How to configure multi-forest user access to published resources in Citrix Cloud
Users and resources in separate forests (with trust) with a single set of Cloud Connectors
In this scenario, one forest (forest1.local) contains your resource domain and one forest (forest2.local) contains your user domain. A trust exists between these forests that allows users to log on to resources. One set of Cloud Connectors is deployed in a single resource location and joined to the forest1.local domain.
• Trust relationship: Forest trust
• Domains listed in Identity and Access Management: forest1.local
• User logons to Citrix Workspace: Supported for forest1.local users only
• User logons to an on-premises StoreFront: Supported for all users
Note: The trust relationship between the two forests must permit users in the user forest to log on to machines in the resource forest.
Because Cloud Connectors can’t traverse forest-level trusts, the forest2.local domain is not displayed on the Identity and Access Management page in the Citrix Cloud console.
This carries the following limitations:
• Resources can only be published to users and groups located in forest1.local in Citrix Cloud. However, forest2.local users may be nested into forest1.local security groups to mitigate this issue.
• Citrix Workspace cannot authenticate users from the forest2.local domain.
To work around these limitations, deploy the Cloud Connectors as described in Users and resources in separate forests (with trust) with a set of Cloud Connectors in each forest.
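The nesting mitigation above depends on the trust direction, the trust's authentication setting, and the scope of the forest1.local group. The following PowerShell is an added example, not taken from Citrix documentation, that checks all three before nesting a user. It assumes the RSAT ActiveDirectory module and an account with rights in both forests; the group name CTX-Published-Apps and the user jdoe are hypothetical.

```powershell
# Added example: pre-checks before nesting a forest2.local user into a
# forest1.local security group (single set of Cloud Connectors scenario).
Import-Module ActiveDirectory

$ResourceForest = 'forest1.local'
$UserForest     = 'forest2.local'
$GroupName      = 'CTX-Published-Apps'   # hypothetical forest1.local group
$UserName       = 'jdoe'                 # hypothetical forest2.local user

# 1. forest1.local must trust forest2.local (Outbound or BiDirectional as
#    seen from forest1.local) so that forest2.local users can log on there.
$trust = Get-ADTrust -Filter "Target -eq '$UserForest'" -Server $ResourceForest
if (-not $trust) { throw "No trust to $UserForest found in $ResourceForest." }
if ($trust.Direction -notin 'Outbound', 'BiDirectional') {
    throw "Trust direction is $($trust.Direction); $UserForest users cannot log on."
}
if (-not $trust.ForestTransitive) {
    Write-Warning 'Trust is not a forest trust; the scenario expects one.'
}
if ($trust.SelectiveAuthentication) {
    # With selective authentication, logon works only on machines where the
    # user holds the "Allowed to authenticate" permission.
    Write-Warning 'Selective authentication is enabled; grant "Allowed to authenticate" on the VDA computer objects.'
}

# 2. Only domain local groups can hold members from another forest.
$group = Get-ADGroup -Identity $GroupName -Server $ResourceForest
if ($group.GroupScope -ne 'DomainLocal') {
    throw "$GroupName has scope $($group.GroupScope); use a domain local group."
}

# 3. Resolve the user in its own forest, then add it on the resource side.
$user = Get-ADUser -Identity $UserName -Server $UserForest
Add-ADGroupMember -Identity $group -Members $user -Server $ResourceForest

# 4. Confirm the membership. Cross-forest members are stored as foreign
#    security principals whose distinguished name starts with the user's SID.
$members = (Get-ADGroup -Identity $group -Properties member -Server $ResourceForest).member
if ($members -match [regex]::Escape("CN=$($user.SID.Value),CN=ForeignSecurityPrincipals")) {
    Write-Output "$UserForest\$UserName is now a member of $GroupName."
} else {
    Write-Warning 'Membership was not found; check replication and permissions.'
}
```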
Users and resources in separate forests (with trust) with a set of Cloud Connectors in each forest
In this scenario, one forest (forest1.local) contains your resource domain and one forest (forest2.local) contains your user domain. A trust exists between these forests that allows users to log on to resources. One set of Cloud Connectors is deployed within the forest1.local domain and a second set is deployed within the forest2.local domain.
• Trust relationship: Forest trust
• Domains listed in Identity and Access Management: forest1.local, forest2.local
• User logons to Citrix Workspace: Supported for all users
• User logons to an on-premises StoreFront: Supported for all users
Cloud Connectors cannot traverse forest-level trusts. If the security group belongs to forest1.local and the user belongs to forest2.local, enumeration will not work.