With Horizon Client for Windows, when users select Log in as current user in the Options menu, the credentials that they provided when logging in to the client system are used to authenticate to the connection broker instance and to the remote desktop using Kerberos. No further user authentication is required.
If you are enrolled with Windows Hello for Business with certificate trust on the client system, Windows Hello for Business issued user logon certificate is used for single sign-on to the Horizon Agent system. For more information, see "Authentication with Windows Hello for Business" in the Horizon Administration document.
To support this feature, user credentials are stored on both the connection broker instance and on the client system.
- On the connection broker instance, user credentials are encrypted and stored in the user session along with the username, domain, and optional UPN. The credentials are added when authentication occurs and are purged when the session object is destroyed. The session object is destroyed when the user logs out, the session times out, or authentication fails. The session object resides in volatile memory and is not stored in Horizon LDAP or in a disk file.
- On the connection broker instance, enable the Accept logon as current user setting to allow the connection broker instance to accept the user identity and credential information that is passed when users select Log in as current user in the Options menu in Horizon Client.
Important: You must understand the security risks before enabling this setting. See, "Security-Related Server Settings for User Authentication" in the Horizon Security document.
- On the client system, user credentials are encrypted and stored in a table in the Authentication Package, which is a component of Horizon Client. The credentials are added to the table when the user logs in and are removed from the table when the user logs out. The table resides in volatile memory.
When you select Accept logon as current user, you can enable the following user settings:
- Allow Legacy Clients: Support for older clients. Horizon Client versions 2006 and 5.4 and earlier versions are considered older clients.
- Allow NTLM Fallback: Uses NTLM authentication instead of Kerberos when there is no access to the domain controller. The NTLM group policy settings must be enabled in Horizon Client configuration.
- Disable Channel Bindings: An additional security layer to secure NTLM authentication. By default, channel bindings are enabled on the client.
Note: If channel binding is enabled, confirm that NTLMv2 is turned on using the LMCompatibilityLevel switch and that the security level 3 or higher in the user environment. For more information, see the Microsoft documentation here.
- True SSO Integration: Enable this setting on the connection broker to allow SSO to the desktop using True SSO. For example, in a nested mode, True SSO is used to log on to a nested client and then a secondary desktop logon was performed. For information on nested mode, see the Horizon Client for Windows Guide.
- Disabled: The user has to enter login information if the client did not receive logon credentials.
- Optional: Client credentials are used, if available; otherwise True SSO are used. This is the recommended setting if both True SSO and Log in as current user are enabled.
- Enabled: True SSO is used to log on to the desktop.
Administrators can use Horizon Client group policy settings to control the availability of the Log in as current user setting in the Options menu and to specify its default value. Administrators can also use group policy to specify which connection broker instances accept the user identity and credential information that is passed when users select Log in as current user in Horizon Client.
The Log in as current user feature has the following limitations and requirements:
- When smart card authentication is set to Required on a connection broker instance, authentication fails for users who select Log in as current user when they connect to the connection broker instance. These users must reauthenticate with their smart card and PIN when they log in to connection broker.
- The time on the system where the client logs in and the time on the connection broker host must be synchronized.
- If the default Access this computer from the network user-right assignments are modified on the client system, they must be modified as described in VMware Knowledge Base (KB) article 1025691.