After you create an unauthenticated access user, you can enable hybrid logon for the user. Hybrid logon gives unauthenticated access users domain access to network resources, such as file shares or network printers, without the need to enter credentials. Hybrid logon is supported on Windows Server 2019 and earlier with Terminal Services (RDSH) installed.

Note: For a given unauthenticated access user configured for hybrid logon, the hybrid logon feature uses the same domain user for all logged-on users.
Note: If you use the user profile tab to set the home directory as a network path from the RDS host machine, by default the administrative user interface on Windows removes all existing permissions on the home directory folder and adds permissions for the administrator and local user with full control. Use the administrator account to remove the local user from the permissions list and then add the domain user with the permissions that you need to set for the user.

Prerequisites

  • Verify that you selected the Hybrid Logon custom option when you installed Horizon Agent on the RDS host. For more information on Horizon Agent custom setup options for an RDS host, see the Setting Up Published Desktops and Applications in Horizon Console document.
  • Verify that you created an unauthenticated access user. See Create Users for Unauthenticated Access.
  • Verify that Kerberos DES encryption is not enabled for the user account in the domain. Kerberos DES encryption is not supported for the hybrid logon feature.
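
One way to check the DES and UPN requirements for a candidate account before you add it (an added example, not part of the VMware documentation). The function name Test-HybridLogonAccount, the account names, and the sample attribute values are hypothetical, and the UPN test only checks for a name@suffix form.

```powershell
# Added example: evaluates the AD attributes relevant to the prerequisites above.
# userAccountControl flag set by "Use Kerberos DES encryption types for this account".
$UF_USE_DES_KEY_ONLY = 0x200000
# msDS-SupportedEncryptionTypes bits: 0x1 = DES-CBC-CRC, 0x2 = DES-CBC-MD5.
$DES_ETYPE_MASK = 0x3

function Test-HybridLogonAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [AllowNull()] [AllowEmptyString()] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [int] $UserAccountControl,
        [AllowNull()] [Nullable[int]] $SupportedEncryptionTypes   # attribute may be unset
    )
    $findings = @()
    # Assumption: "valid UPN" is approximated as a non-empty name@suffix string.
    if ($UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+$') {
        $findings += 'UPN is missing or not in name@suffix form'
    }
    if ($UserAccountControl -band $UF_USE_DES_KEY_ONLY) {
        $findings += 'USE_DES_KEY_ONLY is set in userAccountControl'
    }
    if ($null -ne $SupportedEncryptionTypes -and
        ($SupportedEncryptionTypes -band $DES_ETYPE_MASK)) {
        $findings += 'DES bits are set in msDS-SupportedEncryptionTypes'
    }
    [pscustomobject]@{
        Account  = $SamAccountName
        Ready    = ($findings.Count -eq 0)
        Findings = $findings -join '; '
    }
}

# Constructed sample values (not read from a real directory).
Test-HybridLogonAccount -SamAccountName 'anon-ok' -UserPrincipalName 'anon-ok@example.test' `
    -UserAccountControl 0x10200 -SupportedEncryptionTypes 0x18     # Ready = True
Test-HybridLogonAccount -SamAccountName 'anon-des' -UserPrincipalName '' `
    -UserAccountControl 0x210200 -SupportedEncryptionTypes 0x1B    # Ready = False, three findings

# Live use (requires the ActiveDirectory module from RSAT):
# Get-ADUser 'anon-ok' -Properties userAccountControl, 'msDS-SupportedEncryptionTypes' |
#   ForEach-Object { Test-HybridLogonAccount -SamAccountName $_.SamAccountName `
#     -UserPrincipalName $_.UserPrincipalName -UserAccountControl $_.userAccountControl `
#     -SupportedEncryptionTypes $_.'msDS-SupportedEncryptionTypes' }
```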

Procedure

  1. In Horizon Console, select Users and Groups.
  2. On the Unauthenticated Access tab, click Add.
  3. In the Add Unauthenticated User wizard, select one or more search criteria and click Find to find an unauthenticated access user based on your search criteria.
    The user must have a valid UPN.
  4. Select an unauthenticated access user and click Next.
    Repeat this step to add multiple users.
  5. (Optional) Enter the user alias.
    The default user alias is the user name that was configured for the AD account. End users can use the user alias to log in to the Connection Server instance from Horizon Client.
  6. (Optional) Review the user details and add comments.
  7. Select Enable Hybrid Logon.
    The Enable True SSO option is selected by default. You must have True SSO enabled for the VMware Horizon environment. Then, unauthenticated access users enabled for hybrid logon use True SSO to log in to the Connection Server instance from Horizon Client.
    Note: If the Connection Server pod is not configured for True SSO, then the user can start an entitled application with unauthenticated access. However, the user does not have network access because True SSO is not enabled on the pod.
  8. (Optional) To enable the user to log in to the Connection Server instance from Horizon Client, select Enable Password Logon and enter the user's password.

    Use this setting if you do not have True SSO configured for the VMware Horizon environment.

    In a CPA environment, the hybrid logon user feature only works on the Connection Server pod on which the hybrid logon user was configured with the Enable Password Logon setting and entitled to published applications.

    For example, consider a CPA environment with Pod A and Pod B in which the hybrid logon user configured with the Enable Password Logon setting is entitled to an application on Pod A. The user can view and start the application from a client that connects to either Pod A or Pod B. However, if another application is entitled to the same user on Pod B, then the user cannot view and start the application from a client that connects to Pod B. For the hybrid logon feature to work on Pod B, you must create another hybrid logon user configured with the Enable Password Logon setting and entitle applications to that user. For more information on how to set up a CPA environment, see the Administering Cloud Pod Architecture in Horizon document.
    Note: In a remote pod, an unauthenticated access user with a hybrid logon password cannot be used as a default unauthenticated access user. If you have existing unauthenticated access users with hybrid logon passwords that are cross pod users, such as in upgrades, these users might see inconsistent global application entitlements in Horizon Client when connecting to different pods. For example, cross pod users might not see global application entitlements, even if the pod where the user was created has local pools, and these might be visible when connecting to some other pod. If this inconsistency occurs, remove these cross pod users.
  9. Click Finish.

What to do next

Entitle the user to published applications. See Entitle Unauthenticated Access Users to Published Applications.