Microsoft Active Directory (AD) trusts enable one AD domain to be granted access to the resources (users, groups and computers) in another AD domain.
In itopia CAS, AD trusts are set up to enable users in an existing AD forest to quickly and easily access their Cloud Desktops with their existing corporate credentials (username + password).
Using the AD trust model, the Cloud Desktop environment can be deployed in a separate environment with minimal impact to your existing infrastructure, but users can access their resources (such as file and application servers) using the same credentials that they use for other resources.
AD trusts enable customers to leverage important CAS features such as autoscaling. For end-users, myrdp.download is a custom portal that allows users to download their customized RDP file just by entering their username. The myrdp.download portal provides intelligent geo-routing for users that are assigned to a multi-region Collection Pool and is the recommended method for users to access their remote desktop environment.
AD Trust Model Overview
CAS support for AD trusts allows administrators to create a new CAS deployment with a standalone AD domain, running on either Google Managed Service for Microsoft Active Directory or a traditional Windows Active Directory. After the initial deployment is created, the administrator establishes connectivity to their existing Active Directory domain and builds a standard Active Directory trust. We recommend a two-way non-transitive trust, but one-way trusts are supported as well (configured as an outgoing trust from the new Cloud Desktop domain).
Once the trust is established, you can import existing user accounts into CAS; CAS does not store any sensitive information about the accounts such as passwords or AD attributes. These imported users can then be managed through CAS and assigned to Collection Pools to access Cloud Desktop resources.
Considerations for AD Trust Model
In discussing this model we will use the standard terms to reference each domain:
- Resource Domain - This is the new AD domain that will contain the Cloud Desktop servers
- Accounts Domain - This is your existing AD domain that contains the user accounts that will authenticate to Cloud Desktop
When creating a new deployment with an AD trust, it is important to consider the following:
- The new Cloud Desktop domain parameters must be unique - the domain name and UPN suffix you provide for the resource domain must not conflict with your accounts domain, or with any other domain with which your accounts domain has a trust.
- Resources in the accounts domain are not modified - CAS does not perform any "write" operations in the accounts domain. Users and groups are read into the CAS database; when they are added to a Collection Pool, their corresponding shadow principal in the resource domain is added to the appropriate AD groups in the resource domain. Therefore, trusted user information cannot be modified in the CAS console, and deleting users in the CAS console does not affect the user account in the accounts domain.
AD Trusts Configuration
During the initial deployment creation, the customer selects one of these two Active Directory options:
- Create New Active Directory Domain
- New Google Managed Service for Microsoft Active Directory instance
The remainder of the CAS deployment is configured as normal.
Once the deployment is finished provisioning, the customer establishes network connectivity from the new Cloud Desktop environment in GCP with their existing domain. Cloud Desktop resources are deployed into a unique VPC network within the GCP project; connectivity to the existing domain may require VPC peering (if the AD domain controllers are in Google Cloud) or a VPN tunnel (if the AD domain controllers are on-premises). For resiliency, we recommend using domain controllers located in GCP.
Next, firewalls must be configured to permit the necessary traffic between the domains. Refer to this Microsoft article for guidance on the necessary connectivity to support AD trusts.
With network connectivity established, the administrator then configures an Active Directory trust between the Cloud Desktop domain (resource domain) and their existing AD domain (accounts domain). For most scenarios, a two-way forest trust is the preferred configuration method; however, if a one-way trust must be used for security reasons, configure an outbound trust from the resource domain to the accounts domain.
Next, the AD trust information must be populated into itopia CAS. Simply submit a support request (by submitting an email to email@example.com) with the following information:
- The fully qualified domain name (FQDN) of the trusted domain (e.g., contoso.com)
- The FQDN of the preferred Domain Controller for read operations (e.g. srv-gcp-dc01.contoso.com)
- Service account credentials (username and a strong password) for a read-only user account in the accounts domain. This user is used in one-way trusts to perform read operations in the accounts domain.
- The distinguished name of the OU or container in the accounts domain for querying users (e.g. OU=users,OU=corporate,DC=contoso,DC=com). If you have users in multiple OU structures, you can specify the root of the domain (e.g. DC=contoso,DC=com)
- The distinguished name of the OU or container in the accounts domain for querying groups (e.g. OU=groups,OU=corporate,DC=contoso,DC=com). If you have groups in multiple OU structures, you can specify the root of the domain (e.g. DC=contoso,DC=com)
- The UPN suffixes used by user accounts in the accounts domain. CAS uses UPN suffixes to identify the correct deployment for users when they access myrdp.download. Thus, every UPN suffix your users have must be associated with your specific CAS deployment.
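The following pre-flight script is an added example, not part of itopia's tooling: run from a domain-joined host in the resource domain, it verifies the trust direction described above and collects the items on this list (DC reachability, the read-only service account, the user and group containers, and the UPN suffixes) while performing only read operations against the accounts domain. All names and DNs in it are placeholders taken from the examples on this page.

```powershell
# Added pre-flight check for an itopia CAS AD trust (example code, not itopia's own).
# Requires the RSAT ActiveDirectory module; run as a user of the resource domain.
Import-Module ActiveDirectory

$AccountsDomain = 'contoso.com'                # placeholder: trusted (accounts) domain FQDN
$AccountsDc     = 'srv-gcp-dc01.contoso.com'   # placeholder: preferred DC for read operations
$UsersDn        = 'OU=users,OU=corporate,DC=contoso,DC=com'    # placeholder user container
$GroupsDn       = 'OU=groups,OU=corporate,DC=contoso,DC=com'   # placeholder group container
$ReadOnlyCred   = Get-Credential -Message 'Read-only service account in the accounts domain'

# 1. Firewall check: the DC must answer on the ports a trust lookup uses
#    (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB).
foreach ($port in 53, 88, 135, 389, 445) {
    $ok = (Test-NetConnection -ComputerName $AccountsDc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    "TCP $port to $AccountsDc : " + $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 2. The trust as seen from the resource domain. A one-way trust configured as
#    "outgoing from the resource domain" reports Direction = Outbound here;
#    the recommended two-way trust reports BiDirectional.
$trust = Get-ADTrust -Filter * | Where-Object { $_.Target -eq $AccountsDomain }
if (-not $trust) { throw "No trust to $AccountsDomain exists in the resource domain" }
"Trust to $($trust.Target): Direction=$($trust.Direction) ForestTransitive=$($trust.ForestTransitive)"

# 3. The service account can read the containers CAS will query (no write is attempted).
foreach ($dn in $UsersDn, $GroupsDn) {
    $null = Get-ADObject -Identity $dn -Server $AccountsDc -Credential $ReadOnlyCred -ErrorAction Stop
    "Readable container: $dn"
}
$sample = Get-ADUser -Filter * -SearchBase $UsersDn -ResultSetSize 1 -Server $AccountsDc -Credential $ReadOnlyCred
if (-not $sample) { Write-Warning "No user accounts found under $UsersDn" }

# 4. UPN suffixes to report, and a collision check against the resource domain
#    (the resource domain name and UPN suffix must be unique across the trust).
$accountsForest   = Get-ADForest -Server $AccountsDc -Credential $ReadOnlyCred
$accountSuffixes  = @($accountsForest.Domains) + @($accountsForest.UPNSuffixes)
$resourceForest   = Get-ADForest
$resourceSuffixes = @($resourceForest.Domains) + @($resourceForest.UPNSuffixes)
$collision = $accountSuffixes | Where-Object { $resourceSuffixes -contains $_ }
if ($collision) { Write-Warning "UPN suffix collision with the resource domain: $($collision -join ', ')" }
"UPN suffixes to report for the accounts domain: $($accountSuffixes -join ', ')"
```

A blocked port in step 1 or a missing trust in step 2 should be resolved before the support request is submitted, since CAS cannot read the accounts domain without them.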
Import of Users & Groups in CAS from a Trusted AD
Users and Groups can still be created in the itopia CAS domain (i.e., the resource domain). Aside from the imported user and groups from the trusted domain, new users and groups can be created in the CAS Portal. These users and groups can coexist side-by-side with the imported users and groups.
In the User Module for itopia CAS, there is not yet a visual indicator of whether a user was imported from a trusted AD or created in the CAS Portal. However, CAS cannot modify users and groups in the trusted domain; therefore, when attempting to edit a user from a trusted domain, all fields will be disabled.
AD Trusts enable a deployment to have more than one UPN suffix. The deployment will support UPNs from the trusted domain as well as any users created directly in the CAS Portal.
In the near future, itopia CAS will gain support for auto-importing users from Active Directory on a scheduled basis. Administrators will be able to specify one or more AD groups, and the groups' members will be periodically imported into CAS and assigned to their corresponding Collection Pools. This feature will support AD trusts as well as standard deployments.
CAS will also be updated to allow configuration of AD trusts during the initial deployment or post-deployment by the administrator, both through the CAS console interface. Additionally, the CAS Users Module will include a new column for "User Type": Normal, Auto-Imported, or Trusted.