Storms
- Accept the Thumbprint of a Default SSL Certificate
- Remove a vCenter Server Instance from View
- Remove View Composer from View
- Conflicting vCenter Server Unique IDs
- Backing Up View Connection Server
- Configuring Settings for Client Sessions
- Set Options for Client Sessions and Connections
- Change the Data Recovery Password
- Global Settings for Client Sessions
- Global Security Settings for Client Sessions and Connections
- Message Security Mode for View Components
- Configure the Secure Tunnel and PCoIP Secure Gateway
- Configure the Blast Secure Gateway
- Off-load SSL Connections to Intermediate Servers
- Configure the Gateway Location for a View Connection Server or Security Server Host
- Disable or Enable View Connection Server
- Edit the External URLs
- Join or Withdraw from the Customer Experience Program
- View LDAP Directory
- Configuring vCenter Server and View Composer
- Setting Up Smart Card Authentication
- Logging In with a Smart Card
- Configure Smart Card Authentication on View Connection Server
- Configure Smart Card Authentication on Third-Party Solutions
- Prepare Active Directory for Smart Card Authentication
- Verify Your Smart Card Authentication Configuration
- Using Smart Card Certificate Revocation Checking
- Setting Up Other Types of User Authentication
- Using Two-Factor Authentication
- Using SAML Authentication
- Using SAML Authentication for VMware Identity Manager Integration
- Configure a SAML Authenticator in View Administrator
- Change the Expiration Period for Service Provider Metadata on View Connection Server
- Generate SAML Metadata So That View Connection Server Can Be Used as a Service Provider
- Response Time Considerations for Multiple Dynamic SAML Authenticators
- Configure Biometric Authentication
- Authenticating Users Without Requiring Credentials
- Using the Log In as Current User Feature Available with Windows-Based Horizon Client
- Allow Mobile Client Users to Save Credentials
- Setting Up True SSO
- Determining an Architecture for True SSO
- Set Up an Enterprise Certificate Authority
- Create Certificate Templates Used with True SSO
- Install and Set Up an Enrollment Server
- Export the Enrollment Service Client Certificate
- Import the Enrollment Service Client Certificate on the Enrollment Server
- Configure SAML Authentication to Work with True SSO
- Configure View Connection Server for True SSO
- Command-line Reference for Configuring True SSO
- Advanced Configuration Settings for True SSO
- Using the System Health Dashboard to Troubleshoot Issues Related to True SSO
- Configuring Role-Based Delegated Administration
- Understanding Roles and Privileges
- Using Access Groups to Delegate Administration of Pools and Farms
- Understanding Permissions
- Manage Administrators
- Manage and Review Permissions
- Manage and Review Access Groups
- Manage Custom Roles
- Predefined Roles and Privileges
- Required Privileges for Common Tasks
- Best Practices for Administrator Users and Groups
- Configuring Policies in View Administrator and Active Directory
- Maintaining View Components
- Backing Up and Restoring View Configuration Data
- Monitor View Components
- Monitor Machine Status
- Understanding View Services
- Change the Product License Key
- Monitoring Product License Usage
- Update General User Information from Active Directory
- Migrate View Composer to Another Machine
- Update the Certificates on a View Connection Server Instance, Security Server, or View Composer
- Information Collected by the Customer Experience Improvement Program
- How VMware Ensures Your Privacy
- Preview Data Collected by the Customer Experience Improvement Program
- Additional Information About the Customer Experience Improvement Program
- Global View Data Collected by VMware
- View Connection Server Data Collected by VMware
- Security Server Data Collected by VMware
- Desktop Pool Data Collected by VMware
- Machine Data Collected by VMware
- vCenter Server Data Collected by VMware
- ThinApp Data Collected by VMware
- Cloud Pod Architecture Information Collected by VMware
- Horizon Client Data Collected by VMware
- Data Collected by VMware
- Managing View Composer Linked-Clone Desktop Virtual Machines
- Reduce Linked-Clone Size with Machine Refresh
- Update Linked-Clone Desktops
- Rebalance Linked-Clone Virtual Machines
- Manage View Composer Persistent Disks
- View Composer Persistent Disks
- Detach a View Composer Persistent Disk
- Attach a View Composer Persistent Disk to Another Linked Clone
- Edit a View Composer Persistent Disk's Pool or User
- Recreate a Linked Clone With a Detached Persistent Disk
- Restore a Linked Clone by Importing a Persistent Disk from vSphere
- Delete a Detached View Composer Persistent Disk
- Managing Desktop Pools, Machines, and Sessions
- Change the Image of an Instant-Clone Desktop Pool
- Managing Desktop Pools
- Edit a Desktop Pool
- Modifying Settings in an Existing Desktop Pool
- Fixed Settings in an Existing Desktop Pool
- Change the Size of an Automated Pool Provisioned by a Naming Pattern
- Add Machines to an Automated Pool Provisioned by a List of Names
- Disable or Enable a Desktop Pool
- Disable or Enable Provisioning in an Automated Desktop Pool
- Configure Adobe Flash Quality and Throttling
- Adobe Flash Quality and Throttling
- Delete a Desktop Pool
- Configure View to Disallow the Deletion of a Desktop Pool That Contains Desktop Machines
- Managing Virtual Machine-Based Desktops
- Managing Unmanaged Machines
- Manage Remote Desktop and Application Sessions
- Export View Information to External Files
- Managing Application Pools, Farms, and RDS Hosts
- Managing Application Pools
- Managing Farms
- Managing RDS Hosts
- Configuring Load Balancing for RDS Hosts
- Load Values and Mapped Load Preferences
- Load Balancing Feature Constraints
- Writing a Load Balancing Script for an RDS Host
- Enable the VMware Horizon View Script Host Service on an RDS Host
- Configure a Load Balancing Script on an RDS Host
- Verify a Load Balancing Script
- Load Balancing Session Placement Examples
- Configure an Anti-Affinity Rule for an Application Pool
- Managing ThinApp Applications in View Administrator
- View Requirements for ThinApp Applications
- Capturing and Storing Application Packages
- Assigning ThinApp Applications to Machines and Desktop Pools
- Best Practices for Assigning ThinApp Applications
- Assign a ThinApp Application to Multiple Machines
- Assign Multiple ThinApp Applications to a Machine
- Assign a ThinApp Application to Multiple Desktop Pools
- Assign Multiple ThinApp Applications to a Desktop Pool
- Assign a ThinApp Template to a Machine or Desktop Pool
- Review ThinApp Application Assignments
- Display MSI Package Information
- Maintaining ThinApp Applications in View Administrator
- Remove a ThinApp Application Assignment from Multiple Machines
- Remove Multiple ThinApp Application Assignments from a Machine
- Remove a ThinApp Application Assignment from Multiple Desktop Pools
- Remove Multiple ThinApp Application Assignments from a Desktop Pool
- Remove a ThinApp Application from View Administrator
- Modify or Delete a ThinApp Template
- Remove an Application Repository
- Monitoring and Troubleshooting ThinApp Applications in View Administrator
- ThinApp Configuration Example
- Setting Up Clients in Kiosk Mode
- Configure Clients in Kiosk Mode
- Prepare Active Directory and View for Clients in Kiosk Mode
- Set Default Values for Clients in Kiosk Mode
- Display the MAC Addresses of Client Devices
- Add Accounts for Clients in Kiosk Mode
- Enable Authentication of Clients in Kiosk Mode
- Verify the Configuration of Clients in Kiosk Mode
- Connect to Remote Desktops from Clients in Kiosk Mode
- Configure Clients in Kiosk Mode
- Troubleshooting View
- Monitoring System Health
- Monitor Events in View
- Collecting Diagnostic Information for View
- Create a Data Collection Tool Bundle for Horizon Agent
- Save Diagnostic Information for Horizon Client
- Collect Diagnostic Information for View Composer Using the Support Script
- Collect Diagnostic Information for View Connection Server
- Collect Diagnostic Information for Horizon Agent , Horizon Client, or View Connection Server from the Console
- Update Support Requests
- Troubleshooting an Unsuccessful Security Server Pairing with View Connection Server
- Troubleshooting View Server Certificate Revocation Checking
- Troubleshooting Smart Card Certificate Revocation Checking
- Further Troubleshooting Information
- Using the vdmadmin Command
- vdmadmin Command Usage
- Configuring Logging in Horizon Agent Using the -A Option
- Overriding IP Addresses Using the -A Option
- Setting the Name of a View Connection Server Group Using the ‑C Option
- Updating Foreign Security Principals Using the ‑F Option
- Listing and Displaying Health Monitors Using the ‑H Option
- Listing and Displaying Reports of View Operation Using the ‑I Option
- Generating View Event Log Messages in Syslog Format Using the ‑I Option
- Assigning Dedicated Machines Using the ‑L Option
- Displaying Information About Machines Using the -M Option
- Reclaiming Disk Space on Virtual Machines Using the ‑M Option
- Configuring Domain Filters Using the ‑N Option
- Configuring Domain Filters
- Displaying the Machines and Policies of Unentitled Users Using the ‑O and ‑P Options
- Configuring Clients in Kiosk Mode Using the ‑Q Option
- Displaying the First User of a Machine Using the -R Option
- Removing the Entry for a View Connection Server Instance or Security Server Using the ‑S Option
- Providing Secondary Credentials for Administrators Using the ‑T Option
- Displaying Information About Users Using the ‑U Option
- Unlocking or Locking Virtual Machines Using the ‑V Option
- Detecting and Resolving LDAP Entry Collisions Using the -X Option
- Index
Using SAML Authentication
The Security Assertion Markup Language (SAML) is an XML-based standard that is used to describe and
exchange authentication and authorization information between different security domains. SAML passes
information about users between identity providers and service providers in XML documents called SAML
assertions.
You can use SAML authentication to integrate View with VMware Workspace Portal,
VMware Identity Manager, or a third-party load balancer or gateway. When SSO is enabled, users who log
in to VMware Identity Manager or a third-party device can launch remote desktops and applications
without having to go through a second login procedure. You can also use SAML authentication to
implement smart card authentication on VMware Access Point, or on third-party devices.
To delegate responsibility for authentication to Workspace Portal, VMware Identity Manager, or a third-
party device, you must create a SAML authenticator in View. A SAML authenticator contains the trust and
metadata exchange between View and Workspace Portal, VMware Identity Manager, or the third-party
device. You associate a SAML authenticator with a View Connection Server instance.
Using SAML Authentication for VMware Identity Manager Integration
Integration between View and VMware Identity Manager (formerly called Workspace Portal) uses the
SAML 2.0 standard to establish mutual trust, which is essential for single sign-on (SSO) functionality. When
SSO is enabled, users who log in to VMware Identity Manager or Workspace Portal with Active Directory
credentials can launch remote desktops and applications without having to go through a second login
procedure.
When VMware Identity Manager and View are integrated, VMware Identity Manager generates a unique
SAML artifact whenever a user logs in to VMware Identity Manager and clicks a desktop or application
icon. VMware Identity Manager uses this SAML artifact to create a Universal Resource Identifier (URI). The
URI contains information about the View Connection Server instance where the desktop or application pool
resides, which desktop or application to launch, and the SAML artifact.
VMware Identity Manager sends the SAML artifact to the Horizon client, which in turn sends the artifact to
the View Connection Server instance. The View Connection Server instance uses the SAML artifact to
retrieve the SAML assertion from VMware Identity Manager.
After a View Connection Server instance receives a SAML assertion, it validates the assertion, decrypts the
user's password, and uses the decrypted password to launch the desktop or application.
Setting up VMware Identity Manager and View integration involves configuring VMware Identity Manager
with View information and configuring View to delegate responsibility for authentication to
VMware Identity Manager.
To delegate responsibility for authentication to VMware Identity Manager, you must create a SAML
authenticator in View. A SAML authenticator contains the trust and metadata exchange between View and
VMware Identity Manager. You associate a SAML authenticator with a View Connection Server instance.
NOTE If you intend to provide access to your desktops and applications through
VMware Identity Manager, verify that you create the desktop and application pools as a user who has the
Administrators role on the root access group in View Administrator. If you give the user the Administrators
role on an access group other than the root access group, VMware Identity Manager will not recognize the
SAML authenticator you configure in View, and you cannot configure the pool in
VMware Identity Manager.
Chapter 4 Setting Up Other Types of User Authentication
VMware, Inc. 59