VMware Horizon Community
michael12
Contributor

Smart card authentication with SSO works with RDP but not with PCoIP

Hi

I am trying to connect to our View Connection Server using an Aladdin eToken Pro 64k and then log on to the virtual desktop using single sign-on. My local client is running Windows 7 using the SafeNet Authentication Client 8.0 SP2 as PKI Client and eToken Driver. View Connection Server, View Client and View Agent are release 4.6.0 366101.

If I connect to the View Connection Server I’m asked to enter my PIN and get forwarded to the Pool selection mask. So, smart card authentication works fine, I think.

If I now choose our test pool and connect to it using RDP, the single sign-on works and I can use my certificate to sign emails etc. as usual on my physical client.

If I choose PCoIP to connect to the same pool/VM, single sign-on doesn’t work and Windows 7 comes up with the user selection screen (3 icons in the middle). The first icon is the last logged in user, the center icon is "different user", and the third icon is "VMware SSO User". When I now log in using my username and password, I’m not able to use my smart card, even if I connect it manually to the VM using the pull-down menu.

There is a KB article describing my problem, but I couldn’t find log entries as described in this article and I think that I don’t need to update KMDF on Windows 7, right?

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=103651...

I also enabled SSO through the GPO policy AllowSingleSignon = true on the View Agent and “connect all USB devices to the Desktop on launch” on the View Client, without success. Also using the registry key AllowHardwareIDs for redirecting the smart card didn’t help. Probably I’m on the wrong track but I really don’t know what to try out next. Can anybody help me? Thanks!

11 Replies
michael12
Contributor

We solved the problem with our Aladdin eToken. The problems were caused by the latest SafeNet Authentication Client (v8.0 SP2). When we used the old Aladdin eToken PKI Client (v5.1 SP1), everything worked perfectly: smart card authentication, SSO, and signing and encrypting documents and e-mails. For the moment we'll use the old tool. We hope SafeNet will fix the problems in future versions of their client software.

arakelian
VMware Employee

gavee
Contributor

Hi,

I have a similar issue with smart card logon:

I try to connect with the View Client over PCoIP using "log in as current user" (I log in at my local PC with the smart card too). I choose the pool and it shows me the login panel with three tiles, like Michael12 says: the last user I logged on with, other user, and VMware SSO User.

If I use RDP it doesn't happen, but an error appears telling me that an unexpected error has occurred and my PC remains blocked (not the virtual desktop).

I have read some things about allowing SSO in GPOs, but I can't find that policy, nor where I have to change it, in AD or on the View Server. Finally, the installation of the View Agent on the desktop doesn't fail for me, so I can't think that the KMDF doesn't install properly, as they say here:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=103651...

The most important issue is connecting with PCoIP. Please, can anybody help me? I don't use eToken like Michael12, or any other software, only PKIs from Microsoft to manage certificates.

Thanks a lot.

Regards.

unitronics
Contributor

In the end, I solved this using VMware View Client 5.0 to connect to the desktop, and then it passed the credentials to the virtual desktop correctly.

To rule out an incomplete installation of the View Agent (PCoIP functionality), I reinstalled the agent on one of the desktops with this feature. Now I can log in to the desktop using RDP and PCoIP without issues (I don't remember if I chose this feature at the first installation). But I checked that the View Client 4.6 doesn't work either, even with this feature installed.

This is my case and I solved it this way. There are probably more reasons why this happens, as Michael12 tells us.

Thanks a lot.

Kind Regards.

BryanHorton
Contributor

I realize this post is pretty old but thought I would go ahead and share my experiences anyway just in case others run into the VMware SSO User tile issue. In August of 2011 I built a Vista SP2 linked clone parent image to be used in a View 4.6 environment. Most of the initial configs and application installs were performed via a local admin account. Once the parent image was ready (or so I thought) I created the snapshot and recomposed one of our test pools. Using the full View client I connected to the View server and selected the test pool. Lo and behold, the infamous VMware SSO User tile pops up. Last August was the first time I had seen this issue so I was definitely baffled. Finally, I uninstalled ActivClient 6.2, the View agent, .Net Framework 3.5 and VMware Tools. After the reboots I reinstalled in the correct order. At this same time I also installed an msi version of an app the DOD uses to install the DOD root certs into the OS. Note I already had the DOD roots installed on the parent from both group policy and from an exe version of the DOD app. The app is called InstallRoot 3.15a.msi. Magically, after another snap and recompose of the test pool I could log on via CAC. At the time I was not sure which app reinstall fixed the issue and did not worry too much about it.

Now, recently I ran into an issue where ActivClient 6.2 was causing our users' desktop icons to freeze after they closed Internet Explorer. So, after a significant amount of troubleshooting I completely uninstalled ActivClient 6.2 and the InstallRoot 3.15a app on the parent image. I only reinstalled ActivClient 6.2 and applied the 6.2.0.162 patch. After creating a snap and recomposing, up pops the infamous VMware SSO User tile upon logon. My first thought was, "Could this be because I removed the InstallRoot 3.15a app?". Sure enough, after reinstalling this msi app on the parent and another recompose, no more VMware SSO User tile.

My guess is the InstallRoot 3.15a msi version is putting the root certificates into the proper stores in the parent image OS. No idea why the exe version of this same app does not do the same, but hopefully this will save someone out there many hours of troubleshooting.

Note: I have also seen the VMware SSO tile issue if the time is way off on the ESX/ESXi hosts.

MNKrantz
Enthusiast

Can you provide a location where I could download the .msi version?

Faizan130
Contributor

Hello guys, I am currently facing the same problem. I have deployed the VMware Horizon 6 Connection Server component only. I created an RDS shared desktop pool and published applications, both on Windows Server 2008 R2 SP1. I can successfully connect with the Horizon Client using the smart card PIN, but when I try to access resources it asks for the directory credentials. If I change the RDS farm setting from PCoIP to RDP, the setup works perfectly. I am using Gemalto .NET 2.0 smart cards.

Linjo
Leadership

Have you installed the PCoIP SmartCard feature? It is a part of the View Agent installer but is not installed by default.

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".
Faizan130
Contributor

According to the VMware technical guide for creating RDS hosted desktops and applications, I have to first install Remote Desktop Services on the server operating system and then perform the View Agent installation. When I perform the View Agent installation, the option for installing the PCoIP Smartcard feature is unavailable. I think Horizon does not support PCoIP smart card with RDS hosted desktops and applications.

Linjo
Leadership

Sorry, I must have missed that detail in your post; you are correct, SmartCard authentication is not supported with Hosted Apps yet.

// Linjo

bbmark
Enthusiast

Is there any official documentation that could be referred to?

BTW, quoting the questioner, "If I change the RDS farm setting from PCoIP to RDP, the setup works perfectly", it seems only the resources published by PCoIP protocol farms wouldn't work.
