VMware Identity Manager 2.4.1 Release Notes

VMware Identity Manager 2.4.1 | 17 NOV 2015 | Build 3230668

VMware Identity Manager Connector 2015.10.1 | 29 OCT 2015 | Build 3190376

VMware Identity Manager Desktop 2.4 | 08 SEPT 2015 | Build 3032643

VMware Identity Manager Integration Broker 2.4 | 08 SEPT 2015 | Build 3003880

Release date: November 17, 2015

Release Notes updated February 3, 2016

What's New

Workspace Portal is being renamed to VMware Identity Manager.

This release of VMware Identity Manager 2.4.1 delivers the following new feature.

  • Authentication Method Chaining

    Authentication method chaining enables two authentication methods to be chained (invoked in succession) when users sign in to Identity Manager or when they access an application. For example, you can set up an authentication policy to first authenticate using an AD username and password and then pass the authenticated username to a second authentication method, such as RADIUS. This further enhances policy capabilities for multi-factor authentication in Identity Manager.

    Note: When you upgrade from 2.1.x to 2.4.1, authentication method chaining is not automatically enabled. You must update the database to enable this feature.

    To enable authentication method chaining in the PostgreSQL database, run the following commands as root on the virtual appliance.

    1. Stop the service.
       /etc/init.d/horizon-workspace stop
    2. Log in to the database. If you have not changed the password, the default password was H0rizon!
       /opt/vmware/vpostgres/9.2/bin/psql -U horizon saas
    3. Run the following statement.
       INSERT INTO saas."OrganizationArtifacts" (id, "idOrganization", "idArtifactType", "strArtifactSubtype", "strData", "createdDate", "idEncryptionMethod", timestamp) VALUES (154, 1, 10, 'orgEnableAuthMethodChaining', 'true', '2015-08-28 11:11:58.334000', 3, 1442290240944850850);
    4. Exit the Postgres prompt.
       \q
    5. Restart the service.
       /etc/init.d/horizon-workspace restart

    To enable authentication method chaining in the Oracle SQL database, run the following commands.

    1. In the VMware Identity Manager appliance, stop the service.
       /etc/init.d/horizon-workspace stop
    2. Download and install the Oracle SQL Developer tool to perform this task in the Oracle database. Note: SQL Plus is an alternative to SQL Developer.
    3. Connect to the Oracle database server. The following are example connection settings.
       hostname: Oracle DB server IP, port: 1521 by default, SID: orcl, username: "saas", connection name: any temporary name
    4. Run the following statement.
       INSERT INTO "OrganizationArtifacts" ("id", "idOrganization", "idArtifactType", "strArtifactSubtype", "strData", "createdDate", "idEncryptionMethod", "timestamp") VALUES (154, 1, 10, 'orgEnableAuthMethodChaining', 'true', CURRENT_TIMESTAMP, 3, 1442290240944850850);
    5. Commit this query and exit the SQL Developer tool.
    6. In the VMware Identity Manager appliance, restart the service.
       /etc/init.d/horizon-workspace restart
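
For the PostgreSQL procedure above, a guarded form of step 3 that can be run at the psql prompt opened in step 2; this is an added example, not VMware's documented command. It assumes the table and values shown in step 3 and that id is the table's key, and it avoids ON CONFLICT because the psql path in step 2 indicates PostgreSQL 9.2.

```sql
BEGIN;

-- Pre-check: expect zero rows. A row with id 154 or an existing
-- orgEnableAuthMethodChaining entry for organization 1 means the
-- documented INSERT would either fail or create a duplicate setting.
SELECT id, "idOrganization", "strArtifactSubtype", "strData"
  FROM saas."OrganizationArtifacts"
 WHERE id = 154
    OR ("idOrganization" = 1
        AND "strArtifactSubtype" = 'orgEnableAuthMethodChaining');

-- Same values as the documented INSERT, written as INSERT ... SELECT so the
-- row is added only when the pre-check condition finds nothing.
-- Assumption: id identifies the row; the schema is not shown on the page.
INSERT INTO saas."OrganizationArtifacts"
       (id, "idOrganization", "idArtifactType", "strArtifactSubtype",
        "strData", "createdDate", "idEncryptionMethod", timestamp)
SELECT 154, 1, 10, 'orgEnableAuthMethodChaining',
       'true', '2015-08-28 11:11:58.334000', 3, 1442290240944850850
 WHERE NOT EXISTS (
       SELECT 1
         FROM saas."OrganizationArtifacts"
        WHERE id = 154
           OR ("idOrganization" = 1
               AND "strArtifactSubtype" = 'orgEnableAuthMethodChaining'));

-- Post-check: expect exactly one row with strData = 'true'.
SELECT id, "idOrganization", "idArtifactType", "strData", "createdDate"
  FROM saas."OrganizationArtifacts"
 WHERE "strArtifactSubtype" = 'orgEnableAuthMethodChaining';

COMMIT;
```

If the INSERT reports INSERT 0 0, a matching row already existed; review the pre-check output before restarting the service.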


VMware Identity Manager 2.4.1 is available in the following languages:

  • English
  • French
  • German
  • Japanese
  • Simplified Chinese

Compatibility, Installation, and Upgrade

VMware vCenter™ and VMware ESXi™ Compatibility

VMware Identity Manager supports the following versions of vSphere and ESXi.

  • 5.0 U2+, 5.1+, 5.5, 6.0+

Browser Compatibility for the VMware Identity Manager administration console

The following Web browsers can be used to view the administration console:

  • Mozilla Firefox 40 or later for Windows and Mac systems
  • Google Chrome 42.0 or later for Windows and Mac systems
  • Internet Explorer 10 and 11 for Windows systems
  • Safari 6.2.8 or later for Mac systems

These browsers can also be used to access the Connector Services and Appliance Configurator pages.

For other system requirements, see Installing and Configuring VMware Identity Manager on the doc landing page.

Component Compatibility

VMware Product Interoperability Matrix provides details about the compatibility of current and previous versions of VMware products and components, such as VMware vCenter Server, VMware ThinApp, and View.

Upgrading from 2.4 to VMware Identity Manager 2.4.1

See the Upgrading to VMware Identity Manager 2.x from 2.4 guide. During the upgrade, all services are stopped, so plan the upgrade with the expected downtime in mind.

Upgrading to VMware Identity Manager from VMware Workspace Portal 2.1 and 2.1.1

You can upgrade from Workspace 2.1 and 2.1.1 to VMware Identity Manager 2.4.1. You must migrate from Horizon Workspace 1.8.1, 1.8.2 and from Workspace 2.0 to Workspace 2.1.


To access the VMware Identity Manager 2.4 documentation, go to the VMware Identity Manager doc landing page.

Product Support Notice

  • The Perform Directory Sync feature to import newly added resource entitlements from View to Workspace, configured in the Workspace View Pool page, is not available in this release of VMware Identity Manager. To add newly added resource entitlements from Horizon View to VMware Identity Manager, you must manually start a directory sync from the Identity & Access Management > Directories page.

Known Issues

  • VMware Identity Manager unable to launch entitled desktops and apps on iOS from the Safari browser

    When users use the Safari browser to launch their Horizon desktops or apps, they see the message "Your application is launching" but the desktop or apps do not launch. This is a known issue with the iOS 9.2.1 Safari browser.

    Workaround: Use another browser type such as Chrome or Firefox.

  • VMware Identity Manager Workspace Client Command-line Installer does not work if there is a literal "/h" in the command
    When you follow the documented command-line installer instructions to install Workspace Client, the client is not installed and the help text is printed on the command line. For example, the following command does not work because it includes /h.

    VMware-Identity-Manager-Desktop-2.4.0-3032643.exe /s /v /qn WORKSPACE_SERVER="https://horizon.domain.com" INSTALL_MODE=HTTP_DOWNLOAD POLLING_INTERVAL=60

    Workaround: Do not use /h in the Workspace server parameter. You can remove "https://" and that will remove the "/h" from the command line options. You can enter the command as follows.

    VMware-Identity-Manager-Desktop-2.4.0-3032643.exe /s /v /qn WORKSPACE_SERVER="horizon.domain.com" INSTALL_MODE=HTTP_DOWNLOAD POLLING_INTERVAL=60

  • The time format does not fall back correctly when the browser's locale is da_DK
    For locale da_DK (Denmark), the time in hours, minutes, and seconds that appears in the Last Sync column in the Identity & Access Management > Directories page displays with dots instead of colons. For example, 11.15.12 instead of 11:15:12.

    Workaround: There is no workaround.

  • Unable to add second directory to sync while another directory is syncing
    An additional directory cannot be added while another directory is syncing.

    Workaround: Wait until the first directory is added.

  • Deleting a large number of users at one time causes the administration console progress bar to time out
    When deleting directories that have a large number of users, the Identity & Access Management > Directories page might become unresponsive.

    Workaround: Wait for a while before you attempt other directory related actions because the delete process is still working in the background.

  • XenApp sync does not work if the distinguishedName attribute is not a required attribute
    XenApp sync shows the number of apps and entitlements being synced, but the sync does not succeed and no XenApp apps appear in the Catalog page.

    Workaround: Mark the distinguishedName attribute in the Identity & Access Management > Setup > User Attributes page as required before you create the directory if you plan to sync XenApp to VMware Identity Manager. If a directory is already created, you must delete the directory before making distinguishedName a required attribute. If upgrading to 2.4, make sure that the distinguishedName attribute is a required attribute before the upgrade.

  • Installing a new Integration Broker does not remove the existing one

    Workaround: Uninstall the existing Integration Broker before installing a new one.

  • XenApp cannot be launched with Chrome 42 and above
    XenApp cannot be launched from the Google Chrome 42 and later browsers because Chrome no longer supports NPAPI plugins.

    Workaround: For Chrome 42, 43, and 44, you can enable NPAPI. Beginning with Chrome 45, NPAPI is no longer available.

    To enable the plugin, type "chrome://flags/#enable-npapi" into your Chrome browser bar and click Enable under the section EnableNPAPI. Restart Chrome.

  • When two or more applications are launched using HTML Browser, the browser tab that shows the applications is not in focus
    When users launch a Horizon app from their apps portal, their browser focus is directed to the tab where the app is open. When a second Horizon app is launched from the apps portal, the users' focus remains on their apps portal page.

    Workaround: Users can navigate to the tab where the Horizon apps are running to access them.

  • Users cannot see all running Horizon desktops in the sidebar when they launch multiple Horizon desktops using HTML Access
    In Horizon View 6.1.x, when users launch a Horizon desktop using HTML Access the HTML access tray does not show all previously launched desktops that are in running status.

    Workaround: In the View admin console, set up the desktop pools option "Automatically logoff after disconnect" to be after 1 or 2 minutes.

  • Users cannot see all running Horizon desktops and apps from different brokers in the sidebar when they launch multiple Horizon desktops and apps using HTML Access or Horizon Client

    In Horizon View 6.1 and 6.2 when users launch a Horizon desktop or app from different brokers using either HTML Access or Horizon Client, the HTML access tray does not show all previously launched desktops and apps that are running.

    Workaround: There is no workaround. Only desktops and apps from the current broker are shown in the access tray.

  • After upgrading from Workspace Portal 2.1.1 to VMware Identity Manager 2.4, ThinApp packages cannot be launched using Horizon Workspace Desktop from the user's apps portal
    When VMware Identity Manager is upgraded from 2.1.x to 2.4, users might not be able to launch their ThinApp packages from Workspace Desktop for Windows.

    Workaround: Upgrade the desktop to VMware Identity Manager Desktop 2.4, or if you plan to upgrade later, unlink the client from the server and relink.

  • Kerberos cannot be enabled if the joined domain is different from the domain of the default worker

    Workaround: If you have multiple directories configured on a connector, the connector must be joined to the domain of the first directory to enable the Kerberos auth adapter.

  • Connector communication failed with response: command.signature.invalid
    Deleting a connector from the service and adding it back to the service will cause an error.

    Workaround: When a connector is deleted from the Identity & Access Management > Connectors page, power off and power on the connector appliance before adding the same connector back to the service.

  • User might be prompted for the admin password when enabling auth adapters
    When VMware Identity Manager is set up in HA mode, the admin might be prompted for the Identity Manager admin password when enabling auth adapters.

    Workaround: Enter the VMware Identity Manager admin password. Note: This is not the Active Directory admin password.

  • In a clustered environment, when a cloned Identity Manager appliance is down, the User Engagement Dashboard might not show all details and some reports might not be available
    In a cluster when one of the appliances becomes unavailable, the Reports feature might not work.

    Workaround: Start the appliance that is down to correct the problem.

  • When upgrading, unable to join domain with the cloned appliance
    When upgrading to 2.4, the appliance is unable to join the domain.

    Workaround: If you are upgrading from version 2.1.0 and you plan to join the appliance to a domain, leave the domain before upgrading the appliance. After you upgrade the appliance to 2.4, set up the cluster for high availability before re-joining the domain.

  • Identity provider hostname in IdP page changed to recently added connector hostname from load balancer hostname
    When you change the connector of an identity provider, the IdP Hostname might be reset.

    Workaround: If this happens, edit the Identity Provider page and change the IdP Hostname value.