You use these settings to prevent communication of Active Directory domain names to unauthenticated users using the various Horizon clients. These settings govern whether the information about the Active Directory domains that are registered with your Horizon Cloud environment is sent to the Horizon end-user clients and, if sent, how it is displayed in end-user clients' login screens.

Configuring your environment includes registering your environment with your Active Directory domains. When your end users use a Horizon client to access their entitled desktops and remote applications, those domains are associated with their entitled access. Prior to the March 2019 quarterly service release, the system and clients had default behavior with no options to adjust that default behavior. Starting in March 2019, the defaults are changed, and you can optionally use the new Domain Security Settings controls to change from the defaults.

Important: When changing these settings, it can take up to 5 minutes for the update to take effect.


Domain Security Settings

Combinations of these settings determine whether domain information is sent to the client and whether a domain selection menu is available to the end user in the client.

Important: These settings apply to all of your Horizon Cloud pods in Microsoft Azure that are within the same Horizon Cloud environment. All such pods that are deployed in Microsoft Azure using the same Horizon Cloud customer account (tenant) get the same combination. All of the end users connecting to your pods will receive the behavior according to these settings, regardless of which pod is provisioning their virtual desktops and remote applications.
Caution: These settings change the user experience in the clients. The behavior for end users using versions of Horizon Client prior to version 5.0 differs from that for Horizon Client 5.0 and later. Certain combinations set requirements on how your end users must specify their domain information in the client login screen, especially when using older clients, command-line clients, and when your environment is configured with multiple Active Directory domains. How these settings affect the client user experience depends on the client. You might need to balance your desired end-user experience against your organization's security policies. See sections Single Active Directory Domain Scenarios and User Login Requirements and Multiple Active Directory Domain Scenarios and User Login Requirements.
Table 1. Domain Security Settings on the General Settings Page
Option Description
Show Default Domain Only

This option controls what domain information the system sends to connecting clients prior to user authentication.

  • Yes - The system sends only the literal string value *DefaultDomain*.
  • No - The system sends the list of registered Active Directory domain names to the client.
Hide Domain Field

This option controls the visibility in the client login screen of whatever domain-related information is sent to the client, based on the Show Default Domain Only setting.

  • Yes - Nothing about domains is displayed in the client login screen, regardless of what Show Default Domain Only is set to. Neither the literal string value *DefaultDomain* nor the domain names are displayed in the client login screen.
  • No - The client login screen displays one of the following items, depending on the Show Default Domain Only setting.
    • The literal text *DefaultDomain*, when Show Default Domain Only is Yes. This combination is optimized for user experience in Horizon Clients older than version 5.0, while also providing improved security.
    • The list of domain names in a drop-down menu, when Show Default Domain Only is No.

This Release's Default Behavior Compared with Past Releases

The following table details the previous default behavior, the new default behavior, and the settings you can use to adjust the behavior to meet your organization's needs.

Columns: Previous Release Default Behavior | This Release Default Behavior | Corresponding Domain Security Settings Combination for this Release's Default Behavior

Domain information sent to the clients
  Previous release default behavior: The system sent the names of the registered Active Directory domains to the clients.
  This release default behavior: The system sends only a literal string value (*DefaultDomain*) to the clients and not the names of the registered Active Directory domains.
  Note: Sending the literal string provides support for older Horizon clients, which are implemented to expect a string list of domain names.
  Corresponding setting: Show Default Domain Only (default setting: Yes)

Domain information displayed in the client login screen
  Previous release default behavior: The clients displayed a drop-down menu in the login screen that presents the list of registered Active Directory domain names for the end user to choose their domain prior to logging in.
  This release default behavior: The clients display that literal string *DefaultDomain*.
  Corresponding setting: Hide Domain Field (default setting: No)

Relationship to Your Pods' Manifest Levels

When you are an existing customer with pods created in an earlier service release, until all of your pods in Microsoft Azure are updated to the manifest level for this Horizon Cloud release, your environment is configured by default to provide the same behavior as it had in the previous Horizon Cloud release. That legacy behavior is:

  • The system sends the Active Directory domain names to the client (Show Default Domain Only is set to No).
  • The clients have a drop-down menu that displays the list of domain names to the end user prior to logging in (Hide Domain Field is set to No).

Also, until all of your pods are at this service release level, the General Settings page does not display the Domain Security Settings controls. If you have a mixed environment with existing non-updated pods and newly deployed pods at this release level, the new controls are not available. As a result, you cannot change from the legacy behavior until all of your pods are at this service release level.

When all of your environment's pods are updated, the settings are available in the Horizon Cloud administrative console. The post-update defaults are set to the pre-update behavior (Show Default Domain Only is No and Hide Domain Field is No). The post-update default settings are different than the new-customer defaults. These settings are applied so that the pre-update legacy behavior continues for your end users after the update, until you choose to change the settings to meet your organization's security needs.

Single Active Directory Domain Scenarios and User Login Requirements

The following table describes the behavior for various setting combinations when your environment has a single Active Directory domain, without two-factor authentication, and your end users use the Horizon Clients 5.0 and later versions.

Table 2. Behavior For Horizon Clients 5.0 and Later Versions and You Have One Active Directory Domain

Columns: Show Default Domain Only (enabled sends *DefaultDomain*) | Hide Domain Field | Horizon Client 5.0 Login Screen Details | How Users Log In

Show Default Domain Only: Yes | Hide Domain Field: Yes
Login screen details: The client's login screen has the standard user name and password fields. No domain field is displayed. No domain name is sent.
(Screenshot: the 5.0 Horizon Client for Windows login screen when Hide Domain Field is set to Yes)
How users log in: When there is a single domain, end users can enter either of the following values in the User name text box. The domain name is not required.
  • username
  • domain\username
Using the command-line client launch and specifying the domain in the command works.

Show Default Domain Only: Yes | Hide Domain Field: No
Login screen details: The client's login screen has the standard user name and password fields. The domain field displays *DefaultDomain*. No domain name is sent.
(Screenshot: the Horizon Client for Windows 5.0 login screen with Show Default Domain Only Yes and Hide Domain Field No)
How users log in: When there is a single domain, end users can enter either of the following values in the User name text box. The domain name is not required.
  • username
  • domain\username
Using the command-line client launch and specifying the domain in the command works.

Show Default Domain Only: No | Hide Domain Field: Yes
Login screen details: The client's login screen has the standard user name and password fields. No domain field is displayed. The system sends the domain name to the client.
Note: This combination is atypical. You would not normally use this combination because it hides the domain field even though the system is sending the domain name.
The login screen looks the same as the one in the first row of this table, with no domain field displayed.
How users log in: An end user must include the domain name in the User name text box.
  • domain\username

Show Default Domain Only: No | Hide Domain Field: No
Login screen details: The client's login screen has the standard user name and password fields and a standard drop-down domain selector displays the one available domain name. The domain name is sent.
How users log in: The end user can specify their user name in the User name text box and use the single domain that is in the list visible in the client.
Using the command-line client launch and specifying the domain in the command works.

This table describes the behavior when your environment has a single Active Directory domain and your end users use previous versions of the Horizon clients (pre-5.0).

Important: Using the command-line client launch of older (pre-5.0) clients and specifying the domain in the command fails for all of the combinations below. To work around this behavior, either use *DefaultDomain* for the command's domain option or update the client to the 5.0 version. However, when you have more than one Active Directory domain, passing *DefaultDomain* does not work.
Table 3. Behavior For Older Horizon Clients (Before 5.0) and You Have One Active Directory Domain

Columns: Show Default Domain Only (enabled sends *DefaultDomain*) | Hide Domain Field | Pre-5.0 Horizon Client Login Screen Details | How Users Log In

Show Default Domain Only: Yes | Hide Domain Field: Yes
Login screen details: The client's login screen has the standard user name and password fields. No domain field is displayed. No domain name is sent.
How users log in: An end user must include the domain name in the User name text box.
  • domain\username

Show Default Domain Only: Yes | Hide Domain Field: No
Login screen details: The client's login screen has the standard user name and password fields. The domain field displays *DefaultDomain*. No domain name is sent.
How users log in: An end user must enter username in the User name text box. When the domain name is included, an error message displays that states the specified domain name does not exist in the domain list.

Show Default Domain Only: No | Hide Domain Field: Yes
Login screen details: The client's login screen has the standard user name and password fields. No domain field is displayed. The system sends the domain name to the client.
Note: This combination is atypical. You would not normally use this combination because it hides the domain field even though the system is sending the domain name.
The login screen looks the same as the one in the first row of this table, with no domain field displayed.
How users log in: An end user must include the domain name in the User name text box.
  • domain\username

Show Default Domain Only: No | Hide Domain Field: No
Login screen details: The client's login screen has the standard user name and password fields and a standard drop-down domain selector displays the one available domain name. The domain name is sent.
How users log in: The end user can specify their user name in the User name text box and use the single domain that is in the list visible in the client.

Multiple Active Directory Domain Scenarios and User Login Requirements

This table describes the behavior for various setting combinations when your environment has multiple Active Directory domains, without two-factor authentication, and your end users use the Horizon Clients 5.0 and later versions.

In short, the end user must include the domain name when typing their user name (domain\username), except in the legacy combination where the domain names are sent and are visible in the client.

Table 4. Behavior For Horizon Clients 5.0 and Later Versions and You Have Multiple Active Directory Domains

Columns: Show Default Domain Only (enabled sends *DefaultDomain*) | Hide Domain Field | Horizon Client 5.0 Login Screen Details | How Users Log In

Show Default Domain Only: Yes | Hide Domain Field: Yes
Login screen details: The client's login screen has the standard user name and password fields. No domain field is displayed. No domain names are sent.
(Screenshot: the 5.0 Horizon Client for Windows login screen when Hide Domain Field is set to Yes)
How users log in: An end user must include the domain name in the User name text box.
  • domain\username
Using the command-line client launch and specifying the domain in the command works.

Show Default Domain Only: Yes | Hide Domain Field: No
Login screen details: The client's login screen has the standard user name and password fields. The domain field displays *DefaultDomain*. No domain names are sent.
(Screenshot: the Horizon Client for Windows 5.0 login screen with Show Default Domain Only Yes and Hide Domain Field No)
How users log in: An end user must include the domain name in the User name text box.
  • domain\username
Using the command-line client launch and specifying the domain in the command works.

Show Default Domain Only: No | Hide Domain Field: Yes
Login screen details: The client's login screen has the standard user name and password fields. No domain field is displayed. The system sends the domain names to the client.
Note: This combination is atypical. You would not normally use this combination because it hides the domain field even though the system is sending the domain names.
The login screen looks the same as the one in the first row of this table, with no domain field displayed.
How users log in: An end user must include the domain name in the User name text box.
  • domain\username

Show Default Domain Only: No | Hide Domain Field: No
Login screen details: The client's login screen has the standard user name and password fields and a standard drop-down domain selector displays the list of domain names. The domain names are sent.
How users log in: The end user can specify their user name in the User name text box and select their domain from the list visible in the client.
Using the command-line client launch and specifying the domain in the command works.

This table describes the behavior when your environment has multiple Active Directory domains and your end users use previous versions of the Horizon clients (pre-5.0).

Important:
  • Setting Hide Domain Field to Yes allows end users to enter their domain in the User name text box in these pre-5.0 Horizon clients. When you have multiple domains and you want to support use of pre-5.0 Horizon clients by your end users, you must set Hide Domain Field to Yes so that your end users can include the domain name when they type in their user name.
  • Using the command-line client launch of older (pre-5.0) clients and specifying the domain in the command fails for all of the combinations below. The only workaround when you have multiple Active Directory domains and want to use command-line client launch is to update the client to the 5.0 version.
Table 5. Behavior For Older Horizon Clients (Before 5.0) and You Have Multiple Active Directory Domains

Columns: Show Default Domain Only (enabled sends *DefaultDomain*) | Hide Domain Field | Pre-5.0 Horizon Client Login Screen Details | How Users Log In

Show Default Domain Only: Yes | Hide Domain Field: Yes
Login screen details: The client's login screen has the standard user name and password fields. No domain field is displayed. No domain names are sent.
How users log in: An end user must include the domain name in the User name text box.
  • domain\username

Show Default Domain Only: Yes | Hide Domain Field: No
Login screen details: The client's login screen has the standard user name and password fields. The domain field displays *DefaultDomain*. No domain names are sent.
How users log in: This combination is unsupported for environments with multiple Active Directory domains.

Show Default Domain Only: No | Hide Domain Field: Yes
Login screen details: The client's login screen has the standard user name and password fields. No domain field is displayed. The system sends the domain names to the client.
Note: This combination is atypical. You would not normally use this combination because it hides the domain field even though the system is sending the domain names.
How users log in: An end user must include the domain name in the User name text box.
  • domain\username

Show Default Domain Only: No | Hide Domain Field: No
Login screen details: The client's login screen has the standard user name and password fields and a standard drop-down domain selector displays the list of domain names. The domain names are sent.
How users log in: The end user can specify their user name in the User name text box and select their domain from the list visible in the client.

About Pods in Microsoft Azure with Unified Access Gateway Instances Configured with Two-Factor Authentication

As described in Specify Two-Factor Authentication Capability for the Pod, when you deploy a pod into Microsoft Azure, you have the option of deploying it with two-factor authentication configured on its Unified Access Gateway instances.

When a pod in Microsoft Azure has its Unified Access Gateway configured with two-factor authentication, end users attempting to authenticate with their Horizon clients first see a screen asking for their two-factor authentication credentials, followed by a login screen asking for their Active Directory domain credentials. In this case, the system sends the domain list to the clients only after the end user's credentials successfully pass that initial authentication screen.

Generally speaking, if all of your pods have two-factor authentication configured on their Unified Access Gateway instances, you might consider having the system send the domain list to the clients and have the clients display the domain drop-down menu. That configuration provides the same legacy end-user experience for all of your end users, regardless of which Horizon client version they are using or how many Active Directory domains you have. After the end user successfully completes the two-factor authentication passcode step, they can then select their domain from the drop-down menu in the second login screen. They can avoid having to include their domain name when they enter their credentials into the initial authentication screen.

However, because the Domain Security Settings are applied at the Horizon Cloud customer account (tenant) level, if some of your pods do not have two-factor authentication configured, you might want to avoid sending the domain list, because those pods will send the domain names to the clients connecting to them prior to the end users logging in.

Important: When a pod's two-factor authentication configuration has Maintain Username configured as Yes, ensure that the Hide Domain Field is set to No. Otherwise, your end users will not be able to provide the required domain information for the system to associate with their login credentials.

The end-user login requirements by Horizon client follow the same patterns that are described in Single Active Directory Domain Scenarios and User Login Requirements and Multiple Active Directory Domain Scenarios and User Login Requirements. When connecting to a pod that has two-factor authentication configured and you have multiple Active Directory domains, the end user must provide their domain name as domain\username if Hide Domain Field is set to Yes.
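The constraints described in the Domain Security Settings table, the multiple-domain tables and the two-factor authentication section can be checked in one place before changing a tenant's settings. The following is an added example, not documentation or code from Horizon Cloud; the Pod and DomainSecuritySettings classes, their field names and the sample domains are constructed for illustration and are not Horizon Cloud API names.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model of a tenant's settings and pods (field names are
# assumptions for this example, not Horizon Cloud API identifiers).

@dataclass
class Pod:
    name: str
    two_factor_auth: bool            # Unified Access Gateway configured with 2FA
    maintain_username: bool = False  # the 2FA "Maintain Username" option

@dataclass
class DomainSecuritySettings:
    show_default_domain_only: bool   # Yes: only the literal *DefaultDomain* is sent
    hide_domain_field: bool          # Yes: clients show no domain field at all

def domains_sent_before_auth(settings: DomainSecuritySettings, pod: Pod,
                             domains: List[str]) -> List[str]:
    """Domain information an unauthenticated client receives from this pod."""
    if pod.two_factor_auth:
        # The domain list is sent only after the two-factor step succeeds.
        return []
    if settings.show_default_domain_only:
        return ["*DefaultDomain*"]
    return list(domains)

def check_settings(settings: DomainSecuritySettings, pods: List[Pod],
                   domains: List[str], pre50_clients: bool) -> List[Tuple[str, str]]:
    """Apply the constraints from this topic; returns (code, detail) findings."""
    findings = []
    # Settings are tenant-wide: one pod without 2FA is enough to disclose the list.
    if not settings.show_default_domain_only:
        exposed = [p.name for p in pods if not p.two_factor_auth]
        if exposed:
            findings.append(("DOMAIN_DISCLOSURE",
                             f"registered domain names sent before login by {exposed}"))
    for p in pods:
        if p.two_factor_auth and p.maintain_username and settings.hide_domain_field:
            findings.append(("MAINTAIN_USERNAME_CONFLICT",
                             f"{p.name}: Maintain Username is Yes, so Hide Domain Field must be No"))
    if (len(domains) > 1 and pre50_clients
            and settings.show_default_domain_only and not settings.hide_domain_field):
        findings.append(("UNSUPPORTED_PRE50_MULTIDOMAIN",
                         "pre-5.0 clients with several domains need Hide Domain Field = Yes "
                         "so users can type domain\\username"))
    if not settings.show_default_domain_only and settings.hide_domain_field:
        findings.append(("ATYPICAL_COMBINATION",
                         "domain names are sent to clients but hidden from the login screen"))
    return findings

if __name__ == "__main__":
    domains = ["corp.example.com", "lab.example.com"]   # constructed sample domains
    pods = [Pod("pod-azure-1", two_factor_auth=False),
            Pod("pod-azure-2", two_factor_auth=True, maintain_username=True)]
    legacy = DomainSecuritySettings(show_default_domain_only=False, hide_domain_field=False)
    hardened = DomainSecuritySettings(show_default_domain_only=True, hide_domain_field=True)
    for label, s in (("legacy", legacy), ("hardened", hardened)):
        print(label, domains_sent_before_auth(s, pods[0], domains),
              check_settings(s, pods, domains, pre50_clients=True))
```

Running the block shows that the legacy combination discloses both domain names through the pod without two-factor authentication, while the hardened combination instead conflicts with the Maintain Username setting on the two-factor pod, which is the trade-off the Caution above asks you to weigh.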