VMware Horizon 2106 (8.3) Configuration

Last Modified: Jul 17, 2021 @ 10:54 am


This post applies to all VMware Horizon versions 2006 (aka 8.0) and newer.

💡 = Recently Updated

Change Log

  • 2021 Jan 8 – updated entire article for Horizon 2012 (8.1)
  • 2020 Aug 14 – updated entire article for Horizon 2006 (aka Horizon 8)


Horizon Service Account

  1. Create an account in Active Directory that VMware Horizon will use to login to vCenter. This account can also be used by Instant Clones to create computer accounts in Active Directory.
  2. Make sure the password does not expire.
  3. Domain User is sufficient. Permissions will be delegated where needed.

vCenter Role for Horizon

This role has all permissions needed for both full clones and instant clones. See Privileges Required for the vCenter Server User With Instant Clones at VMware Docs.

See the Product Interoperability Matrix for supported vCenter versions.

Create vSphere Role:

  1. In vSphere Web Client, go to Administration.
  2. In the Roles node, click the plus icon to add a Role.
  3. If you are using vTPM, then on the left, click Cryptographic operations. On the right, enable Clone, Decrypt, Direct Access, Encrypt, and Manage KMS. Scroll down on the right to see more Cryptographic operations permissions.

    1. While still in Cryptographic operations, scroll down and enable Migrate and Register host.
  4. On the left, click Datastore. On the right, enable Allocate space, Browse datastore, and Low level file operations.
  5. On the left, click Folder. On the right, enable Create folder, and Delete folder.
  6. On the left, click Global. On the right, enable Act as vCenter Server, Disable Methods, and Enable Methods, and then scroll down on the right to see more Global permissions.

    1. While still in Global, enable, Manage custom attributes, Set custom attribute, and System tag.
  7. On the left, click Host. On the right, in the Configuration section, enable Advanced Settings. Then scroll down on the right to see more Host settings.

    1. While still in Host, scroll down to the Inventory section and click Modify cluster.
  8. On the left, click Network. On the right, enable All Network Privileges.
  9. For Virtual SAN, enable Profile-driven storage and everything under it. VMware 2094412 When attempting to deploy linked clones using VMware Virtual SAN (VSAN) you receive the error: Unable to connect to PBM sub system PB may be down
  10. On the left, click Resource. On the right, enable Assign virtual machine to resource pool, and Migrate powered off virtual machine.
  11. On the left, click Storage views. On the right, enable View.
  12. On the left, click Virtual Machine. On the right, click Change Configuration to enable all Configuration permissions. Scroll down on the right to see more Virtual machine permissions.

    1. While still in Virtual Machine, scroll down and click Edit Inventory to enable all Inventory permissions.
    2. While still in Virtual Machine, scroll down to the Interaction section, enable Connect devices, and then click See more privileges.
    3. While still in Virtual Machine, scroll down and enable Perform wipe or shrink operations,  Power Off, Power On, Reset, and Suspend.
    4. While still in Virtual Machine, scroll down to the Provisioning section and enable Allow disk access, Clone template, and Clone virtual machine. Then click See more privileges.
    5. While still in Virtual Machine, scroll down and enable Customize guest, Deploy template, and Read customization specifications.
    6. While still in Virtual Machine, scroll down and click Snapshot Management to enable all Snapshot permissions.
  13. Click Next.
  14. Name it Horizon or similar. Then click Finish

Assign role to service account:

  1. Create an account in Active Directory that Horizon will use to login to vCenter.
  2. In vSphere Web Client, in Hosts and Clusters view, browse to the vCenter object. Permissions must be assigned at the vCenter level. It won’t work at any lower level.
  3. On the right, select the tab named Permissions.
  4. Click the plus icon to add a permission.
  5. In the Add Permission dialog box, do the following:
    1. Change the User domain.
    2. Search for the service account.
    3. Change the Role to the one you created in the previous section.
    4. Check the box next to Propagate to children.
  6. Click OK.
  7. The service account is now listed on the Permissions tab.

Active Directory Delegation for Instant Clones

Horizon Instant Clones create computer objects in Active Directory. Horizon is configured with an Active Directory service account that must be granted permission to create computer objects. See Create a User Account for Instant-Clone Operations at VMware Docs.

  1. Create an OU in Active Directory where the Horizon Agent computer objects will be stored.
  2. In Active Directory Users & Computers, right-click the Horizon Agents OU, and click Delegate Control.
  3. In the Welcome to the Delegation of Control Wizard page, click Next.
  4. In the Users or Groups page, add the Active Directory service account for Instant Clones and/or Horizon Composer. Then click Next.
  5. In the Tasks to Delegate page, select Create a custom task to delegate, and click Next.
  6. In the Active Directory Object Type page, do the following:
    1. Change the radio button to select Only the following objects in the folder.
    2. Check the boxes next to Create select objects in this folder and Delete selected objects in this folder.
  7. Click Next.
  8. In the Permissions page, check the boxes next to Read All PropertiesWrite All Properties, and Reset Password. Then Next.
  9. In the Completing the Delegation of Control Wizard page, click Finish.
  10. If you are viewing Advanced Features in Active Directory Users & Computers, if you view the properties of the OU, on the Security tab, click Advanced, find your service account, you should see permissions similar to the following.

Events SQL Database

Horizon 2103 (8.2) and newer support PostgreSQL. See Prepare a PostgreSQL Database for Event Reporting at VMware Docs.

Horizon 2106 (8.3) and newer support SSL to the events database. See SSL Connection to Event Database at VMware Docs.

A new empty SQL database is needed for storage of Horizon Events.

  1. Only SQL Server authentication is supported, so make sure it’s enabled on your SQL Server > Properties > Security page.
  2. In SQL Server Management Studio, create a new database.
  3. Name it VMwareHorizonEvents or similar. Switch to the Options tab.
  4. Select your desired Recovery model, and click OK.
  5. Under Security > Logins, add a SQL login if one does not exist already. Windows authentication is not supported.
  6. Right-click a SQL login, and click Properties.
  7. On the User Mapping page, check the Map box next to the VMwareHorizonEvents database.
  8. On the bottom, add the user to the db_owner database role. Click OK when done.

Horizon Consoles

On the desktop of the Horizon Connection Server is an icon to launch Horizon Administrator Console. This console no longer needs Flash. The older Flex console has been removed from Horizon 2006 and newer. Don’t use Internet Explorer.

The URL entered in the browser must either be https://localhost, or the Secure Tunnel URL (Horizon Console > Settings > Servers > Connection Servers tab > Edit). By default the Secure Tunnel URL is the FQDN of the Connection Server. If you don’t use one of these URLs then you’ll see a Login Failed message. If you want to use a different URL than the Secure Tunnel URL (e.g. short name instead of FQDN), then configure checkOrigin=false in locked.properties file as detailed at VMware 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon.


To configure licensing:

  1. Open Horizon Console.
  2. Login using a Horizon administrator account.
  3. On the left, expand Settings and click Product Licensing and Usage.
  4. In the right pane, on the top left, click Edit License.
  5. In the Edit License window, enter your Horizon 8 (Horizon 2006) license serial number, and click OK. Horizon 7 license keys will not work.
  6. Licensing information is displayed:
    • License expiration is shown.
    • Instant Clones are available in all editions. See Horizon Perpetual Feature Comparison.
    • Application Remoting (published applications) requires Horizon Advanced Edition.
    • Teams Optimization requires Horizon Advanced Edition.
    • Session Collaboration requires Horizon Enterprise Edition.
    • Help Desk tool requires Horizon Enterprise Edition.
    • App Volumes requires Horizon Enterprise Edition.
    • Smart Policies (Dynamic Environment Manager) requires Horizon Enterprise Edition.
    • Rest APIs require Horizon Enterprise Edition.

Horizon Administrators

To configure Horizon Administrators:

  1. In Horizon Console, expand Settings, and click Administrators.
  2. On the right, near the top, click Add User or Group.
  3. In the Select administrators or groups page, click Add.
  4. Enter the name of a group that you want to grant Horizon Administrator permissions to, and click Find.
  5. After the group is found, check the box next to the group (or highlight the group), and then click OK.
  6. Continue adding groups, or just click Next.
    Note: This wizard only lets you select one role; so, only add groups that will have the same role assigned. You can run the wizard multiple times.
  7. In the Select a role page, select the role (e.g. Administrators or Help Desk Administrators, which grants access to the Help Desk tool). Then click Next.
  8. Select an Access Group to which the permission will be applied and then click Finish.
    • Access Groups let you designate permissions to specific pools instead of to all pools.
    • Federation Access Groups are available in Horizon 2103 (8.2) and newer and let you restrict admin permissions to specific Global Entitlements (Cloud Pod Architecture).
    • Not every role can be applied to Access Groups. E.g. Help Desk tool permission is a global permission and can’t be limited to specific pools.
    • Note: If you intend to integrate Horizon with VMware Identity Manager (aka VMware Access), then only pools in the Root Access group will sync with Identity Manager. Other Access Groups won’t work.

Help Desk Website

Horizon has a web-based Help Desk tool built into Horizon Connection Server.

  • In Horizon Console, simply enter a user name in the search box at the top of the page.
  • VMware also has an alternative Horizon Helpdesk Utility Fling

The Desktops and Applications tabs let you see what the user is entitled to. You can even export these lists.

On the Sessions tab, click a session to see more details.

On the Details tab, scroll down to find action buttons like Remote Assistance. These buttons are kind of hidden.

Keep scrolling down and you’ll see Logon Segments.

The Processes tab lets you end processes in the user’s session.

Notes on the Help Desk feature:

  • Enterprise Licensing – Help Desk tool requires Horizon Enterprise edition license, or Horizon Apps Advanced edition license. Horizon Standard Edition licenses do not include this tool. The Product Licensing page indicates if Help Desk is licensed or not.
  • Horizon has a built-in Help Desk Administrators role that enables members to use the Help Desk tool.

    • Add Help Desk users to the Administrators and Groups tab, and assign them one of the Help Desk roles.
  • 15 minutes of History – There’s only 15 minutes of collected metric data.

See Troubleshooting Users in Horizon Help Desk Tool at VMware Docs.

vCenter Connection

Horizon must connect to vCenter for several reasons:

  • Power manage the virtual machines
  • Create new virtual machines using Instant Clones
  • Update virtual machines using Instant Clones

See the Product Interoperability Matrix for supported vCenter versions.

If you are adding multiple vCenter servers to Horizon, make sure each vCenter Server has a Unique ID. In vSphere Client, go to the vCenter Server > Configure > Settings > General > Edit > Runtime Settings, and confirm that the ID is unique for each vCenter server.

To add the vCenter connection:

  1. In Horizon Console expand Settings, and click Servers.
  2. In the right pane, in the vCenter Servers tab, click Add.
  3. In the VC Information page, do the following:
    1. In the Server address field, enter the FQDN of the vCenter server.
    2. In the User Name field, enter the previously created Active Directory account (domainname\username) that Horizon will use to login to vCenter.
    3. Also enter the service account’s password.
    4. Horizon 2106 (8.3) and newer have a Deployment Type drop-down. If on-premises, leave it set to General.
  4. Click Next.
  5. If you see a message regarding invalid certificate, click View Certificate. Then click Accept.

  6. In Horizon 2012 and newer, View Composer is no longer an option.
    1. In Horizon 2006, in the View Composer page, select Do not use View Composer. There’s no need to use Composer since all editions of Horizon 2006 and newer include Instant Clones. Click Next.
  7. In the Storage page, do the following:
    1. Reclaim VM disk space requires IOPS during its operation. It’s only useful for the rare persistent Instant Clones use case and thus is generally unchecked.
    2. Check the box to Enable View Storage Accelerator and increase the host cache size up to 32768. Notes:
      • View Storage Accelerator is required for Instant Clones replica disks.
      • The cache size value is removed from RAM and that RAM is no longer accessible to virtual machines.
      • Higher host cache sizes should speed up Instant Clone Smart Provisioning (without parent image).
  8. Click Next.
  9. In the Ready to Complete page, click Submit.

Instant Clone Domain Accounts

If you plan to use Instant-Clone to create non-persistent virtual desktops, then add an administrator account that can join machines to the domain.

  1. In Horizon Console 2012 and newer, on the left expand Settings, and click Domains.

    1. In Horizon Console 2006, on the left, expand Settings and click Instant Clone Domain Accounts.
  2. On the right, the Connection Server tab shows the domains that the Connection Servers see.
  3. On the tab named Instant Clone Engine Domain Accounts, click Add.
  4. Select the domain.
  5. Enter credentials of a service account that can join machines to the domain. Click OK.

Restrict Remote Access

The Users and Groups node has a Remote Access tab. If you add groups or users to this tab, then only these groups and users can login through Unified Access Gateway (UAG).

Users not in the list can’t login through Unified Access Gateway (UAG).

Disable Secure Tunnel

By default, internal Horizon Clients connect to Horizon Agents by tunneling (proxying) Blast or PCoIP through a Horizon Connection Server. It would be more efficient if the internal Horizon Clients connect directly to the Horizon Agents instead of going through a Connection Server.

  • If the tunnels are enabled, and if you reboot the Connection Server, then user connections will drop.
  • If the tunnels are disabled, then rebooting the Connection Server will not affect existing connections.

To disable the tunnels:

  1. In Horizon Console, on the left, expand Settings, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server to highlight it, and click Edit.
  4. On the General tab, uncheck the boxes next to HTTP(S) Secure Tunnel and the PCoIP Secure Gateway.
  5. For Blast Secure Gateway, change it to Use Blast Secure Gateway for only HTML Access connections to machine. Click OK.

Event Database and Syslog

To add the Events Database:

  1. In Horizon Console, on the left, expand Settings and click Event Configuration.
  2. On the right, under Event Database, click Edit.
  3. In the Edit Event Database dialog box, do the following:
    1. Enter the name of the SQL server.
    2. Select Microsoft SQL Server as the Database type. Note: Horizon 2103 (8.2) and newer have an option for PostgreSQL.
    3. Enter the name of the database.
    4. Enter the SQL account credentials (no Windows authentication).
    5. Optionally, enter HE_ (or similar) for the Table prefix. This allows you to use the same Events database for multiple Horizon installations.
  4. Click OK.
  5. Horizon 2106 (8.3) and newer support SSL to the events database. See SSL Connection to Event Database at VMware Docs.
  6. On the right, in the Event Settings section, you can click Edit to change the age of events shown in Horizon Console or Horizon Administrator.
  7. To add a Syslog server, look on the right side of the page.
  8. There are configuration options for logging to a file (Events to File System).
  9. You can go to Monitor > Events to view the events in the database.

Event Database SQL Index

VMware Knowledgebase article – The Event database performance in VMware Horizon View 6.x and 7.0.x is extremely slow: Symptoms:

  • The Event database performance in VMware View 6.0.x is extremely slow when browsing within View
  • High CPU usage on the SQL server, hosting the Event database
  • The larger the Event database becomes, the slower the queries run.

To resolve this issue, create an index. Run this command on your SQL Event database:

CREATE INDEX IX_eventid ON dbo.VDIevent_data (eventid)

Substitute VDIevent_data for the table name using your Event database prefix.

Event Queries

VMware Fling – Horizon View Event Notifier: collects and sends the alerts via email (SMTP) to users that are specified during the configuration process. It allows aggregation of alerts across multiple Horizon View Pods and for near real-time alerting of Horizon View alerts that are otherwise very difficult to be notified on.

Chris Halstead – VMware Horizon View Events Database Export Utility: this utility allows administrators to easily apply very detailed filtering to the data and export it to .csv. You can filter on time range,  event severity, event source, session type (Application or Desktop), Usernames and Event Types.  The application allows for extremely granular export of data.   The exported columns can also be customized and the application will export data from both the live and the historical tables in the View Events Database.

VMware Knowledgebase article 2089816 – Creating SQL views to retrieve the top 50 maximum number of concurrent desktop sessions over a period: This article provides steps to create database views to retrieve the maximum number of concurrent desktop sessions over a period from the event_historical table.

To retrieve the top 50 maximum number of concurrent desktop sessions over a period time from the event_historical table, run this query:

select Count, Time from(select top 50 DOB.<prefix>_data_historical.IntValue as 'Count', DOB.<prefix>_historical.Time as 'Time' from DOB.<prefix>_historical.DOB.<prefix>_data_historical where DOB.<prefix>_historical.EventID = DOB.<prefix>_data_historical.EventID and DOB.<prefix>_data_historical.Name = 'UserCount' and DOB.<prefix>_historical.EventType='BROKER_DAILY_MAX_DESKTOP order by DOB.<prefix>_historical.Time DESC) A Order by Time

Where <prefix> is the prefix for the event table. You can find the prefix that you must use by examining other view definitions, such as user_events.

Global Settings

  1. In Horizon Console, on the left, expand Settings and click Global Settings.
  2. On the right, under Global Settings, in the General Settings tab, click Edit.
  3. Set the Horizon Console session timeout. 4320 minutes (72 hours) is the maximum.
  4. Forcibly disconnect users is an active session timeout. It is not an idle timeout in that it doesn’t care if the user is working or not. The default is 10 hours so consider increasing it. Note: this timer does not log the user out of Windows. Instead it merely disconnects the user and requires the user to logon to Horizon Connection Server again.
  5. Under Client-dependent settings you can set an idle timeout. This is a disconnect, not logoff.

    • In a pool’s Desktop Pool Settings, you can configure Log Off After Disconnect.
  6. Other methods of configuring an idle timeout for desktop sessions:
  7. Enable automatic status updates enables automatic updating of the table displayed in the top-left corner of Horizon Console.
  8. The Send domain list option is unchecked by default, which means users must enter a domain name instead of picking one from a list. Check this box (and uncheck Hide domain list) to restore functionality from Horizon 7.7 and earlier. See VMware Blog Post Changes in Logon for VMware Horizon.
  9. Make other changes as desired. Click OK when done.

Log On as Current User is also disabled by default. To enable this client feature:

  1. In Horizon Console, on the left, expand Settings, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Highlight a Connection Server and click Edit.
  4. Switch to the Authentication tab.
  5. Scroll down. Check the box next to Accept logon as current user. Click OK.

Client Version Restrictions

Horizon can restrict connections to a minimum version of Horizon Client.

  1. In Horizon Console, on the left, expand Settings, and click Global Settings.
  2. On the right, switch to the tab named Client Restriction Settings.
  3. Click Edit.
  4. For each client type, enter a minimum version number. Additional options are available if you scroll down.
  5. Block Additional Clients blocks all clients other than the ones you selected. One use case is to block HTML Access.
  6. You can customize the message that users see if their client is too old. This feature requires Horizon Client 2006 (aka 8.0) or newer.
  7. Click OK when done.
  8. The client version is enforced when you try to launch an icon.

Global Policies

By default, Multimedia Redirection is disabled. You can enable it in Global Policies.

  1. In Horizon Console, go to Settings > Global Policies.
  2. On the right, click Edit Policies.
  3. Set Multimedia redirection (MMR) to Allow, and click OK. Notice that Multimedia redirection is not encrypted.


Connection Server LDAP Backup can be configured in Horizon Console.

  1. in Horizon Console, on the left, expand Settings and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Select a Horizon Connection Server, and click Backup Now. Backups can be found in C:\ProgramData\VMware\VDM\backups.
  4. To change automatic backup settings, Edit the Horizon Connection Server, and switch to the Backup tab.
  5. You can schedule automatic backups. See VMware 1008046 Performing an end-to-end backup and restore for VMware Horizon View.


VMware Blog Post Top 10 Tips for a Successful Horizon VDI

Related Pages

14 thoughts on “VMware Horizon 2106 (8.3) Configuration”

  1. Hello Carl!
    I searched for information about the Instant Clone Domain Accounts without success.
    Is it possible to add several Instane Clone Accounts in order to create pools in different domains without trust?

  2. Hello, my vcsa in mngmt network with esxi hosts. How to me add public domain network to working vcsa with horizon 8? Vcsa going to domain? Thx.

  3. Hello Carl,

    When I try to add vCenter 7.0.2 to Horizon 8.2 I receive an error message “Certificate validation failed”
    What could be the problem?

    1. Is it a custom certificate? Or is it the built-in VMCA certificate? Was the certificate revoked?

      1. Thanks for answering. It`s s bulit-in VMCA certificate. I even downloaded the certificate from vcenter and import it on horizon and tried also with different browser but no success. The weird part is that whatever I put in the fields (even wrong name of vcenter or wrong credentials), the message is the same.

        1. What operating system is your Connection Server? Any firewall or proxy between Connection Server and vCenter? Is outbound Internet blocked from the Connection Server?

          Do the Connection Server logs show any more info?

          1. Problem solved. It was some firewall between Connection Server and vCenter. Thank you for your time.

  4. Hi Carl,
    How do you think why Remote Access restriction may not work in Horizon 8 (2103)?
    I have Horizon 8 (2103), Horizon 7.9.0 and UAG 2103. If I point UAG to Horizon 7.9.0 Remote Access restriction work as expected. If I point UAG to Horizon 8 (2103) users from UAG can login even although no users added to Remote Access tab.

    1. In UAG > Horizon Settings > More, Gateway Location is set to External?

      In Horizon Console > Users and Groups > Remote Access, you added at least one group or user? If you don’t add anybody, then it allows everybody.

      I just tested UAG 2103.1 with Connection Server 2103 (8.2) and it works.

      1. The key words was “If you don’t add anybody, then it allows everybody. ”

        You saved my brain!! I have already install few version from scratch receiving same result, and asking yourself – why? While in other production setup all worked fine.
        Anyway this is strange logic, isn’t?
        Thanks a lot Carl!

Leave a Reply