You can use the vdmadmin command with the -T option to provide Active Directory secondary credentials to administrator users.

Syntax

vdmadmin -T [-b authentication_arguments] -domainauth
 {-add | -update | -remove | -removeall | -list} -owner domain\user -user domain\user [-password password]

Usage Notes

If your users and groups are in a domain with a one-way trust relationship with the View Connection Server domain, you must provide secondary credentials for the administrator users in View Administrator. Administrators must have secondary credentials to give them access to the one-way trusted domains. A one-way trusted domain can be an external domain or a domain in a transitive forest trust.

Secondary credentials are required only for View Administrator sessions, not for end users' desktop or application sessions. Only administrator users require secondary credentials.

With the vdmadmin command, you configure secondary credentials on a per-user basis. You cannot configure globally specified secondary credentials.

For a forest trust, you typically configure secondary credentials only for the forest root domain. View Connection Server can then enumerate the child domains in the forest trust.

Active Directory account lock, disable, and logon hours checks can be performed only when a user in a one-way trusted domain first logs on.

PowerShell administration and smart card authentication of users is not supported in one-way trusted domains. SAML authentication of users in one-way trusted domains is not supported.

Secondary credential accounts require the following permissions. A standard user account should have these permissions by default.

  • List Contents

  • Read All Properties

  • Read Permissions

  • Read tokenGroupsGlobalAndUniversal (implied by Read All Properties)

Options

Table 1. Options for Providing Secondary Credentials

Option

Description

-add

Adds a secondary credential for the owner account.

A Windows logon is performed to verify that the specified credentials are valid. A foreign security principal (FSP) is created for the user in View LDAP.

-update

Updates a secondary credential for the owner account.

A Windows logon is performed to verify that the updated credentials are valid.

-list

Displays the security credentials for the owner account. Passwords are not displayed.

-remove

Removes a security credential from the owner account.

-removeall

Removes all security credentials from the owner account.

Examples

Add a secondary credential for the specified owner account. A Windows logon is performed to verify that the specified credentials are valid.

vdmadmin -T -domainauth -add -owner domain\user -user domain\user -password password

Update a secondary credential for the specified owner account. A Windows logon is performed to verify that the updated credentials are valid.

vdmadmin -T -domainauth -update -owner domain\user -user domain\user -password password

Remove a secondary credential for the specified owner account.

vdmadmin -T -domainauth -remove -owner domain\user -user domain\user

Remove all secondary credentials for the specified owner account.

vdmadmin -T -domainauth -removeall -owner domain\user

Display all secondary credentials for the specified owner account. Passwords are not displayed.

vdmadmin -T -domainauth -list -owner domain\user