Domain External Trust - Network credentials passed via Citrix traf

Discussion in 'Server Networking' started by John Felstead, Oct 16, 2007.

  1. Hi,
    I am not sure if this question should be posted in the Citrix Metaframe forum or
    here but as it relates to trusts and possibly Terminal Services I am hoping
    someone can help me with the following scenario. I understand the basics of
    Active Directory and Windows authentication but I am no expert so I would
    appreciate your patience.
    Consider the following :-

    Company A provides a hosted solution for Customer B at a remote location.
    Customer B accesses the application via Citrix Presentation server on Company
    A's site using the web ICA client via Internet Explorer.
    Currently Customer B's users log on to their own Windows 2000 AD Domain using
    Windows account credentials stored in AD. When they access the web portal of
    Company A they are prompted for a user name and password (Company A's Windows
    2003 AD domain credentials) they can then access the application.
    Customer B wants its users to be able to access the application using a
    single sign on i.e. once logged on to their own domain they do not need to
    enter further credentials to access Company A's application.
    This is presumably reasonably easy to arrange by creating a Trust between
    the two domains, possibly a one way External Trust??
    Now the question. When a user accesses the web portal where they would
    normally enter their credentials for Company A's domain how does the Windows
    authentication pass to the other domain? Is this via the Citrix traffic or by
    some other means and will this work in practice or do the users have to
    directly access Company A's network other than through secure HTTP traffic?

    Any light you could shed on the above would be very much appreciated as this
    has been dumped in my lap to test the theory before touching Active Directory
    in either domain.
    John Felstead, Oct 16, 2007

  2. John Felstead

    Anthony Guest

    Hi John,
    This is a huge topic. Yes, in a simple WAN environment you can just create a
    trust. If Domain B was not set up as the primary domain in the Citrix web
    interface then you would need to preface the username with the domain name.
    If you were using the ICA client it would sign in with Domain B credentials
    and these would be accepted by the Domain A Citrix service if there was a
    But there are a whole load of complications:
    - By hosting, do you mean a dedicated service provided solely for users in
    Company B? In this case you would be better off putting a DC at the hosting
    premises and just working as one domain.
    - If it is a shared service, are you sure you trust all the other users of
    the service? You may not want to pass your domain credentials to it.
    - Is it over a VPN or a direct WAN connection? In this case you can use the
    ICA client to achieve single sign on.
    - Is it over the Internet to secure gateway or access gateway? You can
    provide your domain credentials and have them authenticate through the trust
    and pass through to the Citrix service. But you would still have to find a
    way to enable their domain controller(s) to access yours.
    There are a lot of permutations depending on circumstances. I would say that
    in general there is no reason for a dedicated hosted service to require you
    to use different credentials. If it is a shared service, then over a WAN you
    would use trusts, and over the Internet you would use Federation Services;
    or just use Company B credentials.
    One other thing is, you really want to get this sorted out before going too
    far down the line in setting up the hosted service.
    Hope that helps,
    Anthony, Oct 16, 2007