VMware Horizon and Adobe Flash

I found myself in the need to carry out some checks on a horizon infrastructure that I could not access the administration console due to the now-famous problems of Adobe FLASH So I found it convenient to use the powercli, I report some scripts used. Running the scripts requires installing the necessary components which I have already discussed in a previous post of mine.

Script to show last user login to VMware Horizon in the last month

$connectionServer=Connect-HVServer -Server $hvserver -User $hvuser -Password $hvPassword -Domain $hvDomain

$Services1=$connectionServer.ExtensionData

$eventdb=Connect-HVEvent -DbPassword $eventDbPassword

$events=Get-HVEvent -HvDbServer $eventdb -TimePeriod month -SeverityFilter AUDIT_SUCCESS

 $events.events | Export-Csv C:\temp\VCSMonthLogin.csv

Script to display Horizon Session

Connect-HvServer -server $hvserver -User $hvuser -Password $hvPassword -Domain $hvDomain

$query = New-Object “Vmware.Hv.QueryDefinition”

$query.queryEntityType = ‘SessionLocalSummaryView’

$qSrv = New-Object “Vmware.Hv.QueryServiceService”

$qSRv.QueryService_Query($global:DefaultHVServers[0].ExtensionData,$query) |

Select -ExpandProperty Results |

Select -ExpandProperty NamesData |

Select-Object -Property UserName,DesktopType,DesktopName,MachineOrRDSServerDNS

Script to show user and assigned Computer

Connect-HvServer -server $hvserver -User $hvuser -Password $hvPassword -Domain $hvDomain

$AllVDIInfo = get-hvmachinesummary -PoolName $PoolName

$AllVDIInfo | Format-Table -AutoSize

a special thanks :

Horizon View API – The SLOG – SimonLong/Blog

VMware Horizon and Adobe Flash

VMware Horizon 2106

VMware a few days ago released a new Horizon Version.
The new build 2106 (8.3) brings with it some very interesting features from some relating to the security of intellectual property to those related to the Teams collaboration tool, here is a list of those that I consider the most interesting:

  • Implementation of GPO for blocking the ability to take screenshots of VDI sessions from Windows and MAC Clients
  • Possibility in the instant clone to use the Microsoft Sysprep (this function slows down the deployment of an IC by performing a series of reboots)
  • Functionality for applications of run indefinitely
  • Possibility to use TrueSSO SAML authentication for non-Trust domains
  • Horizon Agent has support for Windows Server 2022 (Currently in Preview)
  • The Horizon Client for Linux has the optimization for Teams (as in some versions the functionality for the Windows client was present)
  • Cloud Burst support to extend your on-prem workload to the Cloud in case of a high load.

More details in this video

VMware Horizon 8 (2106) What’s New – YouTube

VMware Horizon 2106

Horizon Web Client Customization

In the past, I’ve talked about how to customize the Horizon Web Client login page. Normally when you log in you are asked whether to continue with the Web Client or download the Windows client, if required we can omit this page.

To do this you need to change the following value:

enable.download=true

setting it as false

this parameter is found in the file portal-links-html-access.properties in the connection server folder C:\ProgramData\VMware\VDM\portal, if you have a connection server cluster you have to do the switch on all servers

Horizon Web Client Customization

WLS Ubuntu 20.04 – Powercli On Linux and use it for Horizon

Well I want to use my WSL Ubuntu 20.04 to use powercli command to manage old Horizon Version (Flash ko)

  • Start to install all updates on my Ubuntu 20.04

sudo apt-get update

sudo apt-get upgrade

  • Configure source for downlad ed install powercli 

sudo apt-get install curl

 curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add

sudo curl -o /etc/apt/sources.list.d/microsoft.list https://packages.microsoft.com/config/ubuntu/20.04/prod.list

sudo apt-get update

  • Install powershell 

sudo apt-get install powershell

sudo pwsh

Set-PowerCLIConfiguration -InvalidCertificateAction:Ignore

  • Install PowerCli Module

Install-Module -Name VMware.PowerCLI

  • Install the horizon module

Import-Module -Name VMware.VimAutomation.HorizonView

  • Download additional module

For download

Run Example Horizon PowerCLI Scripts (vmware.com)

  • Import Horizon Module

Create Horizon Desktop Pool using PowerCLI – Roderik de Block

PowerCLI-Example-Scripts/New-HVPool.md at master · vmware/PowerCLI-Example-Scripts · GitHub

WLS Ubuntu 20.04 – Powercli On Linux and use it for Horizon

Azure MFA, UAG, Horizon and TRUE SSO – Step 5

Import XML on Horizon Connection Servers and configure it

Now we import the XML content in to all Horizon Connection Server, for all server on

Select Edit and after authentication

Select in delegation of authentication ….. the value ALLOWED open

and a new authenticator

Static

Name type Azure

And copy the content of XML file  on the SAML Metadata

Enable truesso for Horizon Authentication method

On a Connection server enable the TRUESSO for a Authentication Method

vdmUtil –authAs admin-role-user –authDomain domain-name –authPassword admin-user-password –truesso –authenticator –edit –name authenticator-fqdn –truessoMode {ENABLED|ALWAYS}

vdmUtil –authAs administrator –authDomain pollaio –authPassword 121212121 –truesso –authenticator –edit –name azure  –truessoMode ENABLED

And now the configuration is done.

Thank You

Fabio Storni fabio1975@gmail.com

REFERENCE

Tutorial: Azure Active Directory single sign-on (SSO) integration with VMware Horizon – Unified Access Gateway | Microsoft Docs

Setting Up True SSO (vmware.com)

Azure MFA, UAG, Horizon and TRUE SSO – Step 5

Azure MFA, UAG, Horizon and TRUE SSO – Step 4

Configure a enterprise application on Azure AD, configure it and export XML

Insert:

 Identifier  -> https://<public-FQDN-UAG>/portal

Reply URL -> https://<public-FQDN-UAG>/portal/samlsso

Sign on URL -> https://<public-FQDN-UAG>/portal/samlsso

Download the  XML

Assign Users or Groups permission to Enterprise application

Import XML on UAG and configure it

Import Identity Provider Metadata, select the file XML downloaded from the Enterprise Application data

Select the identity provider

 Select More Option

And select SAML e the correct Identity provider (with SAML+PASSTROUGHT the identity token  will not passed to horizon Server and it will required a new autentication)

Azure MFA, UAG, Horizon and TRUE SSO – Step 4

Azure MFA, UAG, Horizon and TRUE SSO – Step 3

Export Horizon Enrollment Certificate from Horizon installation and install it in to Enrollment Horizon Server

Connect to Horizon Server and export the Horizon View Certificate  (The certificate with  vdm.ec friendly name)

Now we import the enrollment certificate in to Horizon Enrollment server,  we need import in to Certificate Computer store and add the friwndly name vdm.ec

Configure TrueSSO on Horizon Connection Server

Configure Enrollement server

vdmUtil –authAs admin-role-user –authDomain domain-name –authPassword admin-user-password –truesso –environment –add –enrollmentServer enroll-server-fqdn

vdmUtil –authAs administrator –authDomain pollaio –authPassword qwerty1234567890! –truesso –environment –add –enrollmentServer Enroll.pollaio.lan

Verifica le informazioni

vdmUtil –authAs admin-role-user –authDomain domain-name –authPassword admin-user-password –truesso –environment –list –enrollmentServer enroll-server-fqdn –domain domain-fqdn

vdmUtil –authAs administrator –authDomain pollaio –authPassword qwerty1234567890! –truesso –environment –list –enrollmentServer Enroll.pollaio.lan –domain pollaio.lan

Creare la connessione per il true sso

vdmUtil –authAs admin-role-user –authDomain domain-name –authPassword admin-user-password –truesso –create –connector –domain domain-fqdn –template TrueSSO-template-name –primaryEnrollmentServer enroll-server-fqdn –certificateServer ca-common-name –mode enabled

vdmUtil –authAs administrator –authDomain pollaio –authPassword qwerty1234567890! –truesso –create –connector –domain pollaio.lan –template TRUESSOHORIZON  –primaryEnrollmentServer enroll.pollaio.lan –certificateServer pollaio-NPSSRV-CA  –mode enabled

Verify from the Horizon Connection server dashboard thee TrueSSO status, if it is all green the trueSSO is Ready

Azure MFA, UAG, Horizon and TRUE SSO – Step 3

Error An Invalid Parameter was passed to a service of function” Horizon and TRUE SSO

 When i try to use TrueSSO and Horizon i find this error:

 

Horizon Windows Desktop or App fails with logon error: ‘an invalid parameter was passed to a service or function’ (79644) (vmware.com)

 

 

We have install the last windows 10 comulative update 

 

Fix it
Error An Invalid Parameter was passed to a service of function” Horizon and TRUE SSO