VMware View Single Sign On Timeout -1

Note: Please do not confuse VMware View SSO with vCenter SSO; they are not the same thing.

VMware View single sign-on (SSO) is enabled by default, which is excellent. The bad thing is that the default timeout is set to infinite (-1), which is very insecure. With no timeout, a bad guy could walk up to your session while you are taking a bathroom break, back out to the “Desktop Library”, choose a different VM that you are entitled to, and SSO will log the bad guy in without prompting for credentials.

The fix has been documented since the 4.6 release: http://pubs.vmware.com/view-50/index.jsp?topic=/com.vmware.view.administration.doc/GUID-DB5C245D-AD48-4598-A7C6-C8FC75FC3339.html

Multiple sites show you how to use the Windows built-in tool ADSI Edit, but I can see why a few folks still get lost following those instructions. If you follow the steps below, I can guarantee success.

1. Open ADSI Edit on one of the clustered View Connection Servers. Tip: c:\windows\system32\adsiedit.msc

In the connection dialog, type “cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int” (without any spaces) as the distinguished name and connect to “localhost”.

[Screenshot: adsiedit 1]

2. Right-click the “Common” folder and change the value of “pae-SSOCredentialCacheTimeout” from “-1” to whatever value you want, in minutes (mine is 5 minutes). Click Apply.

[Screenshot: adsiedit 2]

This change replicates to all the View Connection Server replicas automatically. I hope you take the time to close this neglected security hole. I wish VMware had chosen a more secure default value or exposed this setting in the web interface, but no big deal.
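If you would rather audit and fix the setting from a script than click through ADSI Edit, the following PowerShell is an added example (not part of the original post and not VMware's own tooling). It talks to the same View LDAP directory the ADSI Edit steps use. Assumptions: it runs as an administrator on a View Connection Server, the View directory instance answers on localhost port 389 (the default the ADSI Edit connection above relies on), and pae-SSOCredentialCacheTimeout holds an integer number of minutes, with -1 meaning no timeout, as the post describes. The function name Get-ViewSsoTimeout and the parameter names are mine.

```powershell
<#
  Added example: report, and optionally set, the View SSO credential cache
  timeout via the View LDAP directory. Not from the original post.
  Assumes: run on a View Connection Server as admin; View LDAP on port 389;
  pae-SSOCredentialCacheTimeout is an integer (minutes, -1 = infinite).
#>
function Get-ViewSsoTimeout {
    param(
        # View Connection Server to query. Default matches the ADSI Edit steps.
        [string]$Server = 'localhost',
        # New value in minutes. Omit to only report; -1 is never written by this function.
        [ValidateRange(1, 1440)]
        [int]$TimeoutMinutes
    )

    # Same DN the ADSI Edit connection dialog uses (see step 1 above).
    $dn   = 'cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int'
    $attr = 'pae-SSOCredentialCacheTimeout'

    # ${Server} avoids PowerShell reading "$Server:389" as a drive-qualified variable.
    $obj = [ADSI]"LDAP://${Server}:389/$dn"

    # Get() throws if the attribute is not set; treat that as "unknown" rather than crash.
    try   { $current = [int]$obj.Get($attr) }
    catch { $current = $null }

    $status = if ($null -eq $current) { 'unset (cannot determine)' }
              elseif ($current -eq -1) { 'INFINITE - cached credentials never expire' }
              else                     { "$current minute(s)" }
    Write-Host ("[{0}] {1} = {2}" -f $Server, $attr, $status)

    if ($PSBoundParameters.ContainsKey('TimeoutMinutes') -and $current -ne $TimeoutMinutes) {
        $obj.Put($attr, $TimeoutMinutes)
        $obj.SetInfo()   # commit; the Connection Server replicates this to its peers
        $after = [int]$obj.Get($attr)
        Write-Host ("[{0}] {1} changed {2} -> {3}" -f $Server, $attr, $current, $after)
        return $after
    }
    return $current
}

# Usage: audit only, then set a 5-minute timeout (the value used in the post).
# Get-ViewSsoTimeout
# Get-ViewSsoTimeout -TimeoutMinutes 5
```

Running it with no parameters is safe to use as a periodic check: a result of -1 on any Connection Server means the default is back in place (for example after a fresh pod build) and the hole described above is open again.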
