An enterprise environment can contain multiple forests and the users can be distributed on different forests. The admins create domain local groups in their base forest and tend to add the users they want from different forests as members to the domain local group. While assigning the users from other forests to a delivery group, the domain local group is used.
The Domain Local Group support is available with Citrix Director 7.16. For more details, refer to the blog Citrix Director 7.16 supports Domain Local Groups.
Director version lower than 7.16 cannot query the details of sessions from users added to a domain local group. Upon searching for such a user from different forest and landing on activity manager page, a message is shown that the user is not assigned any resources.
This limitation can be overcome by using one of the following workarounds:
- You can avoid using Domain Local Groups if your multi forest environment uses Two-way Forest Trust or Two-way External Trust with domain wide authentication. With this configuration, you can add the user groups on the second forest directly to the delivery group.
- Configure an account from the second forest in Director’s web.config. This account must have appropriate privileges to query second forest AD (Global Catalog).
Here’s what you need to add to web.config:
<add key=”Connector.ActiveDirectory.Identity” value=”Explicit”/>
<add key=”Connector.ActiveDirectory.Username” value=”Domain\Username”/>
<add key=”Connector.ActiveDirectory.Password” value=”P@ssw0rd”/>
Since the credentials are stored in plain text in web.config, use caution while adopting this workaround.
- Workaround 2 might pose a security threat, as the credentials are stored in plain text. Hence, it is recommended that you use workaround 1.
- It is recommended to have a two-way forest level trust between the forests. In a complex forest setup, having a two-way forest level trust would prevent user search failure on director due to trust issues.