Using login banners with VMware View 4
Windows XP login banners can force VMware View end users to log in twice when they're trying to access their virtual desktops. But there's a better way that keeps a single sign-on.
Almost all government agencies, whether federal, state or local, as well as organizations that adhere to stringent security standards (such as hospitals), use banners or disclaimers during the user logon process.
The banner is set via group or local policy, and often looks like this to the user:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this website...
Banners are useful: they are intimidating, and they cast some semblance of legal jurisdiction over systems. But they do not cooperate well with single sign-on (SSO) or with the user's experience.
Banners or disclaimers typically mean that users have to enter their credentials more than once. When an end user fires up the VMware View client and clicks Connect, he only wants to enter his credentials once.
Here is what the experience looks like for the end-user:
He enters his credentials into the VMware View client and then selects his desktop pool of choice. If a banner is not in use, he has immediate access to his desktop.
However, if a banner is in use, he receives a banner pop-up. When the user clicks OK, the system shows the user the Windows XP login box, asking for credentials a second time.
If you need to show a banner for security reasons and use VMware View 4, there is a way to change the user experience so that end-users only have to enter log-on credentials once.
To do so, remove the Windows banner and use a banner created by the VMware View client.
- Using the VMware View admin console, go to Configuration, then Global Settings, then Pre-Login Message. Click Edit.
- Enter the Windows banner message into this field, and remove it from the group/local policy affecting the virtual desktop.
Once these steps are complete, end users will be forced to click through the banner warning when connecting to the View Connection Server.
You might want to place the computer accounts for the virtual desktops in their own organizational unit (OU) and disable the Windows banner there. That way, all of the machines that are not accessing the system via virtual desktop will receive the usual Windows banner.
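To confirm that a virtual desktop in the banner-free OU no longer receives the Windows banner, a check like the following can be run on the desktop after a policy refresh. It is an added example, not part of the original article: the function name `Get-LogonBannerState` is hypothetical, the registry paths are the standard locations where Windows stores the logon legal notice, and treating any non-empty caption or text as "banner set" is this check's own criterion.

```powershell
# Added example: report whether a Windows logon banner is still configured here.
# Written for PowerShell 2.0 so it also runs on Windows XP guests that have it installed.
$BannerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',  # written by group/local policy
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'       # legacy location
)

function Get-LogonBannerState {
    param([string[]]$Path = $BannerKeys)

    foreach ($key in $Path) {
        # A missing key or value simply yields empty strings below.
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        # LegalNoticeText can be REG_SZ or REG_MULTI_SZ; join so both read as one string.
        $caption = ([string]$props.LegalNoticeCaption).Trim()
        $text    = (@($props.LegalNoticeText) -join "`n").Trim()

        New-Object PSObject -Property @{
            Path       = $key
            Caption    = $caption
            TextLength = $text.Length
            BannerSet  = ($caption.Length -gt 0) -or ($text.Length -gt 0)
        }
    }
}

$state = @(Get-LogonBannerState)
$state | Format-Table Path, BannerSet, Caption, TextLength -AutoSize

if (@($state | Where-Object { $_.BannerSet }).Count -gt 0) {
    Write-Output 'Windows logon banner is still configured on this desktop.'
    exit 1
}

Write-Output 'No Windows logon banner is configured on this desktop.'
exit 0
```

A non-zero exit code on a desktop in the virtual desktop OU means the Windows banner policy still applies there, so the View pre-login message would be followed by the Windows banner and a second credential prompt.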
ABOUT THE AUTHOR: Jason Langone heads virtualization, cloud computing and storage for MicroTech, a service-disabled, veteran-owned and 8(a) small business. Langone won the VMware Vanguard Award in 2007 and has architected some of the largest virtualization and cloud computing implementations to date.