Hello! The long summer has passed, and it is time to blog some more. One of our customers has decided to perform a security audit of Horizon View. So we sat together with their specialist and started to go over how Connection Server works with users. And he had a surprise for me: I had never thought about the details of user management and believed it all came from Active Directory. And I was wrong - Connection Server does have several "cached" accounts: one of them is the account used to work with vCenter, which can be a local non-AD vCenter user account. Another account is a local SQL account used to store Horizon Events logs. So thanks to my EUC colleagues and Sarah Swatman, who pointed out these things inside the AD LDS database that accompanies the Connection Server instance. I wrote up the details of connecting to the local AD LDS DB in a KB page.

Once you are there, you can find the pae-VcUserPassword field in AD LDS under CN=<uuid>,OU=VirtualCenter,OU=Properties. Right-click this object and select Properties to find "pae-VcUserPassword".

The Cluster Master Secret, also called the Key Vault Master Key, is currently used to protect secret/sensitive data in LDAP. Encrypted data always has this format: {keyname-algname:algversion}, and the encryption algorithm in use is AES.
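
An added example (not from the original post or from VMware): a read-only check over an LDIF export of the AD LDS instance that confirms every pae-VcUserPassword value under OU=VirtualCenter,OU=Properties carries the {keyname-algname:algversion} header and names AES. It assumes the header is a prefix in front of the ciphertext and that the algorithm name starts with AES; the sample export, its DC=example suffix, UUIDs and key names are constructed.

```python
import base64
import re

# Header layout from the page: {keyname-algname:algversion}.
# Assumption: the header is a prefix and the ciphertext follows it.
HEADER = re.compile(r"^\{(?P<key>[^{}:]+)-(?P<alg>[^{}:-]+):(?P<ver>[^{}:]+)\}.+$", re.S)
SCOPE = "ou=virtualcenter,ou=properties"
ATTR = "pae-vcuserpassword"

# Constructed sample export: UUIDs, key names, suffix and values are made up.
SAMPLE = (
    "dn: CN=00000000-0000-0000-0000-000000000001,OU=VirtualCenter,OU=Properties,DC=example\n"
    "pae-VcUserPassword: {samplekey-AES:1}Q09OU1RSVUNURUQ=\n\n"
    "dn: CN=00000000-0000-0000-0000-000000000002,OU=VirtualCenter,OU=Properties,DC=example\n"
    "pae-VcUserPassword:: " + base64.b64encode(b"constructed-unwrapped").decode() + "\n\n"
    "dn: CN=00000000-0000-0000-0000-000000000003,OU=VirtualCenter,OU=Properties,\n"
    " DC=example\n"
    "pae-VcUserPassword: {old-key-DES:1}Q09OU1RSVUNURUQ=\n"
)

def parse_ldif(text):
    """Yield one dict per LDIF record (folded lines and base64 values handled)."""
    unfolded = re.sub(r"\r?\n ", "", text)
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[name.lower()] = value.strip()
        yield entry

def audit(text):
    """Return (dn, status, detail) per stored vCenter credential; never the value."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", "")
        if ATTR not in entry or SCOPE not in dn.lower():
            continue
        m = HEADER.match(entry[ATTR])
        if not m:
            findings.append((dn, "NO_HEADER", None))
        elif not m["alg"].upper().startswith("AES"):  # page says AES is in use
            findings.append((dn, "UNEXPECTED_ALG", m["alg"]))
        else:
            findings.append((dn, "OK", f'{m["key"]}/{m["alg"]}/{m["ver"]}'))
    return findings
```

audit() returns only the DN and the header fields, so its output can go into an audit report without exposing the stored value.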

Back in the article, I also pointed out the place where Console admin roles are attached to Active Directory users. So in case you have similar questions from security, now you know where to find everything!