You must join each Connection Server host to an Active Directory domain. The host must not be a domain controller.
Active Directory also manages the Horizon Agent machines, including single-user machines and RDS hosts, and the users and groups in your VMware Horizon 8 deployment. You can entitle users and groups to remote desktops and applications, and you can select users and groups to be administrators in VMware Horizon 8.
You can place Horizon Agent machines and users and groups, in the following Active Directory domains:
- The Connection Server domain
- A different domain that has a two-way trust relationship with the Connection Server domain
- A domain in a different forest than the Connection Server domain that is trusted by the Connection Server domain in a one-way external or realm trust relationship
- A domain in a different forest than the Connection Server domain that is trusted by the Connection Server domain in a one-way or two-way transitive forest trust relationship
- Untrusted domains
Users are authenticated using Active Directory against the Connection Server domain, any additional user domains with which a trust agreement exists, and untrusted domains.
If your users and groups are in one-way trusted domains, you must provide secondary credentials for the administrator users in Horizon Console. Administrators must have secondary credentials to give them access to the one-way trusted domains. A one-way trusted domain can be an external domain or a domain in a transitive forest trust.
Secondary credentials are required only for Horizon Console sessions, not for end users' desktop or application sessions. Only administrator users require secondary credentials.
You can provide secondary credentials by using the vdmadmin -T command.
- You configure secondary credentials for individual administrator users.
- For a forest trust, you can configure secondary credentials for the forest root domain. Connection Server can then enumerate the child domains in the forest trust.
For more information, see "Providing Secondary Credentials for Administrators Using the -T Option" in the Horizon Administration document.
Smart card and SAML authentication of users is not supported in one-way trusted domains.
Unauthenticated access is not supported in a one-way trust environment when authenticating a user from a trusted domain. For example, there are two domains, Domain A and Domain B, where Domain B has a one-way outgoing trust to Domain A. When you enable unauthenticated access on the Connection Server in Domain B and add an unauthenticated access user from a user list in Domain A and then entitle the unauthenticated user to a published desktop or application pool, the user cannot log in as an unauthenticated access user from Horizon Client.
The Logon as current user feature in Horizon Client for Windows is supported in one-way trusted domains.
A domain in a different forest than the Connection Server domain that does not have any formal trust with the Connection Server domain is an untrusted domain relationship. For an untrusted domain relationship, users are authenticated using the primary domain bind account credentials. Users can be authenticated with auxiliary domain bind accounts only if the primary domain bind account is inaccessible. For more information about configuring untrusted domains, see "Configuring Untrusted Domains" in the Horizon Administration document.
- Logon as current user
- vdmadmin commands
- Adding an administrator user for an untrusted domain
- Identify an AD User That Does Not Have an AD UPN