wondering what the best way to provide user identity with Active directory is in Horizon Cloud Service.
i was thinking that utilizing my existing on premise Active Directory , across a VPN might be best, but can you offer any guidance?
thanks, sophia
Hi Sophia,
Good question - and actually this was a topic I have been giving a lot of thought to myself! I've written a white paper which should be published in the next few days which covers this in a lot more detail than I can do on a community forum. So, I do recommend reading the paper when it's released.
As a summary though, the white paper presents 6 different ways that can be used to connect AD to Horizon Cloud Service on Microsoft Azure;
there are definite pros and cons of each, but all are valid and supported configurations; some are easier and quicker to set up; some require less ongoing management, and some provide access back to on-premises environments so end users can access on-premises systems and data. So it really comes down to understanding your organization's requirements.
Can you share with me whether you have a VPN link already established, and whether your organization is using Azure Active Directory already (eg as part of Office365 integration for identity?)
I will definitely post back with information on the white paper when it is published,
cheers
peterb
thanks peter.
actually, we already have a VPN connection via ExpressRoute to Azure, so we would be looking to leverage that for user data/on-prem systems.
We do also use Office 365 and have our identity synced to that using AD Connect already, but I didn't think that Horizon Cloud Service could use Azure Active Directory.... let me know if that's not accurate!
thanks!
sophia
Hi Sophie
cool, thanks for the info.
So; you are in part right. Horizon Cloud Service on Microsoft Azure does not natively support Azure Active Directory (AAD), i.e., it cannot directly use AAD for everything that Horizon Cloud Service needs. Specifically, when creating Farms for desktops/apps we need to register machines in a domain.
AAD provides an identity only. Also, our servers and agents talk LDAP rather than the REST API that AAD requires.
HOWEVER, (and my white paper covers this in more detail), you can if appropriate make use of Azure Active Directory Domain Services (AAD-DS).
This is something that acts as a managed AD service and runs in Azure (Microsoft take care of operating it, including patching etc.), and it syncs its identity from AAD. There are some things to take note of here though: you must have password hashing enabled in a specific way; if not, you will need all users to reset their passwords for the hashes to be regenerated for use with AAD-DS. Also, AAD-DS provides a flat hierarchy, and I do not believe it replicates any OU structure from on-premises, i.e. Azure then becomes like an island domain. This isn't specific to Horizon Cloud Service, and I'm by no means an expert on all the options available here. But, certainly connecting
What I would recommend you investigate is configuring like this:
https://docs.microsoft.com/azure/active-directory-domain-services/active-directory-ds-overview is a really good overview to the AAD-DS feature of Azure.
as mentioned though, this isn't the only way for AD to be connected into the system. Hosting it locally, or connecting to on prem via VPN are viable options too.
I will share the white paper link when it is published later this week,
hope this helps,
cheers
peterb
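As an added illustration (not part of Peter's reply or of the white paper), the PowerShell below checks the prerequisites his post touches on before a Horizon Cloud Service tenant is pointed at a domain: that domain controllers can be located by DNS, that LDAP/LDAPS are reachable across the VPN or ExpressRoute path, and, on the AD Connect server, that password hash synchronization is enabled so AAD-DS can authenticate users without a password reset. The domain name and the AD Connect connector name are placeholders to replace with your own; the script reports findings and changes nothing.

```powershell
# Added example: verify the AD prerequisites discussed in the thread above.
# Not from the forum thread or the white paper. Placeholder values below.
$Domain    = 'corp.example.com'   # placeholder: domain the Horizon Farm machines will join
$Connector = 'corp.example.com'   # placeholder: AD Connect on-premises connector name

# 1. Locate domain controllers through the SRV records a domain join relies on.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique
"Domain controllers found for ${Domain}: $($dcs -join ', ')"

# 2. Check LDAP (389) and LDAPS (636) reachability from this network segment,
#    since the Horizon servers and agents talk LDAP rather than the AAD REST API.
foreach ($dc in $dcs) {
    foreach ($port in 389, 636) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1} {2}' -f $dc, $port, $(if ($ok) { 'reachable' } else { 'BLOCKED - check VPN/ExpressRoute and NSG rules' })
    }
}

# 3. On the AD Connect server only: confirm password hash sync is enabled.
#    AAD-DS needs the synced hashes; without them users must reset passwords.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $Connector
    if ($phs.Enabled) {
        'Password hash sync: enabled'
    } else {
        'Password hash sync: DISABLED - AAD-DS cannot authenticate users until hashes are synced'
    }
} else {
    'ADSync module not present; run section 3 on the AD Connect server'
}
```

Run sections 1 and 2 from a machine on the Azure virtual network where the Horizon pod will live, since reachability from on-premises says nothing about the path the pod will actually use; section 3 belongs on the AD Connect server. The OU-structure caveat in the reply has no scripted check here: it is a design decision about whether a flat AAD-DS domain is acceptable for your desktop and app machines.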
wow, that's super helpful!
i look forward to the white paper. please share the link when you have it.
for now, i have some reading of my own to do!
thanks!
hi sophia
finally the white paper has been published; Networking and Active Directory Considerations on Microsoft Azure for use with VMWare Horizon Cloud ...
hope this helps!
cheers
peterb
thanks - this looks helpful. i will read it tomorrow; looks like i need a big cup of coffee for this one!
thanks again