To improve the security of the Horizon environment, we are making some changes in the upcoming Horizon 7.8 release. By default, the servers will no longer send the list of domains to clients, so information about the company environment is not disclosed before a user authenticates.
However, this improvement requires that end users provide their domain information during logon. In other words, they will no longer select the correct domain from a drop-down.
What this means
There are a variety of use cases, but the highlights are:
• In multi-domain environments, end users will have to enter their user principal name (UPN) or domain\username to authenticate
• Logon as Current User does not work with the default settings
But don’t despair! We know habits can be hard to break. It will take time to train end users to change the login process they have been doing every day for years. For this reason, and because the older clients expect some value in the domain list, we have created settings so our customers can select a balance between ease of use and security.
Logon as Current User
In order for the Logon as Current User feature to work, the broker must provide the Connection Server's Service Principal Name (its Windows identity) to the clients prior to user authentication. This information is now withheld by default, but it can be provided by enabling the Accept logon as current user setting in Horizon Administrator.
If the setting is not enabled, users are required to enter credentials even if they have enabled Logon as Current User on the client. When deciding whether to enable the Accept logon as current user setting for a server, consider the threat level to your domain-joined devices.
Domain Information Settings
There are two settings the administrator can set.
Send domain list
By default, the Send domain list setting is off. Administrators can choose to send the list of available user domains to connecting clients prior to user authentication. If provided, the list will be available in a drop-down menu.
Note that if the clients connect to the environment through a Unified Access Gateway appliance that is configured to perform two-factor pre-authentication, the risk is greatly diminished since the end user has already pre-authenticated. For more information on configuring two-factor authentication for a Unified Access Gateway appliance, see the Unified Access Gateway documentation at https://docs.vmware.com/en/Unified-Access-Gateway/index.html.
Hide domain list
The Hide domain list in client user interface setting has been in the Horizon broker for some time. It does not control whether the broker sends the list, only whether the list is visible to the end user. In previous releases, this setting was disabled by default and the client showed the domain list as a drop-down. Upgrades will honor the existing setting, but new installations of the server will set this value to enabled, hiding the domain list.
Older Horizon Clients expect some value in the domain list and will block login if the domain list is empty. For this reason, if Send domain list is disabled, the Horizon 7.8 broker sends a dummy value, *DefaultDomain*. The end user sees this value in the client UI. If the user logs in with a bare username, the broker applies the one available domain and authenticates the user. If there are multiple domains, authentication fails.
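As an added illustration (not VMware code), the following Python model captures the broker behaviour described in the Logon as Current User and Hide domain list sections above: which pre-authentication details the broker discloses under each setting, and how it resolves a bare username, a domain\username, or a UPN against its configured domains. The Broker class, the SPN value and the domain names are constructed for the example; the client-version differences shown in the tables below are not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Dummy value the Horizon 7.8 broker sends in place of real domain names (from the article).
DEFAULT_DOMAIN_PLACEHOLDER = "*DefaultDomain*"


@dataclass
class BrokerSettings:
    # Defaults of a fresh Horizon 7.8 install as the article describes them.
    send_domain_list: bool = False
    hide_domain_list: bool = True
    accept_logon_as_current_user: bool = False


@dataclass
class Broker:
    domains: List[str]      # user domains the broker can authenticate against (upper-case NetBIOS names)
    spn: str                # Connection Server's Service Principal Name (constructed sample value)
    settings: BrokerSettings = field(default_factory=BrokerSettings)

    def pre_auth_info(self) -> dict:
        """Everything an unauthenticated client learns before it sends credentials."""
        return {
            "domains": list(self.domains) if self.settings.send_domain_list
            else [DEFAULT_DOMAIN_PLACEHOLDER],
            "show_domain_dropdown": not self.settings.hide_domain_list,
            # The SPN is required for Logon as Current User; withheld unless explicitly accepted.
            "spn": self.spn if self.settings.accept_logon_as_current_user else None,
        }

    def resolve_logon(self, typed: str) -> Optional[Tuple[str, str]]:
        """Map a typed credential to (user, domain), or None when the broker cannot pick a domain.

        Accepted forms: 'user@corp.example' (UPN), 'CORP\\user' (down-level), or a bare 'user'.
        """
        if "@" in typed:
            # UPN: Active Directory resolves the suffix, so no drop-down value is needed.
            return typed, typed.rpartition("@")[2].lower()
        if "\\" in typed:
            domain, _, user = typed.partition("\\")
            if domain != DEFAULT_DOMAIN_PLACEHOLDER:
                return (user, domain.upper()) if domain.upper() in self.domains else None
            typed = user  # an older client echoed the dummy entry: treat it as a bare username
        # Bare username: the broker can only fill in the domain when exactly one exists.
        return (typed, self.domains[0]) if len(self.domains) == 1 else None
```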
Combinations
The following tables describe logon scenarios for the Horizon 7.8 server, by client version.
Horizon Clients 4.10 and earlier
Logon Scenarios | Settings | Results
--- | --- | ---
One domain, optimized for user experience with improved security | • Hide domain list in client user interface = false • Send domain list = false | • Username works • Domain\username fails • UPN works • Command line with domain fails
Multiple domains, optimized for user experience with improved security | • Hide domain list in client user interface = true • Send domain list = false | • Username fails • Domain\username works • UPN works • Command line with domain works
Optimized for user experience, maintain the Horizon 7 version 7.7 experience | • Hide domain list in client user interface = false • Send domain list = true | • User selects domain from a drop-down menu • Username works • Domain\username works • UPN works • Command line with domain works
Optimized for security | • Hide domain list in client user interface = true • Send domain list = false | • Username fails • Domain\username works • UPN works • Command line with domain works
Horizon Clients 5.0
Our latest client has been updated to give users a better experience when administrators enable the higher-security settings.
Logon Scenarios | Settings | Results
--- | --- | ---
One domain, optimized for user experience with improved security | • Hide domain list in client user interface = true • Send domain list = false | • Username works • Domain\username works • UPN works • Command line with domain works
Multiple domains, optimized for user experience with improved security | • Hide domain list in client user interface = true • Send domain list = false | • Username fails • Domain\username works • UPN works • Command line with domain works
Optimized for user experience, maintain the Horizon 7 version 7.7 experience | • Hide domain list in client user interface = false • Send domain list = true | • User selects domain from a drop-down menu • Username works • Domain\username works • UPN works • Command line with domain works
Optimized for security | • Hide domain list in client user interface = true • Send domain list = false | • Username fails • Domain\username works • UPN works • Command line with domain works
Upgrade to Horizon 7.8
As you plan your upgrade to Horizon 7.8, please consider the settings that make sense for your organization.
For more information on configuring Horizon Connection Server version 7.8 domain settings to work with Horizon Clients earlier than version 5.0, see the VMware Knowledge Base article https://kb.vmware.com/s/article/67424.