Design Decision: User Authentication Considerations

Active Directory Domain Services (AD DS): This service is the traditional on-premises Active Directory infrastructure that supports GPOs, Kerberos authentication, and domain joins. A new AD DS can be created and hosted on virtual machines in the cloud. Alternatively, an existing AD DS infrastructure can become a hybrid model with some controllers in Azure and some on-premises. In both deployment scenarios, the AD DS domain can be synchronized to Azure Active Directory (AAD) using Azure AD Connect.

Azure Active Directory (Azure AD): This service is Azure’s authentication cloud-based identity and mobile device management service that provides user authentication. Azure AD does not support device authentication, domain joins or group policy objects (GPOs). However, Azure AD can be paired with Azure Active Director Domain Services (AAD DS) to provide the minimum level of support needed for Citrix in Azure.

Azure Active Directory Domain Services (Azure AD DS): This service is a managed domain service hosted in the cloud. This service supports GPOs, Kerberos authentication, and domain joins. The difference between Azure AD DS and AD DS is that the AD domain controllers are managed by Microsoft rather than you. Azure AD DS integrates directly with Azure AD and is a great option for cloud-based Citrix deployments.

Here are the questions that you need to answer regarding Active Directory infrastructure:

Should I continue to use only my on-premises Active Directory infrastructure?

Easy to deploy by just installing Cloud Connectors and joining them to the on-premises domain
Citrix Cloud can be configured to use only the on-premises AD Domain
Using or synchronizing to Azure AD is not required, leaving Azure AD to be solely used as identity management for Azure administration
To prevent latency introduced by domain authentication, Citrix recommends placing domain controllers near the Citrix Virtual Delivery Agent (VDA) hosts and the Cloud Connectors
Approval from information security (infosec) may be required to place domain controllers in Azure
Not recommended for deployments that use Microsoft 365 and that have users logging into Azure AD for that service

Should I extend on-premises Active Directory using Hybrid Mode with Azure AD Connect?

Microsoft recommends this design when you have an existing on-premises AD infrastructure and need either of these features:
- schema extensions
- account-based Kerberos constrained delegation
At least one Active Directory domain controller should always be available for the Cloud Connectors and VDAs. This design prevents any authentication bottlenecks or latency during the group policy processing, domain joins, and authentication events
Citrix recommends this model when you have Citrix workloads that are still on-premises
Citrix recommends this model if Citrix Cloud services such as Endpoint Management will be used
Place at least two domain controllers in Azure and use Azure AD Connect to synchronize AAD with AD DS over ExpressRoute or VPN
Using Windows 10 under a Hybrid Use Benefit license requires computer accounts and user accounts be in the same Azure Active Directory
Approval from information security (infosec) may be required to place domain controllers in Azure
If using smart cards, Kerberos must be enabled on a domain controller

Should I establish a new Azure Active Directory(AAD)?

Microsoft recommends this model when you are using a cloud-only deployment or when you do not have an existing on-premises AD infrastructure
Citrix recommends this design when all your Citrix workloads are in Azure and using one of these services:
- Citrix DaaS
Plan to use Azure AD Connect to synchronize Azure AD with Azure AD DS and enable password hash synchronization
If using smart cards, Kerberos must be enabled for Azure AD DS
Using Windows 10 under a Hybrid Use Benefit license requires computer accounts and user accounts be in the same Azure Active Directory
Azure AD DS does not support schema extensions, one-way trusts or account-based constrained delegation for Kerberos
Azure AD DS does not support Domain or Enterprise Admin privileges

Should I use Azure AD as the Citrix Cloud Identity provider?

Citrix Cloud supports both Azure AD and AD DS for authentication
When using Azure AD as the Citrix Cloud Identity provider you maintain control of password policies and can easily disable accounts
Using Azure AD provides multifactor authentication (MFA) to increase the security posture for Citrix Cloud
When Azure AD is branded, Citrix Cloud has a branded sign-in page
Azure AD extends Citrix Cloud to support federated identity options such as Okta, Ping, or ADFS
Requires Global Admin role for consent to allow Citrix Cloud to connect to Azure AD. If access to this role is not available, consider using other identity providers such as on-premises AD or the default Citrix identity provider.

Should I enable Multifactor Authentication (MFA) on the Azure Active Directory Accounts?

Multifactor authentication is always recommended for any resource that is accessed over the internet. Multifactor authentication decreases the available attack vectors and increases the security posture of the system.
Azure AD makes enabling MFA simple and integrates easily with the Citrix Cloud identity provider
If not using Azure AD for MFA, consider other identity providers such as Okta to provide this additional security