Security-related settings are provided in the Security section and the Scripting Definitions section of the ADMX template files for Horizon Client. The ADMX template file is named vdm_client.admx. Except where noted, the settings include only a Computer Configuration setting. If a User Configuration setting is available and you define a value for it, it overrides the equivalent Computer Configuration setting.

The following tables describe the settings in the Security section of the ADMX template file.

Table 1. Horizon Client Configuration Template: Security Settings

Each setting name is followed by its scope in parentheses (Computer Configuration, User Configuration, or both) and then by its description.

Allow command line credentials (Computer Configuration)

Determines whether user credentials can be provided with Horizon Client command-line options. If this setting is disabled, the smartCardPIN and password options are not available when users run Horizon Client from the command line.

This setting is enabled by default.

The equivalent Windows Registry value is AllowCmdLineCredentials.

Configures the SSL Proxy certificate checking behavior of the Horizon Client (Computer Configuration)

Determines whether to allow certificate checking for secondary connections through an SSL proxy server for Blast Secure Gateway and secure tunnel connections.

When this setting is not configured (the default), users can change the SSL proxy setting in Horizon Client manually.

By default, Horizon Client blocks SSL proxy connections for Blast Secure Gateway and secure tunnel connections.

Servers Trusted For Delegation (Computer Configuration)

Specifies the Connection Server instances that accept the user identity and credential information that is passed when a user selects Log in as current user in the Options menu on the Horizon Client menu bar. If you do not specify any Connection Server instances, all Connection Server instances accept this information, unless the Allow logon as current user authentication setting is disabled for the Connection Server instance in Horizon Console.

To add a Connection Server instance, specify the Service Principal Name (SPN) of the Connection Server service.

The equivalent Windows Registry value is BrokersTrustedForDelegation.

Certificate verification mode (Computer Configuration)

Configures the level of certificate checking that Horizon Client performs. You can select one of these modes:
  • No Security. No certificate checking occurs.
  • Warn But Allow. If a certificate check fails because the server uses a self-signed certificate, users see a warning, which they can ignore. For self-signed certificates, the certificate name is not required to match the server name that users enter in Horizon Client.

    If any other certificate error condition occurs, Horizon Client shows an error and prevents users from connecting to the server.

    Warn But Allow is the default value.

  • Full Security. If any type of certificate error occurs, users cannot connect to the server. Horizon Client displays certificate errors to the user.

When this group policy setting is configured, users can view the selected certificate verification mode in Horizon Client, but cannot configure the setting. The certificate checking mode dialog box informs users that an administrator has locked the setting.

When this setting is disabled, Horizon Client users can select a certificate checking mode. This setting is disabled by default.

If you do not want to configure this setting as a group policy, you can also enable certificate verification by adding the CertCheckMode value name to one of the following registry keys on the client computer:

  • For 32-bit Windows: HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Client\Security
  • For 64-bit Windows: HKLM\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VDM\Client\Security

Use the following values in the registry key:

  • 0 implements No Security.
  • 1 implements Warn But Allow.
  • 2 implements Full Security.

If you configure both the group policy setting and the CertCheckMode setting in the Windows Registry key, the group policy setting takes precedence over the registry key value.

Note: In a future Horizon Client release, using the Windows registry to configure this setting might not be supported and the group policy setting must be used.

Default value of the 'Log in as current user' checkbox (Computer and User Configuration)

Specifies the default value of Log in as current user in the Options menu on the Horizon Client menu bar.

This setting overrides the default value specified during Horizon Client installation.

If a user runs Horizon Client from the command line and specifies the logInAsCurrentUser option, that value overrides this setting.

When Log in as current user is selected in the Options menu, the identity and credential information that the user provided when logging in to the client system is passed to the Connection Server instance and ultimately to the remote desktop or published application. When Log in as current user is deselected, users must provide identity and credential information multiple times before they can access a remote desktop or published application.

This setting is disabled by default.

The equivalent Windows Registry value is LogInAsCurrentUser.

Display option to Log in as current user (Computer and User Configuration)

Determines whether Log in as current user is visible in the Options menu on the Horizon Client menu bar.

When Log in as current user is visible, users can select or deselect it and override its default value. When Log in as current user is hidden, users cannot override its default value from the Horizon Client Options menu.

You can specify the default value for Log in as current user by using the policy setting Default value of the 'Log in as current user' checkbox.

This setting is enabled by default.

The equivalent Windows Registry value is LogInAsCurrentUser_Display.

Enable jump list integration (Computer Configuration)

Determines whether a jump list appears in the Horizon Client icon on the taskbar of Windows 7 and later systems. The jump list enables users to connect to recent servers, remote desktops, and published applications.

If Horizon Client is shared, you might not want users to see the names of recent desktops and published applications. You can disable the jump list by disabling this setting.

This setting is enabled by default.

The equivalent Windows Registry value is EnableJumplist.

Enable SSL encrypted framework channel (Computer and User Configuration)

Determines whether TLS is enabled for View 5.0 and earlier remote desktops. Before View 5.0, the data sent over port TCP 32111 to the remote desktop was not encrypted.
  • Enable: Enables TLS, but allows fallback to the previous unencrypted connection if the remote desktop does not have TLS support. For example, View 5.0 and earlier remote desktops do not have TLS support. Enable is the default setting.
  • Disable: Disables TLS. This setting might be useful for debugging, or if the channel is not being tunneled and might potentially be optimized by a WAN accelerator product.
  • Enforce: Enables TLS and refuses to connect to remote desktops that do not have TLS support.

The equivalent Windows Registry value is EnableTicketSSLAuth.

Configures SSL protocols and cryptographic algorithms (Computer and User Configuration)

Configures the cipher list to restrict the use of certain cryptographic algorithms and protocols before establishing an encrypted TLS connection. The cipher list consists of one or more cipher strings separated by colons. The cipher string is case-sensitive.

The default value is TLSv1.1:TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES

This cipher string means that TLS v1.1 and TLS v1.2 are enabled and SSL v2.0, SSL v3.0, and TLS v1.0 are disabled. SSL v2.0, SSL v3.0, and TLS v1.0 are no longer approved protocols and are permanently disabled.

Cipher suites use ECDHE, ECDH, and RSA with 128-bit or 256-bit AES. GCM mode is preferred.

For more information, see http://www.openssl.org/docs/apps/ciphers.html.

The equivalent Windows Registry value is SSLCipherList.
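The cipher list format described above, parsed and checked against the stated intent of the default value (TLS 1.1 and 1.2 only, anonymous suites excluded, GCM preferred). This is an added example, not VMware code; the legacy protocol token spellings SSLv2, SSLv3 and TLSv1 are assumed OpenSSL-style names that do not appear on this page.

```python
# Added example (not VMware code): parse a Horizon Client SSLCipherList value and
# flag deviations from the intent stated for the default. Protocol token spellings
# other than TLSv1.1/TLSv1.2 are assumed OpenSSL-style names, not taken from the page.
from __future__ import annotations

PROTOCOL_TOKENS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
DEFAULT_CIPHER_LIST = ("TLSv1.1:TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM"
                       ":RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES")


def parse_cipher_list(value: str) -> dict[str, list[str]]:
    """Split the colon-separated list into protocol tokens, '!' exclusions and cipher strings."""
    parsed: dict[str, list[str]] = {"protocols": [], "excluded": [], "ciphers": []}
    for token in value.split(":"):
        if not token:
            raise ValueError("empty token: check for a doubled or trailing colon")
        if token in PROTOCOL_TOKENS:
            parsed["protocols"].append(token)
        elif token.startswith("!"):
            parsed["excluded"].append(token[1:])
        else:
            parsed["ciphers"].append(token)  # OpenSSL cipher string, e.g. kECDH+AESGCM
    return parsed


def check_cipher_list(value: str) -> list[str]:
    """Return human-readable findings; an empty list means the value matches the stated intent."""
    parsed = parse_cipher_list(value)
    findings: list[str] = []
    lowered = {p.lower() for p in PROTOCOL_TOKENS}
    for token in parsed["ciphers"]:
        # The string is case-sensitive: 'tlsv1.2' is not a protocol token and is passed
        # through as an unknown cipher string instead of enabling TLS 1.2.
        if token.lower() in lowered:
            findings.append(f"case mismatch: {token!r} does not enable a protocol")
    if not parsed["protocols"]:
        findings.append("no protocol token present")
    legacy = LEGACY_PROTOCOLS & set(parsed["protocols"])
    if legacy:
        findings.append("legacy protocol enabled: " + ", ".join(sorted(legacy)))
    if "aNULL" not in parsed["excluded"]:
        findings.append("anonymous (aNULL) cipher suites are not excluded")
    # 'GCM mode is preferred' means every AESGCM entry precedes every plain AES entry.
    gcm = [i for i, c in enumerate(parsed["ciphers"]) if c.endswith("+AESGCM")]
    plain = [i for i, c in enumerate(parsed["ciphers"]) if c.endswith("+AES")]
    if gcm and plain and max(gcm) > min(plain):
        findings.append("GCM suites are not listed ahead of non-GCM AES suites")
    return findings
```

Run check_cipher_list on the value read from the SSLCipherList registry entry or the policy setting; the default yields no findings, while a list that re-enables TLSv1 or omits !aNULL is reported.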

Enable Single Sign-On for smart card authentication (Computer Configuration)

Determines whether single sign-on is enabled for smart card authentication. When single sign-on is enabled, Horizon Client stores the encrypted smart card PIN in temporary memory before submitting it to Connection Server. When single sign-on is disabled, Horizon Client does not display a custom PIN dialog box.

The equivalent Windows Registry value is EnableSmartCardSSO.

Ignore certificate revocation problems (Computer and User Configuration)

Determines whether errors associated with a revoked server certificate are ignored.

These errors occur when the certificate that the server sends has been revoked or the client cannot verify the certificate's revocation status.

This setting is disabled by default.

Unlock remote sessions when the client machine is unlocked (Computer and User Configuration)

Determines whether the Recursive Unlock feature is enabled. The Recursive Unlock feature unlocks all remote sessions after the client machine has been unlocked. This feature applies only after a user logs in to the server with the Log in as current user feature.

This setting is enabled by default.

Table 2. Horizon Client Configuration Template: Security Settings, NTLM Authentication Settings

Allow NTLM Authentication (Computer Configuration)

When this setting is enabled, NTLM authentication is allowed with the Log in as current user feature. When this setting is disabled, NTLM authentication is not used for any servers.

When this setting is enabled, you can select Yes or No from the Allow fallback from Kerberos to NTLM drop-down menu.

  • If you select Yes, NTLM authentication may be used any time that the client is unable to retrieve a Kerberos ticket for the server.
  • If you select No, NTLM authentication is allowed only for servers listed in the Always use NTLM servers group policy setting.

When this setting is not configured, NTLM authentication is allowed for the servers listed in the Always use NTLM servers group policy setting.

To use NTLM authentication, the server SSL certificate must be valid and Windows policies must not restrict the use of NTLM.

For information about configuring fallback from Kerberos to NTLM in a Connection Server instance, see "Using the Log In as Current User Feature Available with Windows-Based Horizon Client" in the VMware Horizon Console Administration document.

Always use NTLM for servers (Computer Configuration)

When this setting is enabled, the Log in as current user feature always uses NTLM authentication for the listed servers. To create the server list, click Show and enter the server name in the Value column. The naming format for servers is the fully qualified domain name (FQDN).

The following table describes the settings in the Scripting Definitions section of the ADMX template file.

Table 3. Security-Related Settings in the Scripting Definitions Section

Connect all USB devices to the desktop on launch

Determines whether all of the available USB devices on the client system are connected to the desktop when the desktop is launched.

This setting is disabled by default.

The equivalent Windows Registry value is connectUSBOnStartup.

Connect all USB devices to the desktop when they are plugged in

Determines whether USB devices are connected to the desktop when they are plugged in to the client system.

This setting is disabled by default.

The equivalent Windows Registry value is connectUSBOnInsert.

Logon Password

Specifies the password that Horizon Client uses during login. The password is stored in plain text by Active Directory.

This setting is undefined by default.

The equivalent Windows Registry value is Password.

For more information about these settings and their security implications, see the Horizon Client for Windows documentation.