FAS configuration in multi-forest PKI set up in separate forest than users

[John Montgomery1709157918]

Good morning everyone I have a #FAS question for Citrix Cloud.  I have a customer with (2) Forests: forest1.local and forest2.org with a one-way trust.  We installed PKI in the forest2.org, but all the users and VDA's live in forest1.local.  I have deployed a set of Cloud Connectors in both forests, so we can launch a session using just AD creds today.  But we are changing to SAML so FAS is now required.  Everything that I read states that you have to have a 2-way trust for this to work.  So I see two options: rebuild PKI in the forest1.local where the user and VDA domains live or two ask the customer to configure a two-way trust.  Option #3 is it possible to use the Cloud Connectors with the Citrix Connector Appliance to bridge the gap between the two forests and allow FAS to work? https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/connector-appliance/active-directory

[James Kindon]

The Cloud Connector appliance doesn't help in your scenario - you already have achieved what it would achieve via Cloud Connectors in each forest

 

Your easiest path is to put the PKI into the same domain as they users and VDA's, it's likely a far smaller ask to do that, than change the Trust Levels

 

It's really a PKI architecture challenge at the end of the day. I have done cross forest deployments with PKI and FAS, and as long as the trusts and Domain Controller certs etc are all trusted across forests, it was fine - but quite a few moving parts on the PKI front vs colocation. Might be a nice time for a dedicated FAS only CA local to the users/VDA