Resources are not enumerated for users in trusted domain when assigned by security group
Article ID: CTX463551
Description
Two domains that are both sub-domains of the same root.
- prod.contoso.com
- extranet.contoso.com
Cloud connectors are in prod.contoso.com only.
There is a two-way trust between the two domains, prod.contoso.com and extranet.contoso.com.
Applications are assigned by adding extranet.contoso.com universal security groups to security groups in prod.contoso.com. See illustration.

Alternatively, the following is also a non-working configuration:

Problem: Users in extranet.contoso.com do not get their applications enumerated.
Inspecting the Get-BrokerUser results for extranet.contoso.com shows that users and groups from that domain were either missing or had SIDs that did not match the ones held in Active Directory.
Configuration notes:
Identity provider is Onprem Citrix Gateway
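The inspection described above can be scripted. The following PowerShell is an added example, not part of the CTX article and not Citrix-supplied code. It assumes a connected Citrix PowerShell SDK session, that Get-BrokerUser objects expose the Name ("DOMAIN\account") and SID properties, and that the NetBIOS name of extranet.contoso.com is EXTRANET (all assumptions). It resolves each extranet account through the trust with the standard .NET NTAccount translation and flags entries whose broker-side SID is missing from, or differs from, the one the domain returns.

```powershell
# Added example (not from the CTX article): compare the SIDs the broker holds for
# extranet.contoso.com users/groups against what the domain resolves them to now.
# Assumes: connected Citrix SDK session; Get-BrokerUser exposes Name and SID;
# EXTRANET is the NetBIOS name of extranet.contoso.com (assumed value).
$domainPrefix = 'EXTRANET\'

$report = foreach ($bu in Get-BrokerUser | Where-Object { $_.Name -like "$domainPrefix*" }) {
    try {
        # Resolve DOMAIN\account across the trust to the SID Active Directory holds today
        $account = New-Object System.Security.Principal.NTAccount($bu.Name)
        $adSid   = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $status  = if ($adSid -eq $bu.SID) { 'OK' } else { 'MISMATCH' }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Account no longer exists, or the trust cannot be resolved from this host
        $adSid  = $null
        $status = 'NOT FOUND'
    }
    [pscustomobject]@{
        Name      = $bu.Name
        BrokerSid = $bu.SID
        ADSid     = $adSid
        Status    = $status
    }
}

# Only the problem rows: these are the accounts whose resources will not enumerate
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Run it from a host in prod.contoso.com that can reach the trust, since that is the position the cloud connectors are in; a NOT FOUND row from there but a successful lookup from a host in extranet.contoso.com points at trust resolution rather than a stale account.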
Resolution
Recommended solution: Configure Azure AD Authentication
The workaround has two parts:
- First, add a resource location and cloud connectors for extranet.contoso.com.
- Second, create security groups in extranet.contoso.com and assign resources directly to the security groups from each domain. See configuration.

Another possible solution is to create a resource location for "contoso.com", the root domain.
Problem Cause
Without Azure AD Authentication, the cloud connector in prod.contoso.com has no way to enumerate the members of a security group that lives in extranet.contoso.com, so users reached only through such nested groups are never resolved.