Specifications

Active Directory Authentication

Each View Connection Server instance is joined to an Active Directory domain, and users are authenticated
against Active Directory for the joined domain. Users are also authenticated against any additional user
domains with which a trust agreement exists.

For example, if a View Connection Server instance is a member of Domain A and a trust agreement exists
between Domain A and Domain B, users from both Domain A and Domain B can connect to the View
Connection Server instance with View Client.

Similarly, if a trust agreement exists between Domain A and an MIT Kerberos realm in a mixed domain
environment, users from the Kerberos realm can select the Kerberos realm name when connecting to the View
Connection Server instance with View Client.

View Connection Server determines which domains are accessible by traversing trust relationships, starting
with the domain in which the host resides. For a small, well-connected set of domains, View Connection Server
can quickly determine a full list of domains, but the time that it takes increases as the number of domains
increases or as the connectivity between the domains decreases. The list might also include domains that you
would prefer not to offer to users when they log in to their desktops.

Administrators can use the vdmadmin command-line interface to configure domain filtering, which limits the
domains that a View Connection Server instance searches and that it displays to users. See the VMware View
Administration document for more information.

Policies, such as restricting permitted hours to log in and setting the expiration date for passwords, are also
handled through existing Active Directory operational procedures.
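
A simplified model of the trust traversal and domain filtering described above, as an added example (not VMware code and not how vdmadmin is implemented). The trust map, the function name discover_domains and its two filter parameters are assumptions made for illustration; the VMware View Administration document has the actual filtering semantics.

```python
from collections import deque

# Constructed trust map (assumption, not from the VMware documentation):
# each domain lists the domains it has a trust agreement with.
TRUSTS = {
    "DOMAIN-A": ["DOMAIN-B", "KRB.REALM"],
    "DOMAIN-B": ["PARTNER", "LAB"],
    "PARTNER": ["PARTNER-CHILD"],
    "LAB": [],
    "KRB.REALM": [],
    "PARTNER-CHILD": [],
}

def discover_domains(trusts, home, search_excluded=(), display_excluded=()):
    """Walk trust relationships breadth-first from the home domain.

    search_excluded: domains that are never contacted, so nothing reachable
                     only through them is discovered (hypothetical parameter).
    display_excluded: domains that are found but withheld from the login list
                      (hypothetical parameter).
    Returns (domains offered to users, number of domains contacted).
    """
    search_excluded = set(search_excluded)
    display_excluded = set(display_excluded)
    seen = {home}
    queue = deque([home])
    contacted = 0
    while queue:
        domain = queue.popleft()
        contacted += 1  # every contacted domain adds to the discovery time
        for trusted in trusts.get(domain, []):
            if trusted in seen or trusted in search_excluded:
                continue
            seen.add(trusted)
            queue.append(trusted)
    offered = sorted(d for d in seen if d not in display_excluded)
    return offered, contacted

if __name__ == "__main__":
    # Unfiltered: every transitively trusted domain ends up in the login list.
    print(discover_domains(TRUSTS, "DOMAIN-A"))
    # Filtered: PARTNER is not searched (so PARTNER-CHILD is never found),
    # and LAB is found but not offered to users.
    print(discover_domains(TRUSTS, "DOMAIN-A", search_excluded=["PARTNER"],
                           display_excluded=["LAB"]))
```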

RSA SecurID Authentication

RSA SecurID provides enhanced security with two-factor authentication, which requires knowledge of the
user's PIN and token code. The token code is only available on the physical SecurID token.

Administrators can enable individual View Connection Server instances for RSA SecurID authentication by
installing the RSA SecurID software on the View Connection Server host and modifying View Connection
Server settings.

When users log in through a View Connection Server instance that is enabled for RSA SecurID authentication,
they are first required to authenticate with their RSA user name and passcode. If they are not authenticated at
this level, access is denied. If they are correctly authenticated with RSA SecurID, they continue as normal and
are then required to enter their Active Directory credentials.

If you have multiple View Connection Server instances, you can configure RSA SecurID authentication on
some instances and a different user authentication method on others. For example, you can configure RSA
SecurID authentication only for users who access View desktops remotely over the Internet.

VMware View is certified through the RSA SecurID Ready program and supports the full range of SecurID
capabilities, including New PIN Mode, Next Token Code Mode, RSA Authentication Manager, and load
balancing.

Smart Card Authentication

A smart card is a small plastic card that is embedded with a computer chip. Many government agencies and
large enterprises use smart cards to authenticate users who access their computer networks. A smart card is
also referred to as a Common Access Card (CAC).

Smart card authentication is supported by the Windows-based View Client and View Client with Local Mode
only. It is not supported by View Administrator.
Chapter 5 Planning for Security Features
VMware, Inc. 53