Client: Using a ProfileDisk While Also Requiring CAC Authentication

You have two options when using a ProfileDisk while also requiring CAC authentication. Each is explained below, with the first one being the recommended method.

Option 1: Use the local computer account for ProfileDisk file access operations (Recommended)

This option involves the following tasks:

  1. Change the path for ProfileDisks to a common location
    1. Modify the ProfileDisk path under Administration and make sure to update and download ClientSettings.xml using the following as guidance:
      • From example:
        \\server\share\%username%\VHDX-ProfileDisk\%username%.vhdx
      • To example:
        \\server\ProfileDiskShare\%username%_ProfileDisk\%username%.vhdx
      • Note: The path should reside outside of the folder containing all the user profiles.

    2. Open your Computer Group Policy for ProfileUnity.
    3. Navigate to Computer Configuration > Administrative Templates > Classic Administrative Templates > Liquidware Labs > ProfileUnity.
    4. Under BOTH 32-bit and 64-bit sections, set ProfileDisk System Mount Unmount setting to Enabled.
    5. Grant the "Domain Computers" group create/read/modify access on the share and the folder that contains the ProfileDisk VHDX files. The permissions are similar to those described in the knowledge base article "What are necessary NTFS Permissions on user's home directory? (Storage Path)."
  2. Enable Logon Notification Events for SmartCard-based logons
    1. On the master image, or pushed to persistent machines via a GPO followed by a reboot, verify that the following registry value exists and create it if it does not:
      Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
      Type: DWORD
      Value: SmartCardLogonNotify
      Data: 1

Option 2: Use an Active Directory service account for ProfileDisk file access operations

Note: This service account option cannot be used if the Secondary Logon service is disabled. If that is the case, use Option 1 above.

Another method is to use an Active Directory service account for ProfileDisk file access operations.

  1. Create a Service Account to use for ProfileDisk file access
    1. In Active Directory, create a new account, or use an existing account instead.
    2. Make sure the service account has at least Read/Write permissions on the share where the ProfileDisks are to be stored. Consider a location that contains only ProfileDisks, as outlined in Option 1, above.
    3. In the ProfileUnity Management console, hover over your username in the top right corner of the screen.
    4. In the drop-down menu that appears, click Administration.
    5. The Administration screen opens with the Settings tab displayed.
    6. Scroll down to ProfileUnity Tools section.
    7. Enter the service account details and click the Download or Deploy Service Configuration button. Place the resulting LwL.ProfileUnity.Client.Service.exe.creds file on the share or in the NETLOGON folder where the ProfileUnity client tools (the ini path) reside.

      Note: If the password for this account expires or changes you will need to repeat this process. Consider acquiring two service accounts that can be rotated when password changes are required.

    8. Ensure that startup.exe, located in the same path as the creds file, is executed by the pool/machines on boot as a startup script in the ProfileUnity Computer GPO. It does not need to be re-run on the master image unless you are using Instant Clones in Horizon.
  2. Enable CAC authentication
    1. Open your Computer Group Policy for ProfileUnity.
    2. Navigate to Computer Configuration > Administrative Templates > Classic Administrative Templates > Liquidware Labs > ProfileUnity.
    3. Under BOTH 32-bit and 64-bit sections, set ProfileDisk VHD CAC support to Enabled. As with CAC logons, Kerberos pass-through also requires this setting so that the client knows to impersonate the ProfileUnity as a Service user when connecting to the file share.
  3. Enable Logon Notification Events for SmartCard-based logons
    1. On the master image, or pushed to persistent machines via a GPO followed by a reboot, verify that the following registry value exists and create it if it does not:
      Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
      Type: DWORD
      Value: SmartCardLogonNotify
      Data: 1
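Both options end with the same SmartCardLogonNotify registry value, and Option 2 additionally depends on the Secondary Logon service not being disabled. The following PowerShell is an added example (not Liquidware's tooling) that verifies or creates the value idempotently, confirms it is stored as REG_DWORD, and reports the Secondary Logon (seclogon) start type; run it elevated on the master image or a persistent machine, then reboot.

```powershell
# Added example: verify/create the Winlogon Notify value required by both
# options above, and check whether Option 2 (service account) is viable.

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$valueName = 'SmartCardLogonNotify'
$wanted    = 1

# 1. The Notify key is absent on a clean image; create it if needed.
if (-not (Test-Path -LiteralPath $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
    Write-Output "Created key $keyPath"
}

# 2. Read the current data, tolerating a missing value name.
$current = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName

if ($null -eq $current) {
    New-ItemProperty -LiteralPath $keyPath -Name $valueName `
        -PropertyType DWord -Value $wanted | Out-Null
    Write-Output "Created $valueName = $wanted"
} elseif ($current -ne $wanted) {
    Set-ItemProperty -LiteralPath $keyPath -Name $valueName -Value $wanted
    Write-Output "Changed $valueName from $current to $wanted"
} else {
    Write-Output "$valueName already set to $wanted"
}

# 3. A REG_SZ "1" is not the same as a DWORD 1; flag the wrong type.
$kind = (Get-Item -LiteralPath $keyPath).GetValueKind($valueName)
if ($kind -ne 'DWord') {
    Write-Warning "$valueName is stored as $kind; delete it and recreate it as DWORD"
}

# 4. Option 2 cannot be used when Secondary Logon is disabled.
$seclogon = Get-Service -Name seclogon
if ($seclogon.StartType -eq 'Disabled') {
    Write-Warning 'Secondary Logon is disabled: use Option 1 (local computer account)'
} else {
    Write-Output "Secondary Logon start type: $($seclogon.StartType); Option 2 is possible"
}
```

The script changes nothing on a machine where the value is already correct, so it is safe to deploy as a GPO startup script alongside the ProfileUnity settings.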