
Authentication and design question for multiple domains

Ulf Johansson1709164058



Recently ran into a customer with 8 domains; they bought a few companies. They have a 2-way trust between all domains, so there is a connection.

I am thinking of removing all their RDS and Citrix solutions on-prem (all 8 domains have their own DDC, StoreFront, RDS brokers) and using Citrix Cloud as a common application platform.

They are all in the same Azure AD, so that could be a possibility to use as an authentication method.

Or should I just add all the domains as authentication methods and put a cloud connector in each domain?

And when it comes to the VDA/servers/VDI, they are all located in each domain....

Has anyone done something like this who can share a high-level design to get this working? Or just advice? Can I have 8 domains as an authentication method in Cloud?!

I am thinking Azure AD, but very unsure if their applications in each domain have support for this and they will get prompted to sign in for each app to sign in again and SSO won't work using Azure AD.







3 answers to this question


You absolutely can do this with Citrix Cloud, it’s very easy 


You put cloud connectors in each domain where you need machines to register against. So if you have machines in domain A and domain B, you will need cloud connectors in both 


For user lookups, if you have domains that “just” have users, then you can use a cloud connector appliance to retrieve users from that domain, but if you have machines, then you will need the full cloud connector (Windows)


Citrix Cloud enumerates all domains, and users from all domains can log in with their domain creds via Workspace. You can do more funky stuff with StoreFront and NetScaler if you need 


For Azure AD things can get a little hairy in multi domain environments, you will need to look at FAS architecture to provide SSO if you decide to go that path (also doable) 

4 hours ago, Cory Zaner said:

@James Kindon I am trying this with Citrix Cloud and FAS. I have it working on the first domain, but when I add another domain I get a SID mismatch error. Yes, I already removed the SID required and have matching UPNs. It's like we need a trust between the domains :(. Any ideas?

I've got nothing on that one - multi-forest and SAML stuff -> an area I haven't had to think about for a while now. Wonder if you need to maybe look at the Adaptive Authentication piece
