You can use the vdmadmin command with the -T option to provide Active Directory secondary credentials to administrator users.
Syntax
vdmadmin -T [-b authentication_arguments] -domainauth {-add | -update | -remove | -removeall | -list} -owner domain\user -user domain\user [-password password]
Usage Notes
If your users and groups are in a domain with a one-way trust relationship with the Connection Server domain, you must provide secondary credentials for the administrator users in Horizon Administrator. Administrators must have secondary credentials to give them access to the one-way trusted domains. A one-way trusted domain can be an external domain or a domain in a transitive forest trust.
Secondary credentials are required only for Horizon Administrator sessions, not for end users' desktop or application sessions. Only administrator users require secondary credentials.
With the vdmadmin command, you configure secondary credentials on a per-user basis. You cannot configure globally specified secondary credentials.
For a forest trust, you typically configure secondary credentials only for the forest root domain. Connection Server can then enumerate the child domains in the forest trust.
Active Directory account lock, disable, and logon hours checks can be performed only when a user in a one-way trusted domain first logs on.
PowerShell administration and smart card authentication of users are not supported in one-way trusted domains. SAML authentication of users in one-way trusted domains is not supported.
Secondary credential accounts require the following permissions. A standard user account should have these permissions by default.
- List Contents
- Read All Properties
- Read Permissions
- Read tokenGroupsGlobalAndUniversal (implied by Read All Properties)
Limitations
- PowerShell administration and smart card authentication of users in one-way trusted domains are not supported.
- SAML authentication of users in one-way trusted domains is not supported.
Options
Option | Description |
---|---|
-add | Adds a secondary credential for the owner account. A Windows logon is performed to verify that the specified credentials are valid. A foreign security principal (FSP) is created for the user in View LDAP. |
-update | Updates a secondary credential for the owner account. A Windows logon is performed to verify that the updated credentials are valid. |
-list | Displays the security credentials for the owner account. Passwords are not displayed. |
-remove | Removes a security credential from the owner account. |
-removeall | Removes all security credentials from the owner account. |
Examples
Add a secondary credential for the specified owner account. A Windows logon is performed to verify that the specified credentials are valid.
vdmadmin -T -domainauth -add -owner domain\user -user domain\user -password password
Update a secondary credential for the specified owner account. A Windows logon is performed to verify that the updated credentials are valid.
vdmadmin -T -domainauth -update -owner domain\user -user domain\user -password password
Remove a secondary credential for the specified owner account.
vdmadmin -T -domainauth -remove -owner domain\user -user domain\user
Remove all secondary credentials for the specified owner account.
vdmadmin -T -domainauth -removeall -owner domain\user
Display all secondary credentials for the specified owner account. Passwords are not displayed.
vdmadmin -T -domainauth -list -owner domain\user
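The following PowerShell wrapper is an added example, not part of the product documentation. It runs the -add or -update form shown above without writing the password into a script file or typed command, then runs -list to confirm the result. It assumes vdmadmin is on the PATH of a Connection Server host and that a non-zero exit code means failure; the parameter names Owner and Action are hypothetical.

```powershell
# Added example. Assumes vdmadmin is on PATH on a Connection Server host.
param(
    # domain\user of the Horizon administrator who owns the secondary credential
    [Parameter(Mandatory)] [string] $Owner,
    # Only the two operations that take a password are handled here
    [ValidateSet('add', 'update')] [string] $Action = 'add'
)

# Prompt for the account in the one-way trusted domain (enter it as domain\user).
# The password is typed into the credential prompt, not stored in this script.
$cred  = Get-Credential -Message "Secondary credential for $Owner"
$plain = $cred.GetNetworkCredential().Password

try {
    # vdmadmin takes the password as an argument, so it is visible in the
    # process command line while the command runs. Run this in a local
    # console session on the server, not through a logged remote shell.
    & vdmadmin -T -domainauth "-$Action" -owner $Owner -user $cred.UserName -password $plain

    # Assumption: vdmadmin returns a non-zero exit code when the Windows
    # logon check or the update fails.
    if ($LASTEXITCODE -ne 0) {
        throw "vdmadmin -$Action failed with exit code $LASTEXITCODE"
    }
}
finally {
    # Remove the variable that holds the plaintext password.
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# Show what is now registered for the owner. Passwords are not displayed.
& vdmadmin -T -domainauth -list -owner $Owner
```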