STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to VMware Horizon 7.13 Connection Server Security Technical Implementation Guide

V-246888

CAT I (High)

The Horizon Connection Server must require DoD PKI for administrative logins.

Rule ID

SV-246888r879554_rule

STIG

VMware Horizon 7.13 Connection Server Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000166

Discussion

The Horizon Connection Server console supports CAC login as required for cryptographic non-repudiation. CAC login can be configured as disabled, optional or required but for maximum assurance it must be set to "required". Setting CAC login as "optional" may be appropriate at some sites to support a "break glass" scenario where PKI is failing but there is an emergency access account configured with username/password. Satisfies: SRG-APP-000080-AS-000045, SRG-APP-000149-AS-000102, SRG-APP-000151-AS-000103, SRG-APP-000153-AS-000104, SRG-APP-000177-AS-000126, SRG-APP-000392-AS-000240, SRG-APP-000391-AS-000239, SRG-APP-000403-AS-000248

Check Content

Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Scroll down to "Horizon Administrator Authentication". Find the value in the drop down next to "Smart card authentication for administrators".

If "Smart card authentication for administrators" is not set to "Required", this is a finding.

NOTE: If another form of DoD approved PKI is used, and configured to be required for administrative logins, this is not a finding.

Fix Text

Log in to Horizon Connection Server Console and copy all root and intermediate certificates, in base-64 '.cer' format, required for CAC authentication to ‘C:\Certs’. If "C:\Certs” does not exist, create it.

Copy the provided make_keystore.txt to the Horizon Connection Server in "<install_directory>\VMware\VMware View\Server\sslgateway\conf". Rename "make_keystore.txt" to “makekeystore.ps1”.  The "make_keystore.txt" content is provided in this STIG package.

Launch PowerShell as an administrator on the Horizon Connection Server and execute the following commands:

cd "<install_directory>\VMware\VMware View\Server\sslgateway\conf"
Set-ExecutionPolicy unrestricted
(type ‘Y’ when prompted)
.\make_keystore.ps1 -CertDir C:\Certs -Password <store password> -KeyStore keystore -LockedProperties locked.properties’

Copy the created "locked.properties" and "keystore" files to any Horizon Connection Server that shares the same trusted issuers. Omit this step if multiple connections servers are not utilized.

Log in to the Horizon Connection Server Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Select the "Authentication" tab. Scroll down to "View Administrator Authentication". Select "Required" for the "Smart card authentication for administrators". Click "OK". Repeat for all other Horizon Connection Servers.

Restart the "VMware Horizon View Connection Server" service for changes to take effect.