VMware Horizon Community
rcmcguir
Enthusiast

Why create Kiosk accounts on connection server instead of AD?

I'm somewhat confused on why it is necessary to create Kiosk accounts in the connection server rather than just directly creating in AD yourself.  The connection server creates an AD account but what else is it accomplishing?

You can go in and manually create a "custom-*" account and use it with Kiosk mode, and it appears to work just as one created on the server would.  The only difference is that now you also have to manage the accounts from a second source.


What am I missing?

Thanks,

markbenson
VMware Employee

Kiosk accounts are always created in AD and never on the Connection Server itself.

"When you add a client in kiosk mode, View Manager creates a user account for the client in Active Directory."

The command:

vdmadmin -Q -clientauth -add

just allows you to script the creation of these AD accounts with all the correct settings for kiosk mode and is provided as a convenient way to bulk add these accounts for all the kiosk mode client devices.

Mark.


rcmcguir
Enthusiast

Thanks for the reply.

However, they must be created in some way on the server itself, since the command "vdmadmin -Q -clientauth -list" will show you a list of the accounts you have created and not just a list of whatever shows up in AD.


For instance, I created a new user account called "custom-Test-Kiosk" in AD directly, in the same OU as the others were placed when using the "vdmadmin -Q -clientauth -add" command.  When I then used "vdmadmin -Q -clientauth -list", my newly created test account was not listed.  However, when using the custom-Test-Kiosk account for Kiosk mode it worked fine.

So that makes me wonder, why have accounts in two spots?  To me it would be easier to add and clear accounts directly in AD and not have to worry about what the accounts are on the connection server.

It's not that big of deal.  I can manage it on the connection server, but I was just trying to learn more as to why we need to.

Thanks,

markbenson
VMware Employee

rcmcguir wrote:

... they must be created in some way on the server itself ...

We don't create Windows accounts on the Connection Server itself. Windows accounts for kiosk device pseudo user accounts are only ever in AD.

In the LDAP repository on each Connection Server we do create ClientAuthSettings for each device. If you just create AD accounts for kiosk users, View won't know about them without the corresponding ClientAuthSettings and that is why you are seeing them as missing when you run "vdmadmin -Q -clientauth -list".

If you use ADSIEdit or LDP to look at the LDAP instance for View on the Connection Server (or look at one of the vdmexport LDAP LDF backups), you can see the ClientAuthSettings. Search for pae-ClientAuthSettings-a.

Always use "vdmadmin -Q -clientauth -add".

Mark

rcmcguir
Enthusiast

Thank you again for your response.

I'm sorry I wasn't clear.  I wasn't trying to say it was creating local user accounts.  Just that it was creating some sort of record of the account on the server.

So now I know that it is creating LDAP entries on the server.  I guess my last question then is, is that done just in case we don't have our own LDAP service?  Since I've already verified that manually creating a "custom-*" account in AD works, that would lead me to believe that is the case, since we run LDAP already.

Thanks,

markbenson
VMware Employee

rcmcguir wrote:

... is that done just in case we don't have our own LDAP service? ...

All configuration in View is stored in an LDAP instance on each View Connection Server. With a setup with replica Connection Servers, this LDAP repository is replicated between all Connection Servers so that they all have access to a local copy of the shared configuration data. Kiosk mode uses ClientAuthSettings to represent each client and it is these entries that are added with the vdmadmin command.

This is not related to a situation of you not having an LDAP service. LDAP (AD) is a requirement for View.

Mark 
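Mark's two replies make the operational point: a kiosk device is only fully provisioned when both the AD account and the matching ClientAuthSettings entry in the Connection Server's LDAP exist, so accounts created straight in AD (the original poster's "custom-Test-Kiosk") leave the two stores out of step. The following is an added example, not code from VMware or from this thread: it parses a vdmexport-style LDIF backup (the "LDF backups" mentioned above), collects the client IDs that View holds a ClientAuthSettings record for, and reconciles them against a list of AD kiosk account names so that an administrator can spot AD-only accounts (no View record) and View-only records (AD account removed). The LDIF content and the AD account list are constructed sample data; the objectClass name pae-ClientAuthSettings is taken from the thread, while the attribute name pae-ClientID and the OU layout are assumptions made for illustration and should be checked against a real export with ADSIEdit or LDP.

```python
import base64
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of a vdmexport LDIF backup (not real View data).
# objectClass pae-ClientAuthSettings is named in the thread; the attribute
# pae-ClientID and the OU names are ASSUMPTIONS for illustration only.
SAMPLE_LDIF = """\
dn: CN=kiosk-1,OU=ClientAuthSettings,DC=vdi,DC=vmware,DC=int
objectClass: top
objectClass: pae-ClientAuthSettings
cn: kiosk-1
pae-ClientID: custom-Lobby01
description: Lobby sign-in kiosk

dn: CN=kiosk-2,OU=ClientAuthSettings,DC=vdi,DC=vmware,DC=int
objectClass: top
objectClass: pae-ClientAuthSettings
cn: kiosk-2
pae-ClientID:: Y3VzdG9tLUxvYmJ5MDI=
description: second lobby kiosk, client id base64-encoded
  as LDIF allows

dn: CN=kiosk-3,OU=ClientAuthSettings,DC=vdi,DC=vmware,DC=int
objectClass: top
objectClass: pae-ClientAuthSettings
cn: kiosk-3
pae-ClientID: custom-Retired03

dn: CN=pool-1,OU=Server,DC=vdi,DC=vmware,DC=int
objectClass: top
objectClass: pae-ServerPool
cn: pool-1
"""

# Constructed stand-in for the sAMAccountNames returned by an AD query.
# custom-Retired03 has been deleted from AD; custom-Test-Kiosk was created by hand.
SAMPLE_AD_ACCOUNTS = {"custom-Lobby01", "custom-Lobby02", "custom-Test-Kiosk", "jdoe"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: unfolds continuation lines (leading space),
    decodes '::' base64 values, and splits entries on blank lines.
    Attribute names are lower-cased because LDAP attribute names are case-insensitive."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # fold marker is a single leading space
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, rest = line.split(":", 1)
        if rest.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def view_kiosk_clients(entries: List[Dict[str, List[str]]]) -> Set[str]:
    """Client IDs for which View holds a ClientAuthSettings record (lower-cased)."""
    ids: Set[str] = set()
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "pae-clientauthsettings" in classes:
            ids.update(v.lower() for v in entry.get("pae-clientid", []))
    return ids


def reconcile(view_ids: Set[str], ad_accounts: Set[str],
              prefix: str = "custom-") -> Tuple[List[str], List[str]]:
    """Return (ad_only, view_only): kiosk-style AD accounts with no View record,
    and View records whose AD account no longer exists."""
    ad_kiosk = {a.lower() for a in ad_accounts if a.lower().startswith(prefix)}
    return sorted(ad_kiosk - view_ids), sorted(view_ids - ad_kiosk)


if __name__ == "__main__":
    known = view_kiosk_clients(parse_ldif(SAMPLE_LDIF))
    ad_only, view_only = reconcile(known, SAMPLE_AD_ACCOUNTS)
    print("AD account without ClientAuthSettings:", ad_only)
    print("ClientAuthSettings without AD account:", view_only)
```

Against the sample data the script reports custom-Test-Kiosk as present in AD but unknown to View, which is exactly the mismatch the original poster observed with "vdmadmin -Q -clientauth -list", and custom-Retired03 as a stale View record. In a real environment the LDIF would come from vdmexport and the account set from an AD query scoped to the kiosk OU; the fix for the AD-only case is the one Mark gives, re-adding the device with "vdmadmin -Q -clientauth -add" so the ClientAuthSettings entry is replicated to every Connection Server.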
