VMware Horizon Community
SiHumphrey
Contributor

VMware View SSO do-submit-authentication

Hello,

I have written a small amount of test code to find out which RDP machines an authenticated user has access to if they were to use a VMware View client. This test script takes the remote address of a View Connection Server, and the user's name and password, and performs HTTP POSTs to the View Connection Server. I have used the following documentation to do this: https://vmware-view-open-client.googlecode.com/files/VMware-view-client-protocol-spec-4.5.0-GA.pdf.

The 'do-submit-authentication' method (specifically Request: Password Authentication on page 14) states that the password field should contain a secret, and I am able to authenticate if I use the plain text password for the user in this field. However, running Wireshark between VMware View Client 5.0 and my View Connection Server, I see its do-submit-authentication instead includes an {SSO-AES1} parameter for the password field.

<?xml version="1.0"?>
<broker version="5.0">
  <do-submit-authentication>
    <screen>
      <name>windows-password</name>
      <params>
        <param>
          <name>username</name>
          <values><value>simon</value></values>
        </param>
        <param>
          <name>domain</name>
          <values><value>TEST</value></values>
        </param>
        <param>
          <name>password</name>
          <values><value>{SSO-AES:1}ZXbtEwRmeGs80cyD1sRsS6sVRgVt7pYR</value></values>
        </param>
      </params>
    </screen>
  </do-submit-authentication>
</broker>

My main question is: how is the above SSO-AES:1 key value generated? I do not want to send a password in plain text between my test app and View Connection Server. I am familiar with Kerberos / AD authentication, but cannot find any documentation on SSO for VMware View authentication.

Further details:

My broker does support Kerberos, as the following is returned by the get-configuration method.

<broker-service-principal>
<type>kerberos</type>
</broker-service-principal>

Many many thanks in advance,

Simon

4 Replies
markbenson
VMware Employee

Newer View clients and all third-party View clients use a plain-text password in do-submit-authentication.

{SSO-AES1} information to encrypt this password is not published, and is in any case now deprecated functionality.

As View Clients always send do-submit-authentication requests over SSL, the password and all other elements are already encrypted.

Stick with plain text and perform encryption using SSL so that all communication between the client and the Connection Server (or Security Server) is protected.

Mark
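
The advice in the reply above (plain-text password, protected by SSL), as an added example that is not part of the original thread and is not VMware code: it builds the request in the shape of the capture posted in the question, refuses any URL that is not https, verifies the server certificate, and masks the password before the request is logged. The broker URL, the Content-Type header and all function names are assumptions.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

def build_password_auth(username, domain, password, version="5.0"):
    """Build a do-submit-authentication body shaped like the capture in the question."""
    broker = ET.Element("broker", version=version)
    screen = ET.SubElement(ET.SubElement(broker, "do-submit-authentication"), "screen")
    ET.SubElement(screen, "name").text = "windows-password"
    params = ET.SubElement(screen, "params")
    for name, value in (("username", username), ("domain", domain), ("password", password)):
        param = ET.SubElement(params, "param")
        ET.SubElement(param, "name").text = name
        values = ET.SubElement(param, "values")
        # ElementTree escapes <, > and &, so a credential cannot break out of <value>.
        ET.SubElement(values, "value").text = value
    return b'<?xml version="1.0"?>' + ET.tostring(broker, encoding="utf-8")

def redacted(body):
    """Return a copy of the request that is safe to log: the password value is masked."""
    root = ET.fromstring(body)
    for param in root.iter("param"):
        if param.findtext("name") == "password":
            for value in param.iter("value"):
                value.text = "***"
    return ET.tostring(root, encoding="unicode")

def submit(broker_url, body, cafile=None):
    """POST the body to the Connection Server, over verified TLS only."""
    if urlsplit(broker_url).scheme != "https":
        raise ValueError("refusing to send a plain-text password to " + broker_url)
    ctx = ssl.create_default_context(cafile=cafile)  # checks chain and hostname
    req = urllib.request.Request(
        broker_url, data=body,
        headers={"Content-Type": "text/xml"})  # header value is an assumption
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()

if __name__ == "__main__":
    # Constructed sample credentials; nothing is sent unless submit() is called.
    sample = build_password_auth("simon", "TEST", "example<&>password")
    print(redacted(sample))
```

Pass `cafile` when the Connection Server certificate is issued by an internal CA, rather than turning verification off.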

SiHumphrey
Contributor

Hi Mark,

Thank you for your reply - very helpful.

An extension to my test code was going to look at how to use Kerberos authentication to perform do-submit-authentication, as I may not always have the plain text password. For example, I may be on a PC that has a Kerberos TGT (ticket granting ticket) having already authenticated against Active Directory, but I no longer have the plain text password.

Are you aware of any documentation that explains how this (Kerberos authentication) works in the VMware View API (or are you able to)?

Thanks again,

Simon

markbenson
VMware Employee

View Connection Server (and the View Client XMLAPI protocol) doesn't support Kerberos authentication because it needs to perform an "interactive" login to the Windows desktop and for this a password (or SmartCard X.509 certificate) is required.

You should use a password in do-submit-authentication for what you are doing.

Mark

SiHumphrey
Contributor

Hi Mark,

Thanks for clearing this up.

Cheers,

Simon
