Finally, the much awaited support of Citrix Director for multi-forest infrastructures with a one way trust that uses domain local groups to hold users and user-groups is out. This facilitates CSP administrators to troubleshoot users belonging to a tenant forest while still using domain local groups to hold the tenant user or user-group records.

Infrastructure:

The typical setup of a multi-forest XenApp and XenDesktop Site infrastructure would be as shown below:

  • The Desktop Delivery Controller (DDC), Director and VDAs are all located in one forest/domain which can be termed as Infrastructure Forest.
  • The users and user-groups accessing the XenApp and XenDesktop resources are located in another forest/domain which can be termed as Customer Forest.
  • An outgoing trust exists from the Infrastructure Forest to the Customer Forest i.e. Users belonging to the Customer Forest are trusted within the Infrastructure Forest.
  • Users and user-groups are added to a Domain Local Group residing in Infrastructure Forest. This domain local group is used for user assignment while assigning users or user-groups to Delivery Groups in Citrix Studio.

Administrators in either the Customer Forest or the Infrastructure Forest can monitor the Site using Director. Typically, initial troubleshooting is done by an administrator in the Customer Forest. If the issue is not resolved, it would be escalated to an administrator in the Infrastructure forest.

Earlier Limitation:

Since users or user-groups are added to domain local groups from where users are assigned in Citrix Studio, Director was unable to list resources of such users. The following message was shown after searching for a user (from the Customer forest) having an active session:

The workaround for the above limitation was to directly add the users/user groups from the Customer forest to the Delivery Groups in Citrix Studio.

Solution:

With Citrix Director in XenApp and XenDesktop 7.16, domain local groups are supported. Adding the following details in the director web.config file should be sufficient to avail this functionality:

The Director web.config file is located at C:\inetpub\wwwroot\Director\web.config

Add the following keys to web.config file in the appsettings section if they dont exist.

<appSettings>

<add key=”Connector.ActiveDirectory.DomainLocalGroupSearch” value=”true”/>

<add key=”Connector.ActiveDirectory.DomainLocalGroupSearchDomains” value=”DOMAIN_NAME”/>

</appSettings>

Eg: If the Infrastructure Forest where domain local group exists is ‘infra.com’,

<add key=”Connector.ActiveDirectory.DomainLocalGroupSearchDomains” value=”infra.com”/>

Restart the IIS after the above changes in web.config file and login to Director again to get the domain local group solution working. The Director login should be from an administrator user belonging to customer forest who is also added as an administrator for XenDesktop site with appropriate delegated admin privileges. With this solution, the Director admin can perform user search and select the user from the results to view the assigned resources even if the selected user is part of a domain local group.

Note: The above configuration changes can be done using Internet Information Services(IIS) Manager as well. Open the IIS console present on the Director Server and navigate to Sites → Default Web Site → Director -> Application Settings and add the keys by clicking on Add action as shown below: