SSO How To: Fix Single-sign-on issues with VMware View
If you have to enter your credentials twice when accessing VMware View, check the following:
1. Confirm that the Agent/Client installation or configuration is correct. During installation, select Log in as current user.
2. Verify that disclaimers or login banners are not being used when using PCoIP as the display protocol.
This issue occurs if a legal disclaimer GPO is configured. When this disclaimer is present, Single Sign-On (SSO) sends the username and password incorrectly, and the connection times out. To work around this issue, disable the legal disclaimer until a GPO is performed by removing these registry keys:
- LegalNoticeCaption
- LegalNoticeText
- Open the Registry Editor. Click Start > Run, then type regedit.
- Locate the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Locate and delete the LegalNoticeCaption and LegalNoticeText keys.
3. Confirm that userinit is configured properly to pass credentials.
The userinit string lists the applications that are launched upon successful authentication to a Windows guest operating system. Sometimes the installation of new applications, the application of new GPOs, and manual user edits leave the userinit string in a state that's detrimental to logins, single sign-on, and other parts of an operational environment.
A normal userinit string in a VMware View virtual desktop looks like this:
- Log on to your virtual desktop, the template your virtual desktop pool is based on, or the virtual machine base image that you are using for your virtual desktops.
- Click Start > Run, type regedit and click OK. This opens the Windows Registry Editor.
- Go to HKEY_LOCAL_MACHINE > Software > Microsoft > Windows NT > CurrentVersion > Winlogon. The Userinit entry is located here.
- Edit the Userinit string if necessary. There should be a comma between each program executable path. If there is not, edit the string so that there is a comma between each entry, remembering to add the trailing comma at the end of the string.
- Restart the virtual desktop to commit the changes.
- If you are editing a virtual machine base image, power down the base image, take a snapshot, and recompose using the new snapshot as your base image.
4. Confirm that the GINA is chaining correctly.
- Log on to your base image, template virtual machine, or virtual desktop.
- Click Start > Run > type regedit and press Enter.
- In the registry, find HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL. The value of this should be C:\Program Files\VMware\VMware View\Agent\bin\wsgina.dll.
- Occasionally, depending on the behavior of software that you install, the chaining GINA still calls the default GINA, or msgina. This software places its key in its own installation directory, and has a structure similar to this example key. If you are still experiencing issues with your virtual desktop, ensure that there are not any vendor-specific keys loaded. GINA replacement DLLs are usually related to network management or security software. If you've installed any software of this kind, this is another good place to check for a link in the chain.
HKEY_LOCAL_MACHINE\Software\<Vendor_ID_or_Name>\<GINA_key_reference>\<GINA_Load_Instruction> = msgina
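The checks from steps 2 to 4 can be run in one read-only pass over the Winlogon key. This is an added PowerShell example, not part of the original article or of VMware's tooling; the helper name Test-UserinitString and the output markers are assumptions made for illustration.

```powershell
# Read-only audit of the Winlogon values covered in steps 2-4; nothing is modified.
# Assumption: run from a PowerShell session on the virtual desktop or base image.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Expected GinaDLL value as given in step 4 of this page.
$expectedGina = 'C:\Program Files\VMware\VMware View\Agent\bin\wsgina.dll'

# Hypothetical helper: applies the comma rules from step 3 to a Userinit string
# and emits one finding per problem (no output means the string passed).
function Test-UserinitString {
    param([string]$Value)
    if (-not $Value) { 'value is empty or missing'; return }
    if (-not $Value.EndsWith(',')) { 'no trailing comma at the end of the string' }
    # Two executable paths run together, e.g. "...\a.exeC:\...\b.exe"
    if ($Value -match '\.exe\s*[A-Za-z]:\\') { 'two paths are not separated by a comma' }
    foreach ($entry in $Value.Split(',')) {
        $path = $entry.Trim().Trim('"')
        if ($path -and -not (Test-Path -LiteralPath $path -PathType Leaf)) {
            "entry does not resolve to a file: $path"
        }
    }
}

$props = Get-ItemProperty -Path $winlogon

# Step 2: report the state of the legal notice values.
foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
    $value = $props.$name
    if ($null -eq $value) { "[ok] $name is absent" }
    elseif (-not "$value".Trim()) { "[i]  $name is present but empty" }
    else { "[!]  $name is set: $value" }
}

# Step 3: validate the Userinit string.
"Userinit = $($props.Userinit)"
$findings = @(Test-UserinitString $props.Userinit)
if ($findings.Count -eq 0) { '[ok] Userinit entries are comma-separated with a trailing comma' }
else { $findings | ForEach-Object { "[!]  Userinit: $_" } }

# Step 4: compare GinaDLL with the View Agent GINA. GINA is a Windows XP mechanism;
# Windows Vista and later use credential providers, so the value is normally absent there.
$gina = $props.GinaDLL
if (-not $gina) { '[i]  GinaDLL is not set' }
elseif ($gina -eq $expectedGina) { '[ok] GinaDLL points to the View Agent wsgina.dll' }
else { "[!]  GinaDLL is '$gina', expected '$expectedGina'" }
```

Userinit and GinaDLL decide what runs at logon, so any entry reported here that you did not put there deserves a closer look before you edit it away.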
5. Ensure that no Group Policy conflict exists.
- Install the Group Policy Management Console on either your domain controller or the Windows XP machine that you use to manage your Active Directory (AD) Domain.
You can download the Group Policy Management Console at Group Policy Management Console with Service Pack 1.
- Log in to your Domain Controller or the machine that you use to manage your domain.
- Click Start > Run, type dsa.msc, and click OK. The Active Directory Users and Computers (ADUC) Management console opens.
- Click Action > Find.
- Search for the user/computer object for which you want to test the GPOs.
- Temporarily relocate the computer/user object to an Organizational Unit (OU) which has no applied GPOs.
Note: You may have to create an OU without any applied policies.
- Click Start > Run, type gpmc.msc, and click OK. The Group Policy Management Console (GPMC) opens.
- In GPMC, ensure that there are no GPOs on the OU by temporarily blocking the inheritance of GPOs to these objects.
- Right-click the object and click Properties.
- Click the Group Policy tab.
- Click Block Policy Inheritance.
- Return to the computer/virtual machine that is experiencing the issues.
- Click Start > Run, type gpupdate /force, and click OK. The user and computer policies on the machine are refreshed.
- Open the Local Security Policy Console.
  - In Windows XP:
    - Click Start > Run.
    - Type gpedit.msc.
  - In Windows 7:
    - Click the Start Menu.
    - Type Local Security Policy and press Enter.
- Expand Local Policies.
- Click Security Options.
- Double-click Interactive logon: Do not require CTRL+ALT+DEL.
- Select Disabled.
- Click OK.







