5.1.2.1.3 Integration Details
Active Directory Trusts and Access Flow
One of Remote AD's key strengths is its decoupled authentication model. Unlike traditional setups that require a domain trust, Remote AD removes the need for Thinfinity Workspace to join the external domain. Identity validation is instead performed by a Remote AD service running inside the target domain, which preserves both network isolation and the integrity of that domain.
Remote AD Deployment and Association
The Remote AD service is included by default whenever a Primary Broker is installed. To integrate an external domain, however, the Remote AD service must be installed inside the target domain using the standalone Remote AD installer. Once deployed, it must be associated with the Gateway; this association allows the Remote AD instance to act as a user and group lookup node. See the Installation and Configuration section for the full procedure.
As part of this process, Remote AD automatically enables Directory Services if it is not already active, ensuring that identity queries and mappings function correctly.
Access Flow
End users sign in with their regular credentials for the external domain. The credentials are verified by the Identity Provider, through Remote AD, and Workspace uses the resulting identity to authorize access to published resources.
This architecture significantly simplifies deployment in multi-domain, isolated, or externally managed environments, providing secure authentication without modifying core domain policies or trust settings.
Identity Synchronization
Remote AD allows administrators to grant general permissions or assign profile access to remote domain users and groups, using either the DOMAIN\username format or user principal names (UPNs).
Remote AD keeps identities synchronized by exposing only the identity attributes the Thinfinity Workspace broker needs (e.g., samAccountName, userPrincipalName).
This allows for a seamless experience, even across networks with mismatched naming conventions or account formats. Note that a UPN's prefix and suffix need not match the sAMAccountName or the domain's DNS name, so a permission written in one format should be resolved against the directory rather than rewritten textually into the other.
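The following Python is an added illustration, not part of the Thinfinity documentation or product code, of how both login formats can be resolved to one canonical identity for permission checks. It works against a constructed directory snapshot that contains only the two attributes named above, plus an invented NetBIOS-to-DNS map; all domain names and accounts are made up for the example. It also covers the edge cases the paragraph hints at: a UPN whose prefix differs from the sAMAccountName, the same sAMAccountName in two domains, and malformed or unknown-domain input, which fail closed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data (assumption for this example, not real directory output).
# Only the attributes the broker is said to receive are included.
NETBIOS_TO_DNS = {"CORP": "corp.example.com", "PARTNER": "partner.example.net"}

DIRECTORY = [
    # UPN prefix deliberately differs from sAMAccountName (john.doe vs jdoe)
    {"domain": "corp.example.com", "sAMAccountName": "jdoe",
     "userPrincipalName": "john.doe@corp.example.com"},
    {"domain": "corp.example.com", "sAMAccountName": "asmith",
     "userPrincipalName": "asmith@corp.example.com"},
    # Same sAMAccountName as above, but in a different domain
    {"domain": "partner.example.net", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@partner.example.net"},
]


@dataclass(frozen=True)
class Identity:
    dns_domain: str
    sam_account_name: str
    upn: str


# DOMAIN\user: NetBIOS name (max 15 chars) and a sAMAccountName without the
# characters AD forbids in it (" / \ [ ] : ; | = , + * ? < >).
_DOWNLEVEL = re.compile(r'^([A-Za-z0-9][A-Za-z0-9.-]{0,14})\\([^\\"/\[\]:;|=,+*?<>]{1,20})$')
# user@suffix: no whitespace or backslash in the prefix, DNS-like suffix.
_UPN = re.compile(r"^([^@\s\\]{1,64})@([A-Za-z0-9.-]+)$")


def resolve(login: str) -> Optional[Identity]:
    """Map DOMAIN\\user or user@suffix to exactly one directory entry, else None."""
    login = login.strip()
    m = _DOWNLEVEL.match(login)
    if m:
        netbios, sam = m.group(1).upper(), m.group(2)
        dns = NETBIOS_TO_DNS.get(netbios)
        if dns is None:
            return None  # unknown domain: do not guess a DNS name
        # sAMAccountName is scoped to its domain, so match on both.
        matches = [e for e in DIRECTORY
                   if e["domain"] == dns and e["sAMAccountName"].lower() == sam.lower()]
    elif _UPN.match(login):
        # UPNs are matched whole; user@dns is NOT assumed to equal the sAMAccountName.
        matches = [e for e in DIRECTORY if e["userPrincipalName"].lower() == login.lower()]
    else:
        return None  # neither format: reject rather than guess
    if len(matches) != 1:
        return None  # missing or ambiguous: fail closed
    e = matches[0]
    return Identity(e["domain"], e["sAMAccountName"], e["userPrincipalName"])


def is_granted(login: str, grants: List[str]) -> bool:
    """True if the login resolves to an identity named (in either format) in grants."""
    ident = resolve(login)
    if ident is None:
        return False
    return any(resolve(g) == ident for g in grants)


if __name__ == "__main__":
    print(resolve("CORP\\jdoe"))
    print(is_granted("corp\\JDOE", ["john.doe@corp.example.com"]))
```

Both the login and every grant are resolved to the same canonical record before comparison, so a permission entered as CORP\jdoe matches a sign-in as john.doe@corp.example.com, while jdoe@corp.example.com (a UPN that does not exist) and PARTNER\jdoe are correctly refused.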
Session Handling and Security
Session creation with Remote AD involves a secure hand-off between the Thinfinity Workspace broker and the target session host. Here's how security is preserved:
Encrypted Communication: All communication between Thinfinity Workspace and the target domain is carried over TLS.
Credential Isolation: Thinfinity Workspace never stores credentials or transmits them in plain text; verification is delegated to the Remote AD service inside the target domain.
Session Tokens: After successful authentication, users receive a session token that is used to access remote apps or desktops.
This approach ensures Remote AD serves as a secure and scalable identity bridge between users and session hosts, without weakening domain isolation or security policies.