Client: Using a ProfileDisk While Also Requiring CAC Authentication
You have two options when using a ProfileDisk while also requiring CAC authentication. Each is explained below, with the first one being the recommended method.
Option 1: Use the local computer account for ProfileDisk file access operations (Recommended)
Note: Azure Files does not support "Domain Computers" on share/ACL permissions. Use Option 2, "Use an Active Directory service account for ProfileDisk file access operations" instead.
This option involves the following tasks:
- Change the path for ProfileDisks to a common location
  - Modify the ProfileDisk path under Administration and make sure to update and download ClientSettings.xml, using the following as guidance:
    - From: \\server\share\%username%\Profiledisk\%username%.vhdx (a per-user path)
    - To: \\server\share\Profiledisk\%username%.vhdx (a common path shared by all ProfileDisks)
- Enable the ProfileDisk System Mount Unmount setting
  - Open your Computer Group Policy for ProfileUnity.
  - Navigate to Computer Configuration > Administrative Templates > Classic Administrative Templates > Liquidware Labs > ProfileUnity.
  - Under BOTH the 32 and 64 Bit sections, set ProfileDisk System Mount Unmount to Enabled.
- Give the "Domain Computers" group create/read/modify access on the share and folder that contains the ProfileDisk VHDX files, as described in the knowledge base article "What are necessary NTFS Permissions on user's home directory? (Storage Path)".
- Enable Logon Notification Events for SmartCard-based logons
  - On the master image, or pushed to persistent machines via a GPO followed by a reboot, verify that the following registry value exists and create it if it does not:
    - Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    - Type: DWORD
    - Value: SmartCardLogonNotify
    - Data: 1
Option 2: Use an Active Directory service account for ProfileDisk file access operations
Note: This service account option cannot be used if the Secondary Logon service is disabled. If that is the case, use Option 1 above.
Another method is to use an Active Directory service account for ProfileDisk file access operations.
- Create a service account to use for ProfileDisk file access
  - In Active Directory, create a new account or use an existing one.
  - Make sure the service account has at least Read/Write permissions on the share where the VHD ProfileDisks are to be stored.
  - In the ProfileUnity Management console, click your username in the top right corner of the screen.
  - In the drop-down menu that appears, click Administration.
  - The Administration screen opens with the Settings tab displayed.
  - Scroll down to the ProfileUnity Tools section.
  - Add the relevant service account info and deploy/download the service .creds file to the share or netlogon folder where the ProfileUnity client tools (ini path) reside.
    Note: If the password for this account expires or changes, you will need to repeat this process.
  - Ensure that startup.exe in the same path as the .creds file is executed by the pool/machines on boot, as a startup script in the ProfileUnity Computer GPO. It does not need to be re-run on the master image unless you are using Instant Clones in Horizon.
- Enable CAC authentication
  - Open your Computer Group Policy for ProfileUnity.
  - Navigate to Computer Configuration > Administrative Templates > Classic Administrative Templates > Liquidware Labs > ProfileUnity.
  - Under BOTH the 32 and 64 Bit sections, set ProfileDisk VHD CAC support to Enabled. As with CAC logins, Kerberos pass-through also requires a setting so that the client knows to impersonate the ProfileUnity as a Service user when connecting to the file share.
- Enable Logon Notification Events for SmartCard-based logons
  - On the master image, or pushed to persistent machines via a GPO followed by a reboot, verify that the following registry value exists and create it if it does not:
    - Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    - Type: DWORD
    - Value: SmartCardLogonNotify
    - Data: 1
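Both options end with the same "verify or create" step for the SmartCardLogonNotify value. The following PowerShell is an added example, not a Liquidware script, that checks the value exists with the right type and data, creates it if it does not, and re-reads it to confirm; the key path, value name and data come from the steps above, and the function names are our own.

```powershell
# Added example: ensure the SmartCardLogonNotify DWORD exists under the
# Winlogon\Notify key. Run elevated on the master image, or deploy the same
# logic as a GPO startup script; a reboot is still required afterwards.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$ValueName = 'SmartCardLogonNotify'
$Expected  = 1

function Test-SmartCardLogonNotify {
    # True only if the value exists, is a REG_DWORD, and its data is 1.
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $kind = (Get-Item -Path $KeyPath).GetValueKind($ValueName)
    return ($kind -eq 'DWord') -and ($item.$ValueName -eq $Expected)
}

function Set-SmartCardLogonNotify {
    # Create the Notify key if it is missing, then write (or overwrite) the value
    # with the DWORD type so a pre-existing REG_SZ of "1" is corrected as well.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Expected -Force | Out-Null
}

if (Test-SmartCardLogonNotify) {
    Write-Output "$ValueName is already set to $Expected; no change made."
} else {
    Set-SmartCardLogonNotify
    if (Test-SmartCardLogonNotify) {
        Write-Output "$ValueName created or corrected; reboot for Winlogon to pick it up."
    } else {
        Write-Error "Failed to set $ValueName under $KeyPath."
    }
}
```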
