Streamline your virtual desktop infrastructure with single sign-on for small and medium-sized businesses in VMware environments

As I was discussing with a certain SIer (system integrator) today, it seems that authentication using IC cards and fingerprint recognition is quite difficult for workgroup clients. Specifically, even without joining a domain, the zero client can still authenticate using the ID/password method, but this is of little use as it does not provide any security benefits.

In my previous post, I mentioned that I was considering a scenario where the client’s domain participates in the VDI domain and the user selects the domain when connecting with the View Client. This would make it convenient to manage the client’s domain from the administrator’s PC without the user noticing, while also providing security benefits.

However, after discussing with the SIer, it seems that this approach is not feasible due to the one-way trust relationship between the domains. Therefore, even if the administrator adds the client’s domain to the DNS suffix of their PC, the user will still be unable to access the VDI domain.

Furthermore, if there is a time difference between the system clock and the AD-synced time, it will cause issues with the synchronization of the hardware clock, even if the AD-based time synchronization is enabled. This means that the client’s domain cannot be simply added to the DNS suffix without proper consideration of the time difference and other factors.

In conclusion, authentication using IC cards and fingerprint recognition for workgroup clients is not a feasible solution due to the one-way trust relationship between the domains and other technical limitations. Instead, we need to carefully consider the time difference and other factors when implementing the VDI domain and the client’s domain.

Please feel free to contact me if you have any further questions or concerns. Thank you for reading my blog post!