Security-related settings are provided in the Security section and the Scripting Definitions section of the ADM template file for Horizon Client (vdm_client.adm). Except where noted, the settings include only a Computer Configuration setting. If a User Configuration setting is available and you define a value for it, it overrides the equivalent Computer Configuration setting.

The following table describes the settings in the Security section of the ADM template file.

Table 1. Horizon Client Configuration Template: Security Settings

Setting

Description

Allow command line credentials

(Computer Configuration setting)

Determines whether user credentials can be provided with Horizon Client command line options. If this setting is disabled, the smartCardPIN and password options are not available when users run Horizon Client from the command line.

This setting is enabled by default.

The equivalent Windows Registry value is AllowCmdLineCredentials.

Servers Trusted For Delegation

(Computer Configuration setting)

Specifies the View Connection Server instances that accept the user identity and credential information that is passed when a user selects the Log in as current user check box. If you do not specify any View Connection Server instances, all View Connection Server instances accept this information.

To add a View Connection Server instance, use one of the following formats:

  • domain\system$

  • system$@domain.com

  • The Service Principal Name (SPN) of the View Connection Server service.

The equivalent Windows Registry value is BrokersTrustedForDelegation.

Certificate verification mode

(Computer Configuration setting)

Configures the level of certificate checking that is performed by Horizon Client. You can select one of these modes:

  • No Security. View does not perform certificate checking.

  • Warn But Allow. A warning appears if View presents a self-signed certificate, but the user can continue to connect to View Connection Server. The certificate name does not need to match the View Connection Server name provided by the user in Horizon Client. If any other certificate error condition occurs, View displays an error dialog box and prevents the user from connecting to View Connection Server. Warn But Allow is the default value.

  • Full Security. If any type of certificate error occurs, the user cannot connect to View Connection Server. View displays certificate errors to the user.

When this group policy setting is configured, users can view the selected certificate verification mode in Horizon Client, but they cannot configure the setting. The SSL configuration dialog box informs users that the administrator has locked the setting.

When this setting is not configured or disabled, Horizon Client users can select a certificate verification mode.

If you do not want to configure the certificate verification setting as a group policy, you can also enable certificate verification by modifying Windows registry settings.

Default value of the 'Log in as current user' checkbox

(Computer and User Configuration setting)

Specifies the default value of the Log in as current user check box on the Horizon Client connection dialog box.

This setting overrides the default value specified during Horizon Client installation.

If a user runs Horizon Client from the command line and specifies the logInAsCurrentUser option, that value overrides this setting.

When the Log in as current user check box is selected, the identity and credential information that the user provided when logging in to the client system is passed to the View Connection Server instance and ultimately to the remote desktop. When the check box is deselected, users must provide identity and credential information multiple times before they can access a remote desktop.

This setting is disabled by default.

The equivalent Windows Registry value is LogInAsCurrentUser.

Display option to Log in as current user

(Computer and User Configuration setting)

Determines whether the Log in as current user check box is visible on the Horizon Client connection dialog box.

When the check box is visible, users can select or deselect it and override its default value. When the check box is hidden, users cannot override its default value from the Horizon Client connection dialog box.

You can specify the default value for the Log in as current user check box by using the policy setting Default value of the 'Log in as current user' checkbox.

This setting is enabled by default.

The equivalent Windows Registry value is LogInAsCurrentUser_Display.

Enable jump list integration

(Computer Configuration setting)

Determines whether a jump list appears in the Horizon Client icon on the taskbar of Windows 7 and later systems. The jump list lets users connect to recent View Connection Server instances and remote desktops.

If Horizon Client is shared, you might not want users to see the names of recent desktops. You can disable the jump list by disabling this setting.

This setting is enabled by default.

The equivalent Windows Registry value is EnableJumplist.

Enable SSL encrypted framework channel

(Computer and User Configuration setting)

Determines whether SSL is enabled for View 5.0 and earlier desktops. Before View 5.0, the data sent to the desktop over TCP port 32111 was not encrypted.

  • Enable: Enables SSL, but allows fallback to the previous unencrypted connection if the remote desktop does not have SSL support. For example, View 5.0 and earlier desktops do not have SSL support. Enable is the default setting.

  • Disable: Disables SSL. This setting is not recommended, but it might be useful for debugging, or when the channel is not tunneled and could then be optimized by a WAN accelerator product.

  • Enforce: Enables SSL, and refuses to connect to desktops with no SSL support.

The equivalent Windows Registry value is EnableTicketSSLAuth.

Configures SSL protocols and cryptographic algorithms

(Computer and User Configuration setting)

Configures the cipher list to restrict the use of certain cryptographic algorithms and protocols before establishing an encrypted SSL connection. The cipher list consists of one or more cipher strings separated by colons.

Note: All cipher strings are case-sensitive.

  • The default value for Horizon Client 4.2 is !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES.

  • The default value for Horizon Client 4.0.1 and 4.1 is TLSv1:TLSv1.1:TLSv1.2:!aNULL:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH.

  • The default value for Horizon Client 4.0 is TLSv1.1:TLSv1.2:!aNULL:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH.

  • The default value for Horizon Client 3.5 is TLSv1:TLSv1.1:TLSv1.2:!aNULL:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH.

  • The default value for Horizon Client 3.3 and 3.4 is TLSv1:TLSv1.1:AES:!aNULL:@STRENGTH.

  • The value for Horizon Client 3.2 and earlier is SSLv3:TLSv1:TLSv1.1:AES:!aNULL:@STRENGTH.

In terms of protocol versions, these default values mean the following:

  • Horizon Client 4.0.1 and 4.1: TLS v1.0, TLS v1.1, and TLS v1.2 are enabled (SSL v2.0 and v3.0 are removed). You can disable TLS v1.0 if TLS v1.0 compatibility with the server is not required.

  • Horizon Client 4.0: TLS v1.1 and TLS v1.2 are enabled (TLS v1.0 is disabled; SSL v2.0 and v3.0 are removed).

  • Horizon Client 3.5: TLS v1.0, TLS v1.1, and TLS v1.2 are enabled (SSL v2.0 and v3.0 are disabled).

  • Horizon Client 3.3 and 3.4: TLS v1.0 and TLS v1.1 are enabled (SSL v2.0 and v3.0, and TLS v1.2, are disabled).

  • Horizon Client 3.2 and earlier: SSL v3.0 is also enabled (SSL v2.0 and TLS v1.2 are disabled).

The default cipher lists restrict cipher suites to 128- or 256-bit AES, remove anonymous DH algorithms (the !aNULL string), and, where @STRENGTH is present, sort the resulting cipher list in order of encryption algorithm key length.

For the cipher string syntax, see the OpenSSL ciphers documentation: http://www.openssl.org/docs/apps/ciphers.html

The equivalent Windows Registry value is SSLCipherList.

If you do not want to configure this setting as a group policy, you can also configure it by adding the SSLCipherList value name to one of the following registry keys on the client computer:

  • For 32-bit Windows: HKEY_LOCAL_MACHINE\Software\VMware,Inc.\VMware VDM\Client\Security

  • For 64-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware,Inc.\VMware VDM\Client\Security
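As an added example that is not part of the VMware documentation, the following Python function lints an SSLCipherList value the way the text above reasons about the default strings: a leading protocol keyword is read as enabling that protocol version, weak versions are flagged, the presence of !aNULL and of an AES cipher string is checked, and keywords in the wrong case are reported because cipher strings are case-sensitive. The weak-protocol set and the keyword table are constructed for this example; the string is not evaluated with OpenSSL, so a list without protocol keywords (the 4.2 form) simply yields no protocol findings.

```python
# Added example (not VMware code): policy lint for a Horizon Client
# SSLCipherList value. Protocol handling follows the document's reading of
# the defaults; policy thresholds below are constructed for this example.
from dataclasses import dataclass, field

PROTOCOL_KEYWORDS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}          # constructed policy choice
KNOWN_KEYWORDS = PROTOCOL_KEYWORDS | {"!aNULL", "@STRENGTH", "AES", "AESGCM"}


@dataclass
class CipherListReport:
    entries: list                  # cipher strings in configured order
    protocols: set                 # protocol versions the list enables
    findings: list = field(default_factory=list)


def parse_cipher_list(value):
    """Split a colon-separated cipher list; an empty entry is a config error."""
    entries = value.split(":")
    if any(e == "" for e in entries):
        raise ValueError("empty cipher string in list: %r" % value)
    return entries


def lint_cipher_list(value):
    entries = parse_cipher_list(value)
    report = CipherListReport(entries, {e for e in entries if e in PROTOCOL_KEYWORDS})
    # Cipher strings are case-sensitive: a keyword typed in the wrong case
    # silently fails to match, so flag near-misses of the known keywords.
    lowered = {k.lower(): k for k in KNOWN_KEYWORDS}
    for e in entries:
        if e not in KNOWN_KEYWORDS and e.lower() in lowered:
            report.findings.append("case mismatch: %r should be %r" % (e, lowered[e.lower()]))
    for weak in sorted(report.protocols & WEAK_PROTOCOLS):
        report.findings.append("weak protocol enabled: " + weak)
    if "!aNULL" not in entries:
        report.findings.append("anonymous cipher suites (aNULL) are not excluded")
    # Everything that is neither a protocol keyword nor a !/@ directive is a
    # cipher selector; at least one must keep AES suites in the list.
    cipher_entries = [e for e in entries if e not in PROTOCOL_KEYWORDS and e[0] not in "!@"]
    if not any("AES" in e for e in cipher_entries):
        report.findings.append("no AES cipher string present")
    return report


if __name__ == "__main__":
    # Default values quoted in the documentation for Horizon Client 4.2 and 3.2.
    for s in ("!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES",
              "SSLv3:TLSv1:TLSv1.1:AES:!aNULL:@STRENGTH"):
        print(s, "->", lint_cipher_list(s).findings or "OK")
```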

Enable Single Sign-On for smart card authentication

(Computer Configuration setting)

Determines whether single sign-on is enabled for smart card authentication. When single sign-on is enabled, Horizon Client stores the encrypted smart card PIN in temporary memory before submitting it to View Connection Server. When single sign-on is disabled, Horizon Client does not display a custom PIN dialog.

The equivalent Windows Registry value is EnableSmartCardSSO.

Ignore bad SSL certificate date received from the server

(Computer Configuration setting)

(View 4.6 and earlier releases only) Determines whether errors that are associated with invalid server certificate dates are ignored. These errors occur when a server sends a certificate with a date that has passed.

The equivalent Windows Registry value is IgnoreCertDateInvalid.

Ignore certificate revocation problems

(Computer Configuration setting)

(View 4.6 and earlier releases only) Determines whether errors that are associated with a revoked server certificate are ignored. These errors occur when the server sends a certificate that has been revoked and when the client cannot verify a certificate's revocation status.

This setting is disabled by default.

The equivalent Windows Registry value is IgnoreRevocation.

Ignore incorrect SSL certificate common name (host name field)

(Computer Configuration setting)

(View 4.6 and earlier releases only) Determines whether errors that are associated with incorrect server certificate common names are ignored. These errors occur when the common name on the certificate does not match the hostname of the server that sends it.

The equivalent Windows Registry value is IgnoreCertCnInvalid.

Ignore incorrect usage problems

(Computer Configuration setting)

(View 4.6 and earlier releases only) Determines whether errors that are associated with incorrect usage of a server certificate are ignored. These errors occur when the server sends a certificate that is intended for a purpose other than verifying the identity of the sender and encrypting server communications.

The equivalent Windows Registry value is IgnoreWrongUsage.

Ignore unknown certificate authority problems

(Computer Configuration setting)

(View 4.6 and earlier releases only) Determines whether errors that are associated with an unknown Certificate Authority (CA) on the server certificate are ignored. These errors occur when the server sends a certificate that is signed by an untrusted third-party CA.

The equivalent Windows Registry value is IgnoreUnknownCa.

The following table describes the settings in the Scripting Definitions section of the ADM template file.

Table 2. Security-Related Settings in the Scripting Definitions Section

Setting

Description

Connect all USB devices to the desktop on launch

Determines whether all of the available USB devices on the client system are connected to the desktop when the desktop is launched.

This setting is disabled by default.

The equivalent Windows Registry value is connectUSBOnStartup.

Connect all USB devices to the desktop when they are plugged in

Determines whether USB devices are connected to the desktop when they are plugged in to the client system.

This setting is disabled by default.

The equivalent Windows Registry value is connectUSBOnInsert.

Logon Password

Specifies the password that Horizon Client uses during login. The password is stored in plain text by Active Directory.

This setting is undefined by default.

The equivalent Windows Registry value is Password.

For more information about these settings and their security implications, see the Using VMware Horizon Client for Windows document.