Integration Details
Active Directory Trusts and Access Flow
One of RemoteAD's key strengths is its decoupled authentication model. Unlike traditional setups that require establishing domain trusts, RemoteAD eliminates the need for Thinfinity® Workspace to join an external domain. Instead, identity validation is securely handled by a RemoteAD service operating within the target domain itself, which maintains both isolation and domain integrity.
RemoteAD Deployment and Association
The AD Cache service is included by default when a Primary Broker is installed, and it is responsible for running RemoteAD. However, to integrate an external domain, the AD Cache service must be enabled and configured within the target domain.
Once active, it must be associated with the Gateway. This association allows the AD Cache instance to act as a user and group lookup node.
As part of this process, RemoteAD automatically enables Directory Services if it is not already active, ensuring that identity queries and mappings function correctly.
Access Flow
End users authenticate with their standard credentials for the external domain. These credentials are verified by the Identity Provider, through RemoteAD, and the resulting identity is used by Thinfinity® Workspace to authorize access to published resources.
This architecture significantly simplifies deployment in multi-domain, isolated, or externally managed environments, providing secure authentication without modifying core domain policies or trust settings.
Identity Synchronization
RemoteAD allows administrators to grant general permissions or assign profile access to remote domain users and groups, often using the DOMAIN\username format or user principal names (UPNs).
RemoteAD ensures identity synchronization by exposing only the necessary identity attributes to the Thinfinity Workspace broker (e.g., samAccountName, userPrincipalName).
This allows for a seamless experience, even across networks with mismatched naming conventions or account formats.
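To make the identity-synchronization point concrete, here is an added illustration (not Thinfinity's or RemoteAD's code) of the two behaviours the section describes: accepting grants and logins in either the DOMAIN\username or UPN format by normalizing both to one canonical principal, and exposing only an allow-listed set of attributes (samAccountName, userPrincipalName) to the broker. The directory records, the NetBIOS-to-DNS mapping and the grant lists are constructed sample data; the function and class names are this example's own.

```python
"""Identity normalization and minimal attribute exposure (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Optional

# Only these attributes are handed to the broker; everything else stays inside the domain.
EXPOSED_ATTRIBUTES = frozenset({"samAccountName", "userPrincipalName"})

# Constructed sample directory for the remote domain, keyed by (DNS domain, samAccountName).
# "mail" and "memberOf" stand in for attributes the broker has no need to see.
SAMPLE_DIRECTORY = {
    ("corp.example", "jdoe"): {
        "samAccountName": "jdoe",
        "userPrincipalName": "jdoe@corp.example",
        "mail": "john.doe@corp.example",
        "memberOf": ["CN=VDI-Users,OU=Groups,DC=corp,DC=example"],
    },
}

# NetBIOS short name -> DNS name, as the remote domain would report it (constructed).
NETBIOS_TO_DNS = {"corp": "corp.example"}


@dataclass(frozen=True)
class Principal:
    domain: str   # DNS domain, lower-cased
    account: str  # samAccountName, lower-cased (AD account names are case-insensitive)


def parse_principal(text: str) -> Principal:
    """Accept DOMAIN\\user or user@domain; reject anything empty or ambiguous."""
    text = text.strip()
    if text.count("\\") == 1 and "@" not in text:
        domain, account = text.split("\\")
    elif text.count("@") == 1 and "\\" not in text:
        account, domain = text.split("@")
    else:
        raise ValueError(f"unrecognized principal format: {text!r}")
    if not domain or not account:
        raise ValueError(f"empty domain or account in {text!r}")
    domain = domain.lower()
    domain = NETBIOS_TO_DNS.get(domain, domain)  # map short name to DNS name
    return Principal(domain=domain, account=account.lower())


def is_valid_principal(text: str) -> bool:
    """True when the string is in one of the two accepted formats."""
    try:
        parse_principal(text)
        return True
    except ValueError:
        return False


def filter_attributes(record: dict) -> dict:
    """Drop every attribute except the ones the broker is allowed to receive."""
    return {k: v for k, v in record.items() if k in EXPOSED_ATTRIBUTES}


def lookup(text: str, directory: dict = SAMPLE_DIRECTORY) -> Optional[dict]:
    """Resolve a principal given in either format; return only exposed attributes."""
    p = parse_principal(text)
    record = directory.get((p.domain, p.account))
    return filter_attributes(record) if record is not None else None


def is_granted(text: str, grants: list) -> bool:
    """Check a user against grants written in mixed formats, after normalization."""
    p = parse_principal(text)
    return any(parse_principal(g) == p for g in grants)


if __name__ == "__main__":
    print(lookup("CORP\\jdoe"))                      # both formats resolve to the same record
    print(lookup("JDoe@Corp.Example"))
    print(is_granted("corp\\JDOE", ["jdoe@corp.example"]))
```

Normalizing before comparison is what prevents a grant written as `CORP\jdoe` from silently failing to match a login of `jdoe@corp.example`; filtering the record before it leaves the domain is what keeps group membership and other attributes out of the broker's reach.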
Session Handling and Security
Session creation with RemoteAD involves a secure hand-off between the Thinfinity Workspace Broker and the target session host. Here's how security is preserved:
Encrypted Communication: All communication between Thinfinity Workspace and the target domain is done over TLS/SSL.
Credential Isolation: Thinfinity Workspace never stores or transmits plain-text credentials; authentication is delegated to RemoteAD.
Session Tokens: After successful authentication, users receive a secure session token to access remote apps or desktops.
This approach ensures RemoteAD serves as a secure and scalable identity bridge between users and session hosts, without weakening domain isolation or security policies.
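The credential-isolation and session-token points above can be illustrated with a small token scheme. The following is an added example, not Thinfinity's or RemoteAD's implementation, and the page does not describe the vendor's actual token format. It shows the property that matters: once RemoteAD has validated the user, the broker hands out an HMAC-signed, expiring token that carries only identity attributes (never the password), and verification rejects tampered, wrongly keyed or expired tokens. The signing key and timestamps are constructed values.

```python
"""Signed, expiring session token issued after delegated authentication (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed signing key for the example; a real broker would load this from protected config.
BROKER_KEY = b"example-broker-key-do-not-reuse-0123456789"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(upn: str, sam: str, key: bytes, now: int, ttl: int = 900) -> str:
    """Build 'body.signature'. The body holds identity attributes only, never credentials."""
    payload = {
        "upn": upn,
        "sam": sam,
        "iat": now,
        "exp": now + ttl,            # short lifetime limits replay after the session ends
        "nonce": secrets.token_hex(8),
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, key: bytes, now: int) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    try:
        given = _unb64(sig)
    except ValueError:               # malformed base64 in the signature
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):   # constant-time comparison
        return None
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return None
    return payload


def tamper_body(token: str) -> str:
    """Flip one character of the body to simulate an altered token (for demonstration)."""
    body, sig = token.split(".")
    last = "A" if body[-1] != "A" else "B"
    return body[:-1] + last + "." + sig


if __name__ == "__main__":
    issued_at = 1_700_000_000
    tok = issue_token("jdoe@corp.example", "jdoe", BROKER_KEY, now=issued_at)
    print(verify_token(tok, BROKER_KEY, now=issued_at + 60))     # payload dict
    print(verify_token(tamper_body(tok), BROKER_KEY, now=issued_at + 60))  # None
    print(verify_token(tok, BROKER_KEY, now=issued_at + 1000))   # None (expired)
```

The token is deliberately opaque to the session host: it proves that the broker accepted a RemoteAD-validated identity, but it contains nothing that could be replayed against the domain itself.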