Administrators can set up the configuration for unauthenticated users to access their published applications from a Horizon Client without requiring AD credentials. Consider setting up unauthenticated access if your users require access to a seamless application that has its own security and user management.

When a user starts a published application that is configured for unauthenticated access, the RDS host creates a local user session on demand and allocates the session to the user.
Note: Unauthenticated access is not supported for applications published in a desktop pool.

This feature requires the Horizon 7 version 7.1 environment set up and Horizon Client version 4.4.

Workflow for Configuring Unauthenticated Users

  1. Create users for unauthenticated access. See Create Users for Unauthenticated Access.
  2. Enable unauthenticated access to users and set a default unauthenticated user. See Enable Unauthenticated Access for Users in Horizon Console.
  3. Entitle unauthenticated users to published applications. See Entitle Unauthenticated Access Users to Published Applications.
  4. Enable unauthenticated access from the Horizon Client. See, Unauthenticated Access From Horizon Client.

Rules and Guidelines for Configuring Unauthenticated Users

  • Two-factor authentication, such as RSA and RADIUS, and smart card authentication are not supported for unauthenticated access.
  • Smart card authentication and unauthenticated access are mutually exclusive. When smart card authentication is set to Required in Connection Server, unauthenticated access is disabled even if it was previously enabled.
  • VMware Identity Manager and VMware App Volumes are not supported for unauthenticated access.
  • Both PCoIP and VMware Blast display protocols are supported for this feature.
  • The unauthenticated access feature does not verify license information for RDS hosts. The administrator must configure and use device licenses.
  • The unauthenticated access feature does not retain any user-specific data. The user can verify the data storage requirements for the application.
  • You cannot reconnect to unauthenticated application sessions. When a user disconnects from the client, the RDS host logs off the local user session automatically.
  • Unauthenticated access is only supported for published applications.
  • Unauthenticated access is not supported for applications published from a desktop pool.
  • Unauthenticated access is not supported with a security server or an Unified Access Gateway appliance.
  • User preferences are not preserved for unauthenticated users.
  • Virtual desktops are not supported for unauthenticated users.
  • Horizon Console displays a red status for the Connection Server, if the Connection Server is configured with a CA signed certificate and enabled for unauthenticated access but a default unauthenticated user is not configured.
  • The unauthenticated access feature does not work if the AllowSingleSignon group policy setting for Horizon Agent installed on an RDS host is disabled. Administrators can also control whether to disable or enable unauthenticated access with the UnAuthenticatedAccessEnabled Horizon Agent group policy setting. The Horizon Agent group policy settings are included in the vdm_agent.admx template file. You must reboot the RDS host for this policy to take effect.
  • Unauthenticated access is not supported in a one-way trust environment when authenticating a user from a trusted domain. For example, there are two domains, Domain A and Domain B, where Domain B has a one-way outgoing trust to Domain A. When you enable unauthenticated access on the Connection Server in Domain B and add an unauthenticated access user from a user list in Domain A and then entitle the unauthenticated user to a published desktop or application pool, the user cannot log in as an unauthenticated access user from Horizon Client.