You use these settings to prevent communication of Active Directory domain names to unauthenticated users using the various Horizon clients. These settings govern whether the information about the Active Directory domains that are registered with your Horizon Cloud environment is sent to the Horizon end-user clients and, if sent, how it is displayed in end-user clients' login screens.
Configuring your environment includes registering your environment with your Active Directory domains. When your end users use a Horizon client to access their entitled desktops and remote applications, those domains are associated with their entitled access. Prior to the March 2019 Horizon Cloud release, the system and clients had default behavior with no options to adjust that default behavior. Starting in March 2019, the defaults are changed, and you can optionally use the new Domain Security Settings controls to change from the defaults.
This topic has the following sections.
- Domain Security Settings
- This Release's Default Behavior Compared with Past Releases
- Single Active Directory Domain Scenarios and User Login Requirements
- Multiple Active Directory Domain Scenarios and User Login Requirements
- When Your Tenant is Configured with Two-Factor Authentication
Domain Security Settings
Combinations of these settings determine whether domain information is sent to the client and whether a domain selection menu is available to the end user in the client.
Option | Description
---|---
Show Default Domain Only | This option controls what domain information the system sends to connecting clients prior to user authentication.
Hide Domain Field | This option controls the visibility in the client login screen of whatever domain-related information is sent to the client, based on the Show Default Domain Only setting.
This Release's Default Behavior Compared with Past Releases
The following table details the previous default behavior, the new default behavior, and the settings you can use to adjust the behavior to meet your organization's needs.
Previous Release Default Behavior | This Release Default Behavior | Corresponding Domain Security Settings Combination for this Release's Default Behavior
---|---|---
The system sent the names of the registered Active Directory domains to the clients. | The system sends only a literal string value (*DefaultDomain*) to the clients and not the names of the registered Active Directory domains. Note: Sending the literal string provides support for older Horizon clients, which are implemented to expect a string list of domain names. | Show Default Domain Only. Default setting: Yes
The clients displayed a drop-down menu in the login screen that presents the list of registered Active Directory domain names for the end user to choose their domain prior to logging in. | The clients display that literal string. | Hide Domain Field. Default setting: No
Single Active Directory Domain Scenarios and User Login Requirements
The following table describes the behavior for various setting combinations when your environment has a single Active Directory domain, without two-factor authentication, and your end users use the Horizon Clients 5.0 and later versions.
Show Default Domain Only (enabled sends *DefaultDomain*) | Hide Domain Field | Horizon Client 5.0 Login Screen Details | How Users Log In
---|---|---|---
Yes | Yes | The client's login screen has the standard user name and password fields. No domain field is displayed. No domain name is sent. The following screenshot is an example of how the resulting login screen looks for the Windows client. | When there is a single domain, end users can enter either of the following values in the User name text box to log in; the domain name is not required. Using the command-line client launch and specifying the domain in the command works.
Yes | No | The client's login screen has the standard user name and password fields. The domain field displays *DefaultDomain*. No domain name is sent. The following screenshot is an example of how the resulting login screen looks for the Windows client. | When there is a single domain, end users can enter either of the following values in the User name text box to log in; the domain name is not required. Using the command-line client launch and specifying the domain in the command works.
No | Yes | The client's login screen has the standard user name and password fields. No domain field is displayed. The system sends the domain name to the client. Note: This combination is atypical. You would not normally use this combination because it hides the domain field even though the system is sending the domain name. The login screen looks the same as the one in the first row of this table, with no domain field displayed. | An end user must include the domain name in the User name text box.
No | No | The client's login screen has the standard user name and password fields, and a standard drop-down domain selector displays the one available domain name. The domain name is sent. | The end user can specify their user name in the User name text box and use the single domain that is in the list visible in the client. Using the command-line client launch and specifying the domain in the command works.
This table describes the behavior when your environment has a single Active Directory domain and your end users use previous versions of the Horizon clients (pre-5.0).
*DefaultDomain* for the command's domain option or upgrade the client to the 5.0 version. However, when you have more than one Active Directory domain, passing *DefaultDomain* does not work.
Show Default Domain Only (enabled sends *DefaultDomain*) | Hide Domain Field | Pre-5.0 Horizon Client Login Screen Details | How Users Log In
---|---|---|---
Yes | Yes | The client's login screen has the standard user name and password fields. No domain field is displayed. No domain name is sent. | An end user must include the domain name in the User name text box.
Yes | No | The client's login screen has the standard user name and password fields. The domain field displays *DefaultDomain*. No domain name is sent. | An end user must enter only their user name in the User name text box. When the domain name is included, an error message displays stating that the specified domain name does not exist in the domain list.
No | Yes | The client's login screen has the standard user name and password fields. No domain field is displayed. The system sends the domain name to the client. Note: This combination is atypical. You would not normally use this combination because it hides the domain field even though the system is sending the domain name. The login screen looks the same as the one in the first row of this table, with no domain field displayed. | An end user must include the domain name in the User name text box.
No | No | The client's login screen has the standard user name and password fields, and a standard drop-down domain selector displays the one available domain name. The domain name is sent. | The end user can specify their user name in the User name text box and use the single domain that is in the list visible in the client.
Multiple Active Directory Domain Scenarios and User Login Requirements
This table describes the behavior for various setting combinations when your environment has multiple Active Directory domains, without two-factor authentication, and your end users use the Horizon Clients 5.0 and later versions.
Basically, the end user has to include the domain name when they type in their user name, like domain\username, except for the legacy combination where the domain names are sent and are visible in the client.
Show Default Domain Only (enabled sends *DefaultDomain*) | Hide Domain Field | Horizon Client 5.0 Login Screen Details | How Users Log In
---|---|---|---
Yes | Yes | The client's login screen has the standard user name and password fields. No domain field is displayed. No domain names are sent. The following screenshot is an example of how the resulting login screen looks for the Windows client. | An end user must include the domain name in the User name text box. Using the command-line client launch and specifying the domain in the command works.
Yes | No | The client's login screen has the standard user name and password fields. The domain field displays *DefaultDomain*. No domain names are sent. The following screenshot is an example of how the resulting login screen looks for the Windows client. | An end user must include the domain name in the User name text box. Using the command-line client launch and specifying the domain in the command works.
No | Yes | The client's login screen has the standard user name and password fields. No domain field is displayed. The system sends the domain names to the client. Note: This combination is atypical. You would not normally use this combination because it hides the domain field even though the system is sending the domain names. The login screen looks the same as the one in the first row of this table, with no domain field displayed. | An end user must include the domain name in the User name text box.
No | No | The client's login screen has the standard user name and password fields, and a standard drop-down domain selector displays the list of domain names. The domain names are sent. | The end user can specify their user name in the User name text box and select their domain from the list visible in the client. Using the command-line client launch and specifying the domain in the command works.
This table describes the behavior when your environment has multiple Active Directory domains and your end users use previous versions of the Horizon clients (pre-5.0).
- Setting Hide Domain Field to Yes allows end users to enter their domain in the User name text box in these pre-5.0 Horizon clients. When you have multiple domains and you want to support use of pre-5.0 Horizon clients by your end users, you must set Hide Domain Field to Yes so that your end users can include the domain name when they type in their user name.
- Using the command-line client launch of older (pre-5.0) clients and specifying the domain in the command fails for all of the combinations below. The only workaround when you have multiple Active Directory domains and want to use command-line client launch is to upgrade the client to the 5.0 version.
Show Default Domain Only (enabled sends *DefaultDomain*) | Hide Domain Field | Pre-5.0 Horizon Client Login Screen Details | How Users Log In
---|---|---|---
Yes | Yes | The client's login screen has the standard user name and password fields. No domain field is displayed. No domain names are sent. | An end user must include the domain name in the User name text box.
Yes | No | The client's login screen has the standard user name and password fields. The domain field displays *DefaultDomain*. No domain names are sent. | This combination is unsupported for environments with multiple Active Directory domains.
No | Yes | The client's login screen has the standard user name and password fields. No domain field is displayed. The system sends the domain names to the client. Note: This combination is atypical. You would not normally use this combination because it hides the domain field even though the system is sending the domain names. | An end user must include the domain name in the User name text box.
No | No | The client's login screen has the standard user name and password fields, and a standard drop-down domain selector displays the list of domain names. The domain names are sent. | The end user can specify their user name in the User name text box and select their domain from the list visible in the client.
When Your Tenant is Configured with Two-Factor Authentication
When your tenant is configured with RSA SecurID or RADIUS two-factor authentication, end users attempting to authenticate with their Horizon clients first see a screen asking for their two-factor authentication credentials, followed by a login screen asking for their Active Directory domain credentials. When your tenant is configured with two-factor authentication, the system sends the domain list to the clients only after the end user's credentials successfully pass that initial authentication screen. The system sends the domain list regardless of the Show Default Domain Only setting.
When your tenant with two-factor authentication has multiple Active Directory domains, the optimal end-user experience is to have Hide Domain Field set to No, so that the domain selector is visible on the domain login screen. That configuration allows your end users to select their domain from the drop-down menu in the second login screen and avoid having to include their domain name when they enter their credentials into the initial authentication screen.
For information on using the Administration Console to see your tenant's two-factor authentication settings, see 2 Factor Authentication.
The following table describes the resulting behavior from the Hide Domain Field setting when your tenant is configured to use two-factor authentication.
Domain Security Settings | Domain Login Screen Behavior | Description | Horizon Client Version
---|---|---|---
Hide Domain Field is No | After the end user authenticates successfully with their two-factor authentication credentials, the domain login screen contains the User name and Password fields and the Domain drop-down menu. | This behavior is the same as the behavior prior to this service release. After the initial two-factor authentication screen, the end user can specify their user name in the User name text box and select their domain from the list visible in the client. | All versions supported for this release.
Hide Domain Field is Yes | After the end user authenticates successfully with their two-factor authentication credentials, the domain login screen contains the User name and Password fields only. | Avoid using this configuration if your tenant's two-factor authentication configuration has Maintain Username configured as Yes. The end user's steps are: | All versions supported for this release.
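The rules in the tables above reduce to three questions: what domain information leaves the system before the user authenticates, whether the client shows it, and whether the user has to type domain\username. The following Python is an added illustration, not VMware code or a Horizon API; it encodes those rules as a tenant-configuration audit so that an administrator can check a proposed combination of Show Default Domain Only and Hide Domain Field against the disclosure, atypical, unsupported and two-factor caveats the page describes. The names TenantConfig, Client, domains_sent_before_auth, user_must_type_domain and audit_domain_settings are invented for the example, and the sample domain names are constructed.

```python
# Added example (not VMware's code): a model of the Domain Security Settings
# rules on this page, usable as a tenant-configuration audit. Class and
# function names are hypothetical; setting names and behaviours follow the page.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

DEFAULT_DOMAIN_TOKEN = "*DefaultDomain*"   # literal string the system sends instead of names


class Client(Enum):
    PRE_5 = "pre-5.0"
    V5 = "5.0+"


@dataclass(frozen=True)
class TenantConfig:
    registered_domains: Tuple[str, ...]     # constructed sample values in the tests
    show_default_domain_only: bool = True   # page default: Yes
    hide_domain_field: bool = False         # page default: No
    two_factor: bool = False                # RSA SecurID or RADIUS configured
    maintain_username: bool = False         # the two-factor "Maintain Username" option

    @property
    def multi_domain(self) -> bool:
        return len(self.registered_domains) > 1


def domains_sent_before_auth(cfg: TenantConfig) -> List[str]:
    """Domain information an unauthenticated client receives.

    With two-factor authentication nothing is sent until the first screen is
    passed; otherwise Show Default Domain Only decides between the literal
    token and the real registered domain names.
    """
    if cfg.two_factor:
        return []
    if cfg.show_default_domain_only:
        return [DEFAULT_DOMAIN_TOKEN]
    return list(cfg.registered_domains)


def domains_sent_after_2fa(cfg: TenantConfig) -> List[str]:
    """After two-factor succeeds the full list is sent regardless of Show Default Domain Only."""
    return list(cfg.registered_domains) if cfg.two_factor else domains_sent_before_auth(cfg)


def domain_field_shown(cfg: TenantConfig) -> bool:
    """Hide Domain Field governs visibility of whatever was sent."""
    return not cfg.hide_domain_field


def user_must_type_domain(cfg: TenantConfig, client: Client) -> Optional[bool]:
    """True: user must type domain\\username. False: not required (or, for the
    pre-5.0 single-domain Yes/No row, typing it produces an error).
    None: the page gives no rule (unsupported combination, or two-factor with
    a hidden field, whose user steps are not listed on the page)."""
    s, h = cfg.show_default_domain_only, cfg.hide_domain_field
    if cfg.two_factor:
        return None if h else False           # selector visible after the first screen
    if cfg.multi_domain:
        if client is Client.PRE_5 and s and not h:
            return None                       # unsupported for multiple domains
        return s or h                         # only the visible selector avoids typing it
    if client is Client.PRE_5:
        return h                              # hidden field: must type it; visible: must not
    return (not s) and h                      # 5.0 single domain: only the atypical No/Yes row


def audit_domain_settings(cfg: TenantConfig, client: Client = Client.V5) -> List[str]:
    """Flag combinations the page calls out as disclosing, atypical, unsupported or broken."""
    findings: List[str] = []
    if not cfg.show_default_domain_only and not cfg.two_factor:
        findings.append("registered domain names are disclosed to unauthenticated clients")
    if not cfg.show_default_domain_only and cfg.hide_domain_field:
        findings.append("atypical: domain names are sent but the domain field is hidden")
    if cfg.multi_domain and client is Client.PRE_5:
        if cfg.show_default_domain_only and not cfg.hide_domain_field:
            findings.append("unsupported: Show Default Domain Only=Yes with Hide Domain Field=No")
        elif not cfg.hide_domain_field:
            findings.append("pre-5.0 clients need Hide Domain Field=Yes to type domain\\username")
        findings.append("command-line launch with a domain fails on pre-5.0 clients; upgrade to 5.0")
    if cfg.two_factor and cfg.hide_domain_field:
        if cfg.maintain_username:
            findings.append("avoid Hide Domain Field=Yes when Maintain Username=Yes")
        if cfg.multi_domain:
            findings.append("with two-factor and multiple domains, Hide Domain Field=No is preferred")
    return findings


if __name__ == "__main__":
    legacy = TenantConfig(("corp.example", "lab.example"), show_default_domain_only=False)
    for finding in audit_domain_settings(legacy, Client.PRE_5):
        print("-", finding)
```

Running the block prints the findings for a pre-March-2019-style tenant (domain names sent, two domains, pre-5.0 clients); for the release defaults on a single domain the audit returns no findings and the only thing an unauthenticated client sees is the *DefaultDomain* token.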