VMware

Horizon Application Manager 1.5 Hosted Release Notes

Application Manager 1.5.2r3 | 22 FEB 2013 | Build 1015617

Connector 1.5.3 | 24 JAN 2013 | Build 978568

Horizon Agent 1.5 | 29 JUN 2012 | Build 736755

Last Document Update: 24 JAN 2013

What's in the Release Notes

The release notes cover the following topics:

What's New

Horizon Application Manager

New Features

Horizon Application Manager 1.5.2r3 now supports:

  • This version of Horizon Application Manager adds user authentication support with third-party Identity Providers (IdPs), initially supporting only the Active Directory Federation Service (AD FS) 2.0 IdP. Customers can leverage their existing ADFS 2.0 infrastructure to provide user authentication while using the Horizon Connector for user provisioning.
  • SAML providers that require a signing certificate in the SAML assertion: Some service providers require that you send a SAML signing certificate with every SAML assertion. Now, the admin user can create SAML 2.0 applications that include the signing certificate in the SAML assertion by enabling the Include the signing certificate in the response option on the Add Application page.
  • Automatically activate end user applications during first login: Applications that entitle users in the User-Activated mode are automatically activated within Horizon Application Manager during the users first login to the application.

Horizon Connector

The Connector supports end-user authentication and single-sign on through Application Manager to existing directory services, profiles, and policies without making changes or disrupting existing directory architectures.

New Features

Horizon Connector 1.5.3 now supports:

  • SLES security patch for Horizon 1.5: Since version 1.5.2, the Connector has been upgraded to SLES 11Sp2 which resolves numerous security issues in the older version of SLES.
  • Support HTTP proxy for outbound requests: The admin user can configure the proxy through the CUI interface in the Configure Network section.  This feature is relevant to customer networks where all outbound HTTP/S connections have to go through a network proxy.
  • Note: You must reboot the Horizon Connector virtual appliance after you update the proxy configuration.

  • Easier configuration for Connectors that use load balancing: This improvement allows the Horizon Connectors to support DNS round-robin for load balancing. It also allows the Horizon Connector to support load balancers that do not support Kerberos authentication out of the box. The admin user turns this feature on and off on the Windows Authentication page in the Horizon Connector.

User Application Catalog

The User application catalog has several new enhancements. The unified User application catalog in the User Web interface delivers a single IT view of all entitled Windows, SaaS, and Web applications across the public and private cloud. The catalog comes with an inventory of industry leading SaaS applications to streamline deployment. In addition, your IT department is able to customize the catalog to support existing enterprise, Web, and ThinApp applications by adding the new applications. Expanded support of VMware ThinApp virtualized Windows applications enables your IT department to gain control of leases and patch updates to end-users.

  • Ships with SaaS templates for major SaaS applications like Salesforce.com
    • SaaS templates provided to make it easy to set up federation (SSO).
  • Add your own SaaS App
    • Administrators can add their own SaaS applications using federation standards. UI based for easy setup and testing.
  • SaaS provisioning adapter SDK
    • Java SDK for Partners/Integrators to create provisioning adapters.
    • Adapters are uploaded by operators.

Horizon Agent for Windows

Provides support for ThinApp Windows application delivery and synchronizing to Windows-based client devices.

New Features

  • Application activate and deactivate
  • Support for application updates
  • Support for domain and non-domain authentication to the Horizon Agent
  • Support for streamed ThinApp packages (non-persistent desktops)

Resolved Issues

The Resolved Issues section includes fixed issues for Application Manager, the Connector, and Horizon Agent.

Application Manager Resolved Issues

  • Java script errors occur during Webex SSO login process.
  • Customers using the Mozy client to access the Mozy web portal are redirected to the wrong Web page when authenticating through the Horizon connector.
  • Race condition in Mozy provisioning adapter causes errors in provisioning and de-provisioning users.
  • If the first or last name of your LDAP username contains special characters, it can cause errors and the affected users will not sync with Horizon Application Manager.

Before You Begin

Compatibility

Browser Compatibility
Platform and browser compatibility for Application Manager (except for Kerberos-based authentication in Connector Authentication mode):

• Windows XP – Internet Explorer 8; Firefox; Safari 5; Chrome
• Windows Vista – Internet Explorer 8 and 9; Firefox
• Windows 7 – Internet Explorer 8 and 9; Firefox; Safari 5; Chrome
• Mac OS X through 10.7 – Firefox; Safari 5; Chrome
  
Currently, only Windows platforms support Application Manager for Kerberos-based authentication in Connector Authentication mode:

• Windows XP – Internet Explorer 8; Firefox; Chrome
• Windows Vista – Internet Explorer 8 and 9; Firefox
• Windows 7 – Internet Explorer 8 and 9; Firefox; Chrome

Hypervisor Compatibility
The Connector virtual appliance and the Application Manager on-premise virtual appliances are supported on vSphere 4.0 and later.

Upgrading Connector 1.3/1.5.x to 1.5.3

You can upgrade to Connector 1.5.3 from version 1.3/1.5.x (x = version 0, 1, or 2).

  1. Export the configuration file.
    1. Login to the existing Connector 1.3/1.5.x Web console.
    2. Unjoin the connector from the domain to disable Windows authentication. (For Kerberos to function, you must have already joined the domain and enabled Windows for Kerberos.)
    3. Export the Connector configuration file.
      1. Click Advanced > Configuration > Export.
      2. Download the exported configuration file.
    4. Copy the network configuration of the existing Connector 1.3/1.5.x, including the following information:
      • IP address
      • Hostname
      • DNS server entry details
    5. Shut down the existing Connector 1.3/1.5.x.
  2. Download and deploy the new Connector 1.5.3 virtual appliance on your vSphere system.
  3. Configure the network.
    1. From the Connector 1.5.3 Console, click Configure > Configure Network.
    2. Type the IP address, hostname, and DNS server captured in Step 1d.
  4. Import the configuration file.
    1. Go to the Configuration page for Connector 1.5.3 at https://:8443/admin/config/.
    2. Click Import to import the configuration file for Connector 1.5.x.
    3. Join the domain to enable Windows authentication.
    4. Click Advanced > External Access.
    5. Click Generate new SSL Certificate and click Save.
    6. (Optional) Include intermediate SSL certificates signed by a trusted certificate authority on the Connector. See the Horizon Connector Administrator’s Guide to install an intermediate certificate authority.
    7. Restart Connector 1.5.3.
    8. Verify that the authentication, application launch, and basic end-to-end flow is functioning.
  5. Note: Users who are logged in during the update must log out and log in again in order to test Kerberos authentication.

  6. (Optional) Purge the existing Kerberos tickets if you have problems.
    1. Go to the Active Directory (Kerberos Distribution Center) server command line.
    2. Run the klist purge command.

Upgrading Horizon Agent 1.0 to 1.5

You can upgrade Horizon Agent 1.0 to 1.5.

  1. Uninstall Horizon Agent 1.0.
  2. On the Agent host, delete the ThinAgentLease.db file.
    The ThinAgentLease.db file is a hidden file. Therefore you might need to adjust your Windows system to view hidden files.
    The location of the ThinAgentLease.db file differs according to the Windows version as follows:
    • Windows XP: C:\Documents and Settings\LocalService\ThinAgentLease.db
    • Windows 7 32-bit: %windir%\System32\config\systemprofile\ThinAgentLease.db
    • Win 7 64-bit: %windir%\SysWOW64\config\systemprofile\ThinAgentLease.db
  3. Install Horizon Agent 1.5
  4. Restart the Horizon Agent.

Deleting a ThinApp Package from Application Manager

If you want to permanently remove a ThinApp package from Application Manager, implement the steps that follow.

  1. Delete the ThinApp package subfolder from the Windows application network file share.
  2. Delete the application from Application Manager.
    1. Log in to Application Manager as an administrator and navigate to Admin > Applications.
    2. Click the icon of the application (ThinApp package) you want to delete.
    3. Click Edit in the Application Info section.
    4. Click Delete this Application and verify that you want to delete the application.
  3. Use the Connector virtual appliance interface to issue commands to remove the ThinApp database.
    1. Select Login and Log in to the underlying Linux operating system of the Connector virtual appliance.
    2. Issue the following command to stop the ThinApp service:
      /opt/likewise/bin/lwsm stop thinapprepo
    3. Issue the following command to delete the ThinApp database:
      rm /var/lib/vmware/tam/repo/repodb
    4. Issue the following command to restart the ThinApp service:
      /opt/likewise/bin/lwsm start thinapprep

Known Issues

The Known Issues section includes known issues for Application Manager, the Connector, and Horizon Agent.

Application Manager Known Issues

The known Application Manager issues added in the most recent release are marked with the * symbol. Other known issues have been carried forward from previous releases.

  • Users cannot create complex passwords for the Google Apps application
    Users are prompted to generate a complex password when they launch the Google Apps application. After the system tries to generate a complex password, users cannot access the Google Apps application, and the  following error occurs, " Org is configured by admin...."

    Workaround:
    The Administrator must complete these steps before the user can log in successfully.

    1. In the Application Manager Administrator Web interface, click the Applications tab.
    2. Click the icon for the Google Apps application.
    3. Click Edit in the SAML Subject section, and click Save.

You only need to perform this workaround once. Subsequently, all Google Apps users can generate complex passwords and log in to Google Apps successfully.

  • Extended attributes might not appear on some Administrator Web interface pages
    Although you create extended attributes in the Connector Web interface, these attributes might not appear in the various drop-down menus in the Administrator Web interface that should list the attributes.

    Workaround:
    If you do not see a previously added extended attribute on the Administrator Web interface page, manually enter the name of the attribute.
  • Application Manager Web interfaces might display content improperly with Internet Explorer 8 and 9
    The Operator, Administrator, and User Web interfaces of Application Manager improperly display content when the Browser Mode and Document Mode settings of Internet Explorer do not match the Internet Explorer version.

    Workaround:
    In Internet Explorer 8 or 9, go to Tools > Developer Tools to change the applicable settings, if necessary.
    • For Internet Explorer 8, confirm that Browser Mode and Document Mode are both set to IE8.
    • For Internet Explorer 9, confirm that Browser Mode and Document Mode are both set to IE9.
  • You cannot add applications to the temporary administrator on the Applications tab
    You cannot use the Application tab to add an application to the temporary administrator because the temporary administrator does not appear in that specific list.

    Workaround:
    Use the Users & Groups tab to select the temporary administrator. Then, add applications.
  • Renaming an application in Application Manager does not always take effect
    When you rename an application, the former application name might appear instead of the new name.

    Workaround: Be aware of this issue and search for the former application name if necessary.
  • On the Edit Group Rules page, the autocomplete function does not work consistently with non-ascii characters

    Workaround:
    Continue typing the entry with non-ascii characters until the autocomplete function responds or you have finished typing the entry.

Connector Known Issues

The known Connector issues added in the most recent release are marked with the * symbol. Other known issues have been carried forward from previous releases.

  • When you use the hostname in the Connector Address text box of the SecurID page, the information is not saved
    The RSA authentication agent, which in this case is the Connector, relies on InetAdress.getLocalHost() in Java. If that call returns 127.0.0.1 or another dummy or loopback address, what transpires between the Connector and the RSA SecurID server is unclear. This issue is due to an RSA agent known issue (see RSA release notes), and can occur even when DNS works properly and hostnames are resolved.

    Workaround:
    Use an IP address in the Connector Address text box instead of a hostname. If you want to use the hostname, you must override the IP address on the Connector in the /etc/hosts file, and then clear the node secret.
  • When users abort the setup of an RSA SecurID token but try again soon after, their PIN can be set inaccurately
    While setting up their RSA SecurID token, if users cancel the attempt or allow it to time out, upon return they can complete the token setup. However, the passcode the user entered on the previous page might be set as the new PIN.

    Workaround:
    Inform users not to abort the RSA SecurID token setup.
  • On the Directory page in the Connector Web Interface, using non-ascii characters in the Server Host text box might fail
    The use of non-ascii characters for the Active Directory hostname might cause an error message about not resolving DNS.

    Workaround:
    Use ascii characters in the Server Host text box.
  • The Connector does not warn you when a new Active Directory group has the same name as an existing Horizon group
    When you create an Active Directory group with a name that exactly matches an existing Horizon group name, the new group does not get pushed to Application Manager. The appropriate behavior in this situation is not overriding the existing group. However, no alert is sent to explain the situation.

    Workaround:
    Ensure that you do not create duplicate group names.
  • The Join Domain page in the Connector Web Interface implies that the password is stored
    After you click Join Domain, the AD Password text box remains populated with what appears to be a hidden password. However, the password is not stored on the Connector.

    Workaround:
    Ignore the fact that the AD Password text box remains populated after you have joined the domain.
  • The Connector allows you to remove the Bind DN user account that has administrative access to Application Manager
    Initially, only the user associated with the Bind DN user account has administrative access to Application Manager.

    The following actions can cause you to unintentionally remove the Bind DN user account from Application Manager:
    • You can filter out the Bind DN user account in the Connector when you select users
    • You can make the Bind DN user account invalid for directory synchronization by making a user attribute a required attribute while the Bind DN user account does not have that attribute

    At the next directory synchronization, following one of the preceding actions, Application Manager receives changes from Active Directory, which includes the removal of the Bind DN user account. At this point, you can no longer log in to Application Manager as an administrator. While you can add the Bind DN user account back, the account no longer has administrative privileges.

    Workaround:
    Prevent the removal of the Bind DN user account by cautiously selecting users and mapping user attributes. Also, accessing Application Manager as soon as possible to assign several delegated administrators access to the Connector reduces the chance of this issue occurring in the future.

    If you unintentionally remove the Bind DN user account from the Application Manager, you must contact Horizon customer support.
  • On the Join Domain page in the Connector Web Interface, using non-ascii characters in the AD Username text box might fail
    The use of non-ascii characters for the Active Directory username might result in an error message about failing to join the domain.

    Workaround:
    Use ascii characters in the AD Username text box.
  • On the Join Domain page in the Connector Web Interface, using non-ascii characters in the AD FQDN text box might fail
    The use of non-ascii characters for the Active Directory domain name might result in an error message about failing to join the domain.

    Workaround:
    Use ascii characters in the AD FQDN text box.
  • Sync Safeguards: Next button to either Ignore/Update safeguard is not shown when the browser is in maximized view
    This issue occurs when you access the Connector Web Interface with the browser window maximized. If safeguard alerts are triggered, a dialog box appears displaying the alerts. When several alerts are displayed, the Next button can be pushed off the page and become inaccessible while the browser window remains maximized.

    Workaround:
    Resize the browser window to make the Next button accessible.
  • Resetting the Connector on the Configuration page in the Connector Web Interface might fail when Join Domain is configured
    After you have configured the Join Domain page, when you click Reset on the Configuration page, the reset might fail and cause an error message to display.

    Workaround:
    Reload the page.
  • On the Select Users page in the Connector Web Interface, the error message might display the first and last names in reverse order
    When a required attribute for a user is missing, the users name appears in the View Errors tab of the Select Users page. However, the user's last name and first name are displayed in reverse order.

    Workaround:
    This issue does not affect functionality. Supply the missing attribute in Active Directory to complete the synchronization of the user's record.
  • On the Windows Apps page in the Connector Web Interface, using non-ascii characters in the path text box might fail
    If you use non-ascii characters in the Applications Share Path text area, the attempt might fail with an ERROR_PATH_NOT_FOUND error.

    Workaround:
    Use ascii characters in the Applications Share Path text area.
  • On Internet Explorer 8 in the Connector Web interface, some application icons might not appear on the Windows Apps page
    The name of the application appears correctly, but in specific cases, the icon does not.

    Workaround:
    This issue is only visible to administrators. It does not affect functionality and can be ignored.
  • Cannot access the Connector Web interface using Internet Explorer 8 on Windows XP
    Attempts to reach the Connector login page result in an error explaining that Internet Explorer cannot display the Web page.

    Workaround:
    Use Firefox browser on Windows XP.
  • The "Domain Users" and "Domain Guests" built-in Active Directory groups do not properly synchronize to Application Manager

    Workaround:
    Create dynamic Application Manager-based groups, configured directly in Application Manager, which can use rules to replicate the behavior of the Domain Users or Domain Guests groups.
  • LDAP queries to AD from the root of the tree (in other words, with DC only or without any OU or CN elements) are not working in the Directory Sync wizard

    Workaround:
    Use OU or CN instead of DN or DC only to sync AD users and groups. You can specify as many OUs or CNs as necessary.
  • In the Connector setup wizard, on the Select Users page, on the View Results tab, users are listed twice (or multiple times) in Active Directory sub-branches

    Workaround:
    The user appears twice (or multiple times) because the user is a member of the main branch and the sub-branch (or sub-branches) specified as your listing criteria. After pushing, each user will appear only once and your user count will be correct.
  • Filtering users by givenName (first name) and sn (last name) does not omit them from the Select Admin page

    Workaround:
    Use mail (email) or sAMAccountName (username) for filtering users on the Select Admin page.

Horizon Agent Known Issues

  • The Horizon Agent uninstaller does not uninstall the ThinApp shortcuts or the Horizon folder from the desktop

    Workaround:
    Manually delete the folder and shortcuts.