Note: Please do not confuse VMware View SSO with VCenter SS0, they are not the same.
VMware View single sign on (SSo) is enabled by default which is excellent. The bad thing is that the default timeout setting is set to infinite which is very insecure. Not having a timeout setting by default means a bad guy could go behind you while you’re taking a bathroom break and back out to “Desktop Library” and choose a different vm that you are entitled and SSO will take the bad guy in without prompting for credential.
The fix is documented since 4.6 release http://pubs.vmware.com/view-50/index.jsp?topic=/com.vmware.view.administration.doc/GUID-DB5C245D-AD48-4598-A7C6-C8FC75FC3339.html
Multiple site shows you how to use Windows built in tools ADSI EDIT but I could see why few folks still gets lost using the instruction. If you follow this instruction, I can guarantee success.
1. Open ADSI EDIT from one of the clustered View Connection Server. Tip: c:\windows\system32\adsiedit.msc
Without any spaces type “cn:common,ou=global, ou=properties,dc=vdi,dc=vmware,dc=int” to connect to “localhost”
2. Right click the “Common” folder and change the value of “pae-SSOCredentialCacheTimeout” from “-1” to whatever value you want in minutes (mine is 5 minutes). Hit apply.
This will replicate to all the View Connection Server replicas. I hope you take the time to close this neglected security hole. I wish VMware have chosen a more secure default value or include this on the Web Interface but no big deal.