In the last few years I came in contact with three customers who all faced the same problem. Let me first explain what the problem is. With the release of Blast in version 5.3 (and higher) it became possible to logon to the desktop through HTML5. Now as long as you are using a single domain all works well, but in my case all customers had multiple domains which were connected through two-way trusts. Using multiple domains in Horizon View works well when the “primary domain” is the same domain, as where the users must logon. The “primary domain” is the domain where the Connection Servers are joined to. This blog is to warn and clarify what the limitations are with domain filtering in the current version of Horizon View.
Limitation by design
So what`s the catch here…
In my case the customers joined their Horizon Connection Servers to a separate management domain, where no user can logon to. This must be no issue I thought and opened the View PowerCLI and tried to exclude the “primary domain” from the search fields with the VDMADMIN command. The command resulted in success but from BLAST (HTML5) access the “primary domain” was still set as active. Yes, I know the manual states that the “primary domain” cannot be excluded. But in some cases I only want to hide the “primary domain” not exclude.
Feature request at VMware
I tried all options within Horizon View but none work. I tried this again in version Horizon 6 and now in Horizon 7 this “limitation” still exists. Horizon View has all to do with the user experience, so why isn`t it possible to change the order (or make another another domain active?) of the domains with the VDMADMIN commands? Now many users must use the dropdown menu to select the right domain before they are able to logon to HTML5. I already sent a feature request to VMware to make an VDMADMIN command to change the domain order in all (Cluster and Connection Server) options. So fingers crossed in this case!
! Warning !
Be aware during the design workshops that multiple domains can have a huge impact on the user experience.
Choosing the right (primary) domain will be crucial in this case (as long as we can`t change or hide the “primary domain”). I find this an important feature that must be added to this wonderfull product. Not all of my customers have enough money to implement for example Identity Manager which solves this issue.
Demo domain filtering with multiple domains
To make the story clear I build three domains which are connected through two-way forest trusts with each other. I used the latest version of Horizon View 7.0.1 to demonstrate it.
The names of the domains are:
- BRAVO (primary domain)
From within the Horizon View Administrator it looks like this.
All domains are joined and healthy.
When connecting to Blast it shows the drop down menu with the default domain set on domain BRAVO.
Next I wanted to check the “primary domain” within Horizon View by using the View PowerCLI.
The first command shows a list of (primary) domains:
vdmadmin -N -domains -list -active
Now that we now with what domains we are dealing with we can start to exclude some domains.
We have three levels where we can exclude domains, let me explain them.
All Connection Servers which are joined or gonna join the Horizon View Block.
Specific per Horizon View Connection Server.
In this demonstration I exclude the domains ALPHA and CHARLIE from the search field.
This can be done with the following command:
vdmadmin -N -domains -search -domain ALPHA -add -s CON-01
To control if the command has worked use the following command:
vdmadmin -N -domains -list
After these adjustments, the only available domain in Blast is BRAVO.
Now we first remove the ALPHA and CHARLIE domains with the following command:
vdmadmin -N -domains -search -domain ALPHA -remove -s CON-01
And for the last test we exclude the BRAVO “primary domain” from the Connection Server with the following command:
vdmadmin -N -domains -search -domain BRAVO -add -s CON-01
The end result in the Blast portal should be that there will be two domains available namely: ALPHA and CHARLIE. But no, all three domains are still there…