[SOLVED] Single Sign On Passthrough


D81
Solved by Sean Massey-1

Hi

I have recently implemented a Horizon 8 site. The test users are complaining about one basic thing when a user wants to access his published desktops:

  1. The user logs into his local computer (which is joined to the AD)
  2. Then he launches the Horizon client and selects the Horizon Connection server
  3. Then he logs in again with the AD credentials on the Horizon client

So, is there any way to automatically pass through the credentials of the user's computer (AD) to the Horizon client?

The main problem is that the customer has a GPO that forces the screen of the user session to lock every 10 minutes, so in case the user is idle for 10 minutes the session closes on both the VDI and the local computer, and when the user comes back he must first unlock his computer session and later he must unlock his VDI session again.

Thanks


Thanks! That's supposed to be the solution, but I have activated the "login as current user" and it doesn't work.

The user has to log in always on both the local computer and the VDI session. 

This is the current config:

[Screenshot of the current configuration]

So can you clarify the problem you're looking to solve?  I'm hearing two different things here.

1. The user has to enter their username and password to sign into Horizon and launch a virtual desktop.

2. The user's sessions (both local and remote) get locked when the local session locks after 10 minutes of inactivity.

Am I understanding this correctly? 

I feel like there are details missing here, like is the user launching the Horizon Client for the first time (i.e. the client is closed/not running on the PC) and seeing this?  Or is the client running but minimized and they are constantly being prompted for their password because their local session is idle?

Sean Massey
Independent Consultant/Analyst/Blogger | VCDX-EUC 247
Vice Chairman of the Board - World of EUC
Blog: thevirtualhorizon.com  Mastodon: @seanpmassey@vmst.io Instagram/Thread:
@seanpmassey LI: https://www.linkedin.com/in/seanpmassey/

Hi @Sean Massey-1

Sorry if I wasn't clear on my explanations. Let me explain it again...

The customer has two different annoying behaviours related to the user logins:

In the first case the problem is that when the user arrives in the morning at his office and logs in to the local computer with his AD credentials, he then has to log in again with the same credentials on the Horizon client. This is not very annoying because it is supposed to happen just once a day, but it would be nice if the first "local computer login" could pass the credentials to the Horizon client automatically.

The second problem is that the customer has a GPO to block sessions at 10 minutes of idle activity, which is applied by default to all the computers of the Domain. Thus it also affects both the local (laptop) and remote (VDI) sessions. So when the user session is idle for 10 minutes, both the local and remote sessions get locked. At that point, when the user comes back and logs into his local computer, he has to log in again with the same credentials on the remote VDI session. That is the most annoying problem for them.

As far as I understand, the feature mentioned in the previous message, "Accept logon as current user", should fix the problem (at least in the first case) because when the user logs in for the first time on the local computer and then opens the Horizon client, he should not be asked for credentials because it should use the local computer credentials. However, he still is...

So at this point I'm not sure if I'm doing something wrong or if I haven't properly understood the "accept logon as current user" use case.


  • Solution
7 minutes ago, D81 said:

In the first case the problem is that when the user arrives in the morning at his office and logs in to the local computer with his AD credentials, he then has to log in again with the same credentials on the Horizon client. This is not very annoying because it is supposed to happen just once a day, but it would be nice if the first "local computer login" could pass the credentials to the Horizon client automatically.

So this can be easy to solve.  It requires two things.  First, it requires enabling the connection server to accept logon as the current user as @Dominik stated and posted directions for.  Second, it requires the user to enable the logon as current user option in the Horizon Client as documented in step 3 here: https://docs.omnissa.com/bundle/HorizonClient-WindowsGuideV2406/page/ConnecttoaRemoteDesktoporPublishedApplicationfromHorizonWindowsClient.html

Quote

To log in as the currently logged-in Windows domain user, click the Options menu (… icon) in the upper-right corner of the menu bar and select Log in As Current User.

 

9 minutes ago, D81 said:

The second problem is that the customer has a GPO to block sessions at 10 minutes of idle activity, which is applied by default to all the computers of the Domain. Thus it also affects both the local (laptop) and remote (VDI) sessions. So when the user session is idle for 10 minutes, both the local and remote sessions get locked. At that point, when the user comes back and logs into his local computer, he has to log in again with the same credentials on the remote VDI session. That is the most annoying problem for them.

As far as I understand, the feature mentioned in the previous message, "Accept logon as current user", should fix the problem (at least in the first case) because when the user logs in for the first time on the local computer and then opens the Horizon client, he should not be asked for credentials because it should use the local computer credentials. However, he still is...

I'll be honest.  I've never tested that feature.  So I can't say how well that works.

It has been an annoyance for users I've worked with in the past, and it may just be a change they need to get used to.


Thanks Sean! I didn't see the Login as current user option on the Horizon client but I will check it again and I will provide feedback.

Regarding the second case, I think that one simple option could be to apply the lock screen GPO only to the client machine and not to the VDI (or at least increase the timeout for the VDI). Cause if the main reason is that if the user client session is already blocked then anyone can log into the user session from it. 

 

EDIT: It works! Activating the "Log as current user" on both Connection Server and Horizon Client fixed the first and the second annoying issues, so both cases are solved!
