Category: Horizon
Notes from the field: Horizon and the locked.properties debacle
On a recent Horizon deployment version 2212.1 we just couldn’t get the workings correctly with the portalhost/balancedhost entries, the “workaround” for that matter until we get it sorted out is to turn back on the unexpected host feature like below: allowUnexpectedHost=true checkOrigin=false enableCORS=false Well this worked only for the original installed URL of the connection…
Notes from the field: The Kerberos chronicles, the one with certificate-based authentication
If you’ve read my previous Kerberos chronicles blogs you see a trend with the Microsoft patches, hardening updates and with this one the upcoming strong mapping / full enforcement mode of certificate-based authentication. See the following article for explanation: KB5014754—Certificate-based authentication changes on Windows domain controllers – Microsoft Support This one is going to have…
Notes from the field: Microsoft Azure MFA Number Matching and the one with NPS extension
Regarding the upcoming change of Microsoft MFA number matching, some customers started to ask me hey what’s going on? Do we need to do something? Is there any impact for our users? Well, the short answer is yes. The long answer is well it depends, can we live with the current setup or is there…
Notes from the field: The Kerberos chronicles, the one with VMware TrueSSO
After a lengthy and cumbersome troubleshoot on a VMware TrueSSO setup finally had the time to blog this one. In summary the situation with a customer was a working VMware TrueSSO setup which stopped working, after lengthy troubleshooting we opened a support case with VMware and later also with Microsoft. The issue was manifesting in…
Notes from the field: VMware Horizon instant clone breaks with Kerberos armoring
On my current customer project we’ve encountered a strange issue when some stricter security policies were implemented. Kerberos armoring was enabled which effectively broke the instant clone process for Windows 10 1809/1909 releases but not for 2009 or 21H2. It all started with a ticket that the image update process in Horizon would error out…
Notes from the field: VMware Access with VMware UAG and JWT validation
It’s been a while since I’ve retested the setup with validating gateway request with JWT entries, because I thought it was depending on an appliance such as F5 for it to work. See Launching Horizon Resources Through Validating Gateways (vmware.com) I did try and configure it none the less but never got it farther then…
Notes from the field: VMware UAG and Citrix ADC scenario’s
On a recent project we were testing some scenario’s for the usage of VMware Blast BEAT through Citrix ADC. For some more information regarding Blast see the following article: VMware Blast Extreme Optimization Guide | VMware Normally you would see that the Citrix ADC setup is an SSL-BRIDGE vserver with accompanying UDP vserver on the…
Notes from the field: VMware Horizon sessions disconnecting after syslog changes on UAG
On a recent project where we have VMware Horizon 7.13 and UAG 20.09 appliances for the external connections some strange behavior was observed when putting in the syslog URL entries. After adding or removing entries here and saving the settings all the connections through the UAG will get terminated. Finding this behavior strange as to…
Notes from the lab: Bye Bye VMware View Composer
I was upgrading my lab to VMware Horizon 2012 and yes shame on me I still had an composer in my setup. It was already mentioned that VMware Composer is deprecated from the 2006 release but now in 2012 it will block your upgrade when you still have it enabled. Only after disabling composer on…
Notes from the field: VMware Horizon Instant Clone and Imprivata OneSign
On a recent project consisting of an VMware Horizon instant clone setup and Imprivata OneSign in the desktop for SSO capabilities I’ve encountered some strange timing issues. Normal logins through the horizon client via connection server would be ok with the OneSign agent online, logins through the UAG without TrueSSO would also be okay. (so…