2 Replies Latest reply on Nov 21, 2017 1:36 PM by Erossman

    Horizon Published Apps - Client Restriction

    Erossman Enthusiast

      Hi Guys,

       

      I am testing the new feature in Horizon 7.3.1 with an RDS host (2012 R2) to restrict access to my published apps.

      I enabled "client restrictions" for wordpad in the application options. After that I created a new security group and put my trusted Windows endpoints in this group.

      This group is entitled to the wordpad app. My user is entitled, too.

       

      If I now try to start this published app on my Windows 7 client (Horizon Client 4.6.1), I get an error message: My client is not allowed to use the application.

       

       


       

       

       

      In the logs on the connection server I can see the following:

       

       

      2017-11-16T10:04:37.855+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [XmlServlet] (SESSION:6922_***_e468) Processing: set-user-global-preferences

      2017-11-16T10:04:37.855+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [XmlServlet] (SESSION:6922_***_e468) Finished processing: set-user-global-preferences, Result: ok

      2017-11-16T10:04:37.855+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [XmlServlet] (SESSION:6922_***_e468) Processing: application-connection

      2017-11-16T10:04:37.855+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] ws_winauth_operation: getUserInformation

      2017-11-16T10:04:37.855+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] Impersonation not indicated

      2017-11-16T10:04:37.856+01:00 DEBUG (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] fetching information for S-1-5-21-116911503-2493464564-1551068218-1107

      2017-11-16T10:04:37.856+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] Reusing a connection list (bind=LDAP://ffm.testdomain.de, authId=03e7)

      2017-11-16T10:04:37.856+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] Reusing connectionEntry (bind=LDAP://ffm.testdomain.de, connectionEntry=0x147c830)

      2017-11-16T10:04:37.856+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] pDS=0x4468d08 being used by connectionEntry=0x147c830

      2017-11-16T10:04:37.858+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] Releasing a connection to the freepool (bind=LDAP://ffm.testdomain.de)

      2017-11-16T10:04:37.858+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] Released a binding (bind=LDAP://ffm.testdomain.de)

      2017-11-16T10:04:37.859+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [EventLogger] (SESSION:6922_***_e468) Info_Event:[BROKER_APPLICATION_REQUEST] "User FFM\ero requested Application wordpad": UserSID=S-1-5-21-116911503-2493464564-1551068218-1107, SessionType=APPLICATION, Node=VDICB01.ffm.testdomain.de, Severity=INFO, Time=Thu Nov 16 10:04:37 CET 2017, Module=Broker, UserDisplayName=FFM\ero, ApplicationId=wordpad, Source=com.vmware.vdi.broker.DesktopsHandler, Acknowledged=true

      2017-11-16T10:04:37.861+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [f] (SESSION:6922_***_e468) App map: {appDN=cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int, serverProtocolLevel=[PCOIP, RGS, RDP, BLAST], executablePath=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk, serverProtocolDefault=RDP, name=Wordpad, objectClass=[top, pae-Entity, pae-App, pae-WinApp, pae-ThinWinApp, pae-RDSApplication], member=[CN=S-1-5-21-116911503-2493464564-1551068218-515,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int, CN=S-1-5-21-116911503-2493464564-1551068218-1518,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int, CN=S-1-5-21-116911503-2493464564-1551068218-1476,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int, CN=S-1-5-21-116911503-2493464564-1551068218-1107,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int], serverGroup=cn=admin,ou=server groups,dc=vdi,dc=vmware,dc=int, clientRestrictions=true}

      2017-11-16T10:04:37.863+01:00 WARN  (10D0-16EC) <ajp-nio-8009-exec-10> [DesktopsHandler] (SESSION:6922_***_e468) Client policy restrictions applied. Following launch item has been restricted : cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int

      2017-11-16T10:04:37.863+01:00 ERROR (10D0-16EC) <ajp-nio-8009-exec-10> [DesktopsHandler] (SESSION:6922_***_e468) Failed to launch cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int for user ero: Client policy restrictions applied. Following launch item has been restricted : cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int

      2017-11-16T10:04:37.864+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [DesktopsHandler] (SESSION:6922_***_e468) Exception while launching cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int:  com.vmware.vdi.broker.DesktopsHandler.a(SourceFile:2285)

      com.vmware.vdi.broker.ClientRestrictionException: Client policy restrictions applied. Following launch item has been restricted : cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int

      at com.vmware.vdi.broker.DesktopsHandler.a(SourceFile:2047)

      at com.vmware.vdi.broker.DesktopsHandler.a(SourceFile:1850)

      at com.vmware.vdi.broker.xml.ProcessorApplicationConnection.a(SourceFile:82)

      at com.vmware.vdi.broker.xml.AbstractConnectionProcessor.c(SourceFile:282)

      at com.vmware.vdi.broker.xml.AbstractProcessor.a(SourceFile:124)

      at com.vmware.vdi.broker.servlets.XmlServlet.doPost(SourceFile:75)

      at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)

      at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at org.apache.catalina.filters.FailedRequestFilter.doFilter(FailedRequestFilter.java:94)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at net.propero.modules.properOps.ManagementFilter.doFilter(SourceFile:655)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at net.propero.portal.filters.AuthorizationFilter.doFilter(SourceFile:2476)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at com.vmware.vdi.broker.filters.ClientAuthFilter.doFilter(SourceFile:100)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

      at com.vmware.vdi.broker.filters.DisclaimerAuthFilter.doFilter(SourceFile:238)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at com.vmware.vdi.broker.filters.ValidatingFilter.doFilter(SourceFile:87)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at com.vmware.vdi.broker.filters.XmlAuthFilter.doFilter(SourceFile:84)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at com.vmware.vdi.broker.filters.EncodingFilter.doFilter(SourceFile:28)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at com.vmware.vdi.broker.filters.ServerConfigurationFilter.doFilter(SourceFile:209)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at com.vmware.vdi.broker.filters.LoggingFilter.doFilter(SourceFile:104)

      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)

      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)

      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)

      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)

      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)

      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)

      at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:486)

      at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)

      at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)

      at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1457)

      at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

      at java.lang.Thread.run(Thread.java:748)

      2017-11-16T10:04:37.864+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [EventLogger] (SESSION:6922_***_e468) Error_Event:[BROKER_APPLICATION_LAUNCH_FAILURE] "Unable to launch from Pool admin for user FFM\ero: The broker encountered an error while processing the request, please contact support for assistance": ProtocolId=PCOIP, SessionType=APPLICATION, PoolId=admin, Node=VDICB01.ffm.testdomain.de, Severity=ERROR, Time=Thu Nov 16 10:04:37 CET 2017, Source=com.vmware.vdi.broker.DesktopsHandler, UserSID=S-1-5-21-116911503-2493464564-1551068218-1107, Module=Broker, UserDisplayName=FFM\ero, ApplicationId=wordpad, Acknowledged=true

      2017-11-16T10:04:37.864+01:00 INFO  (10D0-16EC) <ajp-nio-8009-exec-10> [SessionLaunchContext] (SESSION:6922_***_e468) FFM\ero, Application=wordpad: Session request failed.

      (SESSION:6922_***_e468) [FFM\ero, Application=wordpad] (2ms): Application launch failed, exception was: Client policy restrictions applied. Following launch item has been restricted : cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int

      2017-11-16T10:04:37.865+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [XmlServlet] (SESSION:6922_***_e468) Finished processing: application-connection, Result: error, Error Code: APPLICATION_LAUNCH_ERROR, Error Message: failed launching connection: com.vmware.vdi.broker.ClientRestrictionException: Client policy restrictions applied. Following launch item has been restricted : cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int, User Message: Der Client darf diese Anwendung nicht verwenden. Wenden Sie sich an Ihren Systemadministrator.

      2017-11-16T10:04:37.865+01:00 DEBUG (0D5C-1F5C) <MessageFrameWorkDispatch> [MessageFrameWork] System::WriteWindowsEvent

      2017-11-16T10:04:37.865+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [XmlServlet] (SESSION:6922_***_e468) End processing: set-user-global-preferences,application-connection

      2017-11-16T10:04:37.866+01:00 DEBUG (1260-1734) <AJP-0> [SimpleAJPService] (ajp:broker:Request14551) Response 200 OK

       

       

       

       

      So what did I do wrong?

       

       

      Regards,

      VM-Master
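
One way to pull client-restriction refusals out of a Connection Server debug log like the one quoted in the post, added here as an example (not part of the original post and not VMware code). The sample lines are constructed and shortened from the post's log format; the function and field names are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, shortened from the log format in the post (all values are made up).
SAMPLE_LOG = r'''
2017-11-16T10:04:37.859+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [EventLogger] (SESSION:aaaa_***_0001) Info_Event:[BROKER_APPLICATION_REQUEST] "User EXAMPLE\alice requested Application wordpad": UserSID=S-1-5-21-1111-2222-3333-1107, SessionType=APPLICATION, ApplicationId=wordpad
2017-11-16T10:04:37.861+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [f] (SESSION:aaaa_***_0001) App map: {appDN=cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int, member=[CN=S-1-5-21-1111-2222-3333-515,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int, CN=S-1-5-21-1111-2222-3333-1107,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int], clientRestrictions=true}
2017-11-16T10:04:37.863+01:00 WARN  (10D0-16EC) <ajp-nio-8009-exec-10> [DesktopsHandler] (SESSION:aaaa_***_0001) Client policy restrictions applied. Following launch item has been restricted : cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int
2017-11-16T10:05:02.100+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-11> [EventLogger] (SESSION:bbbb_***_0002) Info_Event:[BROKER_APPLICATION_REQUEST] "User EXAMPLE\bob requested Application calc": UserSID=S-1-5-21-1111-2222-3333-1200, SessionType=APPLICATION, ApplicationId=calc
'''

LINE = re.compile(r'^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+\(\S+\)\s+<[^>]+>\s+'
                  r'\[[^\]]+\]\s+\(SESSION:(?P<sess>[^)]+)\)\s+(?P<msg>.*)$')
REQUEST = re.compile(r'"User (?P<user>\S+) requested Application [^"]+":.*?UserSID=(?P<sid>S-[\d-]+)')
ENTITLED = re.compile(r'CN=(S-1-5-21-[\d-]+),CN=ForeignSecurityPrincipals')
DENIED = re.compile(r'Client policy restrictions applied\. '
                    r'Following launch item has been restricted : (?P<dn>.+)$')

def client_restriction_denials(log_text):
    """Return one record per launch refused by client restrictions, joined on the session tag."""
    sessions = defaultdict(dict)
    denials = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace frames and other lines without a session tag
        ctx, msg = sessions[m['sess']], m['msg']
        req = REQUEST.search(msg)
        if req:
            ctx.update(user=req['user'], user_sid=req['sid'])
        elif msg.startswith('App map:'):
            ctx['entitled_sids'] = ENTITLED.findall(msg)
        elif m['level'] == 'WARN' and DENIED.search(msg):
            denials.append({
                'time': m['ts'],
                'user': ctx.get('user'),
                'app_dn': DENIED.search(msg)['dn'],
                # True: the user's own SID is on the app's member list, so the refusal
                # came from the client check. False can still mean entitled via a group.
                'user_sid_listed': ctx.get('user_sid') in ctx.get('entitled_sids', []),
            })
    return denials

if __name__ == '__main__':
    for denial in client_restriction_denials(SAMPLE_LOG):
        print(denial)
```

Only the WARN line is counted, so the ERROR and DEBUG lines that repeat the same message for a session do not produce duplicate records.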