You can add user domains that do not have a formal trust relationship with the Connection Server domain. Setting up a one-way or two-way trust relationship between the Connection Server domain and the user's domain is often an intrusive change to the user's Active Directory (AD) infrastructure. Instead, you can deploy VMware Horizon in a separate domain and set up communication with the user domain by configuring it as an untrusted domain.
Establishing an untrusted relationship can be an easier setup to manage in some scenarios, such as when you have a cloud-hosted Connection Server domain communicating with an on-premises user domain.
You can create a primary domain bind account to set up the untrusted relationship between the Connection Server domain and another domain. Horizon uses the domain bind account to query and perform lookups in Active Directory. You can also add multiple auxiliary accounts in case the primary domain bind account becomes inaccessible or locked out.
When configured, Horizon uses the auxiliary domain bind account to query and perform lookups in Active Directory.
In Horizon Console, you can view the configured untrusted domains on the Domain Bind tab and information and trust relationships for Connection Server domains on the Connection Server tab by navigating to .
When an untrusted domain is configured successfully and an administrator later establishes a formal trust relationship (one-way or two-way) between the untrusted domain and a Connection Server domain, the untrusted domain is treated as a Connection Server domain. The untrusted domain will no longer appear in tab and will appear in tab.
Users belonging to an untrusted domain can use SAML authentication and smart card authentication. To use SAML authentication, see Using SAML Authentication. Users belonging to an untrusted domain can also use True SSO with SAML authentication. To use smart card authentication, see Setting Up Smart Card Authentication.