You must join each Connection Server host to an Active Directory domain. The host must not be a domain controller.

Active Directory also manages the Horizon Agent machines, including single-user machines and RDS hosts, and the users and groups in your Horizon 7 deployment. You can entitle users and groups to remote desktops and applications, and you can select users and groups to be administrators in Horizon Administrator.

You can place Horizon Agent machines, View Composer servers, and users and groups, in the following Active Directory domains:

  • The Connection Server domain
  • A different domain that has a two-way trust relationship with the Connection Server domain
  • A domain in a different forest than the Connection Server domain that is trusted by the Connection Server domain in a one-way external or realm trust relationship
  • A domain in a different forest than the Connection Server domain that is trusted by the Connection Server domain in a one-way or two-way transitive forest trust relationship

Users are authenticated using Active Directory against the Connection Server domain and any additional user domains with which a trust agreement exists.

If your users and groups are in one-way trusted domains, you must provide secondary credentials for the administrator users in Horizon Administrator. Administrators must have secondary credentials to give them access to the one-way trusted domains. A one-way trusted domain can be an external domain or a domain in a transitive forest trust.

Secondary credentials are required only for Horizon Administrator sessions, not for end users' desktop or application sessions. Only administrator users require secondary credentials.

You can provide secondary credentials by using the vdmadmin -T command.

  • You configure secondary credentials for individual administrator users.
  • For a forest trust, you can configure secondary credentials for the forest root domain. Connection Server can then enumerate the child domains in the forest trust.

For more information, see "Providing Secondary Credentials for Administrators Using the -T Option" in the Horizon 7 Administration document.

Smart card and SAML authentication of users is not supported in one-way trusted domains.

Unauthenticated access is not supported in a one-way trust environment when authenticating a user from a trusted domain. For example, there are two domains, Domain A and Domain B, where Domain B has a one-way outgoing trust to Domain A. When you enable unauthenticated access on the Connection Server in Domain B and add an unauthenticated access user from a user list in Domain A and then entitle the unauthenticated user to a published desktop or application pool, the user cannot log in as an unauthenticated access user from Horizon Client.

Beginning with Horizon 7 version 7.10, the Log in as current user feature in Horizon Client for Windows is supported in one-way trusted domains.

Note: Because security servers do not access any authentication repositories, including Active Directory, they do not need to reside in an Active Directory domain.