Hi John,
This is a huge topic. Yes, in a simple WAN environment you can just create a
trust. If Domain B was not set up as the primary domain in the Citrix web
interface then you would need to preface the username with the domain name.
If you were using the ICA client it would sign in with Domain B credentials
and these would be accepted by the Domain A Citrix service if there was a
trust.
But there are a whole load of complications:
- By hosting, do you mean a dedicated service provided solely for users in
Company B? In this case you would be better off putting a DC at the hosting
premises and just working as one domain.
- If it is a shared service, are you sure you trust all the other users of
the service? You may not want to pass your domain credentials to it.
- Is it over a VPN or a direct WAN connection? In this case you can use the
ICA client to achieve single sign on.
- Is it over the Internet to secure gateway or access gateway? You can
provide your domain credentials and have them authenticate through the trust
and pass through to the Citrix service. But you would still have to find a
way to enable their domain controller(s) to access yours.
There are a lot of permutations depending on circumstances. I would say that
in general there is no reason for a dedicated hosted service to require you
to use different credentials. If it is a shared service, then over a WAN you
would use trusts, and over the Internet you would use Federation Services;
or just use Company B credentials.
One other thing is, you really want to get this sorted out before going too
far down the line in setting up the hosted service.
Hope that helps,
Anthony,
http://www.airdesk.co.uk
"John Felstead" <(E-Mail Removed)> wrote in message
news:A6959A54-1AEC-46DB-A20D-(E-Mail Removed)...
> Hi,
> I am not sure if this question should be posted to the Citrix Metaframe
> forum or here but as it relates to trusts and possibly Terminal Services
> I am hoping someone can help me with the following scenario. I understand
> the basics of Active Directory and Windows authentication but I am no
> expert so I would appreciate your patience.
> Consider the following :-
>
> Company A provides a hosted solution for Customer B at a remote location.
> Customer B accesses the application via Citrix Presentation Server on
> Company A's site using the web ICA client via Internet Explorer.
> Currently Customer B's users log on to their own Windows 2000 AD domain
> using Windows account credentials stored in AD. When they access the web
> portal of Company A they are prompted for a user name and password
> (Company A's Windows 2003 AD domain credentials); they can then access
> the application.
> Customer B wants its users to be able to access the application using a
> single sign on, i.e. once logged on to their own domain they do not need
> to enter further credentials to access Company A's application.
> This is presumably reasonably easy to arrange by creating a Trust between
> the two domains, possibly a one way External Trust??
> Now the question. When a user accesses the web portal where they would
> normally enter their credentials for Company A's domain, how does the
> Windows authentication pass to the other domain? Is this via the Citrix
> traffic or by some other means, and will this work in practice or do the
> users have to directly access Company A's network other than through
> secure HTTP traffic?
>
> Any light you could shed on the above would be very much appreciated as
> this has been dumped in my lap to test the theory before touching Active
> Directory in either domain.
>
> --
> Regards
>
> John Felstead