Horizon 7.x Security Server Management

Script to manage Horizon 7.x Security Servers via the View-API without needing the FLEX based Administrator Console


Script to manage VMware Horizon Security Servers via the View-API

There is no support for this tool - it is provided as-is

Please provide any feedback directly to me - my contact information:

Chris Halstead - Senior Staff Architect, VMware
Email: chalstead@vmware.com
Twitter: @chrisdhalstead

Thanks to Andrew Morgan for the assistance! @andyjmorgan

Updated May 21, 2021

Problem Overview

Due to the deprecation of Adobe Flash on 12/31/20 the VMware Horizon 7 Administrator (FLEX) will no longer be able to be used. More details are here: https://kb.vmware.com/s/article/78589

It is recommended to get to a minimum of VMware Horizon 7.10 (Version 7.13 is recommended) which has an HTML5 based administrative console (Horizon Console) with feature parity with the FLEX console. There are only two features that were not ported to this new HTML5 administrative console

  • ThinApp integration into Pools (ThinApp still works)
  • Security Server Management

It is recommended to move off the Horizon Security Server to the Unified Access Gateway as the Security Server is no longer supported in Horizon 8 and it is a superior solution for providing remote access. If you have existing Horizon Security Servers there is no way to manage them with the new Horizon Console HTML5 console. This script can be used to manage those existing Security Servers and create a Security Server Pairing password. These are the two features needed for adding and updating Security Server.

Preparing Security Server for Upgrade or Reinstallation

If you need to upgrade your security server and are looking for the "Prepare for Upgrade or Reinstallation" button in the admin console - it is no longer there. Thankfully, the solution is just a matter of removing IPsec rules on both the Security Server and the Connection Server that it is paired with.

  1. Start > Control Panel > Windows Firewall

  2. In the left pane, click Advanced Settings

  3. Expand Windows Firewall with Advanced Services and select Connection Security Rules

  4. In the right pane, select VMware View Security Server QM Pairing with xxx.xxx.xxx.xxx. Select this rule and delete it.

Do that on both the security server and the connection server it's paired with. Then you can upgrade your security server.

Reference: https://communities.vmware.com/t5/Horizon-Desktops-and-Apps/Security-Server-Upgrade-Problem/td-p/395429

Script Overview

This is a PowerShell script that uses PowerCLI and the View-API to query and set the Security Server settings. For more information on how to setup PowerCLI check out this great article by my colleague Graeme Gordon. There are two functions that the script can be used for.

  • Setting the Security Server Pairing Password on the Connection Server you authenticate to
  • Retrieve a list of Security Servers bound to the Connection Server you authenticate to
    • This is a GUI and looks very similar to same management page in the FLEX console

Script Usage

  1. Run Horizon - Manage Security Server.ps1


    Login to Horizon Connection Server

  2. Choose 1 to Login to a Horizon Connection Server

    • Enter the FQDN of a connection server (NOT a Security Server) when prompted to "Enter the Horizon Server Name" hit enter. If you want to set a Security Server pairing password, enter the name of the Connection Server you want to pair here.

    • Enter the Username (samAccountName) of an account with Administrative access to the Horizon Server you are connecting to when prompted to "Enter the Username" hit enter

    • Enter that users Password and click enter

    • Enter that users Domain and click enter

      You will see that you are now logged in to Horizon - click enter to go back to the menu


Manage Security Servers

  1. Enter 3 to manage and update the Horizon Security Servers bound to the connection server you logged in to - this will open up a GUI The GUI may behind other windows if you don't see it after hitting 3 on the menu.

    Note: If there are no connection servers detected you will see a message in the console "No Security Servers Found"


  2. If there are Security Servers bound they will all be added to the "Security Servers" dropdown. If there are none - you will see "No Security Servers"

  3. Select the Security Server you would like to manage and click "Get Details" - this will populate the form.


  4. Review and click the "Cancel" button to exit without changing . You can also select different Security Servers and click "Get Details"

  5. To update the settings make changes to any fields you would like to update and click "OK". You will be prompted if you would like to update that Security Server. Click "Yes" to make the changes or "No" to exit without making changes. All three value must NOT be empty. They are required fields and you will get a warning message if you try to set an empty value


  6. Make any other changes and click "Cancel" when ready to Exit.

    Set Security Server Pairing Password

    This section is only needed when adding a new security server. It is recommended to migrate to the Unified Access Gateway. Only use the Security Server if you absolutely have to

    Make sure that you connected to the Connection Server you want to set the Security Server pairing password for with this script.

    In order to add a new Security Server - you need to specify a pairing password for one-time authentication to the connection server. This password is good for 30 minutes and just a one-time password. This script allows you to set that password.

    Make sure the Timezone of the connection server that you will connect to with the script is set to (UTC) Coordinated Universal Time prior to running the script on it

    Any other variant of the UTC time zone will not work


    While putting together the script I realized that the pae-securityserverpairingpasswordlastchangedtime parameter in the ADAM database which is used to determine when the password was last set and used to compare to the validity time is not being set properly if you connection server is not using the UTC time zone. If you leave the connection server to a non UTC time zone and run this script the password last set time will be the time zone of the connection server which almost certainly deem the password invalid. If your connection server is in a time zone other than UTC you will need to set to set it to the UTC time zone, restart the "VMware Horizon View Connection Server" service. Run the script to set the password, then you can change the time zone on the connection server back.

    • Enter 2 to specify a Security Server pairing password.

    • You will see a pop up warning you that the Connection Server time zone needs to be set to UTC while running this script (see above)

    • Enter the password you would like to use and hit enter

    • The password will be set and is good for 30 minutes


    You can now install a Security Server and specify the Pairing Password you set in the script.


If the script hangs after entering credentials, you are most likely running PowerShell 7.x, this script has a problem with 7.x and works best with PowerShell 5.x.

You can verify the password was set properly by connecting to the ADAM database on the server you set the password on.


  • Navigate to OU=Properties | OU=Server | Double-Click the Server name you set the password on and navigate to:
    • pae-SecurityServerPairingPassword - this should have an encrypted value
    • pae-SecurityServerPasswordLastChangedTime - This is the important value, to make sure that when you double-click on it the UTC time is less that 30 minutes from the current time in UTC
    • pae-SecurityServerPairingPasswordTimeout - This should be set to 1800 (30 minutes) if the password was set with this script.


Sign in to be able to add comments.

Comments 6

9260928640 1 year ago
I am having trouble with the script. I choose 1 to login. Provide the FQDN of the connection server. Enter the UPN of the user with rights, then the password. For the Horizon Domain I enter the same as I would if logging into the admin panel for Horizon. The script just seams to hang, nothing reporting back on the screen. Ran PS as regular user and ran as administrator. Same outcome.
7884992264 1 year ago
I too am having the same issue as mentioned above - after entering all the details the script hangs while attempting to connect (a previous run worked perfectly) - is something being left behind from the previous successful run that is stopping any more connections from working? - all firewall rules were cleared with no effect.
chalstead 1 year ago
Make sure to login with samAccountName and not UPN. The problem could be the -Force on line which allows connection on non-trusted certs on line 40.

$script:hvServer = Connect-HVServer -Server $horizonserver -User $username -Password $UnsecurePassword -Domain $domain -Force

Try removing -Force and try again.

chalstead 1 year ago
Also, if you are experiencing a hang after entering credentials, it could be PowerShell 7.x. Please try again on PowerShell 5.x. Thanks
2020529354 1 year ago
We are experiencing the hanging issues following credential entry but we are using PowerShell 5.1.19041.1320. Should this version be affected by the hang?
8144508631 1 year ago

"Set Security Server Pairing Password
This section is only needed when adding a new security server."

This section in the documentation above implies that I don't need a pairing password, if i am not adding a new security server, or do I interpret it wrong?

I am about to upgrade our Horizon from 7.13.0 to 7.13.1, and consequently also need to update our current Security Server.
Do I or don't I need to create and use a pairing password? Will I not be asked for a pairing password during the upgrade installation process?