In Horizon 2106 a new functionality called Untrusted Domains was introduced. It allows administrators to entitle and authenticate users from directories that do not have any trust relationship with the domain that the Connection Servers belong to. Although it is very easy to add an Untrusted Domain in the console, it might not be so obvious that we still need proper DNS resolution for that domain from the Connection Servers. And this is not only about simple A records for the domain controllers, but about full resolution of the specific AD SRV records. The easiest way to achieve that is to create so-called “Conditional Forwarders” on the DNS servers in the main domain that pass all queries for the Untrusted Domain to its respective DNS server(s).
Without proper DNS resolution you will most likely receive the error below when trying to add an Untrusted Domain:
“Could not add untrusted domain. This could be due to one or more of the following:
- Invalid untrusted domain configuration field values.
- Domain controller is not reachable from connection server. Check your DNS infrastructure.
- Time difference between the connection server and domain controller is too large.”
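To verify the resolution path before adding the domain (or when you hit the error above), here is an added PowerShell example that is not part of the original post or the VMware documentation: it resolves the AD SRV records a client needs for a domain, checks that every SRV target also resolves to an address, and optionally creates the Conditional Forwarder on a main-domain DNS server. The domain name and DNS server address are placeholders.

```powershell
# Added example (not from the original post): check, from a Connection Server,
# that an Untrusted Domain's AD SRV records resolve, and optionally create the
# Conditional Forwarder on the main-domain DNS server (requires the DnsServer module).
param(
    [string]$UntrustedDomain = 'untrusted.example',    # placeholder domain
    [string[]]$UntrustedDnsServers = @('10.0.0.53'),   # placeholder DNS server(s) of that domain
    [switch]$CreateForwarder
)

# SRV records that LDAP / Kerberos / domain-controller location rely on.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$UntrustedDomain",
    "_ldap._tcp.$UntrustedDomain",
    "_kerberos._tcp.$UntrustedDomain",
    "_gc._tcp.$UntrustedDomain"
)

function Test-UntrustedDomainDns {
    param([string[]]$Names)
    foreach ($name in $Names) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            # Each SRV target (a domain controller) must itself resolve to an A record,
            # otherwise the Connection Server learns the DC name but cannot reach it.
            $missing = foreach ($rec in $srv) {
                try { Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction Stop | Out-Null }
                catch { $rec.NameTarget }
            }
            $status = if ($missing) { "SRV ok, no A record for: $($missing -join ', ')" } else { 'OK' }
            [pscustomobject]@{ Record = $name; Status = $status; Targets = ($srv.NameTarget -join ', ') }
        } catch {
            [pscustomobject]@{ Record = $name; Status = "FAILED: $($_.Exception.Message)"; Targets = '' }
        }
    }
}

Test-UntrustedDomainDns -Names $srvNames | Format-Table -AutoSize

# Run this part on the main-domain DNS server: forward all queries for the
# Untrusted Domain to its own DNS servers, replicated to every DNS server in the forest.
if ($CreateForwarder) {
    Add-DnsServerConditionalForwarderZone -Name $UntrustedDomain `
        -MasterServers $UntrustedDnsServers -ReplicationScope 'Forest'
}
```

Any row other than OK points at the DNS side of the error message rather than at Horizon itself; re-run the check after the forwarder is in place and the zone has replicated.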
If you get past that and add your Untrusted Domain, you can search for users and groups from this domain when adding an entitlement for Pools or Apps:
Be aware that currently you CANNOT use accounts from an Untrusted Domain for administrative RBAC in Horizon. If that is something of value to you, vote for this Feature Request:
For more information on Untrusted Domains, take a look at the official documentation: