Jump to content
Welcome to our new Citrix community!

Inter-company ICA connections to be authorised in both source and destination domains

Andras Tudos

Recommended Posts

Today we have RDGW proxies in company A which are authenticating from source domain A and then authorized users are connecting to RD endpoints at company B in a destination domain B.

This setup needs to be replaced by a Citrix VDI solution and we need to understand how we could do such a double authenticated setup with two non-trusted domains.

The use case is that company A users who are members of specific AD groups in domain A should be able to connect to a Citrix farm at company B which is in domain B. All authorized users have accounts in both domains, interconnection is via private MPLS links, the two domains cannot have a trust relationship. Everything is fully redundant (two proxies, two links, two destination sites).

Could we use multiple Gateways/VPXs, can they be cascaded somehow? What are our options?

Link to comment
Share on other sites

Citrix Gateway can authenticate company A using LDAP. Or Citrix Gateway can do SAML to company A.


After Gateway authentication, then StoreFront can ask for company B credentials. Or Gateway can translate an user attribute from Company A to a Company B UPN and use that to Single Sign-on to StoreFront.


If the user's password is not available to Gateway, then Citrix Federated Authentication Service can generate certificates for each user, or the final VDA machine can prompt the user for a password.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...