kooning
Contributor
Contributor

Roaming Windows credentials in VMware View

I've been working on a solution to provide the roaming of credentials users save in their view Sessions. Users do this mainly in web applications they use, but Office365 can be another reason people need to save credentials.

During this work I found no article that provided adequate information so I was spending hours on trial and error.

I'd like to share my findings with you since I managed to get everything to work as desired.

When you use VMWare View with floating assignment or clean up local profiles after logon you can expect that saved passwords won't be there after the next login. We have two "by design" issues to overcome.

1: VMWare Persona Management does not support roaming the roaming part(!!!) of appdata

2: Windows has a portion of the credential vault stored in %localappdata%. This is by default no roamed location.

When searching for solutions you'll probably find the VMWare KB below.  (KB: 2052573)

View Persona Management cannot redirect Windows credentials for the Crypto, Protect and SystemCertif...

This, however, only addresses the first issue. The steps written in "solution" will fix roaming of the roaming vault, but will not help allot since most applications write passwords to the non-roaming (localappdata) vault.

A better article I found was : http://www.rsmusconsultingpros.com/roaming-vmware-horizon-credentials-with-microsoft-office-click-to...

The steps written did fix my issue, but step 2 (Enable Roam local settings folder) made me worry. Localappdata can get big in amount of data or number of files. Persona management will need alot of time to log off and this will impact performance on View hosts and file servers.

I was surprised to find out this "persona management GPO" did not only enable roaming of the appdata\local folder, but also appdata\locallow. Even with my tiny test Windows account this had a huge impact. All temp files including internet cache will be roamed.

Entire Solution:

Within your VMware group policy go to Computer\Admin Templates\Classic Admin Templates\Vmware View Agent Config\Persona management\Roaming &
Synchronization

  • Enable Roam local settings folder
  • Enable Windows roaming profile synchronization and enter the following lines
    1. appdata\roaming\microsoft\credentials
    2. AppData\Roaming\Microsoft\SystemCertificates
    3. appdata\roaming\microsoft\protect
    4. appdata\roaming\microsoft\crypto
    5. appdata\local\microsoft\credentials
    6. appdata\local\microsoft\vault
  • Enable Files and folders excluded from roaming and     enter the following lines
    1. Appdata\Locallow
    2. Appdata\Local
  • Enable Files and folders excluded from roaming     (exceptions) and enter the following lines
    1. appdata\local\microsoft\credentials
    2. appdata\local\microsoft\vault

These combined settings gave me a profile with only the required folders in appdata\local

0 Replies