VMware Horizon Community
bverm
Enthusiast
Enthusiast
‎10-07-2014 07:26 AM
Jump to solution

Completely remove sdconf.rec from VMware Horizon View 6 connection server

Greetings,

I want to completely remove the uploaded sdconf.rec file from my VMWare Horizon View 6.0.1 connection server. In earlier versions it was so that I just had to remove the sdconf file from C:\Windows\System32 and set the pae-SecureIDConf attribute under CN=<servername>,OU=Server,OU=Properties,DC=vdi,DC=VMWare,DC=int to "0" but this attribute doesn't seem to exist anymore in version 6!

Just removing the sdconf file doesn't work, after doing this (even after a reboot) it still says "an sdconf file has been uploaded" when I check the settings of the connection server.

Does anybody know how to clear this file in version 6? I'm this close to just removing the whole connection and security server and doing a complete reïnstall. :smileysilly:

Thanks in advance!

Bram

0 Kudos
1 Solution

Accepted Solutions
markbenson
VMware Employee
VMware Employee
‎10-08-2014 01:28 AM
Jump to solution

bverm wrote:

Haha, yeah apparently I was typing the variable wrong, modifying the attribute works now but I still see "a sdconf.rec file is already uploaded" even after modifying the attribute and removing the sdconf.rec file in system32, same after a reboot of the connection server. Smiley Sad

That should be OK. What you've done is invalidated the sdconf.rec file. It probably will still exist, but look to see if it has been invalidated. i.e. it should now be much smaller than your original and hence not usable which I guess is what you wanted to achieve.

If you just want to disable RSA SecurID authentication, that can be done in View Administrator.

Please confirm.

Mark

View solution in original post

0 Kudos
5 Replies
markbenson
VMware Employee
VMware Employee
‎10-07-2014 10:19 AM
Jump to solution

Nothing's changed here so the procedure you outlined should still work. The attribute name is called pae-SecurIDConf though (not pae-SecureIDConf). Check with LDP.EXE.

Mark

bverm
Enthusiast
Enthusiast
‎10-08-2014 12:06 AM
Jump to solution

Haha, yeah apparently I was typing the variable wrong, modifying the attribute works now but I still see "a sdconf.rec file is already uploaded" even after modifying the attribute and removing the sdconf.rec file in system32, same after a reboot of the connection server. Smiley Sad

0 Kudos
markbenson
VMware Employee
VMware Employee
‎10-08-2014 01:28 AM
Jump to solution

bverm wrote:

Haha, yeah apparently I was typing the variable wrong, modifying the attribute works now but I still see "a sdconf.rec file is already uploaded" even after modifying the attribute and removing the sdconf.rec file in system32, same after a reboot of the connection server. Smiley Sad

That should be OK. What you've done is invalidated the sdconf.rec file. It probably will still exist, but look to see if it has been invalidated. i.e. it should now be much smaller than your original and hence not usable which I guess is what you wanted to achieve.

If you just want to disable RSA SecurID authentication, that can be done in View Administrator.

Please confirm.

Mark

0 Kudos
bverm
Enthusiast
Enthusiast
‎10-08-2014 01:36 AM
Jump to solution

Yeah I suppose I should clarify what i'm trying to achieve. Smiley Happy

We are having some troubles with our RSA SecureID authentication, we keep getting access denied but on the RSA authentication server we don't see anything in the log. So I wanted to make sure it's not a problem with the sdconf file that we generated. We tried replacing the sdconf file through view administrator as well as through ldp.exe but we keep getting the same errors.


So I figured we might want to start with a clean slate, remove all references to any sdconf file as if we're adding an sdconf file for the very first time, so to accomplish that I wanted to remove the sdconf file before adding a new one seeing as just updating doesn't seem to work.

I created a SR with VMware now because in the rsa_api.log file I see "User TIME's access is denied." and we never enter any logon for a user named "TIME", I figure it might be a bug.

However the original question, to completely remove sdconf.rec, has been answered so I'll mark your answer as correct answer. Thank you! Smiley Happy

0 Kudos
markbenson
VMware Employee
VMware Employee
‎10-08-2014 01:48 AM
Jump to solution

Thanks for the clarification.

OK, you don't need to remove sdconf.rec. In View Administrator, you simply upload a replacement one.

99% of RSA SecurID authentication problems with View are to do with the configuration on RSA Authentication Manager server and/or the subsequent upload of sdconf.rec to the View Connection Server.

We know this works as there are a large number of customers that use RSA SecurID with View without any problems. VMware test this and so do RSA.

Go through the procedure in the Admin Guide very carefully and go through the procedure for clearing node secret and you should get up and running.

Once you upload sdconf.rec into View Connection Server, it updates pae-SecurIDConf in LDAP which is replicated to all replica Connection Servers too and the sdconf.rec file is automatically updated on all servers so you never need to copy the file around to each server or even ever touch that file on each Connection Server.

As you say, the original question is answered now. If you still have trouble configuring RSA SecurID post a new question on this forum and someone will certainly be able to help.

Mark

0 Kudos