Each connection broker instance is joined to an Active Directory domain, and users are authenticated against Active Directory for the joined domain. Users are also authenticated against any additional user domains with which a trust agreement exists.

For example, if a connection broker instance is a member of Domain A and a trust agreement exists between Domain A and Domain B, users from both Domain A and Domain B can connect to the connection broker instance with Horizon Client.

Similarly, if a trust agreement exists between Domain A and an MIT Kerberos realm in a mixed domain environment, users from the Kerberos realm can select the Kerberos realm name when connecting to the connection broker instance with Horizon Client.

You can place users and groups in the following Active Directory domains:

  • The connection broker domain
  • A different domain that has a two-way trust relationship with the connection broker domain
  • A domain in a different forest than the connection broker domain that is trusted by the connection broker domain in a one-way external or realm trust relationship
  • A domain in a different forest than the connection broker domain that is trusted by the connection broker domain in a one-way or two-way transitive forest trust relationship

The connection broker determines which domains are accessible by traversing trust relationships, starting with the domain in which the host resides. For a small, well-connected set of domains, the connection broker can quickly determine a full list of domains, but the time that it takes increases as the number of domains increases or as the connectivity between the domains decreases. The list might also include domains that you would prefer not to offer to users when they log in to their remote desktops and applications.

Administrators can use the vdmadmin command-line interface to configure domain filtering, which limits both the set of domains that a connection broker instance searches during authentication and the set of domains that it displays to users in Horizon Client. See the Horizon 8 Administration document for more information.
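The following PowerShell script is an added example and is not part of the Horizon documentation. It shows, on the connection broker host, the two steps the paragraphs above describe: enumerating the trusts the broker will traverse and classifying each against the four supported cases, and then restricting the offered domains with vdmadmin domain filters. It assumes the Active Directory PowerShell module (RSAT) is installed on the broker, that vdmadmin.exe is at its default install path, and uses the domain names CORP, PARTNER and LEGACY as placeholders. The classification treats a trust as usable only when the broker domain is the trusting side (Outbound or BiDirectional from the broker domain's point of view), which is the condition that lets the remote domain's users authenticate to the broker.

```powershell
# Added example, not Horizon product code. Run on a connection broker host as an
# account permitted to read trusts and to run vdmadmin.
# Assumptions: RSAT ActiveDirectory module present; vdmadmin.exe at the default
# install path; CORP, PARTNER and LEGACY are placeholder domain names.

Import-Module ActiveDirectory

function Get-BrokerUsableTrusts {
    # Trusts as seen from the broker's own domain. Get-ADTrust reports Direction
    # relative to the source (broker) domain: Outbound means the broker domain
    # trusts the target, so the target's users can log in through the broker.
    $brokerDomain = (Get-ADDomain).DNSRoot
    Get-ADTrust -Filter * -Server $brokerDomain | ForEach-Object {
        $t = $_
        $usable = $false
        $case = 'not usable (inbound-only: broker domain is not the trusting side)'
        if ($t.IntraForest -and $t.Direction -eq 'BiDirectional') {
            # Same forest: parent/child and tree-root trusts are two-way transitive
            $usable = $true; $case = 'same forest, two-way trust'
        } elseif ($t.ForestTransitive -and $t.Direction -in 'Outbound','BiDirectional') {
            $usable = $true; $case = 'forest trust (one-way or two-way transitive)'
        } elseif (-not $t.IntraForest -and $t.Direction -in 'Outbound','BiDirectional') {
            $usable = $true
            # MIT trust type is a realm trust to a Kerberos realm; otherwise external
            $case = if ($t.TrustType -eq 'MIT') { 'realm trust' } else { 'external trust' }
        }
        [pscustomobject]@{
            Target         = $t.Target
            Direction      = $t.Direction
            TrustType      = $t.TrustType
            Transitive     = $t.ForestTransitive
            SelectiveAuth  = $t.SelectiveAuthentication
            UsableByBroker = $usable
            Case           = $case
        }
    }
}

Get-BrokerUsableTrusts | Format-Table -AutoSize

# Domain filtering: the include list restricts the broker to the named domains,
# the exclude list removes domains it would otherwise traverse. -N acts on the
# local broker unless -s names another connection server. The filter changes
# only what the broker searches and shows; it does not alter the AD trust.
$vdmadmin = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmadmin.exe'  # assumed default path

& $vdmadmin -N -domains -include -domain CORP    -add
& $vdmadmin -N -domains -include -domain PARTNER -add
& $vdmadmin -N -domains -exclude -domain LEGACY  -add

# Verify what the broker will actually offer after the filters are applied
& $vdmadmin -N -domains -list -active
```

Run the enumeration first and compare its UsableByBroker column with the output of `-list -active`: any trusted domain that appears in the active list but is not one you intend to serve belongs on the exclude list. Beyond the search-time cost the text describes, the unfiltered list is shown to unauthenticated clients at the login prompt, so trimming it also avoids disclosing the full trust topology of the forest.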

Account policies, such as restricting the hours during which a user may log in and setting password expiration, are enforced by Active Directory through its existing operational procedures; the connection broker does not implement them itself.