Bug ID 446673: APM does not support VMware View 'Log in as current user' feature

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
14.0.0

Opened: Jan 29, 2014

Severity: 3-Major

Symptoms

Even though the 'Log in as current user' feature is enabled on the VMware View Connection Server, a Windows user who accesses a View resource through APM is asked to authenticate.

Impact

The user is required to authenticate to APM.

Conditions

1. The 'Log in as current user' feature is enabled on the VMware View Connection Server.
2. The VMware View Connection Server is behind APM.
3. The Windows user is in the same Active Directory domain as the View Connection Server and is already logged into the Windows desktop.
4. The user attempts to access a View resource through APM.

Workaround

There is no workaround at this time.

Fix Information

APM now supports the "Logon as current user" feature for the Horizon client on Windows under the following conditions:

1. Only the Horizon View Client for Windows is supported.
2. The client machine must be joined to the same Active Directory domain as the View Connection Server (VCS) and have direct* access to the AD Domain Controller (DC).
3. The access policy needs to be re-configured to accommodate this feature:
   a) Export the keytab file for the VCS (VMware Connection Server) computer account. Please consult the vendor regarding the export process.
   b) Create a Kerberos AAA server using the exported keytab file (GUI: Access -> Authentication -> Kerberos -> New; SPN format should be "Kerberos 5 NT Principal").
   c) Use this Kerberos AAA Server in the access policy "VMware View Logon Page" -> Kerberos Authentication option.

   Start -> [ Client Type ] -> {VMware View} -> [ VMware View Logon Page ] -> [ Kerberos Auth ] -> [ Advanced Resource Assign ] -> Allow

   Note: This support is limited to a single VCS. Multiple VCS is not yet supported.
4. When the VCS machine password is changed, repeat steps (a) to (c).

-------------
* [ VMware View Logon Page ] Option: "Kerberos Authentication" should use Kerberos AAA Server created in step (b).
[ Kerberos Auth ] Option: "AAA Server" should use Kerberos AAA Server created in step (b).
[ Advanced Resource Assign ] "VMware View Resource" should point to the same backend that has been used for the keytab file.
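An added example (not part of the F5 article, and not F5 or VMware code) for the keytab handled in steps (a), (b) and 4 above: it lists the principal, key version number (kvno) and encryption types in an exported keytab without returning key bytes, so the file can be confirmed as the VCS account's current export before it is uploaded. It assumes the MIT keytab file format 0x0502; the principal, realm and sample bytes are constructed placeholders.

```python
import struct

def counted(buf, at):  # 16-bit length, then that many bytes; returns (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, at)
    if at + 2 + n > len(buf):
        raise ValueError("field overruns its entry")
    return buf[at + 2:at + 2 + n], at + 2 + n

def parse_entry(buf):
    """Decode one entry to principal, kvno and enctype; the key is skipped, never returned."""
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm, cur = counted(buf, 2)
    comps = []
    for _ in range(ncomp):
        comp, cur = counted(buf, cur)
        comps.append(comp.decode())
    _name_type, _ts, kvno, enctype = struct.unpack_from(">IIBH", buf, cur)
    _key, cur = counted(buf, cur + 11)
    if len(buf) - cur >= 4:  # optional 32-bit kvno replaces the 8-bit one when non-zero
        kvno = struct.unpack_from(">I", buf, cur)[0] or kvno
    return {"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno, "enctype": enctype}

def parse_keytab(data):
    """List the entries of an MIT-format keytab (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        start, pos = pos + 4, pos + 4 + abs(size)
        if size == 0 or pos > len(data):
            raise ValueError("corrupt or truncated keytab entry")
        if size > 0:  # a negative size marks a deleted entry (hole), which is skipped
            entries.append(parse_entry(data[start:pos]))
    return entries

def inspect_for(data, expected):
    """Summarise the keys held for one expected principal; raise if there are none."""
    entries = parse_keytab(data)
    mine = [e for e in entries if e["principal"] == expected]
    if not mine:
        raise LookupError("no key for " + expected)
    return {"kvno": max(e["kvno"] for e in mine), "enctypes": sorted({e["enctype"] for e in mine}),
            "others": sorted({e["principal"] for e in entries} - {expected})}

def sample_entry(kvno):  # constructed sample: placeholder principal, all-zero 32-byte key
    return (b"\x00\x00\x00\x59\x00\x02\x00\x0cEXAMPLE.TEST\x00\x04host\x00\x10vcs.example.test"
            + struct.pack(">IIBH", 1, 0, kvno & 255, 18) + b"\x00\x20" + bytes(32) + struct.pack(">I", kvno))

SAMPLE = b"\x05\x02" + sample_entry(3) + sample_entry(4)  # two key versions of one principal
```

A machine password change in Active Directory normally raises the account's kvno, so a `kvno` lower than the previous export's points to a stale file. Entries under `others` are worth reviewing given that the fix supports a single VCS.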

Behavior Change
