Design Decision: User Authentication Considerations

Active Directory Domain Services (AD DS): This service is the traditional on-premises Active Directory infrastructure that supports GPOs, Kerberos authentication, and domain joins. A new AD DS can be created and hosted on virtual machines in the cloud. Alternatively, an existing AD DS infrastructure can become a hybrid model with some controllers in Azure and some on-premises. In both deployment scenarios, the AD DS domain can be synchronized to Azure Active Directory (AAD) using Azure AD Connect.

Azure Active Directory (Azure AD): This service is Azure’s cloud-based identity and mobile device management service that provides user authentication. Azure AD does not support device authentication, domain joins, or group policy objects (GPOs). However, Azure AD can be paired with Azure Active Directory Domain Services (Azure AD DS) to provide the minimum level of support needed for Citrix in Azure.

Azure Active Directory Domain Services (Azure AD DS): This service is a managed domain service hosted in the cloud. This service supports GPOs, Kerberos authentication, and domain joins. The difference between Azure AD DS and AD DS is that the AD domain controllers are managed by Microsoft rather than you. Azure AD DS integrates directly with Azure AD and is a great option for cloud-based Citrix deployments.

Here are the questions you need to answer regarding Active Directory infrastructure:

Should I continue to use only my on-premises Active Directory infrastructure?

  • Easy to deploy by just installing Cloud Connectors and joining them to the on-premises domain

  • Citrix Cloud can be configured to use only the on-premises AD Domain

  • Using or synchronizing to Azure AD is not required, leaving Azure AD to be solely used as identity management for Azure administration

  • To prevent latency introduced by domain authentication, Citrix recommends placing domain controllers near the Citrix Virtual Delivery Agent (VDA) hosts and the Cloud Connectors

  • Approval from information security (infosec) may be required to place domain controllers in Azure

  • Not recommended for deployments that use Microsoft 365 and that have users logging into Azure AD for that service

Should I extend on-premises Active Directory using Hybrid Mode with Azure AD Connect?

  • Microsoft recommends this design when you have an existing on-premises AD infrastructure and need either of these features:
    • schema extensions
    • account-based Kerberos constrained delegation
  • At least one Active Directory domain controller should always be available for the Cloud Connectors and VDAs. This design prevents any authentication bottlenecks or latency during the group policy processing, domain joins, and authentication events

  • Citrix recommends this model when you have Citrix workloads that are still on-premises

  • Citrix recommends this model if Citrix Cloud services such as Endpoint Management will be used

  • Place at least two domain controllers in Azure and use Azure AD Connect to synchronize AAD with AD DS over ExpressRoute or VPN

  • Using Windows 10 under a Hybrid Use Benefit license requires computer accounts and user accounts to be in the same Azure Active Directory

  • Approval from information security (infosec) may be required to place domain controllers in Azure

  • If using smart cards, Kerberos must be enabled on a domain controller
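The bullets above (and the on-premises-only option earlier) both hinge on a domain controller being reachable, with low latency, from the Cloud Connectors and VDA hosts, with Kerberos available for smart card logon. The following PowerShell script is an added example, not Citrix or Microsoft code, that verifies this from a Cloud Connector or VDA host: it lists every domain controller in the domain, tests TCP connectivity to Kerberos (88) and LDAP (389), measures connect latency, and warns when no KDC answers, when no reachable DC sits in the host's own AD site, or when a DC exceeds an assumed latency threshold. It assumes the ActiveDirectory RSAT module is installed and the host is domain-joined.

```powershell
# Added example: checks DC availability and latency from a Cloud Connector or VDA host.
#Requires -Modules ActiveDirectory
param(
    # Assumed threshold in milliseconds; tune for your own ExpressRoute/VPN path
    [int]$MaxLatencyMs = 50
)

function Test-TcpLatency {
    # Measures a single TCP connect; Reachable=$false on refusal or timeout
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $ok = $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs) -and $client.Connected
    } catch { $ok = $false }
    finally { $sw.Stop(); $client.Dispose() }
    [pscustomobject]@{ Reachable = $ok; LatencyMs = [math]::Round($sw.Elapsed.TotalMilliseconds) }
}

$domain = (Get-ADDomain).DNSRoot
$site   = (Get-ADDomainController -Discover).Site   # site the DC locator picks for this host
Write-Host "Host $env:COMPUTERNAME is in site '$site' of domain $domain"

# Kerberos (88) serves authentication and smart card logon; LDAP (389) serves GPO processing and domain joins
$ports = @{ Kerberos = 88; LDAP = 389 }

$results = foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
    foreach ($svc in $ports.Keys) {
        $probe = Test-TcpLatency -HostName $dc.HostName -Port $ports[$svc]
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            SameSite         = ($dc.Site -eq $site)
            Service          = $svc
            Reachable        = $probe.Reachable
            LatencyMs        = $probe.LatencyMs
        }
    }
}
$results | Sort-Object SameSite -Descending | Format-Table -AutoSize

# Design checks from the guidance: a reachable KDC, a DC in the host's own site, and acceptable latency
$kdcs = $results | Where-Object { $_.Service -eq 'Kerberos' -and $_.Reachable }
if (-not $kdcs) { Write-Warning "No domain controller answers Kerberos (TCP 88); authentication will fail" }
elseif (-not ($kdcs | Where-Object SameSite)) { Write-Warning "No reachable DC in site '$site'; expect logon and GPO latency" }
foreach ($slow in ($results | Where-Object { $_.Reachable -and $_.LatencyMs -gt $MaxLatencyMs })) {
    Write-Warning "$($slow.DomainController) $($slow.Service) connect took $($slow.LatencyMs) ms"
}
```

Run it from each Azure subnet that hosts Cloud Connectors or VDAs; a warning about the host's site usually means AD Sites and Services has no subnet object for that Azure address range, so clients fall back to a remote DC.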

Should I establish a new Azure Active Directory (AAD)?

  • Microsoft recommends this model when you are using a cloud-only deployment or when you do not have an existing on-premises AD infrastructure

  • Citrix recommends this design when all your Citrix workloads are in Azure and using one of these services:
    • Citrix Virtual Apps and Desktops Service (Citrix DaaS)
    • Citrix Virtual Apps Service (CVAS)
    • Citrix Virtual Desktops Service (CVDS)
  • Plan to use Azure AD Connect to synchronize Azure AD with Azure AD DS and enable password hash synchronization

  • If using smart cards, Kerberos must be enabled for Azure AD DS

  • Using Windows 10 under a Hybrid Use Benefit license requires computer accounts and user accounts to be in the same Azure Active Directory

  • Azure AD DS does not support schema extensions, one-way trusts or account-based constrained delegation for Kerberos

  • Azure AD DS does not support Domain or Enterprise Admin privileges

Should I use Azure AD as the Citrix Cloud Identity provider?

  • Citrix Cloud supports both Azure AD and AD DS for authentication

  • When using Azure AD as the Citrix Cloud Identity provider you maintain control of password policies and can easily disable accounts

  • Using Azure AD provides multifactor authentication (MFA) to increase the security posture for Citrix Cloud

  • When Azure AD is branded, Citrix Cloud has a branded sign-in page

  • Azure AD extends Citrix Cloud to support federated identity options such as Okta, Ping or ADFS

  • Requires Global Admin role for consent to allow Citrix Cloud to connect to Azure AD. If access to this role is not available, consider using other identity providers such as on-premises AD or the default Citrix identity provider.

Should I enable Multifactor Authentication (MFA) on the Azure Active Directory Accounts?

  • Multifactor authentication is always recommended for any resource that is accessed over the internet. Multifactor authentication decreases the available attack vectors and increases the security posture of the system.

  • Azure AD makes enabling MFA simple and integrates easily with the Citrix Cloud identity provider

  • If not using Azure AD for MFA, consider other identity providers such as Okta to provide this additional security
