- Introduction
- Identity management – “hybrid” or “born in the cloud”
- Implementing Active Directory with Azure Active Directory
- In cloud user accounts
- In Cloud with one Azure Active Directory
- In Cloud with more than one Azure Active Directory
- Synced with Active Directory user accounts
- Hybrid with one Azure Active Directory
- Hybrid with more than one Azure Active Directory
- Tips for success
- Additional learning
Introduction
Citrix XenApp and XenDesktop have traditionally used Windows Server Active Directory domains to manage end user access and administrator roles. With the move to the cloud, the use of an Active Directory domain continues to remain a requirement.
When using Azure as a Resource Location, Azure Active Directory also has a role to play:
-
Azure Active Directory must always be configured as the holder of an application service account for the Citrix service. This account is used by Citrix Cloud or Studio to perform machine lifecycle events within the Azure Tenant.
-
Azure Active Directory can be used as a more general repository of accounts for administrators and users. Depending on the configuration and type of service, using Azure Active Directory for this role may be optional.
The remainder of this document is focused on the various Azure Active Directory configurations that customers are likely to have, how each of those configurations can be used as repositories of accounts, and the recommended way to associate a Windows Server Active Directory domain controller to manage your Citrix XenApp and XenDesktop environment.
Note: Customers using Windows 10 CBB under a Hybrid Use Benefit license are required to associate an Azure Active Directory instance with their deployment. For other service scenarios, use of Azure Active Directory as a repository is optional and will depend on the customer’s choice of architecture.
Identity management – “hybrid” or “born in the cloud”
Companies that were “born in the cloud” most likely began with an Azure Active Directory linked to some service. This is often the Azure Active Directory associated with an Office 365 Tenant.
Companies that were born in a datacenter typically adopt a hybrid model with some assets in Azure and others remaining in the datacenter. These customers often add Azure Active Directory to an existing Windows Server Active Directory to support authentication with some external service.
The key difference between the two origins is whether there was an existing Windows Server Active Directory that needs to be synchronized with Azure Active Directory (aka ‘Synced with Active Directory’), or if the user accounts are only in Azure Active Directory (aka ‘In cloud’).
Citrix machines (XenApp and XenDesktop workers and supporting infrastructure machines) have a requirement to be joined to an Active Directory domain. This is required for domain computer accounts, new machine provisioning (creation of machine accounts), user association, and pass-through / Kerberos authentication to resources. It is because of these requirements that Azure Active Directory cannot be used alone.
When Azure Active Directory is used with the Windows 10 CBB under a Hybrid Use Benefit license computer accounts and user accounts must be in the same Azure Active Directory. Documentation related to this requirement and its configuration would be available soon.
Implementing Active Directory with Azure Active Directory
As mentioned earlier there are two Azure Active Directory origins for customers; they are born in the cloud or they are hybrid. And there are two Azure Active Directory to Azure Tenant associations; the Azure Active Directory is native to the Azure Tenant or it is not. These combinations impact the Active Directory options that a customer must consider.
-
Customers that only have ‘In cloud’ users can take advantage of Azure Active Directory Domain Services.
-
Hybrid customers with a VPN (such as ExpressRoute) should deploy replica Domain Controllers in Azure.
It was previously described that many customers will have multiple Azure Active Directories. The key take away that affects any implementation is that the Azure Active Directory used for the application service account, can be different from the Azure Active Directory where user accounts reside.
The important design point is that the Domain Services are linked to the Azure Active Directory where user accounts reside. This is important all the time, but critical using Windows 10 CBB under a Hybrid Use Benefit license.
The following sections describe the primary scenarios through the use of diagrams to give an understanding of the topology and the relationship of the accounts and Active Directory components.
In cloud user accounts
In this scenario, the user accounts are ‘In cloud’. Therefore, Azure Active Directory Domain Services can be used to provide the necessary Domain Controller services required.
Useful links:
Some possible models with Azure Active Directory are:
In Cloud with one Azure Active Directory
The customer has one Azure Active Directory domain, which is also the same Azure Active Directory associated with the customer Azure Tenant.
Figure 1- In Cloud customer with a single Azure AD
In Cloud with more than one Azure Active Directory
The customer could also have two (or more) Azure Active Directories. In the example below, the customer’s user accounts are being synchronized with an Azure Active Directory associated with an Office365 subscription. And the Azure Tenant account has its default Azure Active Directory which is separate.
Azure Role Based Access Control is used to grant access to user accounts from the Office365 Azure AD to the Azure Tenant, however the application service account used by Citrix must be an account native to the Azure Tenant.
Figure 2- in cloud customer with a separate user Azure AD
Synced with Active Directory user accounts
In this scenario, the user accounts are ‘Synced with Active Directory’. Therefore Domain Controller IaaS VMs need to be deployed into the Azure subscription. These can be a replica domain controller if this is a hybrid deployment.
Useful links:
As with the ‘In cloud’ options above, similar topologies exist for customers that have a hybrid networking scenario. In the hybrid scenarios, there is some resource or application that must be accessed from a remote datacenter through a VPN, and Windows pass-through / Kerberos authentication is used by that resource or application.
Hybrid with one Azure Active Directory
Figure 3- Hybrid network with a single Azure AD
Hybrid with more than one Azure Active Directory
Figure 4- Hybrid network with a separate user Azure AD
Tips for success:
The application service account must be created in the Azure Active Directory instance associated with the Azure Tenant where Citrix resources will be deployed.
When creating the application service account from the Citrix Cloud portal or Studio using the “Create New” option, the Azure user account used to create the application service account must be a member of the Azure Tenant Azure Active Directory.
Guest identities such as a Microsoft ID or invited from another Azure Active Directory cannot be used. Enable the “user type” column to discover this in the Azure Active Directory portal.
See Citrix documentation; Microsoft Azure Resource Manager for additional details.
When using the “Use existing” option in the Citrix Cloud portal or Studio delegated users can manually create the application service account through the Azure Portal.Refer to Manually Granting Citrix Cloud Access to Your Azure Subscription for more information.
Additional learning:
-
Administer your (Azure) directory: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-administer
-
Multiple directories: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-directory-independence
-
O365 directories: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-manage-o365-subscription
