Security settings include options for server certificate verification, login credentials, and the single sign-on feature.

The following table describes the security settings in the Horizon Client Configuration ADMX template file. This table shows whether the settings include both Computer Configuration and User Configuration settings, or only Computer Configuration settings. For the security settings that include both types, the User Configuration setting overrides the equivalent Computer Configuration setting. These settings are in the VMware Horizon Client Configuration > Security Settings folder in the Group Policy Management Editor.

Table 1. Horizon Client Configuration Template: Security Settings

Setting

Computer

User

Description

Allow command line credentials

Scope: Computer Configuration only

Determines whether user credentials can be supplied through Horizon Client command-line options. If this setting is disabled, the smartCardPIN and password command-line options are not available when users run Horizon Client from the command line. Because command-line arguments are generally visible to other local processes (for example in process listings and command-line auditing), consider disabling this setting on shared client systems.

This setting is enabled by default.

The equivalent Windows Registry value is AllowCmdLineCredentials.

Servers Trusted For Delegation

Scope: Computer Configuration only

Specifies the Connection Server instances that accept the user identity and credential information that is passed when a user selects Log in as current user in the Options menu on the Horizon Client menu bar. If you do not specify any Connection Server instances, all Connection Server instances accept this information, so the client forwards the logged-in user's credentials to any Connection Server it connects to; list only the instances you operate.

To add a Connection Server instance, use one of the following formats:

  • domain\system$

  • system$@domain.com

  • The Service Principal Name (SPN) of the Connection Server service.

The equivalent Windows Registry value is BrokersTrustedForDelegation.

Certificate verification mode

Scope: Computer Configuration only

Configures the level of certificate checking that Horizon Client performs on the server certificate. You can select one of these modes:

  • No Security. Horizon does not perform certificate checking.

  • Warn But Allow. Horizon Client accepts a self-signed certificate from the server, and in that case it also accepts a certificate whose name does not match the Connection Server name that the user entered in Horizon Client.

    If any other certificate error condition occurs, Horizon displays an error dialog and prevents the user from connecting to Connection Server.

    Warn But Allow is the default value. Because any self-signed certificate is accepted regardless of its name, this mode does not protect against an intermediary that presents its own self-signed certificate; use Full Security where that matters.

  • Full Security. If any type of certificate error occurs, the user cannot connect to Connection Server. Horizon displays the certificate error to the user.

When this group policy setting is configured, users can view the selected certificate verification mode in Horizon Client but cannot configure the setting. The SSL configuration dialog box informs users that the administrator has locked the setting.

When this setting is not configured or disabled, Horizon Client users can select a certificate verification mode.

Certificate checking requires that Horizon Client make HTTPS connections directly to the Connection Server or security server host. It is not supported if you off-load SSL to an intermediate device that then makes HTTP connections to the Connection Server or security server host.

If you do not want to configure this setting as a group policy, you can also set the certificate verification mode by adding the CertCheckMode value to one of the following registry keys on the client computer:

  • For 32-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Client\Security

  • For 64-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VDM\Client\Security

Use the following values in the registry key:

  • 0 implements No Security.

  • 1 implements Warn But Allow.

  • 2 implements Full Security.

If you configure both the group policy setting and the CertCheckMode setting in the Windows Registry key, the group policy setting takes precedence over the registry key value.

Note:

In a future release, configuring this setting using the Windows registry might not be supported. A GPO setting must be used.
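The following PowerShell script is an added example, not VMware's code and not part of this documentation. It sets CertCheckMode on the registry key documented above for the client's architecture and reports which value is in effect. Two things it assumes that the page does not state: that CertCheckMode is a DWORD value, and that the group policy stores its copy under HKLM:\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\Security (the page only says the GPO value takes precedence over the registry value).

```powershell
# Added example, not VMware's code. Sets and reads the Horizon Client
# CertCheckMode registry value described above.
# Assumptions: CertCheckMode is a DWORD; the GPO-backed copy lives under the
# Policies path below (the page only says the GPO value takes precedence).

$CertCheckModes = @{ NoSecurity = 0; WarnButAllow = 1; FullSecurity = 2 }
$PolicyKey = 'HKLM:\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\Security'  # assumed path

function Get-HorizonClientSecurityKey {
    # The two keys the page documents: plain SOFTWARE on 32-bit Windows,
    # Wow6432Node on 64-bit Windows.
    if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VDM\Client\Security'
    } else {
        'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Client\Security'
    }
}

function Set-HorizonCertCheckMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NoSecurity', 'WarnButAllow', 'FullSecurity')]
        [string]$Mode
    )
    $key   = Get-HorizonClientSecurityKey
    $value = $CertCheckModes[$Mode]
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($key, "Set CertCheckMode=$value ($Mode)")) {
        New-ItemProperty -Path $key -Name 'CertCheckMode' -PropertyType DWord `
            -Value $value -Force | Out-Null
    }
}

function Get-HorizonCertCheckMode {
    # Returns the effective mode. A GPO-managed value wins over the local one;
    # with neither present the client uses Warn But Allow (the page's default).
    $sources = @(
        @{ Source = 'GPO';      Path = $PolicyKey },
        @{ Source = 'Registry'; Path = Get-HorizonClientSecurityKey }
    )
    foreach ($s in $sources) {
        $item = Get-ItemProperty -Path $s.Path -Name 'CertCheckMode' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $name = ($CertCheckModes.GetEnumerator() | Where-Object { $_.Value -eq $item.CertCheckMode }).Key
            return [pscustomobject]@{ Source = $s.Source; Value = $item.CertCheckMode; Mode = $name }
        }
    }
    [pscustomobject]@{ Source = 'Default'; Value = 1; Mode = 'WarnButAllow' }
}

# Usage: enforce Full Security on this client, then show what is in effect.
Set-HorizonCertCheckMode -Mode FullSecurity
Get-HorizonCertCheckMode
```

Run it from an elevated PowerShell session, since it writes under HKLM. Set-HorizonCertCheckMode supports -WhatIf, so you can preview the write before changing a client.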

Default value of the 'Log in as current user' checkbox

Scope: Computer Configuration and User Configuration

Specifies the default value of Log in as current user in the Options menu on the Horizon Client menu bar.

This setting overrides the default value specified during Horizon Client installation.

If a user runs Horizon Client from the command line and specifies the logInAsCurrentUser option, that value overrides this setting.

When Log in as current user is selected in the Options menu, the identity and credential information that the user provided when logging in to the client system is passed to the Connection Server instance and ultimately to the remote desktop or application. When Log in as current user is deselected, users must provide identity and credential information multiple times before they can access a remote desktop or application. Because this passes the client session's credentials to whichever Connection Server the user connects to, use Servers Trusted For Delegation to restrict the instances that can receive them.

This setting is disabled by default.

The equivalent Windows Registry value is LogInAsCurrentUser.

Display option to Log in as current user

Scope: Computer Configuration and User Configuration

Determines whether Log in as current user is visible in the Options menu on the Horizon Client menu bar.

When Log in as current user is visible, users can select or deselect it and override its default value. When Log in as current user is hidden, users cannot override its default value from the Horizon Client Options menu.

You can specify the default value for Log in as current user by using the policy setting Default value of the 'Log in as current user' checkbox.

This setting is enabled by default.

The equivalent Windows Registry value is LogInAsCurrentUser_Display.

Enable jump list integration

Scope: Computer Configuration only

Determines whether a jump list appears on the Horizon Client icon in the taskbar of Windows 7 and later systems. The jump list lets users connect to recent Connection Server instances and remote desktops.

If the client system is shared, you might not want users to see the names of recent servers and desktops. You can remove the jump list by disabling this setting.

This setting is enabled by default.

The equivalent Windows Registry value is EnableJumplist.

Enable SSL encrypted framework channel

Scope: Computer Configuration and User Configuration

Determines whether SSL is used on the framework channel to the remote desktop. Before View 5.0, the data sent over TCP port 32111 to the desktop was not encrypted, and View 5.0 and earlier desktops do not support SSL on this channel.

  • Enable: Enables SSL, but allows fallback to the previous unencrypted connection if the remote desktop does not have SSL support (for example, a View 5.0 or earlier desktop). Enable is the default setting. Once no View 5.0 or earlier desktops remain, Enforce removes the unencrypted fallback.

  • Disable: Disables SSL. This setting is not recommended but might be useful for debugging, or if the channel is not being tunneled and could then be optimized by a WAN accelerator product.

  • Enforce: Enables SSL and refuses to connect to desktops that have no SSL support.

The equivalent Windows Registry value is EnableTicketSSLAuth.

Configures SSL protocols and cryptographic algorithms

Scope: Computer Configuration and User Configuration

Configures the cipher list that restricts which cryptographic algorithms and protocols Horizon Client may use when establishing an encrypted SSL connection. The cipher list consists of one or more cipher strings separated by colons.

Note:

The cipher string is case-sensitive.

The default value is TLSv1:TLSv1.1:TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES.

This means that TLS 1.0, TLS 1.1 and TLS 1.2 are enabled (SSL 2.0 and 3.0 are excluded). TLS 1.0 and TLS 1.1 have since been deprecated (RFC 8996); because the leading entries determine which protocol versions are enabled, a list that begins with TLSv1.2 instead of TLSv1:TLSv1.1:TLSv1.2 restricts the client to TLS 1.2.

The remaining entries select cipher suites that use 128- or 256-bit AES, exclude anonymous (unauthenticated) key exchange (!aNULL), and order the list with AES-GCM suites before the other AES suites, preferring ECDH key exchange over RSA key exchange within each group.

Reference link for the configuration: http://www.openssl.org/docs/apps/ciphers.html

The equivalent Windows Registry value is SSLCipherList.
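The following PowerShell script is an added example, not VMware's code and not part of this documentation. It checks a cipher list against the rules stated above (colon-separated, case-sensitive, !aNULL present, no deprecated protocol versions) and refuses to write one that fails, then writes a TLS 1.2-only, AES-GCM-only list. It assumes, beyond what the page states, that SSLCipherList is a string value in the same Security registry key documented for CertCheckMode, and that leaving out the TLSv1 and TLSv1.1 entries disables those versions, as the page's explanation of the default value implies. The choice to keep only AES-GCM suites is the example's own hardening, not a requirement from the page.

```powershell
# Added example, not VMware's code. Checks a Horizon Client SSLCipherList value
# against the rules on this page and writes a TLS 1.2-only list.
# Assumptions: SSLCipherList is a string value in the same Security key as
# CertCheckMode, and removing the TLSv1/TLSv1.1 entries disables those
# versions, as the page's reading of the default value implies.

$DefaultCipherList  = 'TLSv1:TLSv1.1:TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES'
$HardenedCipherList = 'TLSv1.2:!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM'

function Test-HorizonCipherList {
    param([Parameter(Mandatory)][string]$CipherList)
    $findings = [System.Collections.Generic.List[string]]::new()
    $entries  = $CipherList -split ':'
    $protocolTokens = 'TLSv1', 'TLSv1.1', 'TLSv1.2'

    foreach ($e in $entries) {
        if ($e -ne $e.Trim()) { $findings.Add("entry '$e' has surrounding whitespace") }
        # The string is case-sensitive, so 'tlsv1.2' would not enable anything.
        foreach ($t in $protocolTokens) {
            if ($e -ieq $t -and $e -cne $t) { $findings.Add("entry '$e' differs from '$t' only by case") }
        }
    }
    if ($entries -ccontains 'TLSv1')      { $findings.Add('TLS 1.0 is enabled (deprecated by RFC 8996)') }
    if ($entries -ccontains 'TLSv1.1')    { $findings.Add('TLS 1.1 is enabled (deprecated by RFC 8996)') }
    if ($entries -cnotcontains 'TLSv1.2') { $findings.Add('TLS 1.2 is not enabled') }
    if ($entries -cnotcontains '!aNULL')  { $findings.Add('anonymous (unauthenticated) suites are not excluded') }

    [pscustomobject]@{
        CipherList = $CipherList
        IsHardened = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

function Set-HorizonCipherList {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$CipherList)
    $check = Test-HorizonCipherList -CipherList $CipherList
    if (-not $check.IsHardened) {
        throw "Refusing to write cipher list: $($check.Findings -join '; ')"
    }
    # Same architecture-dependent key the page documents for CertCheckMode.
    $key = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VDM\Client\Security'
    } else {
        'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Client\Security'
    }
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($key, 'Set SSLCipherList')) {
        New-ItemProperty -Path $key -Name 'SSLCipherList' -PropertyType String `
            -Value $CipherList -Force | Out-Null
    }
}

# Usage: the page's default fails the check (TLS 1.0 and 1.1 enabled), a
# lowercase token is caught as a case error, and the hardened list passes.
# -WhatIf shows the registry write without performing it.
Test-HorizonCipherList -CipherList $DefaultCipherList
Test-HorizonCipherList -CipherList 'tlsv1.2:!aNULL:ECDH+AESGCM'
Set-HorizonCipherList -CipherList $HardenedCipherList -WhatIf
```

Before rolling a restricted list out, confirm that every Connection Server the clients use still negotiates a suite from it; a list the server cannot match fails the connection rather than falling back. If the setting is managed by group policy, the GPO value is what the client uses, so apply the same list there.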

Enable Single Sign-On for smart card authentication

Scope: Computer Configuration only

Determines whether single sign-on is enabled for smart card authentication. When single sign-on is enabled, Horizon Client stores the encrypted smart card PIN in temporary memory before submitting it to Connection Server. When single sign-on is disabled, Horizon Client does not display a custom PIN dialog.

The equivalent Windows Registry value is EnableSmartCardSSO.

Ignore certificate revocation problems

Scope: Computer Configuration and User Configuration

Determines whether errors associated with a revoked server certificate are ignored.

These errors occur when the certificate that the server sends has been revoked or when the client cannot verify the certificate's revocation status. When this setting is enabled, a server whose certificate has been revoked is still trusted, so leave it disabled unless clients genuinely cannot reach the revocation infrastructure and that risk has been accepted.

This setting is disabled by default.

Unlock remote sessions when the client machine is unlocked

Scope: Computer Configuration and User Configuration

Determines whether the Recursive Unlock feature is enabled. The Recursive Unlock feature unlocks all remote sessions after the client machine has been unlocked, so a single client unlock opens every remote session at once. This feature applies only after a user logs in to the server with the Log in as current user feature.

This setting is enabled by default.