Outsourcing desktop environment (vdi)

  • Question

  • We have a W2k8R2 forest. One root domain, 2 child domains.

    About 400 Windows 7 clients. We are outsourcing our desktop environment. The other thing is that we are going to use Skype for Business, also hosted by another party.

    I have no ADFS knowledge. I have read a few articles/documents and will follow a course within 3 months. Meanwhile I have a few questions.

    We will now have 3 forests to consider. Our forest, let's call it local.com. The forest for our VDI desktops, vdi.com, and the forest for Skype for Business, Skype.com. A VPN connection is already in place between these forests.

    Skype.com is going to be a resource forest. They only need to know where the user accounts reside, to host a synchronized representation of active user objects, but no logon-enabled user accounts. An authentication selective trust between Skype.com and the forest holding the active user accounts will be established.

    OK. Now vdi.com. They are going to host the desktop and all the applications on it. They are a little bit vague on how to set this up. They want to use ADFS to set up a federation trust with us, local.com.

    What I have heard so far is that they (vdi.com) want to re-create our user accounts in their forest. Like I said, I have no ADFS knowledge yet. But how will that work?

    For example, steve@local.com has permissions on folders on several servers in local.com. Also Group Policy and connections to a few server applications: Exchange, document management systems, etc. If vdi.com is going to re-create this account as steve@vdi.com, how will ADFS solve those permission, Group Policy and server connection issues with local.com?

    And not to forget, Skype.com needs to know which forest to use for account sync.

    As far as I know, ADFS is for authentication, SSO. Authorization is done within the application.

    I think there is a lot more to consider, but I don't know exactly what. Hope for some advice.


    Tuesday, March 8, 2016 7:38 AM