TSE supports multiple domain setup or multi-tenancy in AD.
An admin can setup TSE to have TSE published apps assigned to users from a different domain. Users from another domain can connect and launch applications on the TSE APP servers.
Login to TSE Management Console and click on Manage - Domains, Under Actions menu click on ADD a new domain.
Note the requirements to be able to successfully add another domain to TSE. This can be a domain in the same AD forest as TSE or a domain from a different AD forest.
TSE Domain - Domain containing TSE servers. (Trusting domain also called the Resource domain)
User Domain - Domain containing User/Group/OU accounts. (Trusted domain as users from this domain will access resource of TSE Domain)
TSE Identity account - TSE Domain user account under which Propalms TSE services are running.
A two way transitive trust should exist between the TSE Domain and User domain. The domains can be in the same AD forest or different AD forest. When a user launches an application, the user must logon to the Application Server that hosts the application. This is a fundamental feature of Windows Terminal Services. For this logon to be successful, the Application Server must verify the user’s name, domain, and password. This verification requires a trust relationship between the domain containing the Application Server (TSE Domain) and the domain containing the user (User domain).
DNS,WINS and Lmhosts file should be used to ensure that the TSE WEB server can resolve the Domain FQDN and DNS names for domain controllers for User domain.
It is essential that the TSE WEB server can resolve the User Domain’s NetBios/short name and DNS names. Eg: CORP will be short name for Corp.TSE.local
So a TSE WEB server should be able to resolve ‘ping> Corp’ as well as ‘ping> corp.TSE.local’
TSE WEB server should also be able to resolve the Domain controller hostnames for the User domains.
For example say DC1.corp.TSE.local is the domain controller for the CORP domain . TSE Web server should be able to resolve ‘Ping> DC1’ and also ‘Ping> DC1.corp.TSE.local
TSE queries for Domain controller information using the NetBios/Short names of Domains and also binds to DC’s using their NetBios name. Hence it is important to check if all NetBios name resolutions work correctly from TSE WEB servers.
TSE identity account should exist as a member of Universal group on the TSE domain so that it has read access to AD objects in the User domain.
All AD look up requests on the User domain are done under the context of the TSE identity account. Hence the TSE identity account should have read access on the User domain which can be achieved by making it a member of a Universal group.
MS TechNet link for setting up Forest level AD trusts.