Restricting View Desktop Access - VMware VIEW 4.5 - ARCHITECTURE PLANNING EN-000350-00 Manual

View architecture planning guide

Log In as Current User Feature
When View Client users select the Log in as current user check box, the credentials that they provided when
logging in to the client system are used to authenticate to the View Connection Server instance and to the View
desktop. No further user authentication is required.
To support this feature, user credentials are stored on both the View Connection Server instance and on the
client system.
- On the View Connection Server instance, user credentials are encrypted and stored in the user session
  along with the username, domain, and optional UPN. The credentials are added when authentication
  occurs and are purged when the session object is destroyed. The session object is destroyed when the user
  logs out, the session times out, or authentication fails. The session object resides in volatile memory and
  is not stored in View LDAP or in a disk file.
- On the client system, user credentials are encrypted and stored in a table in the Authentication Package,
  which is a component of View Client. The credentials are added to the table when the user logs in and are
  removed from the table when the user logs out. The table resides in volatile memory.
Administrators can use View Client group policy settings to control the availability of the Log in as current user
check box and to specify its default value. Administrators can also use group policy to specify which View
Connection Server instances accept the user identity and credential information that is passed when users
select the Log in as current user check box in View Client.
The Log in as current user feature has the following limitations and requirements:
- If smart card authentication is set to Required on a View Connection Server instance, smart card users
  who select the Log in as current user check box must still reauthenticate with their smart card and PIN
  when logging in to the View desktop.
- Users cannot check out a desktop for use in local mode if they selected the Log in as current user check
  box when they logged in.
- The time on the system where the client logs in and the time on the View Connection Server host must be
  synchronized.
- If the default Access this computer from the network user-right assignments are modified on the client
  system, they must be modified as described in VMware Knowledge Base (KB) article 1025691.

Restricting View Desktop Access

You can use the restricted entitlements feature to restrict View desktop access based on the View Connection
Server instance that a user connects to.
With restricted entitlements, you assign one or more tags to a View Connection Server instance. Then, when
configuring a desktop pool, you select the tags of the View Connection Server instances that you want to be
able to access the desktop pool. When users log in through a tagged View Connection Server instance, they
can access only those desktop pools that have at least one matching tag or no tags.
For example, your VMware View deployment might include two View Connection Server instances. The first
instance supports your internal users. The second instance is paired with a security server and supports your
external users. To prevent external users from accessing certain desktops, you could set up restricted
entitlements as follows:
- Assign the tag "Internal" to the View Connection Server instance that supports your internal users.
- Assign the tag "External" to the View Connection Server instance that is paired with the security server
  and supports your external users.
- Assign the "Internal" tag to the desktop pools that should be accessible only to internal users.
- Assign the "External" tag to the desktop pools that should be accessible only to external users.
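
The matching rule described above, including its "or no tags" case, as an added Python example that is not part of the VMware manual: it checks a constructed inventory for sensitive pools that remain reachable through the externally facing instance. The server and pool names, the `external` flag and the sensitive-pool list are assumptions made for illustration.

```python
# Added example: models the restricted-entitlements rule for tagged
# View Connection Server instances. All inventory data is constructed.

def pool_visible(server_tags, pool_tags):
    """Rule from the text: through a tagged instance, a pool is accessible
    if it has no tags or shares at least one tag with the instance."""
    if not server_tags:
        # The text states the rule for tagged instances only.
        raise ValueError("rule in the text covers tagged instances only")
    return not pool_tags or bool(set(server_tags) & set(pool_tags))

def audit(servers, pools, sensitive):
    """Return (server, pool, reason) findings for sensitive pools that are
    reachable through an externally facing Connection Server."""
    findings = []
    for name, srv in servers.items():
        if not srv["external"]:
            continue
        if not srv["tags"]:
            # Outside the stated rule: flag for separate review.
            findings.append((name, None, "external instance has no tags"))
            continue
        for pool in sensitive:
            tags = pools[pool]
            if pool_visible(srv["tags"], tags):
                reason = "pool is untagged" if not tags else "shared tag"
                findings.append((name, pool, reason))
    return findings

# Constructed inventory (hypothetical names; "external" is an assumed flag)
SERVERS = {
    "cs-internal": {"tags": {"Internal"}, "external": False},
    "cs-external": {"tags": {"External"}, "external": True},
}
POOLS = {
    "finance": {"Internal"},           # internal only, as in the text
    "kiosk": {"External"},
    "engineering": set(),              # never tagged: visible everywhere
    "hr": {"Internal", "External"},    # tagged for both instances
}
SENSITIVE = ["finance", "engineering", "hr"]

if __name__ == "__main__":
    for finding in audit(SERVERS, POOLS, SENSITIVE):
        print(finding)
```

The untagged "engineering" pool is reported because a pool with no tags matches every tagged instance, so a pool meant for internal users only needs the "Internal" tag assigned explicitly.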
VMware, Inc.
Chapter 5 Planning for Security Features

This manual is also suitable for: View manager 4.5, View composer 2.5