Author : jacquiew
Topic Name : VMware Horizon Client for Windows User Guide
Publication Name : VMware Horizon Client for Windows User Guide
Product/Version : VMware Horizon Client for Windows/4.9
Question :
Hi, we have users whose AD accounts have already expired in Active Directory. This is not about password expiry. They are trying to log in on Horizon Client, but the error is only "Logon failure: Unknown user name and password". It should be something like "Account has expired". Is this a limitation of Horizon Client or Horizon 7?
My understanding is that there is not a way for Horizon to know that. Active Directory treats an expired password the same way as a locked account.
Horizon supports changing an expired password as long as the account is not locked out.
Do you by chance use a MFA solution through RADIUS? We've seen where that will result in what you are seeing and it's a known limitation.
We don't use MFA. Just AD authentication. Even without MFA, is it still a known limitation?
Are you getting an error message? My password expired last week and I successfully changed it by connecting to Horizon using my old password and then I was prompted to change it. You should see something similar to this image that I found online.
We don't have an issue for users whose password has already expired. They can change their passwords similar to the image you shared.
Our problem is with AD users with expired accounts.
For an expired account, when they try to log in, the error they receive is "Logon failure: Unknown user name and password". The error should be something like "Login failure: Account has expired".
My understanding is that there is not a way for Horizon to know that. Active Directory treats an expired password the same way as a locked account.
Yes, it's correct. VMware support checked internally and confirmed that the user expiration status for an account will be available in backend logs; however, in the user interface, though the account is expired, we will be getting the invalid username or password error during the login attempt.
It will be raised as a feature request with their product team, which will be considered for an upcoming release.
According to our internal AD team, this is a Microsoft limitation. When a password is expired it essentially sets the same bit as if the account was locked out, so it's one and the same.
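
For the expired-account case in this thread, a helpdesk-side check that decodes a user's exported directory attributes and reports which account state applies when the client shows only the generic logon failure. This is an added example, not from the thread or from VMware; the attribute names are the standard AD ones, while the function names, sample records and policy values passed in are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)      # accountExpires values meaning "never"
UF_ACCOUNTDISABLE = 0x0002           # userAccountControl flag
UF_DONT_EXPIRE_PASSWD = 0x10000      # userAccountControl flag

def filetime_to_dt(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def logon_blockers(attrs, now, max_pwd_age_days, lockout_minutes):
    """List the account states that would block or interrupt a logon.
    max_pwd_age_days / lockout_minutes are the domain policy (assumed inputs)."""
    reasons = []
    uac = int(attrs.get("userAccountControl", 0))
    if uac & UF_ACCOUNTDISABLE:
        reasons.append("account disabled")
    expires = int(attrs.get("accountExpires", 0))
    if expires not in NEVER and filetime_to_dt(expires) <= now:
        reasons.append("account expired")
    locked_at = int(attrs.get("lockoutTime", 0))
    # lockout_minutes == 0: stays locked until an administrator unlocks it
    if locked_at and (lockout_minutes == 0 or
            filetime_to_dt(locked_at) + timedelta(minutes=lockout_minutes) > now):
        reasons.append("account locked out")
    pwd_set = int(attrs.get("pwdLastSet", 0))
    if pwd_set == 0:
        reasons.append("password must be changed")
    elif (not uac & UF_DONT_EXPIRE_PASSWD and max_pwd_age_days > 0
            and filetime_to_dt(pwd_set) + timedelta(days=max_pwd_age_days) <= now):
        reasons.append("password expired")
    return reasons

# Constructed sample records (not real accounts).
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
def _ft(y, m, d):
    return dt_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))
EXPIRED_ACCOUNT = {"userAccountControl": 0x200, "lockoutTime": 0,
                   "accountExpires": _ft(2018, 5, 1), "pwdLastSet": _ft(2018, 5, 20)}
EXPIRED_PASSWORD = {"userAccountControl": 0x200, "lockoutTime": 0,
                    "accountExpires": 0, "pwdLastSet": _ft(2018, 1, 1)}

if __name__ == "__main__":
    for name, rec in (("expired account", EXPIRED_ACCOUNT), ("expired password", EXPIRED_PASSWORD)):
        print(name, "->", logon_blockers(rec, NOW, max_pwd_age_days=90, lockout_minutes=30))
```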