VMware Horizon Community
szilagyic
Hot Shot

Re-authenticating from a Windows client after lock

Hello:

We are currently deploying our own "Thin client" solution here which is basically on Windows 10 for the thin OS, and using the Windows version of the Horizon Client.  The users must log in with their credentials to the physical thin client itself for some required applications to run and identify the user properly, as well as GPOs, etc.

For users on this solution, what we are faced with is the VM and the laptop will lock their screens after 15 minutes.  This is a company policy for all machines to lock after 15 minutes for security reasons.  When unlocking, they must authenticate to the physical thin client first, then authenticate in the VM, both to get back to their VM.  This only happens when the user is already logged in to their VM and walks away long enough for it to automatically lock.  We have our GPOs set to pass through Windows authentication, so when they first log on initially it does pass through the credentials so the user only has to authenticate once there.  The issue is when they are already logged in and their machines lock, and they have to authenticate, it doesn't seem to pass that authentication through.

Unfortunately, we are kind of stuck but I was curious if there are any solutions to get around this, that are more baked in or integrated with the Horizon Client or thin clients.  If possible we don't want to purchase a 3rd party product unless necessary.  I have looked and so far do not see a built in way to handle this.  I have not yet looked at 3rd party solutions either, as this is more of a question if it's possible with what we have, basically Windows and the Horizon Client.

I appreciate any and all feedback on any solutions that may take care of the re-authentication.  Thanks!!


Accepted Solutions
Ray_handels
Virtuoso

Hey.

It's the exact same issue we have and the answer is very short: no, you can't. Thing is that when the machine is locked (the VDI, that is) it won't pass the credentials to the client.

What you see happening with tools like Stratodesk or Igel is that they don't log on to the domain with the client itself, they start the client fullscreen and log in to the VDI directly.

When using a TC you see the exact same thing happening, the TC cannot be locked and thus the VDI can be locked.

You do have 1 other option though but it would require a reg setting and then you must lock the client machine.

Set the following reg setting on all VDI machines that are being connected to with the W10 Thin client machines. This disables the functionality to lock the workstation.

Please keep in mind if users are using it with a TC or from home they can't lock the workstation either. Or you need to change it with a script depending on client and location. The setting is applied instantly, no need to log off.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation

Here's the link..

How to Disable the Lock Workstation Functionality (Window+L) in Windows
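
The "script depending on client and location" mentioned in the reply above, sketched as an added example (not part of the original post and not VMware code). It assumes the Horizon Agent publishes the ViewClient_* session values under HKCU\Volatile Environment and that managed thin clients follow a hypothetical TC-* naming convention; the VDI lock stays enabled unless every condition matches.

```powershell
# Added example: run inside the VDI desktop at logon and at session reconnect.
# Assumptions (not from the thread): ViewClient_* values are published under
# HKCU:\Volatile Environment; managed thin clients are named 'TC-*'.

$PolicyKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName        = 'DisableLockWorkstation'
$ManagedTcPattern = 'TC-*'   # hypothetical naming convention

function Get-HorizonClientInfo {
    # Look at the key itself and at any per-session subkeys.
    $root = 'HKCU:\Volatile Environment'
    $keys = @($root) + @(Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
                         ForEach-Object { $_.PSPath })
    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p -and $p.PSObject.Properties['ViewClient_Machine_Name']) { return $p }
    }
    return $null   # not a Horizon session, or values not published
}

function Test-LockMayBeDisabled {
    param($Info)
    # Fail closed: any missing value keeps the VDI lock enabled.
    if (-not $Info) { return $false }
    return ($Info.ViewClient_Type -eq 'Windows') -and
           ($Info.ViewClient_Broker_GatewayLocation -eq 'Internal') -and
           ($Info.ViewClient_Machine_Name -like $ManagedTcPattern)
}

$info = Get-HorizonClientInfo
if (Test-LockMayBeDisabled -Info $info) {
    # Managed internal thin client: the physical client's own lock protects the session.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
} else {
    # Home PC, external gateway, other client type: make sure the VDI can lock.
    Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
}
```

Standard users normally cannot write under the Policies key, so the script needs a context that can. The client-reported values are supplied by the endpoint, so treat the machine-name match as a convenience filter rather than a trust decision.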

4 Replies
szilagyic
Hot Shot

You do have 1 other option though but it would require a reg setting and then you must lock the client machine.

Hi Ray and thanks for the feedback.  I guess it's good that we aren't the only one facing this.

Unfortunately we want our VDI sessions to lock at all times, because we have people connecting in from who knows what.  Not only devices, but maybe even public PCs or things like that.  We want to ensure the VDI session itself locks, at a minimum.  We are only facing the challenge with laptops where people must log in with their own credentials, not only to apply GPOs but to authenticate to wifi and other things.  So we are kind of stuck.  I did also run this by our local VMware EUC contact for our account and they too did not have anything on this.  I guess for now we will have to deal with it as-is.  At some point we may have to revisit and I guess pull out the VDI VMs and apply some sort of separate GPO just for laptop users.  This would be quite complex so nothing we can do right now.

Again thanks for your help!

Chris

virtualfervent
Contributor

Hello Folks,

You may want to upgrade to Horizon 7.2 with client 4.5 and benefit from the Recursive Unlock feature. Hope this addresses your issue permanently: https://getadmx.com/?Category=VMware_Horizon_7&Policy=VMware.Policies.vdm_client::EnableRecursiveUnl...

TechMassey
Hot Shot

If you set the global SSO setting in View Admin to greater than 15 min, it should resolve this issue. I would set it to 30 min, start a new login session, lock it, come back after 20 min. You should be able to get back to the desktop with only the initial authentication at the thin client. 


Please help out! If you find this post helpful and/or the correct answer. Mark it! It helps recognize contributions to the VMTN community and well me too 🙂