VMware Horizon Community
Erossman
Enthusiast

Horizon Published Apps - Client Restriction

Hi Guys,

I am testing the new feature in Horizon 7.3.1 with an RDS host (2012 R2) to restrict access to my published apps.

I enabled "client restrictions" for WordPad in the application options. After that, I created a new security group and put my trusted Windows endpoints in this group.

This group is entitled to the WordPad app. My user is entitled, too.

If I now try to start this published app on my Windows 7 client (Horizon Client 4.6.1), I get an error message: My client is not allowed to use the application.

In the logs on the connection server I can see the following:

2017-11-16T10:04:37.855+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [XmlServlet] (SESSION:6922_***_e468) Processing: set-user-global-preferences

2017-11-16T10:04:37.855+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [XmlServlet] (SESSION:6922_***_e468) Finished processing: set-user-global-preferences, Result: ok

2017-11-16T10:04:37.855+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [XmlServlet] (SESSION:6922_***_e468) Processing: application-connection

2017-11-16T10:04:37.855+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] ws_winauth_operation: getUserInformation

2017-11-16T10:04:37.855+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] Impersonation not indicated

2017-11-16T10:04:37.856+01:00 DEBUG (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] fetching information for S-1-5-21-116911503-2493464564-1551068218-1107

2017-11-16T10:04:37.856+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] Reusing a connection list (bind=LDAP://ffm.testdomain.de, authId=03e7)

2017-11-16T10:04:37.856+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] Reusing connectionEntry (bind=LDAP://ffm.testdomain.de, connectionEntry=0x147c830)

2017-11-16T10:04:37.856+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] pDS=0x4468d08 being used by connectionEntry=0x147c830

2017-11-16T10:04:37.858+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] Releasing a connection to the freepool (bind=LDAP://ffm.testdomain.de)

2017-11-16T10:04:37.858+01:00 TRACE (0D5C-2350) <MessageFrameWorkDispatch> [ws_winauth] Released a binding (bind=LDAP://ffm.testdomain.de)

2017-11-16T10:04:37.859+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [EventLogger] (SESSION:6922_***_e468) Info_Event:[BROKER_APPLICATION_REQUEST] "User FFM\ero requested Application wordpad": UserSID=S-1-5-21-116911503-2493464564-1551068218-1107, SessionType=APPLICATION, Node=VDICB01.ffm.testdomain.de, Severity=INFO, Time=Thu Nov 16 10:04:37 CET 2017, Module=Broker, UserDisplayName=FFM\ero, ApplicationId=wordpad, Source=com.vmware.vdi.broker.DesktopsHandler, Acknowledged=true

2017-11-16T10:04:37.861+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [f] (SESSION:6922_***_e468) App map: {appDN=cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int, serverProtocolLevel=[PCOIP, RGS, RDP, BLAST], executablePath=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk, serverProtocolDefault=RDP, name=Wordpad, objectClass=[top, pae-Entity, pae-App, pae-WinApp, pae-ThinWinApp, pae-RDSApplication], member=[CN=S-1-5-21-116911503-2493464564-1551068218-515,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int, CN=S-1-5-21-116911503-2493464564-1551068218-1518,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int, CN=S-1-5-21-116911503-2493464564-1551068218-1476,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int, CN=S-1-5-21-116911503-2493464564-1551068218-1107,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int], serverGroup=cn=admin,ou=server groups,dc=vdi,dc=vmware,dc=int, clientRestrictions=true}

2017-11-16T10:04:37.863+01:00 WARN  (10D0-16EC) <ajp-nio-8009-exec-10> [DesktopsHandler] (SESSION:6922_***_e468) Client policy restrictions applied. Following launch item has been restricted : cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int

2017-11-16T10:04:37.863+01:00 ERROR (10D0-16EC) <ajp-nio-8009-exec-10> [DesktopsHandler] (SESSION:6922_***_e468) Failed to launch cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int for user ero: Client policy restrictions applied. Following launch item has been restricted : cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int

2017-11-16T10:04:37.864+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [DesktopsHandler] (SESSION:6922_***_e468) Exception while launching cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int:  com.vmware.vdi.broker.DesktopsHandler.a(SourceFile:2285)

com.vmware.vdi.broker.ClientRestrictionException: Client policy restrictions applied. Following launch item has been restricted : cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int

at com.vmware.vdi.broker.DesktopsHandler.a(SourceFile:2047)

at com.vmware.vdi.broker.DesktopsHandler.a(SourceFile:1850)

at com.vmware.vdi.broker.xml.ProcessorApplicationConnection.a(SourceFile:82)

at com.vmware.vdi.broker.xml.AbstractConnectionProcessor.c(SourceFile:282)

at com.vmware.vdi.broker.xml.AbstractProcessor.a(SourceFile:124)

at com.vmware.vdi.broker.servlets.XmlServlet.doPost(SourceFile:75)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at org.apache.catalina.filters.FailedRequestFilter.doFilter(FailedRequestFilter.java:94)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at net.propero.modules.properOps.ManagementFilter.doFilter(SourceFile:655)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at net.propero.portal.filters.AuthorizationFilter.doFilter(SourceFile:2476)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at com.vmware.vdi.broker.filters.ClientAuthFilter.doFilter(SourceFile:100)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

at com.vmware.vdi.broker.filters.DisclaimerAuthFilter.doFilter(SourceFile:238)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at net.propero.portal.filters.ProperoAuthFilter.doFilter(SourceFile:548)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at com.vmware.vdi.broker.filters.ValidatingFilter.doFilter(SourceFile:87)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at com.vmware.vdi.broker.filters.XmlAuthFilter.doFilter(SourceFile:84)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at com.vmware.vdi.broker.filters.EncodingFilter.doFilter(SourceFile:28)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at com.vmware.vdi.broker.filters.ServerConfigurationFilter.doFilter(SourceFile:209)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at com.vmware.vdi.broker.filters.LoggingFilter.doFilter(SourceFile:104)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)

at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)

at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:486)

at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)

at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)

at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1457)

at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

at java.lang.Thread.run(Thread.java:748)

2017-11-16T10:04:37.864+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [EventLogger] (SESSION:6922_***_e468) Error_Event:[BROKER_APPLICATION_LAUNCH_FAILURE] "Unable to launch from Pool admin for user FFM\ero: The broker encountered an error while processing the request, please contact support for assistance": ProtocolId=PCOIP, SessionType=APPLICATION, PoolId=admin, Node=VDICB01.ffm.testdomain.de, Severity=ERROR, Time=Thu Nov 16 10:04:37 CET 2017, Source=com.vmware.vdi.broker.DesktopsHandler, UserSID=S-1-5-21-116911503-2493464564-1551068218-1107, Module=Broker, UserDisplayName=FFM\ero, ApplicationId=wordpad, Acknowledged=true

2017-11-16T10:04:37.864+01:00 INFO  (10D0-16EC) <ajp-nio-8009-exec-10> [SessionLaunchContext] (SESSION:6922_***_e468) FFM\ero, Application=wordpad: Session request failed.

(SESSION:6922_***_e468) [FFM\ero, Application=wordpad] (2ms): Application launch failed, exception was: Client policy restrictions applied. Following launch item has been restricted : cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int

2017-11-16T10:04:37.865+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [XmlServlet] (SESSION:6922_***_e468) Finished processing: application-connection, Result: error, Error Code: APPLICATION_LAUNCH_ERROR, Error Message: failed launching connection: com.vmware.vdi.broker.ClientRestrictionException: Client policy restrictions applied. Following launch item has been restricted : cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int, User Message: Der Client darf diese Anwendung nicht verwenden. Wenden Sie sich an Ihren Systemadministrator.

2017-11-16T10:04:37.865+01:00 DEBUG (0D5C-1F5C) <MessageFrameWorkDispatch> [MessageFrameWork] System::WriteWindowsEvent

2017-11-16T10:04:37.865+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [XmlServlet] (SESSION:6922_***_e468) End processing: set-user-global-preferences,application-connection

2017-11-16T10:04:37.866+01:00 DEBUG (1260-1734) <AJP-0> [SimpleAJPService] (ajp:broker:Request14551) Response 200 OK

So what did I do wrong?

Regards,

VM-Master
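
Added example (not part of the original post, and not VMware code): a small Python parser for the connection server log format quoted above. For each refused launch it reports the user, the restricted item, whether the app map carried clientRestrictions=true, and the entitled SIDs other than the user's own, which can then be checked against the group created for the trusted endpoints. The function and field names are assumptions made for this example.

```python
import re

# Constructed sample: four lines abridged from the connection server log quoted in the post.
SAMPLE_LOG = r'''
2017-11-16T10:04:37.859+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [EventLogger] (SESSION:6922_***_e468) Info_Event:[BROKER_APPLICATION_REQUEST] "User FFM\ero requested Application wordpad": UserSID=S-1-5-21-116911503-2493464564-1551068218-1107, SessionType=APPLICATION
2017-11-16T10:04:37.861+01:00 DEBUG (10D0-16EC) <ajp-nio-8009-exec-10> [f] (SESSION:6922_***_e468) App map: {appDN=cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int, member=[CN=S-1-5-21-116911503-2493464564-1551068218-515,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int, CN=S-1-5-21-116911503-2493464564-1551068218-1107,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int], clientRestrictions=true}
2017-11-16T10:04:37.863+01:00 WARN  (10D0-16EC) <ajp-nio-8009-exec-10> [DesktopsHandler] (SESSION:6922_***_e468) Client policy restrictions applied. Following launch item has been restricted : cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int
2017-11-16T10:04:37.863+01:00 ERROR (10D0-16EC) <ajp-nio-8009-exec-10> [DesktopsHandler] (SESSION:6922_***_e468) Failed to launch cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int for user ero: Client policy restrictions applied. Following launch item has been restricted : cn=wordpad,ou=applications,dc=vdi,dc=vmware,dc=int
'''

# timestamp, level, (process-thread), <thread name>, [source], optional (SESSION:id), message
LINE = re.compile(r'^(?P<ts>\S+) (?P<level>[A-Z]+)\s+\(\S+\) <[^>]+> \[[^\]]+\] '
                  r'(?:\(SESSION:(?P<session>[^)]+)\) )?(?P<msg>.*)$')
REQUEST = re.compile(r'"User (?P<user>\S+) requested Application [^"]+"')
USER_SID = re.compile(r'UserSID=(S-1-[\d-]+)')
MEMBER_SID = re.compile(r'CN=(S-1-5-21-[\d-]+),CN=ForeignSecurityPrincipals')
DENIED = re.compile(r'Client policy restrictions applied\. Following launch item '
                    r'has been restricted : (?P<dn>\S+)')


def denied_launches(text):
    """Return one record per WARN-level client-restriction denial, with session context."""
    sessions, records = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m['session']:
            continue  # not a session-scoped log line (stack frames, blank lines, ...)
        ctx = sessions.setdefault(
            m['session'], {'user': None, 'user_sid': None, 'sids': [], 'flag': None})
        msg = m['msg']
        if (req := REQUEST.search(msg)):
            sid = USER_SID.search(msg)
            ctx['user'], ctx['user_sid'] = req['user'], sid[1] if sid else None
        elif msg.startswith('App map:'):
            ctx['sids'] = MEMBER_SID.findall(msg)
            ctx['flag'] = 'clientRestrictions=true' in msg
        elif m['level'] == 'WARN' and (hit := DENIED.search(msg)):
            # Only the WARN line is counted; the ERROR line repeats the same denial.
            records.append({
                'time': m['ts'], 'session': m['session'], 'user': ctx['user'],
                'item': hit['dn'], 'client_restrictions': ctx['flag'],
                'other_entitled_sids': [s for s in ctx['sids'] if s != ctx['user_sid']],
            })
    return records
```
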

2 Replies
kevinpower
Enthusiast

Hello Erossman,

Just in case, is the user group part of the policy "Allow log on through Terminal Services" under the GPO, Security Settings, Local Policies, User Rights Assignment?

Greetz,

Kevin

Erossman
Enthusiast

Hi Kevin,

I already set this policy to the group "NT AUTHORITY\Authenticated Users". I sometimes had trouble logging on to the RDS server if it was not configured.