Jul 07

Horizon View Security Server + RSA + PIN = Too Much

Nutanix & VMware EUC are doing a series of events across North America over the next two weeks. My plan is to have a steady stream of posts over those two weeks…..we’ll see 🙂

I had a customer ask me about removing the domain authentication for clients coming in over the Internet. The reason was that they were using RSA SecurID with a PIN and didn’t want their staff to get three steps right before logging in: the token code, the PIN, and then the Active Directory user name and password. The thinking was that RSA + PIN already gives you something you have and something you know, so two factors are covered. The catch is that the AD credentials are not just a third authentication step: View also uses them to sign the user in to the Windows desktop, so they have to come from somewhere.

VMware provides Log in as Current User, but the client machine must be able to communicate with the corporate Active Directory server and must not be using cached credentials for authentication. For example, if users log in to their client machines from outside the corporate network, cached credentials are used for authentication. If the user then attempts to connect to a security server or a View Connection Server instance without first establishing a VPN connection, the user is prompted for credentials, and the Log in as Current User feature does not work.

I thought the domain authentication might be controlled from the RSA appliance, but that was not helpful either: the RSA step just takes you as far as the Security Server and then has you type in your credentials. One way around this is to allow users to save their credentials, and ONLY when connecting to a connection server paired with a security server.

You configure a timeout that controls how long the client keeps the saved credential information by setting a value in View LDAP. The timeout is in minutes. When you change View LDAP on one View Connection Server instance, the change is replicated to all the other View Connection Server instances, and values set on the CN=Common object (the Global OU) apply to every one of them. The trick is to set it only on the intended server; note that the CN=Common object used in the steps below is the global, replicated one, so a value set there applies to all Connection Servers in the pod, not only the one paired with the security server.

1) Start the ADSI Edit utility on your View Connection Server host and connect to the View LDAP directory: distinguished name DC=vdi,DC=vmware,DC=int on localhost (port 389).

2) On the object CN=Common, OU=Server, OU=Properties, set the pae-ClientCredentialCacheTimeout attribute.

When this attribute is not set or is set to 0, the feature is disabled. To enable it, set the number of minutes to retain the credential information, or set a value of -1, meaning there is no timeout. Keep in mind what is being saved: the user’s AD user name and password on the client endpoint. A bounded number of minutes limits how long a lost or stolen laptop holds a usable set of domain credentials; -1 keeps them there indefinitely.
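The same change, scripted so it can be checked and repeated instead of clicked through ADSI Edit. This is an added example, not code from the original post or from VMware; it uses PowerShell’s built-in [ADSI] type accelerator against the View LDAP instance. It assumes it is run on a View Connection Server as a local administrator, that View LDAP answers on localhost:389 with the naming context DC=vdi,DC=vmware,DC=int, and that the attribute is stored as an integer; the script name and parameter names are my own.

```powershell
<#
Added example (not from the original post or from VMware): read and optionally
set pae-ClientCredentialCacheTimeout on the View LDAP CN=Common object.

Assumptions (not stated on the page): run on a View Connection Server host as a
local administrator; View LDAP listens on localhost:389 with the naming context
DC=vdi,DC=vmware,DC=int; the attribute is stored as an integer.
#>
param(
    # Minutes to keep the saved credentials: 0 disables the feature,
    # -1 means no timeout, any positive number is a limit in minutes.
    [int]$TimeoutMinutes = 0,
    # Report the current value and exit without writing anything.
    [switch]$Check
)

$ldapPath = 'LDAP://localhost:389/CN=Common,OU=Server,OU=Properties,DC=vdi,DC=vmware,DC=int'
$attrName = 'pae-ClientCredentialCacheTimeout'

function Describe-CacheTimeout([object]$Value) {
    # Same semantics as the post: unset or 0 = off, -1 = no timeout, N = minutes.
    if ($null -eq $Value -or [int]$Value -eq 0) { return 'disabled (clients do not save credentials)' }
    if ([int]$Value -eq -1) { return 'enabled with NO timeout (saved credentials never expire on the client)' }
    return "enabled (credentials kept for $Value minutes)"
}

$common = [ADSI]$ldapPath
# [ADSI] binds lazily; reading a property forces the bind so a bad path fails here.
try { $null = $common.distinguishedName } catch { throw "Cannot bind to $ldapPath : $_" }

$current = $common.Properties[$attrName].Value
Write-Host ("Current {0}: {1}" -f $attrName, (Describe-CacheTimeout $current))
if ($Check) { return }

if ($TimeoutMinutes -lt -1) { throw 'TimeoutMinutes must be -1, 0, or a positive number of minutes.' }
if ($TimeoutMinutes -eq -1) {
    Write-Warning 'A value of -1 keeps AD credentials on the endpoint indefinitely; prefer a bounded timeout.'
}

# CN=Common is replicated, so this takes effect on every Connection Server in the pod.
$common.Put($attrName, [int]$TimeoutMinutes)
$common.SetInfo()

$common.RefreshCache()
$after = $common.Properties[$attrName].Value
Write-Host ("New {0}: {1}" -f $attrName, (Describe-CacheTimeout $after))
```

Run it with `-Check` first to see what the pod currently has (a good thing to capture before and after any change), then with something like `-TimeoutMinutes 480` for an eight-hour limit. The warning on -1 is there on purpose: that is the setting that turns a stolen laptop into a set of working domain credentials.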

Comments

  1. This trick might solve a security problem I have with my View client Linux live CD. My remote users are entitled to 3 VM desktops. The user logs in through a security server to its primary VM without a problem. If the user needs to leave their desk, the VM’s password-protected screen saver would kick in. Everything is normal behavior so far. The security issue is, since the user is entitled to 3 desktops, someone could come in and back out to the library and choose a different VM without reauthenticating. This cache credential timeout may be the answer to my problem; is the setting -1 by default?
