
So… Are You Tired of Your Domain Controller Yet?

  • Writer: Christopher Reed
  • May 19

There comes a point in every Horizon administrator’s life where they stare into the fluorescent glow of a Windows Domain Controller Server console at 2:13 AM and whisper:


“Why are you still here?”

Not to a user. Not to a manager. To a domain controller.



For years, virtual desktop infrastructure has carried around a strange emotional support animal known as “legacy Active Directory dependencies.” Entire architectures were lovingly assembled from LDAP binds, Kerberos tickets, Enrollment Servers, Certificate Authorities, trusts, sync connectors, and enough DNS conditional forwarders to summon an ancient spirit from the Windows 2003 era.

But today… something changed.


Omnissa quietly dropped a feature that made a lot of Horizon architects spit coffee onto their keyboards:



“Wait… Can Horizon authenticate users with Entra ID directly now and provide SSO functionality?”


Yes. Yes, it can.


…signals something much bigger than just “another authentication option.”

It signals the beginning of the:


“Maybe We Don’t Need All This AD Stuff”


The Ancient Ritual of Traditional Horizon Authentication


Historically, standing up Horizon with modern SSO often looked something like this:

  1. Deploy Horizon

  2. Deploy UAG

  3. Deploy Workspace ONE Access

  4. Deploy Enrollment Servers

  5. Deploy Enterprise CA

  6. Configure True SSO

  7. Sacrifice three weekends to certificate templates

  8. Explain to security why LDAP over SSL still somehow matters

  9. Reboot a domain controller because “maybe replication is stuck.”

  10. Pretend this is normal


Traditional Horizon True SSO environments still rely heavily on Active Directory services, Enterprise Certificate Authorities, and Kerberos flows.  

The architecture diagrams often looked less like “modern cloud identity” and more like:

“What if Microsoft Visio became emotionally unstable?”


Enter Entra ID SSO


Now Omnissa Horizon Cloud is moving toward something administrators have wanted for years:


  • Native cloud identity integration

  • Entra ID-based authentication

  • Reduced dependency on traditional domain-centric identity flows

  • Less infrastructure

  • Fewer Windows servers whose only job is “existing aggressively.”


And let’s be honest:


If your newest employee has never seen dsa.msc, that’s probably not a bad thing.


Omnissa has already been evolving Horizon Cloud and Omnissa Identity Services toward cloud-native identity patterns using Microsoft Entra ID and modern IdPs.  

This newest SSO capability feels like another large step toward:


“Virtual Desktops and Apps with SSO without dragging a 20-year-old domain behind it.”


What This Means Today


Before someone throws their domain controller into a wood chipper:

No — Active Directory is not completely dead in every Horizon deployment.

Let’s remain calm.


Today, there are still scenarios where:


  • AD is required

  • Kerberos still matters

  • Traditional True SSO flows are still used

  • Machine identity and certificate workflows still rely on the Microsoft PKI infrastructure  


But the direction is becoming increasingly obvious.


The industry is shifting from:


“The domain is the center of identity.”


To:


“Identity is a cloud service.”

And Horizon is adapting accordingly.


The Real Story Here


This isn’t really about “removing domain controllers.”


It’s about removing dependency gravity.


For years, VDI projects have inherited:

  • legacy identity models

  • inherited trust relationships

  • old authentication assumptions

  • “We’ve always done it this way” architecture


Now? Administrators can increasingly think in terms of:


  • conditional access

  • modern identity providers

  • cloud-native authentication

  • device posture

  • Zero Trust

  • federation-first access models


That is a massive architectural shift.


Somewhere… a Domain Controller Felt a Disturbance in the Force


Right now, somewhere in a datacenter:

A lonely domain controller is humming softly beside an aging file server.

It hears whispers.

“Entra ID…”

“Cloud-native…”

“Passwordless…”

It becomes afraid.

Its CPU spikes slightly.


An old Group Policy Object flutters in the wind.


The Bigger Picture for Horizon


What makes this especially interesting is that Omnissa is not simply “adding Entra ID.”

They’re steadily reshaping Horizon into something that looks increasingly platform-native for modern enterprise identity.


That means:


  • less friction for cloud-first organizations

  • simpler onboarding

  • reduced infrastructure overhead

  • fewer supporting identity servers

  • more alignment with Zero Trust initiatives

  • cleaner authentication experiences


And perhaps most importantly:

Fewer meetings where someone says:

“Can we check if the LDAP bind account password has expired?”



Final Thoughts


No, domain controllers are not disappearing tomorrow.

But for the first time in a long time, Horizon admins can see a future where:

  • identity is cloud-native

  • authentication is modern

  • SSO is cleaner

  • and deploying six extra Windows servers isn’t considered “minimal architecture.”


Honestly?


That future sounds pretty good.


Even if the domain controller disagrees.

