With Horizon Client for Windows, when users select Log in as current user in the Options menu, the credentials that they provided when logging in to the client system are used to authenticate to the Horizon Connection Server instance and to the remote desktop. No further user authentication is required.
To support this feature, user credentials are stored on both the Connection Server instance and on the client system.
- On the Connection Server instance, user credentials are encrypted and stored in the user session along with the username, domain, and optional UPN. The credentials are added when authentication occurs and are purged when the session object is destroyed. The session object is destroyed when the user logs out, the session times out, or authentication fails. The session object resides in volatile memory and is not stored in Horizon LDAP or in a disk file.
- On the Connection Server instance, enable the Accept logon as current user setting to allow the Connection Server instance to accept the user identity and credential information that is passed when users select Log in as current user in the Options menu in Horizon Client.
Important: You must understand the security risks before enabling this setting. See, "Security-Related Server Settings for User Authentication" in the Horizon 7 Security document.
- On the client system, user credentials are encrypted and stored in a table in the Authentication Package, which is a component of Horizon Client. The credentials are added to the table when the user logs in and are removed from the table when the user logs out. The table resides in volatile memory.
Administrators can use Horizon Client group policy settings to control the availability of the Log in as current user setting in the Options menu and to specify its default value. Administrators can also use group policy to specify which Connection Server instances accept the user identity and credential information that is passed when users select Log in as current user in Horizon Client.
The Recursive Unlock feature is enabled after a user logs in to Connection Server with the Log in as current user feature. The Recursive Unlock feature unlocks all remote sessions after the client machine has been unlocked. Administrators can control the Recursive Unlock feature with the Unlock remote sessions when the client machine is unlocked global policy setting in Horizon Client. For more information about global policy settings for Horizon Client, see the Horizon Client documentation at the VMware Horizon Clients documentation Web page.
The Log in as current user feature has the following limitations and requirements:
- When smart card authentication is set to Required on a Connection Server instance, authentication fails for users who select Log in as current user when they connect to the Connection Server instance. These users must reauthenticate with their smart card and PIN when they log in to Connection Server.
- The time on the system where the client logs in and the time on the Connection Server host must be synchronized.
- If the default Access this computer from the network user-right assignments are modified on the client system, they must be modified as described in VMware Knowledge Base (KB) article 1025691.
- The client machine must be able to communicate with the corporate Active Directory server and not use cached credentials for authentication. For example, if users log in to their client machines from outside the corporate network, cached credentials are used for authentication. If the user then attempts to connect to a security server or a Connection Server instance without first establishing a VPN connection, the user is prompted for credentials, and the Log in as current user feature does not work.