Horizon VIEW One Way Trust Step by Step
Horizon One-Way Trust Setup Procedure
Initially there are two separate domains, CX.lab and VMware.lab, with no trust between them. A Horizon environment is set up in the CX.lab domain, and CX.lab domain users can connect to remote hosted applications. The objective of this work is to enable VMware.lab domain users to use the Horizon environment in CX.lab.
In this original state, I set up a Horizon 6.2 environment, which is the first version in which we support one-way trust among domains. Originally, only CX.lab users can be found and entitled from the Horizon View Connection Server.
And of course, only users from the CX domain can log in to the Horizon View Client
And use the applications available and entitled from Horizon View
To let VMware.lab users use the Virtual Desktops or Hosted Applications provisioned by Horizon in CX.lab, we have to set up a one-way trust from CX.lab to VMware.lab.
Do this DNS Configuration from the CX.lab Domain Controller
First, configure DNS zone transfers so that CX.lab can resolve the Domain.lab environment; we need to do the same in the opposite direction a bit later. I added the DC from the VMware.lab domain under Zone Transfers to allow the zone transfer. Don't worry if you see a red cross: it is expected while no permission has been granted yet.
Create a New Zone from the CX.lab
Click Next to proceed with the setup of the New Zone
Choose a Secondary Zone for VMware.lab
Of course, input VMware.lab
Input the DC of the VMware.lab
Confirm the setup
Do this DNS Configuration from the VMware.lab Domain Controller
Create a New Zone on VMware.lab to connect to the CX.lab DNS server in the opposite direction
Click Next to proceed with the Wizard
Choose a Secondary Zone for connecting to the CX.lab Domain
Type the CX.lab Domain to connect to
And provide a domain controller IP from CX.lab domain to connect to
Press Finish to confirm the setup
If the setup is done correctly, you can double-check the Zone Transfer status; it should be green now.
Do this AD Configuration from the CX.lab Domain Controller
Then we need to configure the AD trust to establish the one-way trust from CX.lab to VMware.lab
Open “Active Directory Domains and Trusts” and edit the domain trust from the properties of the domain object, which is CX.lab.
Click the “Trusts” tab
Click “New Trust” to establish a new trust
Press Next to proceed with the setup
Input VMware.lab, as you need CX.lab to trust VMware.lab
You can choose either “Forest Trust” or “External Trust”, depending on the security level you can accept. I use “External Trust” to make the security control stricter.
Choose “One-way: Outgoing”
Choose “Both this domain and the specified domain”
Provide the domain admin user credentials to establish the trust from CX.lab to VMware.lab
Select “Domain-wide Authentication”
Press Next to confirm the setup
STOP Right HERE
Do this AD Configuration from the VMware.lab Domain Controller
Go back to Active Directory Domains and Trusts, where you can see a new “incoming trust” on the “Trusts” tab. Click the item and select “Properties”.
Click the “Validate” button to confirm the One-way-trust request
Input the domain admin username and password to validate
You can see the following message when the validation is successful
Go back to the CX.lab Domain Controller to proceed with the setup
Confirm the trust
Press Finish to complete the setup
Press OK to confirm the message
As the end result, you can see the VMware.lab domain from the CX.lab domain
So we can now start entitling VMware.lab users in the CX.lab domain
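A way to check the result of the DNS and trust steps above from the CX.lab side, as an added example that is not part of the original walkthrough. It assumes an elevated PowerShell session on a CX.lab domain controller that also hosts DNS; the function name Test-OneWayTrust is made up for this example, and the SID filtering check goes beyond what the walkthrough configures.

```powershell
# Added example: run on a CX.lab domain controller that also hosts DNS.
# Needs the ActiveDirectory and DnsServer modules (RSAT).
Import-Module ActiveDirectory, DnsServer

function Test-OneWayTrust {
    param([Parameter(Mandatory)][string]$Target)   # trusted domain, e.g. VMware.lab

    $findings = @()

    # DNS: the secondary zone must exist and DC locator records must resolve.
    $zone = Get-DnsServerZone -Name $Target -ErrorAction SilentlyContinue
    if (-not $zone -or $zone.ZoneType -ne 'Secondary') {
        $findings += "No secondary DNS zone for $Target on this server"
    }
    if (-not (Resolve-DnsName "_ldap._tcp.$Target" -Type SRV -ErrorAction SilentlyContinue)) {
        $findings += "Cannot resolve domain controller SRV records for $Target"
    }

    # Trust object: must be outgoing only and external (not forest-transitive).
    $trust = Get-ADTrust -Filter "Target -eq '$Target'"
    if (-not $trust) {
        $findings += "No trust object for $Target"
    } else {
        if ($trust.Direction -ne 'Outbound') {
            $findings += "Direction is $($trust.Direction), expected Outbound"
        }
        if ($trust.ForestTransitive) {
            $findings += 'Trust is a forest trust, the walkthrough chose External'
        }
        if ($trust.SelectiveAuthentication) {
            $findings += 'Selective authentication is on, the walkthrough chose domain-wide'
        }
        if (-not $trust.SIDFilteringQuarantined) {
            $findings += 'SID filtering (quarantine) is disabled on this trust'
        }
    }

    # Secure channel from this DC to a DC in the trusted domain.
    nltest.exe "/sc_verify:$Target" | Out-Null
    if ($LASTEXITCODE -ne 0) { $findings += "Secure channel check to $Target failed" }

    [pscustomobject]@{ Target = $Target; Passed = ($findings.Count -eq 0); Findings = $findings }
}

Test-OneWayTrust -Target 'VMware.lab' | Format-List
```

An empty Findings list means the trust matches the choices made in the wizard: outgoing only, external, domain-wide authentication.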
Entitling VMware.lab user into Horizon View
After the one-way trust is set up, you need to configure the Horizon View Connection Server further through View PowerCLI
Use the following command to enable the one-way-trust credential in the Connection Server.
vdmadmin -T -domainauth -add -owner <View Admin> -user <Remote-Domain-Admin> -password <Remote-Domain-Admin Password>
Restart the Connection Server Services
On logging in to the View admin page again, you can see the second domain.
And you can now entitle applications to users in the VMware.lab domain.
You can log in to Horizon View with the VMware.lab domain
But you will see a warning, as the Hosted Application does not allow the VMware.lab domain to log in yet
This is why you have to add the VMware.lab domain users to the RDS hosts
Afterwards, you will be able to launch your app successfully