
Monthly Archives: December 2010

The Virtual Whiteboard Jungle – Chapter 2

by Andy Powell – Sr. Business Strategist, End User Computing

 

Chapter 2: Life after the physical PC

It sits there in the classroom, lab, backpack or library.  It is a portal to unlimited resources. It is seen by many well-intentioned people as the key to the future, and one of the most important things that we can provide to our students and teachers. Those that brought it, fought for it through referendum, grants and bake sales. In many cases, photos and speeches heralded its coming to the lucky and progressive district. It sits there, and only there. The software to provide enlightenment and development, the applications that fulfill the promise of the investment sit there too.  It is like a book in a locker, but it has to be actively maintained and supported.  It is like a map on a wall, but it needs electricity and a network to be engaged. It is like a pencil next to the paper, but the user has to have significant and specialized training to make it work. It is a tool. It sits there and only there, until someone can use it.

The physical PC is expensive, even though the per unit cost has been driven down over time.  It is the support/maintenance that becomes the Achilles' heel of the PC.  See the CoSN-Gartner TCO Case Studies for more on this.

The value can be debated.  See The Cost-Benefit Analysis of Computers in Schools and A Puzzling Fact about High-Tech Use in Classrooms for more on this.

The result of much of our investment in technology has been focused on what we can see.  That is why it sits there.  We can point to it and say "See what we provided you!!!!"  However, like the locker bound book, the map on the wall, and the pencil on the paper, the PC is of no use if someone is not in front of it.  Considering that schools are only open for a very limited amount of time (if you consider a 24X365/year model), the investment is even more inefficient. And, don't forget about the other parts:  We have significant investment in applications, curriculum and training. We have significant investments in school network access through E-Rate. We have an ever increasing number of access devices that are being used. So, what do we do with it? Transform it from physical to virtual.  Make it not an "it is there" limitation, but an "it is where you are" revelation.

Next up… Chapter 3:  I don't get virtualization…

Previous… Chapter 1: Lessons, thoughts and Ideas for the virtualization of End User Computing for Education

Hi. My name is Betty and I love VDI.

I know the title sounds like the beginning of some sort of VDI anonymous or support group but it’s not.  I am proud to say “I LOVE MY VIEW VM!”  I access my corporate workspace from my zero client, laptop, home PC, other people’s computers, iPhone and soon iPad.  Currently I am writing this post from my home office via my View 4.5 virtual machine.

And no I’m not a call center agent.  I am what you would classify as a “knowledge worker/road warrior” and I travel frequently for my awesome job.  So I am on a plane, on the road about 1-2 times a month.  AND I STILL USE VDI.

The reality is, most of us are a good fit for VDI.  My opinion is that people are scared of change so that keeps them from adopting a model that is really better than the one they are used to.

My relationship with my VM is a long one… We first met about 3 years ago and it made me suffer through RDP.  But the greater value of being able to have MY workspace follow me across a variety of devices changed the way I worked.  Experiencing almost no downtime from several different hardware failures made me commit to VDI.  The only downtime I had was the time it took me to walk over to another device and log in.  No need to try and extract my documents from a hard drive or reinstall a bunch of apps.  The only thing standing between me and my workspace was a little login screen (which you can carry around on a USB stick).

PCoIP took our relationship to a whole new level.  It’s a whole new experience – I almost cannot describe how awesome it is.  Sometimes the WAN is slow but that only means the screen goes out of focus, but it doesn’t impact my ability to interact with the applications (aka, no more screen painting and no more waiting).  Who cares if the picture is fuzzy if everything else is still in real time?  For most workers out there, if having the occasional fuzzy picture defines your inability to use VDI, it means you’re just looking for an excuse to avoid change.

Yes change is scary and difficult in the beginning but is often beneficial.  And VDI isn’t a complete departure from what you already know. VDI is an evolution of the desktop – taking what you need from the traditional PC and giving you a workspace accessible from whatever and wherever you need it.

By the way – Wifi on planes is sufficient to access VDI, hotel internet – also fine and so is 3G.  Besides, how much work are you really doing on a plane?  The best thing about VDI is that my workspace state is always as I last left it when I disconnected – saving me a ton of time.  When most workers are "offline", it's because they are 1) in a meeting, 2) driving or flying, or 3) wouldn't be using the computer anyway, so it's a bit misleading to think that every second you are offline you actually need an environment to work in.  Plus, most road warriors know where all the free wifi spots are or have a laptop internet card, which are both sufficient to access your VM.  And with more client support coming in View, why even bother with your laptop when on the road?  Just use your iPad or other fancy tablet…

So what are you waiting for?  Go get yourself one.

The Virtual Whiteboard Jungle

by Andy Powell – Sr. Business Strategist, End User Computing

 

Chapter 1 – Lessons, thoughts and Ideas for the virtualization of End User Computing for Education

What we want… Do we really know?

The calls are often made by educators, parents, politicians and students: We need to integrate more technology into our curriculum delivery.  We need to use technology to enhance the education experience.  We need to infuse technology into our classrooms to ensure we have students ready for 21st century jobs. We need PCs in every classroom and notebooks in every backpack!

But what are we really doing when we force technology into a situation just to be using technology?

Are we making ourselves feel good because we are doing "something", without really looking at how technology can and should be utilized?

Are we really providing our educators with a "better mouse trap" or just a different mouse?  Are our students getting a "better interface" to education and learning or just another GUI?

Does the magic PC box provide us what we really need?

One can see that many school districts and universities list a ratio of students per computers as being a sign that they are progressive. But what relevance does the number of computers per student really have?  If those machines are 4 years old (or older!), have limited software, and continually break down, what value do they really have to the student? A major advantage of a book is that the knowledge is mobile, and the cost for that mobility is included in the purchase price.  Can you say the same for applications that are loaded on a physical desktop in a classroom?  Sure, the information on the printed page can become out of date, but doesn't the same apply to a computer based curriculum as well?  And, if a book becomes damaged, how many hours of a technician's time does it take to fix the book?  Does a book become infected with a damaging virus that can release sensitive information to the world and affect the other books in the district?  Clearly, it is not a completely clean comparison, but the case can be made that a PC desktop is not an effective tool for education. Where is the freedom? Where is the mobility? Is this what we wanted?

We have been trapped by the success of a technology.  Client / Server application deployment and its most popular extension, PC desktop applications, replaced the mainframe/timeshare model of the 60s and 70s. We liked the PC because it gave us freedom from the structured control, poor interfaces, limited applications and slow pace of the mainframe model.  The PC gave developers the platform, marketspace and incentive to release the creative wave to make the applications that drove technology into the classrooms in the 80s and 90s. Those devices and their applications crept into the classroom as new curricula were developed to take advantage of interactive graphics and sound. We became a captive of ReaderRabbit and CAD applications.  Now the Web appeared, and all was going to be easy and free.  The promise of the browser, and collaborative communities around the world seemed to be the full answer.  But, the browser ran on a PC. The web applications needed plug-ins. The PCs needed virus/malware protection because they were connected to external networks.   But the PC was cheap to buy, until you realized (and many still have not considered this) the costs associated to support the OS updates, application updates, security updates, printer drivers, device drivers.  And, you were still stuck with only being able to do this from the device that is on your desk or lab. Where was the freedom? Is this what we wanted?

In reality, the old desktop model is actually taking away time, effort and money from school districts rather than adding significant value. The old desktop model requires continued attention, updating and support for a device that can only be used 7 hours a day… at best.  This is like being only able to see the video content that you have at your desk.  And you have to maintain the video tape player, because the district did not have the funding to buy you/your classroom a DVD player. So much for the new content that is being delivered in a new format…  Is this what we wanted?  An interesting view from Todd Oppenheimer.

It would appear that what we want is freedom, flexibility and accessibility with security and control.  And of course, we would like it with a low cost of acquisition and a low and predictable cost of support. The PC desktop model gives us some, but not enough.  The desktop limits our access and choices.  It controls our budgets and time by the immense effort that it takes to maintain and support. It is a dead end… just like the video tape player, analog telephone and broadcast television.   To be exact, it is access and mobility, not the device that is important.  A student survey of technology is listed here.

 

I am hoping that this blog can act as a meeting of the minds for the discussion of technology in education.  Now granted, I would like to tighten the focus of conversation to the concept of how an "end-user computing" model can benefit schools better than the traditional "pc centric" model, but would be happy to expand the conversation in later chapters.  Let me know what you'd like to hear about in the comments below.

Next up: Chapter Two – Life after the desktop PC

 

 

Troubleshooting single sign-on into a remote desktop in View

Note: This is the second in a series of articles about troubleshooting authentication in View.  The previous article in the series was: Troubleshooting smart card authentication using the Windows View Client.

When I get requests to troubleshoot single sign-on for a customer, the decision tree often is a bit complicated given the variety of Windows versions, protocols, and 3rd-party products we support.  So I wanted to write a post about how I tend to troubleshoot single sign-on problems into a remote desktop.

The most important variables are: 1) protocol (e.g. RDP, PCoIP, or Local Mode), 2) authentication method (password, smart card, proximity card, or biometric), 3) remote desktop OS (with Vista, Microsoft significantly rewrote their authentication stack), and 4) whether any 3rd-party single sign-on products are installed in the remote desktop (e.g. Imprivata OneSign).

Third-party single sign-on products

When installing third-party SSO programs, we recommend that you install the 3rd-party product first, then install the View Agent.  On XP, this allows us to set up GINA chaining so our GINA is primary and the 3rd-party GINA is secondary.  I am not aware of any 3rd-party GINAs that we don't work with; the only one that needs a little work is the Novell Client GINA when connecting over PCoIP (see VMware KB article 1025114 for more information).  Note that in View 4.0, PCoIP SSO would fail when GINA chaining was enabled; this is fixed as of View 4.0.1 and later.  On Vista and later, Imprivata recently fixed some issues they had, so if you have a recent version of OneSign it should work fine side-by-side with our single sign-on functionality.

To verify that GINA chaining is set up correctly on XP remote desktops, open regedit on the Agent and navigate to the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".  You should see a REG_SZ named "GinaDLL" that is set to the absolute path of our GINA, wsgina.dll.  This means that the VMware View Agent's GINA is the primary GINA, which is required.  In that same registry key, you should see a REG_SZ named "VdmGinaChainDLL", which should be set to the absolute path of the 3rd-party GINA that is also installed.  With both of these registry values set correctly, this GINA chaining should cause VMware View's SSO to work correctly and the 3rd-party software to function as well.
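The same check as a script, for running on the XP remote desktop itself. This is an added example, not VMware code: the key, value names and wsgina.dll come from the paragraph above, the function names and the `-ThirdPartyGinaInstalled` switch are hypothetical, and it assumes PowerShell 2.0 is installed on the desktop (a separate download on XP).

```powershell
# Added example (not VMware code): verify GINA chaining on an XP View Agent desktop.
# Key, value names and wsgina.dll are from the article; function names are hypothetical.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegistryValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Test-DllPath([string]$ValueName, [string]$DllPath) {
    # The article asks for absolute paths; also confirm the DLL is actually on disk.
    if (-not [IO.Path]::IsPathRooted($DllPath)) {
        return "$ValueName is '$DllPath', which is not an absolute path."
    }
    if (-not (Test-Path -LiteralPath $DllPath -PathType Leaf)) {
        return "$ValueName points to '$DllPath', but that file does not exist."
    }
    return $null
}

function Test-GinaChain([switch]$ThirdPartyGinaInstalled) {
    $findings = @()
    $primary = Get-RegistryValue $WinlogonKey 'GinaDLL'
    $chained = Get-RegistryValue $WinlogonKey 'VdmGinaChainDLL'

    if (-not $primary) {
        $findings += 'GinaDLL is not set, so the View Agent GINA is not the primary GINA.'
    } else {
        # -ne is case-insensitive, so WSGINA.DLL also matches.
        if ([IO.Path]::GetFileName($primary) -ne 'wsgina.dll') {
            $findings += "GinaDLL is '$primary': wsgina.dll is not the primary GINA."
        }
        $problem = Test-DllPath 'GinaDLL' $primary
        if ($problem) { $findings += $problem }
    }

    if ($chained) {
        if ([IO.Path]::GetFileName($chained) -eq 'wsgina.dll') {
            $findings += 'VdmGinaChainDLL points at wsgina.dll instead of the 3rd-party GINA.'
        }
        $problem = Test-DllPath 'VdmGinaChainDLL' $chained
        if ($problem) { $findings += $problem }
    } elseif ($ThirdPartyGinaInstalled) {
        $findings += 'VdmGinaChainDLL is not set, so the 3rd-party GINA is not chained.'
    }

    if ($findings.Count -eq 0) { $findings += 'OK: GINA chaining is set up as described.' }
    return $findings
}

# Pass the switch only when a 3rd-party GINA product is installed on this desktop.
Test-GinaChain -ThirdPartyGinaInstalled
```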

XP remote desktops

For XP remote desktops, our single sign-on functionality stays out of the way for most of the time.  With PCoIP and Local Mode, it does the programmatic equivalent of setting the text of the username and password edit boxes and clicking the OK button.  With RDP, it uses functionality built into Windows to provide the credentials directly to Windows.  As a result, in all cases, the chance of problems here is pretty small.

One known issue is when connecting via RDP to XP remote desktops that have multiple vCPUs configured.  There is a race condition here where single sign-on will occasionally fail.  We will have a fix in our next release, but for now the only workaround you can provide is to change the VM to use only 1 vCPU or just use PCoIP instead of RDP.  This issue is described more directly in the View 4.5 Release Notes.

If you aren't running into the previously mentioned known issue and you configured 3rd-party software correctly (or don't have any), there is no good reason for SSO to fail and it is best to work with VMware support to see if any of the components are not communicating correctly.  In a case like this, submitting TRACE logs from the View Agent is important.  You can also post questions to the VMware Forums.

Vista and Win7 remote desktops

For Vista and Win7 remote desktops, the single sign-on process is a bit more complicated.  People tend to report issues in terms of "single sign-on isn't working", but there are many ways in which the failure could manifest.  It is best to start with the question: when you connect to the remote desktop and single sign-on fails, what screen do you see?

If you see the "Press Ctrl+Alt+Delete to log on" screen

This means that a Windows policy is not set correctly.  This problem can only happen in PCoIP connections and Local Mode desktops.  When the desktop is launched, the View Agent signals a Ctrl+Alt+Del to start the login process but Windows must be configured to allow this to happen.  The View Agent installer configures Windows to do this, but oftentimes administrators will override this with a GPO and not realize that they did this.  The registry value we set is "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration", and it is best to check that registry value in the problematic remote desktop to see what it is set to.  The GPO that controls this registry value is named "Disable or enable software Secure Attention Sequence".  Our installer sets the registry value to 1 (corresponding to the Services option).  This value is required to either be 1 (Services) or 3 (Services and Ease of Access Applications).

If you see a screen with tiles or one tile automatically selected

A tile corresponds to a method of authentication or a credential.  You tend to have one tile per certificate on a smart card, one tile for the most recent password user, and one tile to provide a different password user.  When connecting in this case, Windows may leave you at a screen with multiple tiles or it may automatically select the last tile and show you some username/password controls.  Regardless, the causes for getting into this situation are the same.

One problem that could cause this is if you have "AllowSingleSignOn" GPO set to "false" and we didn't try SSO.  Another problem that could cause this (however only for PCoIP; RDP doesn't have this requirement) is if you have the "Interactive logon: Do not require Ctrl+Alt+Del" GPO set to "Enabled".  We require that this GPO be disabled or not set, because our SSO code depends on our View Agent signaling a SSO after the connection.
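The two Windows policy requirements covered so far (software SAS generation from the Ctrl+Alt+Delete section, and "Do not require Ctrl+Alt+Del" from the paragraph above) can be checked together on the remote desktop. This is an added example, not VMware code: the function and parameter names are hypothetical, and `DisableCAD` is the standard registry value behind that Windows policy rather than a name given in the article. The "AllowSingleSignOn" GPO is not checked because the article does not say where it is stored.

```powershell
# Added example (not VMware code): check the Windows policies the article lists
# for View SSO on Vista/Win7 desktops. Function and parameter names are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue([string]$Name) {
    # Returns $null when the policy value is not present.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Test-ViewSsoPolicy {
    param([ValidateSet('PCoIP', 'LocalMode', 'RDP')][string]$Protocol = 'PCoIP')
    $findings = @()

    # Software SAS: per the article only PCoIP and Local Mode depend on it, and the
    # value must be 1 (Services) or 3 (Services and Ease of Access Applications).
    if ($Protocol -ne 'RDP') {
        $sas = Get-PolicyValue 'SoftwareSASGeneration'
        if ($null -eq $sas) {
            $findings += 'SoftwareSASGeneration is not set; expect the Ctrl+Alt+Delete screen.'
        } elseif (@(1, 3) -notcontains $sas) {
            $findings += "SoftwareSASGeneration is $sas (must be 1 or 3); look for a GPO " +
                         "named 'Disable or enable software Secure Attention Sequence'."
        }
    }

    # "Interactive logon: Do not require Ctrl+Alt+Del" must be Disabled or not set
    # for PCoIP; RDP has no such requirement. DisableCAD = 1 means it is Enabled
    # (value name is standard Windows policy backing, not taken from the article).
    if ($Protocol -eq 'PCoIP') {
        $cad = Get-PolicyValue 'DisableCAD'
        if ($cad -eq 1) {
            $findings += "DisableCAD is 1: 'Do not require Ctrl+Alt+Del' is Enabled; " +
                         'expect to land on the tile screen.'
        }
    }

    if ($findings.Count -eq 0) { $findings += "OK: no policy conflict found for $Protocol." }
    return $findings
}

Test-ViewSsoPolicy -Protocol PCoIP
```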

But more likely, the issue depends on the method of authentication.  If you did password authentication to the View Connection Server, the only real explanation here is that there was some sort of communication error in getting the credentials to our SSO components; VMware support or our forums could help you with this issue.  If you did smart card authentication to the View Connection Server, then the most likely problem is that our SSO component couldn't find the correct certificate on a smart card.  Problems that could cause this would be: 1) you are using PCoIP but didn't choose to install the "PCoIP Smart Card" option in the View Agent installer, 2) you are using Local Mode but didn't install the Microsoft USB CCID driver that we require, 3) the smart card wasn't completely inserted when SSO was being attempted in the remote desktop, or 4) you didn't install the middleware your smart card requires on the remote desktop.  If you want to get more info, open the View Agent log and search for the most recent occurrence of the string "GetSerialization".  Immediately after that, you will see some log lines that give information about the certificates that the SSO code found.  They are in a format pretty similar to those described here in the section discussing "IsValidCertificate".

If you see a "VMware SSO User" tile automatically selected

The other screen you may see when single sign-on fails is a screen that says "VMware SSO Tile" and only has a Cancel button.  If you see this, it means that our single sign-on failed for some reason, but there is no general guidance I can give here.  You would want to post a question on the Forums with info about what you are seeing.

Woot! View 4.5 Selected as an eWeek 2010 Product of the Year!

Here at VMware, we're used to raking in a lot of awards.  But every now and then one comes along that you've gotta stand up and shout about.  We're a little extra chuffed over this one:

eWeek 2010 Product of the Year: VMware View 4.5

Aside from the fun of rubbing award season elbows with the likes of the Apple iPad, what's extra gratifying here is the very hard work that went into this release coupled with the broad validation of exactly what we were trying to accomplish:

VMware View 4.5 showed that it is possible to operate a secure, manageable and scalable virtual desktop infrastructure in 2010.

It's commonly asserted that the industry is near a key tipping point where desktop virtualization moves from niche to mainstream.  And let's not kid ourselves, many debate whether that point is here today, or still a year or two out.  With View 4.5, we set out to make sure that the broad promise of secure, manageable and scalable VDI really could become a reality for a much broader range of organizations in 2010.  Many on the team worked heads down on the release for over two years to make that vision possible; many customers provided us invaluable feedback and guidance along the way.

Thanks everyone who helped make View 4.5 what it is today!

Thanks eWeek for recognizing that the future is now, and that View 4.5 plays a big role in getting us here.

- The View 4.5 Product Team