Security-related settings are provided in Horizon LDAP under the object path cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int. You can use the ADSI Edit utility to change the value of these settings on a Connection Server instance. The change propagates automatically to all other Connection Server instances in a group.

Table 1. Security-Related Settings in Horizon LDAP

Name-value pair: cs-allowunencryptedstartsession
Attribute: pae-NameValuePair

This attribute controls whether a secure channel is required between a Connection Server instance and a desktop when a remote user session is being started.

When Horizon Agent is installed on a desktop computer, this attribute has no effect and a secure channel is always required.

In all cases, user credentials and authorization tickets are protected by a static key. A secure channel provides further assurance of confidentiality by using dynamic keys.

If set to 0, a remote user session will not start if a secure channel cannot be established. This setting is suitable if all the desktops are in trusted domains or all desktops have Horizon Agent installed.

If set to 1, a remote user session can be started even if a secure channel cannot be established. This setting is suitable if some desktops have older Horizon Agents installed and are not in trusted domains.

The default setting is 1.

Name-value pair: keysize
Attribute: pae-MSGSecOptions

When the message security mode is set to Enhanced, TLS is used to secure JMS connections rather than per-message encryption. In enhanced message security mode, validation applies to only one message type.

For enhanced message security mode, VMware recommends increasing the key size to 2048 bits. If you are not using enhanced message security mode, VMware recommends not changing the default of 512 bits, because increasing the key size affects performance and scalability.

If you want all keys to be 2048 bits, the DSA key size must be changed immediately after the first Connection Server instance is installed and before additional servers and desktops are created.

Name-value pair: Auto-renew self-signed certificates
Attribute: pae-managedCertificateAdvanceRollOver

You can auto-renew self-signed certificates with the pae-managedCertificateAdvanceRollOver attribute. Specify a value to replace the self-signed certificate with a future or pending certificate within the specified number of days prior to the current certificate expiration.

By default this value is not set. The valid range is 1-90.
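The settings in the table above can be audited offline from an LDIF export of the cn=common object (for example, one produced with ldifde against the Connection Server's LDAP instance). The following Python is an added example, not VMware's code: it assumes the settings are stored as "name=value" strings in the multi-valued pae-NameValuePair and pae-MSGSecOptions attributes and that the export uses standard LDIF folding, and it takes whether Enhanced message security is in use as a parameter rather than reading it from LDAP.

```python
import base64
import re
# Constructed sample LDIF export of cn=common (not real data). That the settings live in
# pae-NameValuePair / pae-MSGSecOptions as "name=value" strings is an assumption.
SAMPLE_LDIF = """\
dn: cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int
pae-NameValuePair: cs-allowunencryptedstartsession=1
pae-NameValuePair: unrelatedSetting=
 foo
pae-MSGSecOptions: keysize=512
"""

def parse_ldif_entry(text):
    """One LDIF entry -> {attribute (lower-cased): [values]}; unfolds continuation
    lines (leading space) and decodes base64 values ('attr:: ...')."""
    entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def name_value_pairs(values):
    """Multi-valued "name=value" strings -> dict (split at the first '=')."""
    return {k: v for k, _, v in (s.partition("=") for s in values) if k}

def audit_common(entry, enhanced_message_security):
    """Return (setting, value, verdict) triples using the guidance in the table above.
    Whether Enhanced message security is in use is a parameter, not read from LDAP."""
    nv = name_value_pairs(entry.get("pae-namevaluepair", []))
    sess = nv.get("cs-allowunencryptedstartsession", "1")  # default is 1
    findings = [("cs-allowunencryptedstartsession", sess, "ok" if sess == "0"
                 else "warn: a session may start without a secure channel")]
    keysize = int(name_value_pairs(entry.get("pae-msgsecoptions", [])).get("keysize", "512"))
    if enhanced_message_security and keysize < 2048:
        verdict = "warn: Enhanced mode, 2048-bit key recommended"
    elif not enhanced_message_security and keysize != 512:
        verdict = "info: larger key costs performance; 512 is the recommended default"
    else:
        verdict = "ok"
    findings.append(("keysize", str(keysize), verdict))
    roll = entry.get("pae-managedcertificateadvancerollover", [None])[0]
    if roll is None:
        verdict = "info: not set, self-signed certificates are not auto-renewed"
    else:
        verdict = "ok" if roll.isdigit() and 1 <= int(roll) <= 90 else "warn: outside valid range 1-90"
    findings.append(("pae-managedCertificateAdvanceRollOver", roll, verdict))
    return findings
```

Run `audit_common(parse_ldif_entry(open("common.ldf").read()), True)` against a real export to get the three verdicts for a Connection Server.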