I'm running into a strange issue with an automated linked clone pool (using Composer)
Horizon 7.6
VDI Gold Image: Windows 10 LTSC
Persistent Disks
Roaming Profiles with redirected folders
When I build the pool from scratch, it works very well. New users log in, the VDI picks up their account, and logs them in. Log off and log in works as it should, bringing the user right back to their desktop.
I went and updated the gold image, and recomposed the pool with the new snapshot. When any user tries to log in after the recompose finishes, they are met with a login prompt displaying the name of the local account used in image creation.
It feels to me that the VDI doesn't pick up the credentials passed to it from the Horizon client, but I am at a loss as to where to look to resolve this. I've tried it with both domain user and domain admin credentials and it's the same issue. If a user logs in manually to the VDI from that prompt, they get their desktop but any changes that were made prior to the recompose are lost.
Any ideas would be very much appreciated. I do have a case open with VMware Support, but it's at the 2nd round of digging through logs and I'm starting to feel the pressure from the higher ups to get this working.
Thanks!
In one that doesn't work check and see if the netlogon service is running.
Hi sjesse,
Okay I checked a few of them, and the netlogon service is running on them. Set to Automatic.
Check out this article. Verify that the authentication provider is present in the userinit string in the registry:
If that all looks good, I would suggest reinstalling the agents on the gold image.
If the userinit fix referenced doesn't help I'd remove all the virtual desktop agents and reinstall them in the correct order.
I would agree with sjesse on this one. Did you remove and install the Horizon Agent after the OS update was performed?
I apologize for the delay. I'm checking on the userinit now. If that's present I'll reinstall the agents again to be sure they're done in the proper order.
Okay checked the userinit and it was there. I DID do a uninstall/reinstall of the agents as well, and unfortunately I still get that login prompt. I am in the process of spinning up another VDI to test as the gold image, this one is an earlier version of LTSB.
If you're starting a new image, follow this, and then adjust if need be
Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop | VMware
I've had good luck so far.
Found this KB VMware Knowledge Base which then led me to this one VMware Knowledge Base
Old, but maybe it will give you an idea. I'm wondering whether, in your Win 10 policies, the Interactive logon: Do not require CTRL+ALT+DEL GPO policy is enabled.
I apologize for the delay, I was out for the rest of the day.
So I went back and redid my gold image. Did the agents in the proper order, and re-installed my apps. I went and recomposed with the new image and snapshot and it worked! So I went back in to make a new snapshot to test again.
I noticed that I had forgotten to leave the domain I was joined to. So I went and added an app, and also unjoined the domain. This time, the issue came back!
I haven't been keeping the gold image on the domain, as I understood there were problems with that. Is there something I need to be doing instead to put these on the domain properly? When I recompose it DOES look like these machines are domain joined, but that local account login prompt is there.
I enabled this policy on my gold image and it resolved the issue.
Security Settings > Local Policies > Security Options > Interactive Logon: Do not display last username
I think this is a step in the right direction! I modified that policy to enabled, and snapshot the gold image. After a recompose, I am presented with a login prompt, same as before, but this time it's asking for domain credentials.
I checked that setting just now and it was set to enabled. I followed the KB and set it to Disabled, so I'm whipping up another snapshot now and trying it again.
Okay, I found something strange.
I redid my gold image the other day, and just did another recompose a moment ago. I got the same login prompt, but then I decided to test something.
I disconnected from my Horizon client on my laptop, and reconnected. I was then able to pass through my credentials and log into the VDI without issue.
So right now things work if I:
1. Recompose pool
2. Disconnect from Horizon Client
3. Connect back into the Horizon Client.
I made sure I was on the newest version of the client as well. 4.9.0
I believe there is an SSO timeout of a few hours no matter what. I've seen this before, and I think it's expected. I'm not sure if you can disable it in newer versions, but it looked like it was possible in older ones.
So you implemented the policy I suggested: Security Settings > Local Policies > Security Options > Interactive Logon: Do not display last username and you're still seeing the Admin account or most recent user when logging into one of the clones?
I have, and we're still running into this issue, but for now we've decided to work around it. When we do a recompose, we make sure that everyone logs out of the Horizon client. Most of our users are on terminals, so it's not an issue for them. Once the recompose is done, the users log in successfully.
I wish I had a more solid solution, but for now it seems to work fine.
I have also been facing the same problem for many days.
I have one master image with multiple snapshots. Pools created from previous snapshots work properly without SSO login errors, while if I create a new pool from the latest snapshot of my existing master image, it prompts me with the SSO login screen.
I don't know what kind of policy is getting updated with this newly created snapshot on same image.
I even prepared another fresh Windows 10 LTSC 1809 golden image, which gives the same SSO login errors, but the rest works as usual with a manual user login on the SSO screen.
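Added example, not part of any post in this thread and not VMware code: a PowerShell sketch that records the settings the replies above ask about (Netlogon service, the Winlogon Userinit string, the two Interactive logon policies, domain membership) so a working clone or snapshot can be diffed against a failing one. The function names and the C:\Temp file paths are assumptions made for illustration; the script only reports values and does not judge what the Userinit string should contain.

```powershell
# Added example: capture the logon-related settings discussed in this thread.
function Get-LogonBaseline {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Read one registry value; returns $null when the value is not set.
    $read = {
        param($Path, $Name)
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    $netlogon = Get-Service -Name Netlogon -ErrorAction SilentlyContinue
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        PartOfDomain            = $cs.PartOfDomain
        Domain                  = $cs.Domain
        NetlogonStatus          = [string]$netlogon.Status
        NetlogonStartType       = [string]$netlogon.StartType
        Userinit                = & $read $winlogon 'Userinit'
        # "Interactive logon: Do not display last user name"
        DontDisplayLastUserName = & $read $policies 'DontDisplayLastUserName'
        # "Interactive logon: Do not require CTRL+ALT+DEL"
        DisableCAD              = & $read $policies 'DisableCAD'
    }
}

# Compare two saved baselines and emit only the settings that differ.
function Compare-LogonBaseline {
    param([string]$ReferencePath, [string]$DifferencePath)
    $ref = Get-Content -Raw -Path $ReferencePath  | ConvertFrom-Json
    $dif = Get-Content -Raw -Path $DifferencePath | ConvertFrom-Json
    foreach ($name in $ref.PSObject.Properties.Name) {
        if ("$($ref.$name)" -ne "$($dif.$name)") {
            [pscustomobject]@{
                Setting    = $name
                Reference  = $ref.$name
                Difference = $dif.$name
            }
        }
    }
}

# On each machine (hypothetical paths):
#   Get-LogonBaseline | ConvertTo-Json | Set-Content C:\Temp\working.json
# Then, with both files in one place:
#   Compare-LogonBaseline C:\Temp\working.json C:\Temp\failing.json
```

ComputerName will always differ between two clones; the rows of interest are the policy, Userinit and domain-membership values.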