Planning for Accounts and Trust Relationships

Oct 09, 2015

Consider how users will access resources. When multiple servers host the same published application, a user can be connected to any of those servers when launching the resource. If the user does not have permissions on every one of those servers, the launch can fail depending on which server is chosen. To avoid this, you might need to establish trust relationships between the domains that contain the users and the domains that contain the servers.

Also, in a farm with multiple, untrusted domains, when servers are load balanced, users can be routed to a server in a domain in which they do not have access permissions. To ensure your users are routed only to servers in domains in which they have access permissions:

  • Publish copies of an application in each domain, and allow users access only to the copy of the application in the domain in which they have access permissions.
  • Create a Worker Group Preference and Failover policy that routes users to servers in domains in which the users have access permissions.

System Account Considerations

Consider the following when deciding how to configure your Citrix administrator accounts:
  • One full authority administrator account must always exist for the server farm. Citrix XenApp prevents you from deleting the last full authority administrator account. However, if no administrator accounts exist in the farm data store database, a local administrator account can log on to the Delivery Services Console to set up Citrix administrator accounts.
  • To create effective Citrix administrator accounts, ensure that all users you are going to add as Citrix administrators are Domain Users for the domain in which your farm resides. Users who are Citrix administrators who take server snapshots must also be authorized Windows Management Instrumentation (WMI) users on each server for which they are taking snapshots.

Including Servers from Other Domains

XenApp supports trust-based routing; servers in domains that do not trust each other can be members of the same farm.

When a server needs to perform one of the following operations on an untrusted domain, the server determines from the data store which servers can perform the operation and routes the request to the most accessible server:
  • Authenticating a Citrix administrator
  • Refreshing the display or launching an application in Web Interface
  • Enumerating users and groups
  • Resolving users or groups when adding users to a published application, building printer auto-creation lists, or defining new Citrix administrators

Requests to enumerate applications are routed to a server that has the required domain trust relationship if the originating server does not.

Substituting Domain Accounts for User Accounts

By default, XenApp creates local accounts to run the following XenApp services:

XenApp Service                                        Default Local User Account
CPU Utilization Mgmt/CPU Rebalancer                   ctx_cpuuser
Configuration Manager for the Web Interface Service   Ctx_ConfigMgr

Citrix strongly recommends that if you want to change local accounts to domain accounts, you do so before installing XenApp. Changing service accounts after installation is not supported.

Install XenApp as a domain administrator to ensure the accounts are created correctly. If you are changing the accounts for services and your farm has servers in multiple domains, the domains must have trust relationships with each other.
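Before deciding whether a farm still depends on the default local service accounts, it helps to see which account each service actually runs under on every server. The following PowerShell audit is an added example, not a Citrix script: it queries each server over WMI, matches service logon accounts against the two default local account names from the table above, and reports whether each match is a local or a domain account. The server names are placeholders.

```powershell
# Added audit example (not Citrix's own code). Requires WMI access to each farm server.
$servers = @('XENAPP01', 'XENAPP02')              # placeholder farm server names
# Default local accounts XenApp creates for its services (from the table above)
$defaultLocal = @('ctx_cpuuser', 'Ctx_ConfigMgr')

foreach ($srv in $servers) {
    $services = Get-WmiObject -Class Win32_Service -ComputerName $srv
    foreach ($svc in $services) {
        $acct = $svc.StartName
        if (-not $acct) { continue }
        # StartName looks like 'DOMAIN\user', '.\user', 'SERVER\user' or a built-in such as 'LocalSystem'
        $user = ($acct -split '\\')[-1]
        if ($defaultLocal -contains $user) {          # case-insensitive match
            $scope = if ($acct -like '.\*' -or $acct -like "$srv\*") { 'local' } else { 'domain' }
            [pscustomobject]@{
                Server  = $srv
                Service = $svc.Name
                Account = $acct
                Scope   = $scope
            }
        }
    }
}
```

Any row reporting Scope = local on a farm that was meant to use domain accounts indicates a server that was installed without the substitution, which per the note above cannot be corrected after installation without reinstalling.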