Jump to content
Welcome to our new Citrix community!
  • 0

FAS configuration in multi-forest PKI set up in separate forest than users


Good morning everyone I have a #FAS question for Citrix Cloud.  I have a customer with (2) Forests: forest1.local and forest2.org with a one-way trust.  We installed PKI in the forest2.org, but all the users and VDA's live in forest1.local.  I have deployed a set of Cloud Connectors in both forests, so we can launch a session using just AD creds today.  But we are changing to SAML so FAS is now required.  Everything that I read states that you have to have a 2-way trust for this to work.  So I see two options: rebuild PKI in the forest1.local where the user and VDA domains live or two ask the customer to configure a two-way trust.  Option #3 is it possible to use the Cloud Connectors with the Citrix Connector Appliance to bridge the gap between the two forests and allow FAS to work? https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/connector-appliance/active-directory

Link to comment

1 answer to this question

Recommended Posts

  • 0

The Cloud Connector appliance doesn't help in your scenario - you already have achieved what it would achieve via Cloud Connectors in each forest


Your easiest path is to put the PKI into the same domain as they users and VDA's, it's likely a far smaller ask to do that, than change the Trust Levels


It's really a PKI architecture challenge at the end of the day. I have done cross forest deployments with PKI and FAS, and as long as the trusts and Domain Controller certs etc are all trusted across forests, it was fine - but quite a few moving parts on the PKI front vs colocation. Might be a nice time for a dedicated FAS only CA local to the users/VDA

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...