You can use the vdmadmin command with the -Q option to set defaults and create accounts for clients in kiosk mode, to enable authentication for these clients, and to display information about their configuration.

Syntax

vdmadmin -Q -clientauth -add [-b authentication_arguments] -domain domain_name -clientid client_id [-password "password" | -genpassword] [-ou DN] [-expirepassword | -noexpirepassword] [-group group_name | -nogroup] [-description "description_text"]
vdmadmin -Q -disable [-b authentication_arguments] -s connection_server
vdmadmin -Q -enable [-b authentication_arguments] -s connection_server [-requirepassword]
vdmadmin -Q -clientauth -getdefaults [-b authentication_arguments] [-xml]
vdmadmin -Q -clientauth -list [-b authentication_arguments] [-xml]
vdmadmin -Q -clientauth -remove [-b authentication_arguments] -domain domain_name -clientid client_id
vdmadmin -Q -clientauth -removeall [-b authentication_arguments] [-force]
vdmadmin -Q -clientauth -setdefaults [-b authentication_arguments] [-ou DN] [ -expirepassword | -noexpirepassword ] [-group group_name | -nogroup]
vdmadmin -Q -clientauth -update [-b authentication_arguments] -domain domain_name -clientid client_id [-password "password" | -genpassword] [-description "description_text"]

Usage Notes

You must run the vdmadmin command on one of the View Connection Server instances in the group that contains the View Connection Server instance that clients use to connect to their remote desktops.

When you configure defaults for password expiry and Active Directory group membership, these settings are shared by all View Connection Server instances in a group.

When you add a client in kiosk mode, View creates a user account for the client in Active Directory. If you specify a name for a client, this name must start with the characters "custom-" or with one of the alternate strings that you can define in ADAM, and it cannot be more than 20 characters long. You should use each specified name with no more than one client device.

You can define alternate prefixes to "custom-" in the pae-ClientAuthPrefix multi-valued attribute under cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int in ADAM on a View Connection Server instance. Avoid using these prefixes with ordinary user accounts.

If you do not specify a name for a client, View generates a name from the MAC address that you specify for the client device. For example, if the MAC address is 00:10:db:ee:76:80, the corresponding account name is cm-00_10_db_ee_76_80. You can only use these accounts with View Connection Server instances that you enable to authenticate clients.

Some thin clients allow only account names that start with the characters "custom-" or "cm-" to be used with kiosk mode.
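The naming rules above can be checked before any accounts are created. The following is an added example, not VMware code: `kiosk_account_name`, `check_inventory` and the `prefixes` parameter are hypothetical names, and lower-casing the MAC address is an assumption based on the lower-case example above.

```python
import re

# MAC address in the colon-separated form used on this page
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
MAX_NAME_LEN = 20  # limit stated above for specified client names


def kiosk_account_name(client_id, prefixes=("custom-",)):
    """Return the account name a -clientid value maps to, or raise ValueError.

    `prefixes` is a hypothetical parameter: pass "custom-" plus any alternate
    prefixes defined in pae-ClientAuthPrefix for your deployment.
    """
    if MAC_RE.match(client_id):
        # Lower-casing is an assumption; the page only shows lower-case MACs.
        return "cm-" + client_id.lower().replace(":", "_")
    if not client_id.startswith(tuple(prefixes)):
        raise ValueError("name does not start with an allowed prefix")
    if len(client_id) > MAX_NAME_LEN:
        raise ValueError("name is longer than 20 characters")
    return client_id


def check_inventory(client_ids, prefixes=("custom-",)):
    """Validate a planned list of kiosk clients; return (accounts, problems)."""
    accounts, problems, seen = [], [], {}
    for cid in client_ids:
        try:
            name = kiosk_account_name(cid, prefixes)
        except ValueError as exc:
            problems.append((cid, str(exc)))
            continue
        # AD account names compare case-insensitively, so fold case before
        # checking that each name is used by no more than one device.
        if name.lower() in seen:
            problems.append((cid, "duplicate of " + seen[name.lower()]))
        else:
            seen[name.lower()] = cid
            accounts.append(name)
    return accounts, problems
```

Run `check_inventory` over the planned `-clientid` values; anything returned in `problems` should be corrected before running `vdmadmin -Q -clientauth -add`.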

An automatically generated password is 16 characters long, contains at least one uppercase letter, one lowercase letter, one symbol, and one number, and can contain repeated characters. If you require a stronger password, you must use the -password option to specify the password.

If you use the -group option to specify a group or you have previously set a default group, View adds the client's account to this group. You can specify the -nogroup option to prevent the account being added to any group.

If you enable a View Connection Server instance to authenticate clients in kiosk mode, you can optionally specify that clients must provide a password. If you disable authentication, clients cannot connect to their remote desktops.

Although you enable or disable authentication for an individual View Connection Server instance, all View Connection Server instances in a group share all other settings for client authentication. You need only add a client once for all View Connection Server instances in a group to be capable of accepting requests from the client.

If you specify the -requirepassword option when enabling authentication, the View Connection Server instance cannot authenticate clients that have automatically generated passwords. If you change the configuration of a View Connection Server instance to specify this option, such clients cannot authenticate themselves, and they fail with the error message Unknown username or bad password.

Options

Table 1 shows the options that you can specify to configure clients in kiosk mode.

Table 1. Options for Configuring Clients in Kiosk Mode

| Option | Description |
| --- | --- |
| -add | Adds an account for a client in kiosk mode. |
| -clientauth | Specifies an operation that configures authentication for a client in kiosk mode. |
| -clientid client_id | Specifies the name or the MAC address of the client. |
| -description "description_text" | Creates a description of the account for the client device in Active Directory. |
| -disable | Disables authentication of clients in kiosk mode on a specified View Connection Server instance. |
| -domain domain_name | Specifies the domain for the account for the client device. |
| -enable | Enables authentication of clients in kiosk mode on a specified View Connection Server instance. |
| -expirepassword | Specifies that the expiry time for the password on client accounts is the same as for the View Connection Server group. If no expiry time is defined for the group, passwords do not expire. |
| -force | Disables the confirmation prompt when removing the account for a client in kiosk mode. |
| -genpassword | Generates a password for the client's account. This is the default behavior if you do not specify either -password or -genpassword. |
| -getdefaults | Gets the default values that are used for adding client accounts. |
| -group group_name | Specifies the name of the default group to which client accounts are added. The name of the group must be specified as the pre-Windows 2000 group name from Active Directory. |
| -list | Displays information about clients in kiosk mode and about the View Connection Server instances on which you have enabled authentication of clients in kiosk mode. |
| -noexpirepassword | Specifies that the password on an account does not expire. |
| -nogroup | When adding an account for a client, specifies that the client's account is not added to the default group. When setting the default values for clients, clears the setting for the default group. |
| -ou DN | Specifies the distinguished name of the organizational unit to which client accounts are added. For example: OU=kiosk-ou,DC=myorg,DC=com. Note: You cannot use the -setdefaults option to change the configuration of an organizational unit. |
| -password "password" | Specifies an explicit password for the client's account. |
| -remove | Removes the account for a client in kiosk mode. |
| -removeall | Removes the accounts of all clients in kiosk mode. |
| -requirepassword | Specifies that clients in kiosk mode must provide passwords. View will not accept generated passwords for new connections. |
| -s connection_server | Specifies the NetBIOS name of the View Connection Server instance on which to enable or disable the authentication of clients in kiosk mode. |
| -setdefaults | Sets the default values that are used for adding client accounts. |
| -update | Updates an account for a client in kiosk mode. |

Examples

Set the default values for the organizational unit, password expiry, and group membership of clients.

vdmadmin -Q -clientauth -setdefaults -ou "OU=kiosk-ou,DC=myorg,DC=com" -noexpirepassword -group kc-grp

Get the current default values for clients in plain text format.

vdmadmin -Q -clientauth -getdefaults

Get the current default values for clients in XML format.

vdmadmin -Q -clientauth -getdefaults -xml

Add an account for a client specified by its MAC address to the MYORG domain, and use the default settings for the group kc-grp.

vdmadmin -Q -clientauth -add -domain MYORG -clientid 00:10:db:ee:76:80 -group kc-grp

Add an account for a client specified by its MAC address to the MYORG domain, and use an automatically generated password.

vdmadmin -Q -clientauth -add -domain MYORG -clientid 00:10:db:ee:76:80 -genpassword -ou "OU=kiosk-ou,DC=myorg,DC=com" -group kc-grp

Add an account for a named client, and specify a password to be used with the client.

vdmadmin -Q -clientauth -add -domain MYORG -clientid custom-Terminal21 -password "guest" -ou "OU=kiosk-ou,DC=myorg,DC=com" -description "Terminal 21"

Update an account for a client, specifying a new password and descriptive text.

vdmadmin -Q -clientauth -update -domain MYORG -clientid custom-Terminal21 -password "Secret1!" -description "Foyer Entry Workstation"

Remove the account for a kiosk client specified by its MAC address from the MYORG domain.

vdmadmin -Q -clientauth -remove -domain MYORG -clientid 00:10:db:ee:54:12

Remove the accounts of all clients without prompting to confirm the removal.

vdmadmin -Q -clientauth -removeall -force

Enable authentication of clients for the View Connection Server instance csvr-2. Clients with automatically generated passwords can authenticate themselves without providing a password.

vdmadmin -Q -enable -s csvr-2

Enable authentication of clients for the View Connection Server instance csvr-3, and require that the clients specify their passwords to Horizon Client. Clients with automatically generated passwords cannot authenticate themselves.

vdmadmin -Q -enable -s csvr-3 -requirepassword

Disable authentication of clients for the View Connection Server instance csvr-1.

vdmadmin -Q -disable -s csvr-1

Display information about clients in text format. Client cm-00_0c_29_0d_a3_e6 has an automatically generated password, and does not require an end user or an application script to specify this password to Horizon Client. Client cm-00_22_19_12_6d_cf has an explicitly specified password, and requires the end user to provide this. The View Connection Server instance CONSVR2 accepts authentication requests from clients with automatically generated passwords. CONSVR1 does not accept authentication requests from clients in kiosk mode.

C:\ vdmadmin -Q -clientauth -list
Client Authentication User List
===============================
GUID              : 94be6344-0c9b-4a92-8d54-1brc1c2dc282
ClientID          : cm-00_0c_29_0d_a3_e6
Domain            : myorg.com
Password Generated: true

GUID              : 471d9d35-68b2-40ee-b693-56a7d92b2e25
ClientID          : cm-00_22_19_12_6d_cf
Domain            : myorg.com
Password Generated: false

Client Authentication Connection Servers
========================================
Common Name                   : CONSVR1
Client Authentication Enabled : false
Password Required             : false

Common Name                   : CONSVR2
Client Authentication Enabled : true
Password Required             : false
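The interaction between generated passwords and -requirepassword can be audited from this report. The following is an added example, not VMware code: it parses the text output and lists, for each enabled server, which generated-password clients connect without supplying a password and which will be rejected. The function names and outcome labels are hypothetical, and the sample is constructed (GUID lines left out, CONSVR3 made up).

```python
# Constructed sample in the page's -list text format; CONSVR3 is made up.
SAMPLE = """\
Client Authentication User List
===============================
ClientID          : cm-00_0c_29_0d_a3_e6
Domain            : myorg.com
Password Generated: true

ClientID          : cm-00_22_19_12_6d_cf
Domain            : myorg.com
Password Generated: false

Client Authentication Connection Servers
========================================
Common Name                   : CONSVR2
Client Authentication Enabled : true
Password Required             : false

Common Name                   : CONSVR3
Client Authentication Enabled : true
Password Required             : true
"""

HEADERS = {"Client Authentication User List": "clients",
           "Client Authentication Connection Servers": "servers"}

def parse_list(text):
    """Split the report into client and server records (field -> value)."""
    out, section, record = {"clients": [], "servers": []}, None, {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last record
        line = raw.strip()
        if not line or line in HEADERS:  # blank line or header ends a record
            if record and section:
                out[section].append(record)
            record, section = {}, HEADERS.get(line, section)
        elif ":" in line:
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
    return out

def audit(parsed):
    """List (server, client, outcome) for every generated-password client."""
    generated = [c["ClientID"] for c in parsed["clients"] if c.get("Password Generated") == "true"]
    findings = []
    for s in parsed["servers"]:
        if s.get("Client Authentication Enabled") == "true":
            kind = "WILL_FAIL" if s.get("Password Required") == "true" else "NO_PASSWORD"
            findings += [(s["Common Name"], cid, kind) for cid in generated]
    return findings
```

A `WILL_FAIL` pair is a client that will fail with Unknown username or bad password on that server; a `NO_PASSWORD` pair is a client that server authenticates without a password being provided.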