VMware Horizon Community
duhaas
Enthusiast
Enthusiast
‎08-28-2012 01:01 PM
Jump to solution

ZeroClient and View Pool Selection Screen

Currently have an issue when a user selects a desktop pool, should that pool be out of desktops, they will get the message that no desktops are avilable and than just walk away from the machine.   THe issue is anyone could come up behind them and retry.  Is there anyways to drive that timeout or logoff after an unsuccessfull attempt at connecting to pool

Tags (1)
0 Kudos
1 Solution

Accepted Solutions
Linjo
Leadership
Leadership
‎08-28-2012 06:08 PM
Jump to solution

No thats not the one, did a bit of research and this was actually added in View 4.6.

Here is from the admin-guide:

Set a Single Sign-on Timeout Limit for View Users

By default, when a user logs in to View Connection Server from View Client, single sign-on (SSO) is enabled. The user does not have to log in again to connect to the View desktop. During a desktop session, a user can leave the desktop, allow it to become inactive, and return without having to authenticate again. To reduce the chance that someone else could start using the desktop session, you can configure a time limit after which the user's SSO credentials are no longer valid.

You configure the SSO timeout limit by setting a value in View LDAP. When you change View LDAP on a View Connection Server instance, the change is propagated to all replicated View Connection Server instances.

The timeout limit is set in minutes. The time limit counter starts when the user logs in to View Connection Server. For example, if you set the value to 10 minutes, the user's SSO credentials are invalidated 10 minutes after the user logs in to View Connection Server.

NOTE On View desktops that are used in local mode, a checkout operation that takes longer than the SSO timeout value causes the user's SSO credentials to expire. For example, you might set the SSO timeout limit to 10 minutes. A user might log in to View Connection Server and check out a desktop. If the checkout takes 20 minutes, the user must log in again to connect to the local desktop, even though the user has not yet spent any time in a desktop session.

20

VMware, Inc.

Prerequisites

See the Microsoft TechNet Web site for information on how to use the ADSI Edit utility on your Windows operating system version.

Procedure

  1. 1  Start the ADSI Edit utility on your View Connection Server host.

  2. 2  Select or connect to DC=vdi, DC=vmware, DC=int.

  3. 3  On the object CN=Common, OU=Global, OU=Properties, set the pae-SSOCredentialCacheTimeout attribute to the new SSO timeout limit in minutes.

    The default value is -1, which means that no SSO timeout limit is set. A value of 0 disables SSO.

On remote desktops, the new SSO timeout limit takes effect immediately. You do not need to restart the View Connection Server service or the client computer.

On desktops that run in local mode, the new SSO timeout limit takes effect the next time a client computer that hosts the local desktop sends a heartbeat message to View Connection Server.

Hope this helps.

// Linjo

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".

View solution in original post

0 Kudos
9 Replies
Linjo
Leadership
Leadership
‎08-28-2012 02:24 PM
Jump to solution

What version on View are you on? If I remember correctly there is a timeout implemented in View 5 but its quite long.

// Linjo

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
duhaas
Enthusiast
Enthusiast
‎08-28-2012 02:27 PM
Jump to solution

Currently running with version 5.1, I believe your referring to the desktop timeout:

http://monosnap.com/image/503d3785e4b0ca82e9f1298f.png

Problem is I'm not sure if that options is relavant since in this case, the user never establishes a connection with the desktop.

0 Kudos
Linjo
Leadership
Leadership
‎08-28-2012 06:08 PM
Jump to solution

No thats not the one, did a bit of research and this was actually added in View 4.6.

Here is from the admin-guide:

Set a Single Sign-on Timeout Limit for View Users

By default, when a user logs in to View Connection Server from View Client, single sign-on (SSO) is enabled. The user does not have to log in again to connect to the View desktop. During a desktop session, a user can leave the desktop, allow it to become inactive, and return without having to authenticate again. To reduce the chance that someone else could start using the desktop session, you can configure a time limit after which the user's SSO credentials are no longer valid.

You configure the SSO timeout limit by setting a value in View LDAP. When you change View LDAP on a View Connection Server instance, the change is propagated to all replicated View Connection Server instances.

The timeout limit is set in minutes. The time limit counter starts when the user logs in to View Connection Server. For example, if you set the value to 10 minutes, the user's SSO credentials are invalidated 10 minutes after the user logs in to View Connection Server.

NOTE On View desktops that are used in local mode, a checkout operation that takes longer than the SSO timeout value causes the user's SSO credentials to expire. For example, you might set the SSO timeout limit to 10 minutes. A user might log in to View Connection Server and check out a desktop. If the checkout takes 20 minutes, the user must log in again to connect to the local desktop, even though the user has not yet spent any time in a desktop session.

20

VMware, Inc.

Prerequisites

See the Microsoft TechNet Web site for information on how to use the ADSI Edit utility on your Windows operating system version.

Procedure

  1. 1  Start the ADSI Edit utility on your View Connection Server host.

  2. 2  Select or connect to DC=vdi, DC=vmware, DC=int.

  3. 3  On the object CN=Common, OU=Global, OU=Properties, set the pae-SSOCredentialCacheTimeout attribute to the new SSO timeout limit in minutes.

    The default value is -1, which means that no SSO timeout limit is set. A value of 0 disables SSO.

On remote desktops, the new SSO timeout limit takes effect immediately. You do not need to restart the View Connection Server service or the client computer.

On desktops that run in local mode, the new SSO timeout limit takes effect the next time a client computer that hosts the local desktop sends a heartbeat message to View Connection Server.

Hope this helps.

// Linjo

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
duhaas
Enthusiast
Enthusiast
‎08-29-2012 08:08 AM
Jump to solution

I guess the one point of clarification I have is, does this only apply to a user that has actually initiated a desktop session, vs a user who might login to the View Client from in this case a zero client, they leave the Desktop Pool selection screen open and than leave, without logging off.  Will the timeout force a user to relogin after lets say a minute

0 Kudos
Linjo
Leadership
Leadership
‎08-29-2012 08:27 AM
Jump to solution

I don't know, have not played around with this setting.

I would expect it to be regardless if the user initiaded a session or not and that the user have to reauthenticate if the timeout is exceeded.

// Linjo

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
gmtx
Hot Shot
Hot Shot
‎08-29-2012 02:06 PM
Jump to solution

You asked a great question so I decided to check for myself. After verifying the default SSO timeout was set to 15 minutes, I opened a View session on a zero client and when I got to the pool selection screen I did nothing for about half an hour. After the delay, I clicked on "Connect" and was shown the VDI desktop login screen, but not automatically logged in, so it appears the SSO timeout works as advertised. Tried the same thing with the View software client on a regular PC and got the same result.

Geoff

BTW, if anyone's having trouble finding the setting using ADSIEdit, you have to get to the container in reverse, i.e. go to Properties, Global, and then right-click on Common and select Properties.

duhaas
Enthusiast
Enthusiast
‎08-29-2012 02:48 PM
Jump to solution

This is great information, will have to test it here as well.  Another question I have is, it would be nice if the next user wouldnt even have the ability to launch a desktop from a pool.  The example would be, if the previous user had access to three pools, I walk up and typically only have access to two, nothing would stop me from launching a desktop from the third pool and logging in using my credentials if we as an organization dont do anything to prevent that.  Its nice that it doesnt SSO the previous user to the desktop, but again, it would still allow me to attempt to login.

0 Kudos
Linjo
Leadership
Leadership
‎08-29-2012 03:07 PM
Jump to solution

I see your point, the question is how this functionality should be implmented.

Could you please make a post in how you would like it to work and we can feed that into product management for future versions?

// Linjo

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".
duhaas
Enthusiast
Enthusiast
‎08-31-2012 06:31 AM
Jump to solution

Thanks Linjo for all your feedback and spoke with VMware support as well about the topic and recieved the same feedback.  Thanks again.

0 Kudos