You use these settings to prevent communication of Active Directory domain names to unauthenticated users using the various Horizon clients. These settings govern whether the information about the Active Directory domains that are registered with your Horizon Cloud environment is sent to the Horizon end-user clients and, if sent, how it is displayed in end-user clients' login screens.

Configuring your environment includes registering your environment with your Active Directory domains. When your end users use a Horizon client to access their entitled desktops and remote applications, those domains are associated with their entitled access. Prior to the March 2019 Horizon Cloud release, the system and clients had default behavior with no options to adjust that default behavior. Starting in March 2019, the defaults are changed, and you can optionally use the new Domain Security Settings controls to change from the defaults.

Important: When changing these settings, it can take up to 5 minutes for the update to take effect.

This topic has the following sections.

Domain Security Settings

Combinations of these settings determine whether domain information is sent to the client and whether a domain selection menu is available to the end user in the client.

Caution: These settings change the user experience in the clients. The behavior for end users using versions of Horizon Client prior to version 5.0 is different than for Horizon Client 5.0 and later. Certain combinations can set requirements on how your end users specify their domain information in the client login screen, especially when using older clients, command-line clients, and when your environment is configured with multiple Active Directory domains. How these settings affect the client user experience depends on the client. You might need to balance your desired end-user experience according to your organization's security policies. See sections Single Active Directory Domain Scenarios and User Login Requirements and Multiple Active Directory Domain Scenarios and User Login Requirements.
Table 1. Domain Security Settings on the General Settings Page
Option Description
Show Default Domain Only

This option controls what domain information the system sends to connecting clients prior to user authentication.

  • Yes - The system sends only the literal string value *DefaultDomain*.
  • No - The system sends the list of registered Active Directory domain names to the client.
Hide Domain Field

This option controls the visibility in the client login screen of whatever domain-related information is sent to the client, based on the Show Default Domain Only setting.

  • Yes - Nothing about domains is displayed in the client login screen, regardless of what Show Default Domain Only is set to. Neither the literal string value *DefaultDomain* nor the domain names are displayed in the client login screen.
  • No - The client login screen displays one of the following items, depending on the Show Default Domain Only setting.
    • The literal text *DefaultDomain*, when Show Default Domain Only is Yes. This combination is optimized for user experience in Horizon Clients older than version 5.0, while also providing improved security.
    • The list of domain names in a drop-down menu, when Show Default Domain Only is No.

This Release's Default Behavior Compared with Past Releases

The following table details the previous default behavior, the new default behavior, and the settings you can use to adjust the behavior to meet your organization's needs.

Previous Release Default Behavior This Release Default Behavior Corresponding Domain Security Settings Combination for this Release's Default Behavior

The system sent the names of the registered Active Directory domains to the clients.

The system sends only a literal string value ( *DefaultDomain*) to the clients and not the names of the registered Active Directory domains.
Note: Sending the literal string provides support for older Horizon clients which are implemented to expect a string list of domain names.
Show Default Domain Only

Default setting: Yes

The clients displayed a drop-down menu in the login screen that presents the list of registered Active Directory domain names for the end user to choose their domain prior to logging in.

The clients display that literal string *DefaultDomain*.

Hide Domain Field

Default setting: No

Single Active Directory Domain Scenarios and User Login Requirements

The following table describes the behavior for various setting combinations when your environment has a single Active Directory domain, without two-factor authentication, and your end users use the Horizon Clients 5.0 and later versions.

Table 2. Behavior For Horizon Clients 5.0 and Later Versions and You Have One Active Directory Domain
Show Default Domain Only (enabled sends *DefaultDomain*) Hide Domain Field Horizon Client 5.0 Login Screen Details How Users Log In
Yes Yes The client's login screen has the standard user name and password fields. No domain field is displayed. No domain name is sent.

The following screenshot is an example for how the resulting login screen looks like for the Windows client.


Screenshot of the 5.0 Horizon Client for Windows when the Hide Domain Field is set to Yes

When there is a single domain, to log in, end users can enter either of the following values in the User name text box. The domain name is not required.
  • username
  • domain\username

Using the command-line client launch and specifying the domain in the command works.

Yes No The client's login screen has the standard user name and password fields. The domain field displays *DefaultDomain*. No domain name is sent.

The following screenshot is an example for how the resulting login screen looks like for the Windows client.


Screenshot of the Horizon Client for Windows 5.0 login screen with Show Default Domain Only Yes and Hide Domain Field No

When there is a single domain, to log in, end users can enter either of the following values in the User name text box. The domain name is not required.
  • username
  • domain\username

Using the command-line client launch and specifying the domain in the command works.

No Yes The client's login screen has the standard user name and password fields. No domain field is displayed. The system sends the domain name to the client.
Note: This combination is atypical. You would not normally use this combination because it hides the domain field even though the system is sending the domain name.

The login screen looks the same as the one in the first row of this table, with no domain field displayed.

An end user must include the domain name in the User name text box.
  • domain\username
No No The client's login screen has the standard user name and password fields and a standard drop-down domain selector displays the one available domain name. The domain name is sent. The end user can specify their user name in the User name text box and use the single domain that is in the list visible in the client.

Using the command-line client launch and specifying the domain in the command works.

This table describes the behavior when your environment has a single Active Directory domain and your end users use previous versions of the Horizon clients (pre-5.0).

Important: Using the command-line client launch of older (pre-5.0) clients and specifying the domain in the command fails for all of the combinations below. To work around this behavior, either use *DefaultDomain* for the command's domain option or upgrade the client to the 5.0 version. However, when you have more than one Active Directory domain, passing *DefaultDomain* does not work.
Table 3. Behavior For Older Horizon Clients (Before 5.0) and You Have One Active Directory Domain
Show Default Domain Only (enabled sends *DefaultDomain*) Hide Domain Field Pre-5.0 Horizon Client Login Screen Details How Users Log In
Yes Yes The client's login screen has the standard user name and password fields. No domain field is displayed. No domain name is sent. An end user must include the domain name in the User name text box.
  • domain\username
Yes No The client's login screen has the standard user name and password fields. The domain field displays *DefaultDomain*. No domain name is sent. An end user must enter username in the User name text box. When the domain name is included, an error message displays that states the specified domain name does not exist in the domain list.
No Yes The client's login screen has the standard user name and password fields. No domain field is displayed. The system sends the domain name to the client.
Note: This combination is atypical. You would not normally use this combination because it hides the domain field even though the system is sending the domain name.

The login screen looks the same as the one in the first row of this table, with no domain field displayed.

An end user must include the domain name in the User name text box.
  • domain\username
No No The client's login screen has the standard user name and password fields and a standard drop-down domain selector displays the one available domain name. The domain name is sent. The end user can specify their user name in the User name text box and use the single domain that is in the list visible in the client.

Multiple Active Directory Domain Scenarios and User Login Requirements

This table describes the behavior for various setting combinations when your environment has multiple Active Directory domains, without two-factor authentication, and your end users use the Horizon Clients 5.0 and later versions.

Basically, the end user has to include the domain name when they type in their user name, like domain\username, except for the legacy combination where the domain names are sent and are visible in the client.

Table 4. Behavior For Horizon Clients 5.0 and Later Versions and You Have Multiple Active Directory Domains
Show Default Domain Only (enabled sends *DefaultDomain*) Hide Domain Field Horizon Client 5.0 Login Screen Details How Users Log In
Yes Yes The client's login screen has the standard user name and password fields. No domain field is displayed. No domain names are sent.

The following screenshot is an example for how the resulting login screen looks like for the Windows client.


Screenshot of the 5.0 Horizon Client for Windows when the Hide Domain Field is set to Yes

An end user must include the domain name in the User name text box.
  • domain\username

Using the command-line client launch and specifying the domain in the command works.

Yes No The client's login screen has the standard user name and password fields. The domain field displays *DefaultDomain*. No domain names are sent.

The following screenshot is an example for how the resulting login screen looks like for the Windows client.


Screenshot of the Horizon Client for Windows 5.0 login screen with Show Default Domain Only Yes and Hide Domain Field No

An end user must include the domain name in the User name text box.
  • domain\username

Using the command-line client launch and specifying the domain in the command works.

No Yes The client's login screen has the standard user name and password fields. No domain field is displayed. The system sends the domain names to the client.
Note: This combination is atypical. You would not normally use this combination because it hides the domain field even though the system is sending the domain names.

The login screen looks the same as the one in the first row of this table, with no domain field displayed.

An end user must include the domain name in the User name text box.
  • domain\username
No No The client's login screen has the standard user name and password fields and a standard drop-down domain selector displays the list of domain names. The domain names are sent. The end user can specify their user name in the User name text box and select their domain from the list visible in the client.

Using the command-line client launch and specifying the domain in the command works.

This table describes the behavior when your environment has multiple Active Directory domains and your end users use previous versions of the Horizon clients (pre-5.0).

Important:
  • Setting Hide Domain Field to Yes allows end users to enter their domain in the User name text box in these pre-5.0 Horizon clients. When you have multiple domains and you want to support use of pre-5.0 Horizon clients by your end users, you must set Hide Domain Field to Yes so that your end users can include the domain name when they type in their user name.
  • Using the command-line client launch of older (pre-5.0) clients and specifying the domain in the command fails for all of the combinations below. The only work around when you have multiple Active Directory domains and want to use command-line client launch is to upgrade the client to the 5.0 version.
Table 5. Behavior For Older Horizon Clients (Before 5.0) and You Have Multiple Active Directory Domains
Show Default Domain Only (enabled sends *DefaultDomain*) Hide Domain Field Pre-5.0 Horizon Client Login Screen Details How Users Log In
Yes Yes The client's login screen has the standard user name and password fields. No domain field is displayed. No domain name is sent. An end user must include the domain name in the User name text box.
  • domain\username
Yes No The client's login screen has the standard user name and password fields. The domain field displays *DefaultDomain*. No domain name is sent. This combination is unsupported for environments with multiple Active Directory domains.
No Yes The client's login screen has the standard user name and password fields. No domain field is displayed. The system sends the domain name to the client.
Note: This combination is atypical. You would not normally use this combination because it hides the domain field even though the system is sending the domain names.
An end user must include the domain name in the User name text box.
  • domain\username
No No The client's login screen has the standard user name and password fields and a standard drop-down domain selector displays the one available domain name. The domain name is sent. The end user can specify their user name in the User name text box and select their domain from the list visible in the client.

When Your Tenant is Configured with Two-Factor Authentication

When your tenant is configured with RSA SecureID or RADIUS two-factor authentication, end users attempting to authenticate with their Horizon clients first see a screen asking for their two-factor authentication credentials, followed by a login screen asking for their Active Directory domain credentials. When your tenant is configured with two-factor authentication, the system sends the domain list to the clients only after the end user's credentials successfully pass that initial authentication screen. The system sends the domain list regardless of the Show Default Domain Only setting.

When your tenant with two-factor authentication has multiple Active Directory domains, the optimal end-user experience is have Hide Domain Field set to No, and have the domain selector visible on that domain login screen. That configuration allows your end users to select their domain from the drop-down menu in the second login screen, and avoid having to include their domain name when they enter their credentials into the initial authentication screen.

Important: When your tenant's two-factor authentication configuration has Maintain Username configured as Yes, ensure that the Hide Domain Field is set to No. Otherwise, your end users will not be able to provide the required domain information for the system to associate with their login credentials.

For information on using the Administration Console to see your tenant's two-factor authentication settings, see 2 Factor Authentication.

The following table describes the resulting behavior from the Hide Domain Field setting when your tenant is configured to use two-factor authentication.

Table 6. When Your Tenant has Two-Factor Authentication Configured
Domain Security Settings Domain Login Screen Behavior Description Horizon Client Version

Hide Domain Field is No

After the end user authenticates successfully with their two-factor authentication credentials, the domain login screen contains the User name and Password fields and the Domain drop-down menu.

This behavior is the same as the behavior prior to this service release. After the initial two-factor authentication screen, the end user can specify their user name in the User name text box and select their domain from the list visible in the client.

All versions supported for this release.

Hide Domain Field is Yes

After the end user authenticates successfully with their two-factor authentication credentials, the domain login screen contains the User name and Password fields only.

Avoid using this configuration if your tenant's two-factor authentication configuration has Maintain Username configured as Yes.

The end user's steps are:

  • In the initial two-factor authentication screen, the end user must include their domain in the User name text box, domain\username.
  • As appropriate for your tenant's configuration, the end user completes the next two-factor authentication step, such as the domain challenge or passcode.
  • In the domain login screen, the end user provides their user name and password.

All versions supported for this release.