You can use the vdmadmin command with the -Q option to set defaults and create accounts for clients in kiosk mode, to enable authentication for these clients, and to display information about their configuration.
Syntax
vdmadmin -Q -clientauth -add [-b authentication_arguments] -domain domain_name-clientid client_id [-password "password" | -genpassword] [-ou DN] [-expirepassword | -noexpirepassword] [-group group_name | -nogroup] [-description "description_text"]
vdmadmin -Q -disable [-b authentication_arguments] -s connection_server
vdmadmin -Q -enable [-b authentication_arguments] -s connection_server [-requirepassword]
vdmadmin -Q -clientauth -getdefaults [-b authentication_arguments] [-xml]
vdmadmin -Q -clientauth -list [-b authentication_arguments] [-xml]
vdmadmin -Q -clientauth -remove [-b authentication_arguments] -domain domain_name-clientid client_id
vdmadmin -Q -clientauth -removeall [-b authentication_arguments] [-force]
vdmadmin -Q -clientauth -setdefaults [-b authentication_arguments] [-ou DN] [ -expirepassword | -noexpirepassword ] [-group group_name | -nogroup]
vdmadmin -Q -clientauth -update [-b authentication_arguments] -domain domain_name-clientid client_id [-password "password" | -genpassword] [-description "description_text"]
Usage Notes
You must run the vdmadmin command on one of the Connection Server instances in the group that contains the Connection Server instance that clients use to connect to their remote desktops.
When you configure defaults for password expiry and Active Directory group membership, these settings are shared by all Connection Server instances in a group.
When you add a client in kiosk mode, VMware Horizon creates a user account for the client in Active Directory. If you specify a name for a client, this name must start with the characters "custom-" or with one of the alternate strings that you can define in ADAM, and it cannot be more than 20 characters long. You should use each specified name with no more than one client device.
You can define alternate prefixes to "custom-" in the pae-ClientAuthPrefix multi-valued attribute under cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int in ADAM on a Connection Server instance. Avoid using these prefixes with ordinary user accounts.
If you do not specify a name for a client, VMware Horizon generates a name from the MAC address that you specify for the client device. For example, if the MAC address is 00:10:db:ee:76:80, the corresponding account name is cm-00_10_db_ee_76_80. You can only use these accounts with Connection Server instances that you enable to authenticate clients.
Some thin clients allow only account names that start with the characters "custom-" or "cm-" to be used with kiosk mode.
An automatically generated password is 16 characters long, contains at least one uppercase letter, one lowercase letter, one symbol, and one number, and can contain repeated characters. If you require a stronger password, you must use the -password option to specify the password.
If you use the -group option to specify a group or you have previously set a default group, VMware Horizon adds the client's account to this group. You can specify the -nogroup option to prevent the account being added to any group.
If you enable a Connection Server instance to authenticate clients in kiosk mode, you can optionally specify that clients must provide a password. If you disable authentication, clients cannot connect to their remote desktops.
Although you enable or disable authentication for an individual Connection Server instance, all Connection Server instances in a group share all other settings for client authentication. You need only add a client once for all Connection Server instances in a group to be capable of accepting requests from the client.
If you specify the -requirepassword option when enabling authentication, the Connection Server instance cannot authenticate clients that have automatically generated passwords. If you change the configuration of a Connection Server instance to specify this option, such clients cannot authenticate themselves, and they fail with the error message Unknown username or bad password.
Options
The following table shows the options that you can specify to configure clients in kiosk mode.
Option | Description |
---|---|
-add | Adds an account for a client in kiosk mode. |
-clientauth | Specifies an operation that configures authentication for a client in kiosk mode. |
-clientid client_id | Specifies the name or the MAC address of the client. |
-description "description_text" | Creates a description of the account for the client device in Active Directory. |
-disable | Disables authentication of clients in kiosk mode on a specified Connection Server instance. |
-domain domain_name | Specifies the domain for the account for the client device. |
-enable | Enables authentication of clients in kiosk mode on a specified Connection Server instance. |
-expirepassword | Specifies that the expiry time for the password on client accounts is the same as for the Connection Server group. If no expiry time is defined for the group, passwords do not expire. |
-force | Disables the confirmation prompt when removing the account for a client in kiosk mode. |
-genpassword | Generates a password for the client's account. This is the default behavior if you do not specify either -password or -genpassword. |
-getdefaults | Gets the default values that are used for adding client accounts. |
-group group_name | Specifies the name of the default group to which client accounts are added. The name of the group must be specified as the pre-Windows 2000 group name from Active Directory. |
-list | Displays information about clients in kiosk mode and about the Connection Server instances on which you have enabled authentication of clients in kiosk mode. |
-noexpirepassword | Specifies that the password on an account does not expire. |
-nogroup | When adding an account for a client, specifies that the client's account is not added to the default group. When setting the default values for clients, clears the setting for the default group. |
-ou DN | Specifies the distinguished name of the organizational unit to which client accounts are added. For example: OU=kiosk-ou,DC=myorg,DC=com
Note: You cannot use the
-setdefaults option to change the configuration of an organizational unit.
|
-password "password" | Specifies an explicit password for the client's account. |
-remove | Removes the account for a client in kiosk mode. |
-removeall | Removes the accounts of all clients in kiosk mode. |
-requirepassword | Specifies that clients in kiosk mode must provide passwords. VMware Horizon will not accept generated passwords for new connections. |
-s connection_server | Specifies the NetBIOS name of the Connection Server instance on which to enable or disable the authentication of clients in kiosk mode. |
-setdefaults | Sets the default values that are used for adding client accounts. |
-update | Updates an account for a client in kiosk mode. |
Examples
Set the default values for the organizational unit, password expiry, and group membership of clients.
vdmadmin -Q -clientauth -setdefaults -ou "OU=kiosk-ou,DC=myorg,DC=com" -noexpirepassword -group kc-grp
Get the current default values for clients in plain text format.
vdmadmin -Q -clientauth -getdefaults
Get the current default values for clients in XML format.
vdmadmin -Q -clientauth -getdefaults -xml
Add an account for a client specified by its MAC address to the MYORG domain, and use the default settings for the group kc-grp.
vdmadmin -Q -clientauth -add -domain MYORG -clientid 00:10:db:ee:76:80 -group kc-grp
Add an account for a client specified by its MAC address to the MYORG domain, and use an automatically generated password.
vdmadmin -Q -clientauth -add -domain MYORG -clientid 00:10:db:ee:76:80 -genpassword -ou "OU=kiosk-ou,DC=myorg,DC=com" -group kc-grp
Add an account for a named client, and specify a password to be used with the client.
vdmadmin -Q -clientauth -add -domain MYORG -clientid custom-Terminal21 -password "guest" -ou "OU=kiosk-ou,DC=myorg,DC=com" -description "Terminal 21"
Update an account for a client, specifying a new password and descriptive text.
vdmadmin -Q -clientauth -update -domain MYORG -clientid custom-Terminal21 -password "Secret1!" -description "Foyer Entry Workstation"
Remove the account for a kiosk client specified by its MAC address from the MYORG domain.
vdmadmin -Q -clientauth -remove -domain MYORG -clientid 00:10:db:ee:54:12
Remove the accounts of all clients without prompting to confirm the removal.
vdmadmin -Q -clientauth -removeall -force
Enable authentication of clients for the Connection Server instance csvr-2. Clients with automatically generated passwords can authenticate themselves without providing a password.
vdmadmin -Q -enable -s csvr-2
Enable authentication of clients for the Connection Server instance csvr-3, and require that the clients specify their passwords to Horizon Client. Clients with automatically generated passwords cannot authenticate themselves.
vdmadmin -Q -enable -s csvr-3 -requirepassword
Disable authentication of clients for the Connection Server instance csvr-1.
vdmadmin -Q -disable -s csvr-1
Display information about clients in text format. Client cm-00_0c_29_0d_a3_e6 has an automatically generated password, and does not require an end user or an application script to specify this password to Horizon Client. Client cm-00_22_19_12_6d_cf has an explicitly specified password, and requires the end user to provide this. The Connection Server instance CONSVR2 accepts authentication requests from clients with automatically generated passwords. CONSVR1 does not accept authentication requests from clients in kiosk mode.
C:\ vdmadmin -Q -clientauth -list Client Authentication User List =============================== GUID : 94be6344-0c9b-4a92-8d54-1brc1c2dc282 ClientID : cm-00_0c_29_0d_a3_e6 Domain : myorg.com Password Generated: true GUID : 471d9d35-68b2-40ee-b693-56a7d92b2e25 ClientID : cm-00_22_19_12_6d_cf Domain : myorg.com Password Generated: false Client Authentication Connection Servers ======================================== Common Name : CONSVR1 Client Authentication Enabled : false Password Required : false Common Name : CONSVR2 Client Authentication Enabled : true Password Required : false