With Horizon Client for Windows, when users select Log in as current user in the Options menu, the credentials that they provided when logging in to the client system are used to authenticate to the Horizon Connection Server instance and to the remote desktop using Kerberos. No further user authentication is required.

To support this feature, user credentials are stored on both the Connection Server instance and on the client system.

  • On the Connection Server instance, user credentials are encrypted and stored in the user session along with the username, domain, and optional UPN. The credentials are added when authentication occurs and are purged when the session object is destroyed. The session object is destroyed when the user logs out, the session times out, or authentication fails. The session object resides in volatile memory and is not stored in Horizon LDAP or in a disk file.
  • On the Connection Server instance, enable the Accept logon as current user setting to allow the Connection Server instance to accept the user identity and credential information that is passed when users select Log in as current user in the Options menu in Horizon Client.
    Important: You must understand the security risks before enabling this setting. See, "Security-Related Server Settings for User Authentication" in the Horizon Security document.
  • On the client system, user credentials are encrypted and stored in a table in the Authentication Package, which is a component of Horizon Client. The credentials are added to the table when the user logs in and are removed from the table when the user logs out. The table resides in volatile memory.
    When you select Accept logon as current user, you can enable the following user settings:
    • Allow Legacy Clients: Support for older clients. Horizon Client versions 2006 and 5.4 and earlier versions are considered older clients.
    • Allow NTLM Fallback: Uses NTLM authentication instead of Kerberos when there is no access to the domain controller. The NTLM group policy settings must be enabled in Horizon Client configuration.
    • Disable Channel Bindings: An additional security layer to secure NTLM authentication. By default, channel bindings are enabled on the client.
      Note: If channel binding is enabled, confirm that NTLMv2 is turned on using the LMCompatibilityLevel switch and that the security level 3 or higher in the user environment. For more information, see the Microsoft documentation here.
    • True SSO Integration: Enable this setting on Connection Server to allow SSO to the desktop using True SSO. For example, in a nested mode, True SSO is used to log on to a nested client and then a secondatry desktop logon was performed. For information on nested mode, see the VMware Horizon Client for Windows Installation and Setup Guide.
      • Disabled: The user has to enter login information if the client did not receive logon credentials.
      • Optional: Client credentials will be used, if available, else True SSO will be used. This is the recommended setting if both True SSO and Log in as current user are enabled.
      • Enabled: True SSO will be used to log on to the desktop.

Administrators can use Horizon Client group policy settings to control the availability of the Log in as current user setting in the Options menu and to specify its default value. Administrators can also use group policy to specify which Connection Server instances accept the user identity and credential information that is passed when users select Log in as current user in Horizon Client.

The Recursive Unlock feature is enabled after a user logs in to Connection Server with the Log in as current user feature. The Recursive Unlock feature unlocks all remote sessions after the client machine has been unlocked. Administrators can control the Recursive Unlock feature with the Unlock remote sessions when the client machine is unlocked global policy setting in Horizon Client. For more information about global policy settings for Horizon Client, see the Horizon Client documentation at the VMware Horizon Clients documentation Web page.
Note: The Recursive Unlock feature may be slow when you use Log in as current user with NTLM authentication if Horizon Client is unable to access the domain controllers. To mitigate this issue, enable the group policy setting Always use NTLM for servers in the VMware Horizon Client Configuration > Security Settings > NTLM Settings folder in the Group Policy Management Editor.

The Log in as current user feature has the following limitations and requirements:

  • When smart card authentication is set to Required on a Connection Server instance, authentication fails for users who select Log in as current user when they connect to the Connection Server instance. These users must reauthenticate with their smart card and PIN when they log in to Connection Server.
  • The time on the system where the client logs in and the time on the Connection Server host must be synchronized.
  • If the default Access this computer from the network user-right assignments are modified on the client system, they must be modified as described in VMware Knowledge Base (KB) article 1025691.