- Configuring App Controller for the First Time
- Adding Active Directory Domains to App Controller
App Controller uses Active Directory groups and users. You configure Active Directory in two ways:
With Active Directory, you can:
App Controller synchronizes with Active Directory after you first configure Active Directory in App Controller and whenever you synchronize manually. The length of time synchronization takes depends on the size of Active Directory. If you have a large number of users and groups, this process can take a few hours. During this time, you cannot configure any other settings in Active Directory. If you enter a group DN when you first configure Active Directory, the synchronization occurs more quickly. For example, you enter cn=Users,dc=servername,dc=net, where cn=Users is the group base DN and servername is the name of the Active Directory server. When the initial synchronization is finished, App Controller logs off from the management console and returns to the management console logon page.
After you configure one Active Directory domain by using the Configure wizard, you can add more Active Directory domains on the tab in the App Controller management console.
When you configure Active Directory domains, you provide the server information including:
You can configure Active Directory domains in the following ways:
The service account you specify for each domain must be able to access that domain's base DN. App Controller does not maintain any internal relationship between managed domains. You can manage multiple Active Directory domains as separate instances. When you configure multiple Active Directory domains, Citrix recommends that you use the User Principal Name (UPN) so you can include the domain name.
If you configure multiple domains, keep the following in mind:
If StoreFront is used as the authentication server, the domain information must be included in the token validation response from StoreFront. You can use sAMAccount (domain\user name) or UPN (user@domain) for user logon.
You can modify and delete Active Directory domains in App Controller. App Controller retrieves users and groups when you add each domain. If you modify a domain and change the user or group base DN, App Controller synchronizes with Active Directory.
You can delete one domain at a time and you cannot delete the default domain. When you delete a domain, App Controller marks all of the users in the domain as terminated users. These users lose access to role-based apps. App Controller also deletes pending workflows and provisioning requests. User accounts reconciled to terminated users are processed according to the app configuration (ignore, disable, or delete).
You can add multiple Active Directory domains to App Controller. After you add a domain, click the Sync icon to retrieve users and groups from the Active Directory domain.
A warning appears if the base DN is a top-level domain.
To remove the warning message, configure a subdomain as part of the base DN. For example, enter cn=Users,dc=mycompany,dc=net.
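The following added example (not Citrix code) is a pre-flight check you can run on a base DN before entering it in the management console. It assumes that the warning described above corresponds to a base DN made up only of dc= components, which would also synchronize the whole directory; the function names are hypothetical.

```python
def split_rdns(dn):
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escaped pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def check_base_dn(dn):
    """Return (verdict, domain): 'scoped', 'unscoped' or 'malformed'."""
    rdns = split_rdns(dn)
    if not rdns or any("=" not in r or not r.split("=", 1)[1].strip() for r in rdns):
        return ("malformed", None)
    types = [r.split("=", 1)[0].strip().lower() for r in rdns]
    # Count the dc= components that close the DN (the domain part).
    n_dc = 0
    while n_dc < len(types) and types[-1 - n_dc] == "dc":
        n_dc += 1
    # A usable base DN ends in dc= components and has none earlier.
    if n_dc == 0 or "dc" in types[:len(types) - n_dc]:
        return ("malformed", None)
    domain = ".".join(r.split("=", 1)[1].strip().lower() for r in rdns[-n_dc:])
    # Assumption: only dc= components means the domain root, which is the
    # case taken here to trigger the warning and the longest synchronization.
    return ("unscoped" if n_dc == len(types) else "scoped", domain)


if __name__ == "__main__":
    # Constructed sample input; the first DN is the example from this page.
    for dn in ("cn=Users,dc=mycompany,dc=net",
               "dc=mycompany,dc=net",
               "ou=Sales\\, EMEA,dc=mycompany,dc=net",
               "Users,dc=mycompany"):
        print(f"{dn!r:45} -> {check_base_dn(dn)}")
```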
App Controller supports the following three types of Active Directory synchronization: