Citrix Cloud – Active Directory Forest/Domains Considerations

Continuing my Citrix Cloud focused series of blog posts, this article concentrates on Active Directory forest/domain considerations when deploying Citrix Cloud. Because the Citrix Cloud Connector performs AD management, allowing the use of AD forests and domains within your Resource Locations, it is important to understand where the Cloud Connectors need to be placed from an Active Directory point of view.

Multiple domains/forests are commonplace in enterprise environments, whether through security practices or multiple acquisitions.

Limitations

  • The Cloud Connector cannot traverse domain-level trusts, so an additional Cloud Connector should be installed per user domain.
  • The Citrix Cloud hosted StoreFront cannot authenticate users in a domain that is not listed in the Identity and Access Management domain list.

Scenarios

I’ll test a number of different scenarios so you can understand where Cloud Connectors need to be placed to cover your total authentication requirement.

The scenarios are as follows:

  • A – Single forest, single domain (CCTEST.LOCAL)
  • B – Forest trust between two separate forests, with the Cloud Connector installed in one forest (CCTEST.LOCAL and CCTEST2.LOCAL)
  • C – Child domain, with the Cloud Connector installed in the parent domain (child: UK.CCTEST.LOCAL, parent: CCTEST.LOCAL)
  • D – External domain trust between CCTEST.LOCAL and CCTEST2.LOCAL, with the Cloud Connector installed in one forest (CCTEST.LOCAL)

The Citrix Cloud Connector has been deployed in a single forest/domain called CCTEST.LOCAL.

Identity and Access Management Citrix Cloud configuration

Select the hamburger menu (top left), then select Identity and Access Management.

[Screenshot: Citrix Cloud menu with Identity and Access Management selected]

Selecting Domain provides a list of the Active Directory forests that are available:

[Screenshot: Identity and Access Management domain list]

Scenario A – Single Forest, Single Domain

[Diagram: Scenario A topology]

Forest/Domain Name: CCTEST.LOCAL
Trusts: None
Cloud Connector: Installed on a VM that is a member of the CCTEST.LOCAL domain
AD Users & Groups / Library Subscriptions: Domain Local group “ctxgroup” created in CCTEST.LOCAL, with ctxuser1 from CCTEST.LOCAL added

Cloud Hosted StoreFront/Workspace

  • Log into the Citrix Cloud hosted Workspace (the new name for StoreFront) with a user in the CCTEST domain who has access to resources.

[Screenshot: Workspace logon as a CCTEST.LOCAL user]

  • As expected, the resources are enumerated.

[Screenshot: enumerated resources]

Resource Location provided StoreFront/Workspace

  • Log into the Resource Location provided StoreFront with a user in the CCTEST domain who has access to resources.

[Screenshot: on-premises StoreFront logon as a CCTEST.LOCAL user]

  • As expected, the resources are enumerated.

[Screenshot: enumerated resources]

Scenario B – Forest Trust between CCTEST2.LOCAL and CCTEST.LOCAL

[Diagram: Scenario B topology]

Forest/Domain Name: CCTEST2.LOCAL
Trusts: Two-way forest trust to CCTEST.LOCAL
Cloud Connector: Installed on a VM that is a member of the CCTEST.LOCAL domain
AD Users & Groups / Library Subscriptions: Domain Local group “ctxgroup” created in CCTEST.LOCAL, with ctxuser1 from CCTEST2.LOCAL added

Cloud Hosted StoreFront/Workspace

  • Log into the Citrix Cloud hosted Workspace (the new name for StoreFront) with a user in the CCTEST2 domain who has access to resources.

[Screenshot: Workspace logon error for a CCTEST2.LOCAL user]

  • As the error above shows, the request is denied. Only domains that appear in Identity and Access Management are allowed to log into the Cloud hosted StoreFront.

Resource Location provided StoreFront/Workspace

  • Log into the Resource Location provided StoreFront with a user in the CCTEST2 domain who has access to resources.

[Screenshot: on-premises StoreFront logon as a CCTEST2.LOCAL user]

  • As expected, the resources are enumerated.

[Screenshot: enumerated resources]

Scenario C – UK.CCTEST.LOCAL child domain of CCTEST.LOCAL

[Diagram: Scenario C topology]

Forest/Domain Name: UK.CCTEST.LOCAL
Trusts: Child (parent/child, same forest)
Cloud Connector: Installed on a VM that is a member of the CCTEST.LOCAL domain
AD Users & Groups / Library Subscriptions: Domain Local group “ctxgroup” created in CCTEST.LOCAL, with ctxuser1 from UK.CCTEST.LOCAL added

Cloud Hosted StoreFront/Workspace

  • Log into the Citrix Cloud hosted Workspace (the new name for StoreFront) with a user in the UK.CCTEST.LOCAL domain who has access to resources.

[Screenshot: Workspace logon error for a UK.CCTEST.LOCAL user]

  • As the error above shows, the request is denied. Only domains that appear in Identity and Access Management are allowed to log into the Cloud hosted StoreFront.

Reviewing Identity and Access Management in Citrix Cloud, the child domain now appears.

[Screenshot: Identity and Access Management domain list showing UK.CCTEST.LOCAL]

Note: the Cloud Connector had to be rebooted; the newly added child domain was not discovered instantly.

Resource Location provided StoreFront/Workspace

  • Log into the Resource Location provided StoreFront with a user in the UK.CCTEST.LOCAL domain who has access to resources.

[Screenshot: on-premises StoreFront logon as a UK.CCTEST.LOCAL user]

  • As expected, the resources are enumerated.

[Screenshot: enumerated resources]

Scenario D – External Domain Trust from CCTEST2.LOCAL to CCTEST.LOCAL

[Diagram: Scenario D topology]

Forest Name: CCTEST2.LOCAL
Trusts: Two-way external domain trust to CCTEST.LOCAL
Cloud Connector: Installed on a VM that is a member of the CCTEST.LOCAL domain
AD Users & Groups / Library Subscriptions: Domain Local group “ctxgroup” created in CCTEST.LOCAL, with ctxuser1 from CCTEST2.LOCAL added

Cloud Hosted StoreFront/Workspace

  • Log into the Citrix Cloud hosted Workspace (the new name for StoreFront) with a user in the CCTEST2 domain who has access to resources.

[Screenshot: Workspace logon error for a CCTEST2.LOCAL user]

  • As the error above shows, the request is denied. Only domains that appear in Identity and Access Management are allowed to log into the Cloud hosted StoreFront.

Resource Location provided StoreFront/Workspace

  • Log into the Resource Location provided StoreFront with a user in the CCTEST2 domain who has access to resources.

[Screenshot: on-premises StoreFront logon as a CCTEST2.LOCAL user]

  • Although the logon succeeds, which shows that authentication works, no resources are available to the end user because the Cloud Connector is unable to traverse domain-level trusts.

[Screenshot: empty resource list after logon]

Note: as stated in the limitations, the Cloud Connector cannot traverse domain-level trusts.

Conclusion

Having tested all of the scenarios called out at the beginning of the article, here is an overview of the scenarios and conclusions when testing against the Citrix Cloud hosted StoreFront versus the Resource Location provided StoreFront.

[Table: scenario overview, Cloud hosted StoreFront vs Resource Location provided StoreFront]

It is quite clear that for the Cloud hosted StoreFront to provide access to resources, a Cloud Connector cannot rely on trusts, although a parent/child domain is allowed and is discovered in the Citrix Cloud domain list.

The Resource Location provided StoreFront will allow access across any forest-level trust but cannot traverse domain-level trusts, so your own specific forest/trust layout needs to be understood.
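To apply these findings to your own environment before placing connectors, the following PowerShell (an added example, not the article's or Citrix's own code) enumerates the domains in the connector's forest and the trusts leaving it, and maps each to the outcome observed in Scenarios A to D. It assumes the RSAT ActiveDirectory module and a run from a member of the connector's domain; the function name Get-ConnectorDomainCoverage is my own.

```powershell
# Added example (not from the article or Citrix): map the domains visible from the
# Cloud Connector's domain to the outcomes observed in Scenarios A-D above.
# Assumes the RSAT ActiveDirectory module; run it on a member of the connector's
# domain (CCTEST.LOCAL in the article). Get-ConnectorDomainCoverage is a hypothetical name.
Import-Module ActiveDirectory

function Get-ConnectorDomainCoverage {
    $connectorDomain = (Get-ADDomain).DNSRoot
    $forest          = Get-ADForest

    # Scenarios A and C: domains in the connector's own forest (parent/child) are
    # discovered and listed in Identity and Access Management, although a newly
    # added child domain needed a connector reboot before it appeared.
    foreach ($d in $forest.Domains) {
        $rel = 'Same forest (parent/child)'
        $act = 'Reboot the connector if the domain is missing from the domain list'
        if ($d -eq $connectorDomain) { $rel = 'Connector domain'; $act = 'None' }
        [pscustomobject]@{
            Domain           = $d
            Relationship     = $rel
            Direction        = 'n/a'
            CloudWorkspace   = 'Yes (listed in Identity and Access Management)'
            OnPremStoreFront = 'Yes'
            Action           = $act
        }
    }

    # Scenarios B and D: trusts that leave the forest. ForestTransitive marks a
    # forest trust; anything else is an external domain-level trust, which the
    # connector cannot traverse. Intra-forest trusts were already covered above.
    foreach ($t in Get-ADTrust -Filter * | Where-Object { -not $_.IntraForest }) {
        if ($t.ForestTransitive) {
            $rel = 'Forest trust'; $sf = 'Yes'
            $act = 'Use the Resource Location StoreFront, or add a connector in this domain for Workspace'
        } else {
            $rel = 'External domain trust'; $sf = 'Authenticates, but no resources'
            $act = 'Install a Cloud Connector in this domain'
        }
        [pscustomobject]@{
            Domain           = $t.Target
            Relationship     = $rel
            Direction        = $t.Direction
            CloudWorkspace   = 'No (domain not in Identity and Access Management list)'
            OnPremStoreFront = $sf
            Action           = $act
        }
    }
}

Get-ConnectorDomainCoverage | Format-Table -AutoSize
```

One-way trusts are reported with their Direction so you can see whether the connector's domain is on the trusting side; the article only tested two-way trusts.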

Below is a workflow diagram to help you understand where Cloud Connectors need to be deployed to allow users access to the appropriate resources via Citrix Cloud.

[Diagram: Cloud Connector placement workflow]

Any feedback/comments are welcome to improve or add to this article.

7 comments

  1. Grammar check here:

    “As the Citrix cloud connector performs AD management , allowing allowing the use of AD forests…”

    Should be:

    “As the Citrix cloud connector performs AD management, allowing the use of AD forests…”

      1. You should consider using the free Grammarly tool to grammar check your articles. The paid version is way too picky for me. I have no idea if you are a native English writer, or not, so I hope I do not offend you with these suggestions.

  2. Hi David,

    First of all, thank you for your blog! I didn’t find this information in other locations!

    I am deploying a new Citrix Cloud environment for a customer who has 4 AD Forests, each with one domain. Each AD Forest is trusted. Based on your experience, could you confirm the choices I have?
    1 – Deploy two Cloud Connectors per domain (so a total of 8) and use the Cloud Hosted Storefront/Workspace
    2 – Deploy two Cloud Connectors for all domains and use a Citrix Storefront on-prem
    3 – Other?

    The goal of my customer is to have as few machines as possible 🙂

    Thanks for your answer!

    1. 3 – Other – install two cloud connectors on the top level domain in one forest. This will then be allowed to transit through forest trusts and authenticate the other forests/domains. You’ll need a Citrix on-prem storefront as well, but achieves the less no go cloud. My article covers this scenario but with fewer forests/domains involved
