Adding a Computer Account to MS SQL Server for a VMware App Volumes Manager Database

ref: https://www.enhansoft.com/updated-how-to-create-a-sql-server-computer-account-login/

This post will probably work for other use cases, but I specifically need it for VMware App Volumes Manager.

Open SQL Server Management Studio (SSMS)

Expand Security

Right-click Logins

Select New Login…

1. Do not use the Search… button! Type the Login name: as

DOMAIN\computer-name$

The dollar sign is necessary to signify the account as a computer and not the name of a user. (ref: https://social.technet.microsoft.com/Forums/en-US/eec574c0-5421-4d7a-a806-a3c5af3d29bf/why-in-samaccount-name-of-computer-account-in-active-directory?forum=winserverDS)

2. Choose the Windows authentication radio button.

3. Select the Default database for App Volumes Manager if it was already created. You can assign it later after creating the database if needed.

4. Select the Default language

Do not click OK!

On the Server Roles page, choose the sysadmin checkbox to grant the role to the user. Don’t click OK, yet.

On the User Mapping page, choose the checkbox next to the database being mapped to the user (computer) account (assuming the database has already been created).

Click OK.

Verify the computer account is added to the list of logins.
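
The same login can also be created from a query window. This is an added example, not part of the referenced article or VMware's documentation: DOMAIN\computer-name$ is the placeholder from step 1, AppVolumes is an assumed name for the already-created database, and us_english is an assumed default language. The last query lists every member of sysadmin so the grant made here can be reviewed later.

```sql
-- Added example: T-SQL equivalent of the SSMS dialog steps above.
-- Placeholders (assumptions): DOMAIN\computer-name$ and the AppVolumes database.
USE [master];
GO

-- Steps 1-4: Windows-authenticated login for the computer account.
-- The trailing $ is part of the computer object's account name.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'DOMAIN\computer-name$')
BEGIN
    CREATE LOGIN [DOMAIN\computer-name$] FROM WINDOWS
        WITH DEFAULT_DATABASE = [AppVolumes],
             DEFAULT_LANGUAGE = [us_english];
END
GO

-- Server Roles page: the sysadmin checkbox.
-- sysadmin gives this computer account full control of the whole instance,
-- not only the App Volumes database.
ALTER SERVER ROLE [sysadmin] ADD MEMBER [DOMAIN\computer-name$];
GO

-- User Mapping page: create a database user for the login.
USE [AppVolumes];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'DOMAIN\computer-name$')
BEGIN
    CREATE USER [DOMAIN\computer-name$] FOR LOGIN [DOMAIN\computer-name$];
END
GO

-- Verification: every login that currently holds sysadmin.
-- The computer account should appear here with type_desc = WINDOWS_LOGIN.
SELECT m.name        AS member_name,
       m.type_desc   AS member_type,
       m.is_disabled,
       m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```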

This concludes this post.

Installing VMware App Volumes 4 Manager – Part 1

ref: https://docs.vmware.com/en/VMware-App-Volumes/4/com.vmware.appvolumes.install.doc/GUID-2E6F56D8-E657-4290-BAE7-E18E7556ADDC.html (VMware App Volumes Installation Guide)

ref: https://docs.vmware.com/en/VMware-App-Volumes/4/com.vmware.appvolumes.install.doc/GUID-25B53F4E-C22B-4DBD-A253-D7FA33D965BF.html (Installing App Volumes)

I will start this post by mentioning that if you try to install App Volumes 4 and are stuck on the SQL database portion trying to get Windows Integrated Authentication (WIA) working, you are not alone. I have spent countless hours troubleshooting this and looking for documentation. Documentation on the database requirements seems to be almost non-existent: it covers which version to use, but nothing specific on database settings or user/computer/other authentication settings. It is very frustrating.

I will also mention that I have installed MS SQL Server 2016 and have set up TLS certificates on the Windows guest as well as configured SQL Server to use the certificate. I have also added the App Volumes server computer account to the database permissions. Please see the following articles, Configuring Microsoft SQL Server for VMware Horizon View, MSSQL SSL/TLS Certificate Chain Fix, and Adding a Computer Account to MS SQL Server for a VMware App Volumes Manager Database, for more information. If you read and follow the three articles provided, you will not encounter an error when configuring the App Volumes Manager database authentication!

I am going to assume that you have some level of technical proficiency if you are this far along in your journey, and I will not add mundane details like how to mount an ISO or what buttons to click unless I am following a particular workflow and feel the details are absolutely necessary. Let’s get started…

After downloading App Volumes 4 (https://my.vmware.com/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_app_volumes/4_x), mount the ISO to your App Volumes server. Navigate to the Installation directory.

Double-click setup.exe.

Click Next.

Check the I accept the terms in the License Agreement checkbox (you did read all that, right?) and click Next.

Choose the Install App Volumes Manager radio button since we are installing the App Volumes Manager. Click Next.

Not Shown! – You may be presented with a Windows User Account Control (UAC) prompt. Move past this accordingly. The installation up to this point has been a bootstrap of sorts. The next screens will do the actual Manager installation.

Déjà vu? Groundhog Day? Now we proceed with the actual installation of App Volumes Manager. Click Next.

Choose the Connect to an existing SQL Server Database radio button. Click Next.

There is a lot going on at this step. If you read the beginning of this post and followed the two additional articles provided, you should not have any trouble using Windows Integrated Authentication here. To quickly recap:

  • Your MS SQL server and App Volumes Manager servers can resolve DNS forward and reverse lookup records
  • Your MS SQL server has a TLS certificate in the local machine certificate store
  • The user running your MS SQL service has been provided access to the MS SQL server’s private key
  • The MS SQL server has been configured to use the machine’s TLS certificate
  • The MS SQL service or server has been restarted.
  • The App Volumes database has been created.
  • The App Volumes server account (the computer account) has a login on the MS SQL server and is associated with the App Volumes database (see Adding a Computer Account to MS SQL Server for a VMware App Volumes Manager Database).

1. Enter the FQDN for the MS SQL server.

2. Choose the Windows Integrated Authentication radio button.

3. Click the Browse… button. This is a good test of your authentication: it will either show you the databases or present you with an error.

Choose the database specified for use with App Volumes and click Next.

4. Check the Enable SQL Server certificate validation checkbox.

Click Next.

Almost there! If you have reached this point, the hardest part of the installation is over. Leave the default ports unless you like to complicate your life. Click Next.

Optional: Change the installation location if necessary.

Click Next.

Click Install. Take a break! The installer will need a few minutes to install the software.

Confirm that the Wizard completed successfully. See the Troubleshooting section below if you did not have a successful installation.

Click Finish.

You have completed the install, but there are some prerequisite steps to take to make the configuration easier and work the first time. Check out the article here: Installing VMware App Volumes 4 Manager – Part 2.

Troubleshooting

Be sure to read the finished dialog! You may receive the following, reporting that the Wizard ended prematurely. You will have to open up the logs and investigate; navigate to your installation directory and look at the logs. The issue that generated the following screenshot for me was either a self-signed certificate issue or a SQL Server issue because I didn’t add the App Volumes Manager server login to the MS SQL server and assign it to the App Volumes database (see below for specific error message and how to fix). Delete the Cloud Volumes directory and try the installation again.

From the inst_ruby_script.log file, you see the following:

E, [2020-11-19T11:43:30.666302 #3196] ERROR -- : ERROR: 28000 (18456) [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Login failed for user 'AARONROMBAUT\APP-001V$'.
E, [2020-11-19T11:43:30.666571 #3196] ERROR -- : ["script/odbc_driver_validator.rb:145:in `drvconnect'", "script/odbc_driver_validator.rb:145:in `connect_using_conn_string'", "script/odbc_driver_validator.rb:34:in `odbc_connection'", "script/odbc_driver_validator.rb:76:in `validate_conn_and_version'", "script/odbc_driver_validator.rb:183:in `<encoded>'", "script/odbc_driver_validator.rb:2:in `RGLoader_load'", "script/odbc_driver_validator.rb:2:in `'"]
Unable to connect to SQLServer. Exiting with status -1.

To resolve this, follow this article: Adding a Computer Account to MS SQL Server for a VMware App Volumes Manager Database.
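
The installer log only carries the generic 18456 message. The queries below are an added example (not from the App Volumes installer or VMware's documentation) for checking the cause on the SQL Server side; DOMAIN\computer-name$ and the AppVolumes database name are placeholders, and the first statement must be run by a login that is allowed to read the SQL Server error log.

```sql
-- Added example: server-side checks for "Login failed" (error 18456).
-- Placeholders (assumptions): DOMAIN\computer-name$ and the AppVolumes database.
DECLARE @login nvarchar(128) = N'DOMAIN\computer-name$';

-- 1. Search the current SQL Server error log (log 0, type 1) for the failure.
--    The server-side entry carries a State value and a Reason text that the
--    client never sees.
EXEC sys.sp_readerrorlog 0, 1, N'Login failed', @login;

-- 2. Does a login exist for the computer account, and is it enabled?
--    No row here means the login was never created.
SELECT name, type_desc, is_disabled, default_database_name
FROM sys.server_principals
WHERE name = @login;

-- 3. Is the login mapped to a user in the database?
--    Match on SID rather than name, because the database user may have
--    been given a different name than the login.
SELECT dp.name      AS database_user,
       dp.type_desc AS user_type
FROM AppVolumes.sys.database_principals AS dp
JOIN sys.server_principals              AS sp ON sp.sid = dp.sid
WHERE sp.name = @login;

-- 4. Can the default database recorded for the login actually be opened?
--    An offline or missing default database also produces error 18456.
SELECT sp.default_database_name,
       d.state_desc
FROM sys.server_principals AS sp
LEFT JOIN sys.databases    AS d ON d.name = sp.default_database_name
WHERE sp.name = @login;
```

An empty result from query 2 corresponds to the situation described above, where the App Volumes Manager server login was never added to the MS SQL server.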

Configuring Microsoft SQL Server for VMware Horizon View

Software being used:

  • Microsoft SQL Server 2016
  • Microsoft SQL Server Management Studio 18.4
  • VMware Horizon 7.12.0

Configure Microsoft SQL Server

After installing Microsoft SQL Server, a few things need to be configured:

1. Ensure TCP port 1433 is open on any firewall software running on the server.

2. Add a machine certificate to local machine personal store (certlm.msc)

2a. Be sure to add the account that runs the SQL service to the permissions on the certificate’s private key. See this post for more details: MSSQL SSL/TLS Certificate Chain Fix

3. Add certificate to Microsoft SQL server. (ref: https://support.microsoft.com/en-us/help/316898/how-to-enable-ssl-encryption-for-an-instance-of-sql-server-by-using-mi)

4. Open SQL Server Configuration Manager. Right-click Protocols for <INSTANCE-NAME>, choose Properties.

5. Click on the Certificate tab.

6. Choose the machine certificate you added earlier, click OK.

7. Back on the SQL Server Configuration Manager window, double-click TCP/IP.

8. Ensure the following settings:

9. Check the Active, Enabled, IP Address, and TCP Port settings. Modify as necessary and click OK. If you do make any modifications, be sure to restart the SQL service.
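
To confirm that client connections are actually encrypted with the certificate configured above, the following can be run in SSMS after the service restart. This is an added example, not taken from the referenced Microsoft article; it uses the sys.dm_exec_connections and sys.dm_exec_sessions views and needs VIEW SERVER STATE permission.

```sql
-- Added example: how did each current user session connect?
-- encrypt_option is 'TRUE' when the session's traffic is encrypted;
-- auth_scheme is SQL, NTLM or KERBEROS.
SELECT c.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,
       c.encrypt_option,
       c.auth_scheme,
       c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
ORDER BY c.encrypt_option, s.host_name;

-- Findings: remote (TCP) sessions that are not encrypted, grouped by client.
-- Local shared-memory sessions are excluded because they never leave the host.
SELECT s.host_name,
       s.program_name,
       c.auth_scheme,
       COUNT(*) AS unencrypted_connections
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND c.net_transport   = 'TCP'
  AND c.encrypt_option  = 'FALSE'
GROUP BY s.host_name, s.program_name, c.auth_scheme
ORDER BY unencrypted_connections DESC;
```

A row in the second result set for a Horizon or App Volumes server means that client did not negotiate encryption even though the certificate is loaded.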

Creating the VMware Horizon Database and User

1. Open Microsoft SQL Server Management Studio.

2. Ensure the SQL server authentication is set to SQL Server and Windows Authentication mode. VMware Horizon does not use Integrated Windows Authentication. (https://docs.vmware.com/en/VMware-Horizon-7/7.12/horizon-installation/GUID-1360BFDF-9F90-47FD-8B6C-E842CF951A53.html)

3. Right-click Databases and choose New Database…

4. Fill in the Database name with a meaningful name. Click OK.

5. Expand Security and right-click Logins.

6. On the General page, fill in the Login name with a meaningful name. Also choose a password and uncheck Enforce password policy unless you use a strong password. Change the Default database and Default language accordingly.

7. On the Server Roles page, check the sysadmin role.

8. On the User Mapping page, check the database name you created earlier. Click OK.

Configure the Event Database on Horizon View Connection Server

ref: https://docs.vmware.com/en/VMware-Horizon-7/7.12/horizon-installation/GUID-E04FDAC2-AD7B-4B09-B6E0-4A541646869B.html

VMware Horizon Client for Mac Compatibility Matrix

It’s an odd thing that VMware does not include this in their other Compatibility Matrix tools. If they do, they sure hide it well. I decided to make a quick chart for easy reference since there is a lot of confusion as to what can be installed on what versions. Take a look at the documentation for VMware Horizon Client for Mac page for Release Notes, User Guides, and Installation and Setup Guides. The Release Notes also include Resolved Issues and Known Issues for each version.

https://docs.vmware.com/en/VMware-Horizon-Client-for-Mac/index.html

Prepare macOS Catalina for Desktop Anywhere

No Smartcard Detected

Air Force Reserve Command (AFRC) has been at the forefront of many projects before “Big Blue”. The Desktop Anywhere service not only enables Reserve Air Force Airmen, but more recently enabled “Big Blue” to increase productivity and raise its awareness and use of the service.

Update: I am now retired from the Air Force, but I am still involved with the DoD. This page will not be maintained but please contact me if there are any questions that come up.


Disclaimer 1: I am a Traditional Reservist in the United States Air Force Reserve from the 914th Communications Squadron located in Niagara Falls, NY. My Air Force Specialty Code (AFSC) is 3D072 (Cyber Systems Operations).🤓 When I am not fulfilling my military obligation, I work as a Senior Consultant, Federal for VMware, Inc. Please follow along at your discretion. It is obligatory for me to write that these are my opinions and suggestions and my guidance only. The material provided here is not “Official” USAF or VMware, Inc guidance. Rest assured, what I provide you will likely result in a successfully working configuration, I just don’t want to be reprimanded or fired. 😉

Disclaimer 2: I am using a new and clean installed version of macOS Catalina 10.15.4 on a VMware Fusion virtual machine. While this should not cause any difference from a bare metal installation (like your MacBook or iMac), I wanted to provide full transparency.

Assumptions: If you are reading this, I assume you need a little guidance, but are not such a novice that you won’t know to click an ‘OK’ button, open a web browser, navigate and download programs, or something similar. I will do my best to make this as easy as possible, but within reasonable expectations that you know how to use your computer. If you need further assistance from what’s provided here, please feel free to reach out to me on the Facebook Group.

Update Your Mac

It is always wise to ensure you are running the newest versions of software, especially your Operating System. I am writing this using Version 10.15.4.

Ref: https://support.apple.com/en-us/HT201541

Hardware Component

Check with your local unit to see if they can provide you with a card reader. I am unsure of the policy at every installation. My unit provided me with a HID OMNIKEY 3121 USB Card Reader. I like this reader because it is well built and Mac friendly.

Software Components

You can look at the Public DoD Cyber Exchange’s website for getting started if you need more guidance. (https://public.cyber.mil/pki-pke/end-users/getting-started/#toggle-id-2)

DoD Certificates (Mandatory)

Download: https://public.cyber.mil/pki-pke/tools-configuration-files/

Another article on my site for help with DoD Certificates on macOS Catalina can be found here: https://www.aaronrombaut.com/dod-certificates-on-macos-catalina/

VMware Horizon Client (Mandatory)

Download: https://my.vmware.com/web/vmware/details?downloadGroup=CART21FQ1_MAC_542&productId=863&rPId=44670

Smart Card Driver (Optional, but most likely needed)

If you have a HID Smart Card Reader, you will need drivers.

Download: https://www.hidglobal.com/drivers?field_driver_brand_tid_selective=All&field_driver_product_reference_nid_selective=All&field_driver_operating_systems_tid_selective=187&title=

I noticed a lot of people have an Identiv Smart Card Reader. Please use the following download link to get the driver for your Identiv reader model.

Download: https://support.identiv.com/products/smart-card-readers/

If you have a different brand of reader, hopefully it will be a truly plug-and-play model, and will not need a driver. Seek out support from your card manufacturer if you need it. You can try to navigate through the MilitaryCAC.com family of websites, but I find the site very obtuse to navigate through. Maybe you will have better luck, though.

Downloaded software components for macOS 10.15.4

Keychain Access

The first step is to install and trust the DoD certificates. Open up Keychain Access and verify your current certificates. Make sure you see only one login Keychain. If you have more than one, backup the items from the old Keychain and remove it so that you only have one active. Change the Category to Certificates so that you can see what certificates are currently loaded. If you see any certificates that are expired, you will want to remove them.

Double-click on each file ending in .pem and .p7b. You may be prompted to provide the Keychain you want to add the certificates. Choose your login keychain.

At this point, you should see a lot of DoD-related certificates in Keychain Access. Scroll down until you see the DoD Root CA certificates. You should notice that they have a white x in a red circle. This indicates that they are not trusted.

Double-click on each of the root certificates, expand Trust, and change the When using this certificate: from Use System Defaults to Always Trust. Only do this for the DoD Root CA certificates.

Before changing When using this certificate:
After changing When using this certificate:

Close the windows and provide authentication, either password or fingerprint if you have that configured.

Once you trust the four DoD Root CA certificates, the icons should now be white + in a light blue circle. This indicates the certificate is trusted.

This completes the steps necessary to add the DoD certificates to your Keychain Access and trust the DoD Root CA certificates.

VMware Horizon Client – Installation

Double-click on the VMware Horizon Client package file you downloaded earlier. The installer will open to the License Agreement.

Click Agree, then the actual installer will open. Like typical Mac software, drag the VMware Horizon Client icon onto the Applications Shortcut.

There will not be an indicator that the installation completes besides finding the new icon in the Applications menu of your Finder window. You can close the VMware Horizon Client installer utility. Please refer to VMware’s documentation for Release Notes, Known Issues, User Guides, and Installation and Setup Guides found at https://docs.vmware.com/en/VMware-Horizon-Client-for-Mac/index.html

This completes the installation of the VMware Horizon Client.

VMware Horizon Client – Configuration

Double-click the VMware Horizon Client icon. You can find it using a Spotlight Search (command + space bar) or look in the Applications menu in Finder. You should receive a security warning.

Click Open to allow the Horizon Client to open.

Optional: If you want easier access to the VMware Horizon Client in the future, after you open up the software, right-click (or ctrl + click if right-click option is not configured) on the icon in the Dock and choose Options > Keep in Dock.

On the first launch, you should be presented with a window prompting you to Enter the name of the Connection Server.

At the time of this writing, the address for general use is:

afrcdesktops.us.af.mil

Click Connect.

You should receive a Disclaimer window. If you followed the section above about adding and trusting DoD Certificates, you should see the https in green. If you see it in red, this indicates that your certificates are not being trusted.

Click Accept.

You should now see a Login window requesting your certificate.

Choose your non-email certificate and click Continue.

Enter your PIN and click Continue.

At this point, you should now be presented with your entitled Apps. Your entitlements will most likely not be the same as mine.

Click on the Windows 10 SDC 5.5 (or similar desktop if your base has a different image) in order to access your desktop.

This completes the VMware Horizon Client – Configuration section. I am going to include a troubleshooting section below in case there are any issues.

Smart Card Reader – Troubleshooting

Note: the section below is not complete and most likely never will be with the way technology changes. I will try to update it as new issues arise.

If you have not connected your reader or plugged in your Common Access Card (CAC), you should receive the following Alert.

If you have connected your reader and plugged in your CAC, but your CAC is not being recognized, you should receive the following Login window.

The above most likely is a result of not having the appropriate driver for your Card Reader. You can test if your Card Reader is detected from the Terminal.

Open Terminal, type:

pcsctest

Once you press Enter, you will (or you won’t) see your card reader listed.

As you can see, my card reader is not being detected. This indicates that I will need to go to the manufacturer’s website and download and install the correct driver. Once I installed and restarted my computer, I re-ran the command in a Terminal.

If you have received any errors at this point, leave your CAC in the reader, close VMware Horizon Client, restart your computer, and re-open VMware Horizon Client.

Section 1 – Install and Configure Horizon Server Components

Objective 1.1 – Describe techniques to prepare environment for Horizon

This is a very odd objective to work through. I think the word “techniques” is what is throwing me off. To me, the word should be “requirements” and is asking the test taker what is required to prepare the environment for the installation of VMware Horizon 7.

According to the Horizon 7 Installation guide, “Horizon Connection Server has specific hardware, operating system, installation, and supporting software requirements.” (Reference: https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-858D1E0E-C566-4813-9D53-975AF4432195.html) I would also add licenses to this list as not all features are supported in all versions.

Hardware Requirements – https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-332CFB83-784A-4578-9354-888C0538909A.html

Supported Operating Systems – https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-30AA88CF-8CDF-42E5-97D4-D75B2171434B.html

Virtualization Software Requirements – https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-BB3405C3-7026-47BE-A994-0E2C01651BBF.html

Network Requirements – https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-2EC85E02-D6A8-4A75-B8B2-E7A6AE62E7CC.html

The three editions of Horizon 7 are Horizon Standard, Horizon Advanced, and Horizon Enterprise.

Objective 1.2 – Determine procedures to install Horizon Components

The following link provides a high level overview of the installation procedures. https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-getting-started/GUID-C4C7ACB1-2283-4D6B-92CB-058DA94A4F2F.html

Objective 1.3 – Determine steps to configure Horizon Components

The link in Objective 1.2 has links to each step that help with the configuration of the components. So far though, the components have not been listed. Below is a list of a few of the components of Horizon 7.

  • View composer – used if linked clone desktops are going to be deployed
  • Horizon Connection server – this is the server that clients use to connect to the Horizon environment
  • JMP (Just-In-Time Management Platform)
  • Horizon Agent
  • Horizon Client
  • ThinApp
  • App Volumes

Objective 1.4 – Analyze End User Requirements for Display Protocol Performance

End user requirements for display protocol performance are limited to the way the client connects to the virtual desktop. The three display protocols offered are VMware Blast Extreme, PCoIP, and Microsoft RDP. Clients that connect to the desktop with HTML Access use Blast Extreme, and not PCoIP or Microsoft RDP.

For more information choosing a display protocol, reference the following VMware Doc, here.

Objective 1.5 – Diagnose and solve issues related to connectivity between Horizon server Components

This objective seems to be calling out the ports and protocols that are used within the Horizon environment. There are a lot of them as this technology ties together a lot of different components. Also, the firewall will have to be taken into account and configured appropriately. If the components are configured in the local area network or DMZ, this should cut down on the configuration needed at the edge and also provide for a more secure installation.

Here is a link to the VMware docs for the communications protocols.

Default Ports

Protocol                Port
JMS                     TCP port 4001; TCP port 4002
AJP13                   TCP port 8009
HTTP                    TCP port 80
HTTPS                   TCP port 443
MMR/CDR                 TCP port 9427
RDP                     TCP port 3389
SOAP                    TCP port 80 or 443
PCoIP                   TCP port 4172; UDP ports 4172, 50002, 55000
USB redirection         TCP port 32111
VMware Blast Extreme    TCP ports 8443, 22443; UDP ports 443, 8443, 22443
HTML Access             TCP ports 8443, 22443