VMware App Volumes Agents Fail when LDAP Channel Binding is Enabled

When applying the security enhancements from Microsoft KB 4034879, we noted that the VMware App Volumes desktop agents in our VDI environment stopped functioning. After setting LdapEnforceChannelBinding=1 on all Domain Controllers, desktop sessions returned the App Volumes error “NTLM Authentication Invalid: Authentication failed” and no app stacks were attached to the user session.

VMware KB 2146459 provides a workaround for this specific error by disabling NTLM authentication. The KB article states that disabling the NTLM authentication challenge reduces security. We reached out to support to clarify the risks involved, and they confirmed our suspicion that skipping this check would leave the environment exposed to a potential session impersonation attack, potentially exposing another user’s App Volumes assignments. I haven’t tested the theory, but we assume that an impersonated logon message could be sent to the App Volumes manager API for a different user, and that the manager would then comply by attaching any volumes assigned to the impersonated user.

According to VMware support, the issue exists because the App Volumes manager must be able to intercept and man-in-the-middle the NTLM authentication exchange between the agent and the domain controller. LDAP channel binding ties that NTLM exchange to the TLS channel it arrives on, so enabling it effectively disables the man-in-the-middle approach.
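Before chasing the agent-side error, it helps to confirm which domain controllers actually enforce channel binding. The following PowerShell audit is an added example, not part of the original post or of any VMware or Microsoft tooling; it assumes the ActiveDirectory module and WinRM access to the DCs, and reads the registry value documented in KB 4034879.

```powershell
# Added example (not from the original post): report LdapEnforceChannelBinding on every
# domain controller so the App Volumes failure can be correlated with the setting.
# Assumes the ActiveDirectory module is installed and WinRM reaches each DC.
Import-Module ActiveDirectory

# Registry location documented in Microsoft KB 4034879; an absent value behaves as 0.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Meaning = @{
    0 = 'Disabled (no channel binding check)'
    1 = 'Enforced when the client supplies a channel binding token'
    2 = 'Always enforced'
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Read the value on each DC remotely and normalise "not set" to 0.
$report = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
    $props = Get-ItemProperty -Path $using:RegPath -ErrorAction Stop
    $raw   = $props.LdapEnforceChannelBinding
    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        Value            = if ($null -eq $raw) { 0 } else { [int]$raw }
        ValueIsSet       = ($null -ne $raw)
    }
}

$report |
    Select-Object DomainController, Value, ValueIsSet,
        @{ Name = 'Meaning'; Expression = { $Meaning[$_.Value] } } |
    Sort-Object DomainController |
    Format-Table -AutoSize

# App Volumes agents authenticating through these DCs are the ones expected to fail.
$enforcing = @($report | Where-Object { $_.Value -ge 1 })
if ($enforcing.Count -gt 0) {
    Write-Warning ('LdapEnforceChannelBinding is enforced on {0} of {1} domain controllers.' -f `
        $enforcing.Count, @($report).Count)
}
```

Run it from a workstation with RSAT before and after the KB 4034879 rollout; a DC that is unreachable over WinRM is reported as a non-terminating error rather than silently omitted.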

There were no other workarounds available at this time.