Hi,
I have made a trial VDI setup. Virtual Center and all other components are on corresponding virtual machines. Till now setup is working fine. I am able to launch a Virtual Machine from view client using username and password.
Now I want to make it Smart Card compatible. So trying the steps given in View Manager Admin guide.
It is written on page 86 under "Configuring User Profiles" -> "To set the UPN to the SAN on ADAM" -> Step 2 about CN=Users.
As of now, if I try to see CN=Users, it is not viewable. I can see other entries but not this entry. I read in a KB article that ADAM provides four default, role-based groups: Administrators, Instances, Readers, and Users. But I do not see any of these 4.
Any idea how to view these?
Did you ever get an answer to this one? I'm having the same issue.
Thanks
This part of the Administration Guide is incorrect and this should be done on the actual Active Directory where the user has an account, not in ADAM, using Microsoft's ADSIEdit.msc plug-in (http://technet.microsoft.com/en-us/library/cc773354.aspx).
If the certificate on the smart card was issued from a Certificate Authority on the user's domain, for the user, it is likely that this is already set.
If the smart card environment is not new for VMware View it is likely that a procedure to do this already exists.
This procedure is really intended for, but not limited to, use in a test/PoC environment where certificates on smart cards are issued from an external source and the user needs to have the UPN set manually for a particular smart card.
Hi all,
I have another problem about smart card logon vmview. According to the guide I did the following:
1. create a keystore file using the command keytool...
2. copy the keystore file to the installation path
3. create a new locked.properties file and give the keystore file name to the parameter "trustKeyfile"
4. restart the vm
The above is just a structure, not very detailed...
But when I use smart card logon the vmview, the error "No user could be found for your certificate" pops up. The cert I imported to the card is a "smart card logon" certificate applied by the domain administrator from the domain CA. And I can use the card and cert to log on to the machine in the domain by RDP.
Do I need to do some other setting to resolve the issue? Looking forward to your advice.
Thanks
Oh, thank God! I have resolved the issue! It has troubled me for one week!
Just now, I edited the administrator account (I use it to apply the "smart card logon" cert) in AD, went to "administrator properties"->account tab, and FILLED IN the "user logon name" part!
Thanks
This worked for me too. But just to clarify:
On the Certificate Authority machine that hosts the Active Directory
and is the Domain Controller for the View Manager (View Connection Server
component) I visited:
Start->Administrative Tools->Active Directory Users and Computers
I selected the Administrator user from the Users folder, and selected
the "Account" tab on pop-up dialog. In the User login name field,
I entered "Administrator" and in the blank field to the right of it I selected
my domain name from the pull down list (for example @card.net).
Thanks so much for the tip! That saved me a lot of time.
This is effectively changing the userPrincipalName attribute as in the manual, however if the smart card is issued from a separate domain it will not appear in the drop down list.
In general if the certificate is issued from the same domain as the user account there would be an automated method of setting this (issuing certificates from a Microsoft CA using the provided web interface) and this section of the manual describes what to do if this is not the case.
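The check this thread converges on, as an added PowerShell example that is not from the original posts or from VMware: it reads the UPN from a certificate's Subject Alternative Name and looks for a user account in the current domain whose userPrincipalName matches. The `$CertPath` parameter and the English-locale "Principal Name=" label are assumptions.

```powershell
# Added example (not from the thread). Run on a domain-joined Windows machine.
# $CertPath is a hypothetical path to the exported public certificate (.cer).
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# Subject Alternative Name extension (OID 2.5.29.17).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw "Certificate has no Subject Alternative Name extension." }

# Assumption: English-locale Windows renders the UPN other-name entry as
# "Principal Name=user@domain"; other locales use a different label.
if ($san.Format($true) -match 'Principal Name=(\S+)') {
    $upn = $Matches[1]
} else {
    throw "No UPN entry found in the Subject Alternative Name."
}

# Escape LDAP filter metacharacters before building the search filter.
$escaped = $upn.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

# Search the current domain for user accounts whose userPrincipalName
# attribute equals the UPN carried in the certificate.
$searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(userPrincipalName=$escaped))"
$hits = @($searcher.FindAll())

switch ($hits.Count) {
    0 { Write-Warning "No account has userPrincipalName '$upn'. Check the 'User logon name' field on the Account tab." }
    1 { Write-Output "OK: '$upn' maps to $($hits[0].Properties['distinguishedname'][0])" }
    default { Write-Warning "$($hits.Count) accounts share userPrincipalName '$upn'; the mapping is ambiguous." }
}
```

A result of zero accounts is the state described in the posts above, where the "User logon name" field on the account was empty.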
Jul 20, 2009
Re: Vmware View and Smart card configuration problem
> This is effectively changing the userPrincipalName attribute as in the manual, however if the smart card is issued from a separate domain it will not appear in the drop down list.
> In general if the certificate is issued from the same domain as the user account there would be an automated method of setting this (issuing certificates from a Microsoft CA using the provided web interface) and this section of the manual describes what to do if this is not the case.

I don't know if it is a docs bug or not, because I don't have the manual in front of me,
but as I recall the section pertaining to the UPN indicated that those steps were only
necessary if the cert came from out of domain or something. My cert was enrolled
for Administrator in the same domain, but somehow the field on the account was
not updated.
Having said that, the Administrator account is there by default and was there
before the domain was established. So perhaps that explains it? Maybe it
wouldn't have occurred if the user had been added after I upgraded the AD
machine to a domain controller. It might be worth someone at VMware to
check this out and update docs accordingly, as these kinds of things can take
a long time for an uninformed user monkey to chase down in a configuration
scenario as involved as this. In fact, had I not seen a forum topic talking about
this, and followed the documentation as I recall it to be, I could have been
stuck for a very long time.
Thanks for replying. I'm gradually becoming more of an expert than I wanted to be.
As noted in an earlier comment the 3.0 documentation was incorrect in specifying where the user account was to modify the userPrincipalName.
3.1 documentation has an update to this and specifies that this is really intended for certificates from external domains.
Issuing of certificates to smart cards and allocating them to users is not part of the VMware View administration and will depend on individual installations, but in general when using smart cards and Active Directory the method of issuing certificates to smart cards and then allocating those smart cards to users in the AD would provide this functionality and update the UPN, so these steps would not be necessary.
Smart card authentication for VMware is exposing a standard methodology for smart card authentication. Did your smart card allow authentication to a PC in the domain without using VMware View before updating the UPN?
> Did your smart card allow authentication to a PC in the domain without using VMware View before updating the UPN?

Don't remember if I enrolled the user before or after installing some of the VMware components.
Anyway, whether you are technically right or not is not totally the point. I think the
goal is to make it as turn key as is reasonable and appropriate, and if not, try to
write the documentation to help steer the end user (who may be facing a steep
learning curve in a complex environment) around pitfalls.
In my case, using the latest documents, I was confused. You might want to mention
in the manual somewhere that if the user cannot be found on the cert to verify
it via one account panel as a troubleshooting step.
In fact, citing a few more verification steps / troubleshooting steps in the manual
could save both your customers and VMware a lot of trouble regarding both this,
and the Smart Card PIN prompt in View.
I think the thing that is confusing with View and the PIN prompt is that it is possible
to have it in a state where one thinks the View Connector is working properly because
it is requiring a smart card, when in reality a separate property is preventing the
connector from enabling it for the client! Not realizing that the connector was
preventing the client from displaying the PIN dialog kept me spinning my wheels
with the wrong component for much longer than necessary and documentation
would have helped.
For example, identifying which is the log file, and what is displayed in the log
file when Smart Card authentication is set up properly, would be very helpful.
When people are troubleshooting their own configurations it is helpful for them
to have ways to validate things on a per-component basis rather than stand on the
outside when something isn't working and wonder what in the heck in all
of that configuration mire could be wrong.
It's a great product, don't get me wrong. I just see this as feedback to help you
and your customers with a few fairly simple improvements to the documentation
based on valid customer experience.
Customers can be imperfect and uninformed. The goal is to find the best
way to make everyone happy and enthusiastic about using the products.