VMware Horizon Community
ptgoel
Contributor

Vmware View and Smart card configuration problem

Hi,

I have made a trial VDI setup. Virtual Center and all other components are on corresponding virtual machines. Till now setup is working fine. I am able to launch a Virtual Machine from view client using username and password.

Now I want to make it Smart Card compatible. So trying the steps given in View Manager Admin guide.

It is written on Page 86 about "*Configuring User Profiles" --> *To set the UPN to the SAN on ADAM -> Step 2 about CN=Users

As of now if I try to see CN=Users, it is not viewable. I can see other entries but not this entry. I read in a KB article that ADAM provides four default, role-based groups: Administrators, Instances, Readers, and Users. But I do not see any of these 4.

Any idea how to view these ?

9 Replies
kwee42
Contributor

Did you ever get an answer to this one? I'm having the same issue.

Thnxz

lcounsel
Contributor

This part of the Administration Guide is incorrect and this should be done on the actual Active Directory where the user has an account, not in ADAM, using Microsoft's ADSIEdit.msc plug in (http://technet.microsoft.com/en-us/library/cc773354.aspx);

If the certificate on the smart card was issued from a Certificate Authority on the user's domain, for the user, it is likely that this is already set.

If the smart card environment is not new for VMware View it is likely that a procedure to do this already exists.

This procedure is really intended for, but not limited to, use in a test/PoC environment where certificates on smart cards are issued from an external source and the user needs to have the UPN set manually for a particular smart card.

lhnjcwx
Contributor

Hi all,

I have another problem about smart card logon to VM View. According to the guide I did the following:

1. create a keystore file using the command keytool...

2. copy the keystore file to the installation path

3. create a new locked.properties file and give the keystore file name to the parameter "trustKeyfile"

4. restart the vm

The above is just a structure, not very detailed...

But when I use smart card logon to VM View, the error "No user could be found for your certificate" pops up. The cert I imported to the card is a "smart card logon" certificate applied for by the domain administrator from the domain CA. And I can use the card and cert to log on to a machine in the domain by RDP.

Do I need to do some other setting to resolve the issue? Looking forward to your advice.

thanks

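The four steps in the post above, written out as an added example that is not the poster's own commands and not VMware's documentation: keytool builds the trust store from the issuing CA certificate, locked.properties points at it through trustKeyfile, and the Connection Server service is restarted instead of the whole VM. The install root, JRE path, CA export file name, keystore password, the extra trustStoretype and useCertAuth keys, and the service display name are all assumptions to be checked against the actual installation.

```powershell
# Added example, not from the thread or from VMware. Paths, file names and the
# password are assumptions; adjust them to the real Connection Server install.
$ServerRoot = 'C:\Program Files\VMware\VMware View\Server'   # assumed install root
$ConfDir    = Join-Path $ServerRoot 'sslgateway\conf'        # assumed location of locked.properties
$Keytool    = Join-Path $ServerRoot 'jre\bin\keytool.exe'    # keytool from the bundled JRE (assumed path)
$CaCertFile = 'C:\temp\issuing-ca.cer'                       # export of the CA that signed the card certs (assumed)
$Keystore   = Join-Path $ConfDir 'trust.key'
$StorePass  = 'changeit'                                     # placeholder; use a real password

# Step 1: create the JKS trust store and import the issuing CA certificate into it.
# -noprompt suppresses the "Trust this certificate?" question so the step is scriptable.
& $Keytool -import -alias 'smartcard-issuing-ca' -file $CaCertFile `
           -keystore $Keystore -storepass $StorePass -noprompt
if ($LASTEXITCODE -ne 0) { throw "keytool failed with exit code $LASTEXITCODE" }

# Step 2 is already covered: the store was written straight into the conf directory.

# Step 3: locked.properties names the trust store via trustKeyfile (the key the
# poster mentions); trustStoretype and useCertAuth are assumed additional keys.
@"
trustKeyfile=trust.key
trustStoretype=JKS
useCertAuth=true
"@ | Set-Content -Path (Join-Path $ConfDir 'locked.properties') -Encoding ASCII

# Check before restarting: the CA alias should be listed and the file readable.
& $Keytool -list -keystore $Keystore -storepass $StorePass
Get-Content (Join-Path $ConfDir 'locked.properties')

# Step 4: the poster restarted the VM; restarting the Connection Server service
# is enough to reload locked.properties (service display name assumed).
Get-Service -DisplayName 'VMware View Connection Server' | Restart-Service
```

The keytool -list check is worth keeping: a trust store that imported the wrong certificate (a client certificate instead of the issuing CA, or a CA that did not sign the card certificates) produces the same "No user could be found" style failure at logon, and the listing makes that visible before the service is touched.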
lhnjcwx
Contributor

Oh, thank GOD! I have resolved the issue! It has troubled me for one week!

Just now, I edited the administrator account (I use it to apply for the "smart card logon" cert) in AD, went to "administrator properties"->account tab, and FILLED IN the "user logon name" part!

Thanks

reflectivist
Contributor

This worked for me too. But just to clarify:

On the Certificate Authority machine that hosts the Active Directory and is the Domain Controller for the View Manager (View Connection Server component) I visited:

Start->Administrative Tools->Active Directory Users and Computers

I selected the Administrator user from the Users folder, and selected the "Account" tab on the pop-up dialog. In the User logon name field, I entered "Administrator" and in the blank field to the right of it I selected my domain name from the pull down list (for example @card.net).

Thanks so much for the tip! That saved me a lot of time.

lcounsel
Contributor

This is effectively changing the userPrincipalName attribute as in the manual, however if the smart card is issued from a separate domain it will not appear in the drop down list.

In general if the certificate is issued from the same domain as the user account there would be an automated method of setting this (issuing certificates from a Microsoft CA using the provided web interface) and this section of the manual describes what to do if this is not the case.

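Both the GUI procedure reflectivist describes and lcounsel's point about the userPrincipalName attribute and suffixes from a separate domain can be checked from the domain controller with the Active Directory PowerShell module. The following is an added example, not code from the thread or from VMware: it reads the UPN out of the card certificate's Subject Alternative Name, compares it with the account's userPrincipalName, warns when the suffix does not belong to this forest (the case where the drop-down list cannot help), and only writes the attribute when -Fix is given. The certificate path, the account name and the "Principal Name=" text form in which Windows renders the SAN extension are assumptions.

```powershell
# Added example, not from the thread or from VMware. Requires the RSAT
# ActiveDirectory module on the domain controller (assumed available).
Import-Module ActiveDirectory

function Get-CertificateUpn {
    # Return the UPN carried in the certificate's Subject Alternative Name (OID 2.5.29.17).
    # Relies on the Windows CryptoAPI text form of the extension, which renders the
    # UPN OtherName as "Principal Name=<upn>" (an assumption about the formatter).
    param([Parameter(Mandatory)][string]$CertPath)   # exported card certificate (.cer), assumed
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { throw "Certificate $($cert.Thumbprint) has no Subject Alternative Name" }
    if ($san.Format($true) -match 'Principal Name=(\S+)') { return $Matches[1] }
    throw "No UPN OtherName in the SAN of certificate $($cert.Thumbprint)"
}

function Test-SmartCardUpn {
    # Compare the certificate UPN with the AD account's userPrincipalName; set it only on -Fix.
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$SamAccountName,   # e.g. 'Administrator', as in the thread
        [switch]$Fix
    )
    $certUpn = Get-CertificateUpn -CertPath $CertPath
    $user    = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName

    # lcounsel's caveat: a suffix from another domain or forest is not offered in the
    # drop-down, so the attribute has to be written explicitly (or a trust set up).
    $suffix = $certUpn.Split('@')[-1]
    $known  = @((Get-ADDomain).DNSRoot) + @((Get-ADForest).UPNSuffixes)
    if ($known -notcontains $suffix) {
        Write-Warning "UPN suffix '$suffix' is not a suffix of this forest; the card was issued elsewhere"
    }

    if ($user.UserPrincipalName -eq $certUpn) {
        Write-Host "OK: $SamAccountName already has userPrincipalName $certUpn"
        return $true
    }
    # An empty attribute (the poster's case) shows up here as a mismatch against ''.
    Write-Warning ("Mismatch: account has '{0}', certificate says '{1}'" -f $user.UserPrincipalName, $certUpn)
    if ($Fix) {
        Set-ADUser -Identity $user -UserPrincipalName $certUpn
        Write-Host "Set userPrincipalName on $SamAccountName to $certUpn"
        return $true
    }
    return $false
}

# Usage (paths and names assumed): report first, then re-run with -Fix once the
# mismatch is understood, so a card from the wrong domain is not silently bound.
Test-SmartCardUpn -CertPath 'C:\temp\card.cer' -SamAccountName 'Administrator'
```

Running the check without -Fix first matters because the userPrincipalName is the value View uses to map the certificate to an account: writing a foreign suffix onto a privileged account without understanding where the card came from binds that card to the account, which is exactly the decision the manual's manual-UPN section is asking the administrator to make deliberately.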
reflectivist
Contributor

Jul 20, 2009

Re: Vmware View and Smart card configuration problem

This is effectively changing the userPrincipalName attribute as in the manual, however if the smart card is issued from a separate domain it will not appear in the drop down list.

In general if the certificate is issued from the same domain as the user account there would be an automated method of setting this (issuing certificates from a Microsoft CA using the provided web interface) and this section of the manual describes what to do if this is not the case.

-


I don't know if it is a docs bug or not, because I don't have the manual in front of me, but as I recall the section pertaining to the UPN indicated that those steps were only necessary if the cert came from out of domain or something. My cert was enrolled for Administrator in the same domain, but somehow the field on the account was not updated.

Having said that, the Administrator account is there by default and was there before the domain was established. So perhaps that explains it? Maybe it wouldn't have occurred if the user had been added after I upgraded the AD machine to a domain controller. It might be worth someone at VMware checking this out and updating docs accordingly, as these kinds of things can take a long time for an uninformed user monkey to chase down in a configuration scenario as involved as this. In fact, had I not seen a forum topic talking about this, and followed the documentation as I recall it to be, I could have been stuck for a very long time.

Thanks for replying. I'm gradually becoming more of an expert than I wanted to be :)

lcounsel
Contributor

As noted in an earlier comment the 3.0 documentation was incorrect in specifying where the user account was to modify the userPrincipalName.

3.1 documentation has an update to this and specifies that this is really intended for certificates from external domains.

Issuing of certificates to smart cards and allocating them to users is not part of the VMware View administration and will depend on individual installations, but in general when using smart cards and Active Directory the method of issuing certificates to smart cards and then allocating those smart cards to users in the AD would provide this functionality and update the UPN, so these steps would not be necessary.

Smart card authentication for VMware is exposing a standard methodology for smart card authentication, did your smart card allow authentication to a PC in the domain without using VMware View before updating the UPN?

reflectivist
Contributor

Did your smart card allow authentication to a PC in the domain without using VMware View before updating the UPN?

I don't remember if I enrolled the user before or after installing some of the VMware components.

Anyway, whether you are technically right or not is not totally the point. I think the goal is to make it as turn key as is reasonable and appropriate, and if not, try to write the documentation to help steer the end user (who may be facing a steep learning curve in a complex environment) around pitfalls.

In my case, using the latest documents, I was confused. You might want to mention in the manual somewhere that if the user cannot be found from the cert, verify it via the account panel as a troubleshooting step.

In fact, citing a few more verification steps / troubleshooting steps in the manual could save both your customers and VMware a lot of trouble regarding both this, and the Smart Card PIN prompt in View.

I think the thing that is confusing with View and the PIN prompt is that it is possible to have it in a state where one thinks the View Connector is working properly because it is requiring a smart card, when in reality a separate property is preventing the connector from enabling it for the client! Not realizing that the connector was preventing the client from displaying the PIN dialog kept me spinning my wheels with the wrong component for much longer than necessary, and documentation would have helped.

For example, identifying which is the log file, and what is displayed in the log file when Smart Card authentication is set up properly, would be very helpful. When people are troubleshooting their own configurations it is helpful for them to have ways to validate things on a per-component basis rather than stand on the outside when something isn't working and wonder what in the heck in all of that configuration mire could be wrong.

It's a great product, don't get me wrong. I just see this as feedback to help you and your customers with a few fairly simple improvements to the documentation based on valid customer experience.

Customers can be imperfect and uninformed. The goal is to find the best way to make everyone happy and enthusiastic about using the products.
