VMware Horizon Community
Rdiaz29
Enthusiast

Protecting Horizon View with MFA

Hi,

For those of you that have protected Horizon View with MFA (Multi-Factor Authentication), are you also protecting the desktops with MFA when users lock/unlock their OS (Operating System) screen? I ask because we would like to also protect the desktop when the user locks/unlocks their desktop, but if we load our MFA agent on the desktop OS, users will get a double MFA prompt when they connect to the VDI: 1) At the Horizon View level and 2) at the desktop OS login screen. 

Thanks.

5 Replies
bjohn
Enthusiast

We only have it on the initial login. As you said, installing the agent (SafeNet in our case) would cause a double login.

jmacdaddy
Enthusiast

You could create a Windows scheduled task for all users that runs tsdiscon.exe when triggered by the user locking the workstation.  This would disconnect their virtual desktop session but leave them logged in.  The user would be presented with the Horizon Client login window where they would have to re-enter their MFA challenge with their username and pw.

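The scheduled task suggested in the reply above, as an added example that is not part of the original posts: it registers a task on the virtual desktop that runs tsdiscon.exe in the user's own session whenever the workstation is locked. The task name is hypothetical, and the script is assumed to run elevated on the desktop image.

```powershell
# Added example (not from the thread): disconnect the session when the user locks it.
$taskName = 'Disconnect-OnLock'   # hypothetical task name

# New-ScheduledTaskTrigger has no "on workstation lock" option, so the
# session-state-change trigger is built directly from its CIM class.
$triggerClass = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' `
                             -ClassName 'MSFT_TaskSessionStateChangeTrigger'
$onLock = New-CimInstance -CimClass $triggerClass -ClientOnly -Property @{
    StateChange = 7       # TASK_SESSION_LOCK (8 would be unlock)
    Enabled     = $true
}

# tsdiscon.exe with no arguments disconnects the session it runs in,
# leaving the user logged on to the desktop.
$action = New-ScheduledTaskAction -Execute (Join-Path $env:SystemRoot 'System32\tsdiscon.exe')

# Run as whichever member of Users is logged on, without elevation,
# so the task acts on that user's own session.
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited

$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
                                         -ExecutionTimeLimit (New-TimeSpan -Minutes 1)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $onLock `
                       -Principal $principal -Settings $settings -Force | Out-Null

# Confirm the lock trigger was stored on the task.
(Get-ScheduledTask -TaskName $taskName).Triggers |
    Select-Object @{ n = 'Type'; e = { $_.CimClass.CimClassName } }, StateChange, Enabled
```

As the later replies in this thread point out, a disconnect only sends the user back through the Horizon login on clients that return to the login page when the session drops.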
Rdiaz29
Enthusiast

In my experience, a disconnect will kick the user back to the Horizon View Login page only on Teradici Zero Clients and that solution works great with these devices. However, if you use the HTML or Horizon Client software, the window or page that contains the available desktop pools is still there. The user can reconnect by using the pools. If credentials have been discarded, they will be prompted for the AD password. If credentials have not been discarded, they will reconnect with no password needed.

If I was able to disconnect the user (not log them off as you said) and also kick them back to the Horizon Login page, that would definitely be a solution. I don't think this is even possible via the Horizon Admin console or PowerCLI. I've looked around. You can only disconnect or log the user off from the desktop, which still leaves that pools window in the background.

jmacdaddy
Enthusiast

Not sure about the HTML client, but with the full Windows Client you can add "-hideClientAfterLaunchSession true" to the shortcut and you should get the desired behavior. 

https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Force-View-Client-to-close-after-logoff-... 

Rdiaz29
Enthusiast

Good to know there is an option for the Horizon Client. Internally we use Teradici Zero Clients, so there is no shortcut to manage. For external users, we don't manage their devices and therefore can't manage their shortcuts.
