VMware Horizon Community
SophiaBonham, Contributor

What's the best way to provide Active Directory in the environment?

Wondering what the best way to provide user identity with Active Directory is in Horizon Cloud Service.

I was thinking that utilizing my existing on-premises Active Directory, across a VPN, might be best, but can you offer any guidance?

Thanks, Sophia

6 Replies
peterbrown05, VMware Employee

Hi Sophia,

Good question, and actually this was a topic I have been giving a lot of thought to myself! I've written a white paper which should be published in the next few days which covers this in a lot more detail than I can do on a community forum. So, I do recommend reading the paper when it's released.

As a summary though, the white paper presents 6 different ways that can be used to connect AD to Horizon Cloud Service on Microsoft Azure:

  1. Site to Site link, utilizing on-premises AD only
  2. No Site to Site link, AD on Azure provisioned virtual machine
  3. Active Directory Replica Controllers on Azure provisioned virtual machine (Identity synchronized from on-premises)
  4. No Site to Site link, using Azure Active Directory only sync to Active Directory Domain Services.
  5. No Site to Site link, on-premises sync of AD to Azure Active Directory via Active Directory Connect
  6. Site to Site link, on-premises sync to Azure AD via AD Connect

There are definite pros and cons of each, but all are valid and supported configurations; some are easier and quicker to set up, some require less ongoing management, and some provide access back to on-premises environments so end users can access on-premises systems and data. So it really comes down to understanding your organization's requirements.

Can you share with me whether you have a VPN link already established, and whether your organization is using Azure Active Directory already (e.g. as part of Office365 integration for identity)?

I will definitely post back with information on the white paper when it is published.

Cheers,

peterb

SophiaBonham, Contributor

Thanks Peter.

Actually, we already have a VPN connection via ExpressRoute to Azure, so we would be looking to leverage that for user data/on-prem systems.

We do also use Office365 and have our identity synced to that using AD Connect already, but I didn't think that Horizon Cloud Service could use Azure Active Directory... let me know if that's not accurate!

Thanks!

Sophia

peterbrown05, VMware Employee

Hi Sophia,

Cool, thanks for the info.

So, you are in part right. Horizon Cloud Service on Microsoft Azure does not natively support Azure Active Directory (AAD), i.e. it cannot directly use AAD for everything that Horizon Cloud Service needs. Specifically, when creating Farms for desktops/apps we need to register machines in a domain.

AAD provides an identity only. Also, our servers and agents talk LDAP rather than the REST API that AAD requires.

HOWEVER (and my white paper covers this in more detail), you can, if appropriate, make use of Azure Active Directory Domain Services (AAD-DS).

This is something that acts as a managed AD service and runs in Azure (Microsoft take care of operating it, including patching etc.), and it syncs its identity from AAD. There are some things to take note of here though: you must have password hashing enabled in a specific way; if not, you will need all users to reset their passwords for the hashes to be regenerated for use with AAD-DS. Also, AAD-DS provides a flat hierarchy, and I do not believe it replicates any OU structure from on-premises, i.e. Azure then becomes like an island domain. This isn't specific to Horizon Cloud Service, and I'm by no means an expert on all the options available here. But, certainly connecting

What I would recommend you investigate is configuring like this:

  • Install AAD Connect on-premises; this will replicate your user identities to AAD (without the dependency on the VPN)
  • Use AAD to provide common cloud identity
  • Make use of AAD-DS to replicate that identity and allow that to be used by Horizon Cloud Service on Azure
  • Make use of the VPN only for end user connections back to base, for data and/or any on-premises hosted services/backends

https://docs.microsoft.com/azure/active-directory-domain-services/active-directory-ds-overview is a really good overview of the AAD-DS feature of Azure.

As mentioned though, this isn't the only way for AD to be connected into the system. Hosting it locally, or connecting to on-prem via VPN, are viable options too.

I will share the white paper link when it is published later this week.

Hope this helps,

Cheers,

peterb
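
Peter's caveat that password hashing must be "enabled in a specific way" refers to Azure AD Connect having to push the legacy (NTLM and Kerberos) password hashes that AAD-DS authenticates against. The following PowerShell is an added example, not from this thread, VMware or the white paper: run on the Azure AD Connect server, it checks that password hash synchronization is on and then forces a one-off full password sync so existing on-premises users do not have to reset their passwords. It follows the steps Microsoft documents for enabling password hash sync to AAD-DS; the two connector names are placeholders (they are case-sensitive and must match what Synchronization Service Manager shows), and the `PasswordHashSync` property name is assumed from the `Get-ADSyncAADCompanyFeature` output.

```powershell
# Added example (not from the thread): verify password hash sync and force a full
# password sync so AAD-DS gets legacy hashes for already-synced on-premises users.
# Run in an elevated PowerShell session on the Azure AD Connect server.

# Placeholders: replace with your own case-sensitive connector names.
$adConnector      = "contoso.local"                  # on-premises AD connector (placeholder)
$azureadConnector = "contoso.onmicrosoft.com - AAD"  # Azure AD connector (placeholder)

Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"

# 1. Password hash sync must already be enabled; without it AAD-DS has no hashes
#    to work from and every user would have to reset their password.
$features = Get-ADSyncAADCompanyFeature
if (-not $features.PasswordHashSync) {    # property name assumed from cmdlet output
    throw "Password hash synchronization is not enabled in Azure AD Connect; enable it first."
}

# 2. Flag the on-premises connector for a full password sync on its next run
#    (the ForceFullPasswordSync global parameter is what Azure AD Connect honours).
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name) | Out-Null
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# 3. Toggle password sync off and on for the connector pair; the re-enable
#    triggers the full sync of all password hashes to Azure AD (and so to AAD-DS).
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector `
    -TargetConnector $azureadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector `
    -TargetConnector $azureadConnector -Enable $true

Write-Host "Full password sync requested; check the Synchronization Service Manager export run for errors."
```

Cloud-only AAD accounts never pass through Azure AD Connect, so for those the thread's advice stands: they must change or reset their password before AAD-DS can authenticate them.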

SophiaBonham, Contributor

Wow, that's super helpful!

I look forward to the white paper. Please share the link when you have it.

For now, I have some reading of my own to do!

Thanks!

peterbrown05, VMware Employee

Hi Sophia,

Finally, the white paper has been published: Networking and Active Directory Considerations on Microsoft Azure for use with VMware Horizon Cloud ...

Hope this helps!

Cheers,

peterb

SophiaBonham, Contributor

Thanks, this looks helpful. I will read it tomorrow; looks like I need a big cup of coffee for this one!

Thanks again
