Rule ID
SV-246912r879887_rule
Version
V1R2
CCIs
When the Horizon native smart card capability is not set to "Required", the option for "Unauthenticated Access" is enabled. This would be true in the case of an external IdP providing authentication via SAML. The "Unauthenticated Access" option allows users to access published applications from a Horizon Client without requiring AD credentials. This is typically implemented as a convenience when serving up an application that has its own security and user management. This configuration is not acceptable in the DoD and must be disabled.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. Under "Horizon Authentication", find the value in the drop-down below "Unauthenticated Access". If "Unauthenticated Access" is set to "Enabled", this is a finding. Note: If "Smart card authentication for users" is set to "Required", this setting is automatically disabled and greyed out. This would be not applicable.
Log in to the Horizon 7 Console. From the left pane, navigate to Settings >> Servers. In the right pane, select the "Connection Servers" tab. For each Connection Server listed, select the server and click "Edit". Click the "Authentication" tab. In the drop-down below Horizon Authentication >> Unauthenticated Access, select "Disabled". Click "OK". Restart the "VMware Horizon View Connection Server" service for changes to take effect.