Setup Kerberos Authentication Adapter

PREREQUISITES:

This section will review how to configure Kerberos authentication through the IDM Connector to enable Windows Single Sign On.

1. Enable the Kerberos Authentication Adapter on the Connector

In the VMware Identity Manager Administration Console,

  1. Click Identity & Access Management.
  2. Click Setup.
  3. Click Connectors.
  4. Click the Lab worker link.
  5. Click the Auth Adapters tab.
  6. Click KerberosIdpAdapter.

NOTE - The page may take several seconds to load after clicking the KerberosIdpAdapter link. Please be patient while it loads!

1.2. Configure KerberosIdpAdapter Authentication Adapter

  1. Enter sAMAccountName for the Directory UID Attribute
  2. Check Enable Windows Authentication
  3. Check Enable Redirect
  4. Enter vescsrv-01a.corp.local for the Redirect Host Name
  5. Click Save

1.2.1. Run the Kerberos Initialization Script (IF NEEDED)

If saving the adapter configuration fails, we will need to run the Kerberos Initialization script described in the KB article: https://kb.vmware.com/s/article/2149753.

1.2.2. Connect to the VESC Server (IF NEEDED)

The setupKerberos.bat file that needs to be run is on the server where the VMware Identity Manager Connector service was installed, the VESC Server at vescsrv-01a.corp.local.

Double-click the VESC Server.rdp link on the Desktop to connect to the VESC Server.

1.2.3. Run the setupKerberos.bat file (IF NEEDED)

  1. Click the File Explorer icon from the task bar.
  2. Click Local Disk (C:).
  3. Click VMware.
  4. Click IDMConnector.
  5. Click usr.
  6. Click local.
  7. Click horizon.
  8. Click scripts.
  9. Right-click the setupKerberos.bat file.
  10. Click Run as Administrator.

1.2.4. Enter the User Credentials (IF NEEDED)

  1. Enter "corp\administrator" for the Username.
  2. Enter "VMware1!" for the Password.
  3. After the PowerShell window closes and the process finishes, press any key to continue.

1.2.5. Return to the Main Console

After the setupKerberos.bat file has completed running, return to the Main Console in order to save the KerberosIdpAdapter.

Click the Close (X) button on the Remote Desktop Connection bar at the top of your screen.

NOTE: If you do not see the Remote Desktop Connection bar, you may have un-pinned the bar. Hover your mouse over the top and center part of the screen to reveal it.

1.2.6. Save the Authentication Adapter after running setupKerberos.bat (IF NEEDED)

Click Save. The Kerberos Authentication Adapter should now save and enable as expected.

1.3. Confirm the KerberosIdpAdapter is Enabled

  1. The KerberosIdpAdapter should now show as Enabled.
  2. Click Admin Console to return.

2. Update the Policy Rules

  1. Click Identity & Access Management.
  2. Click Manage.
  3. Click Policies.
  4. Click Edit Default Policy.

2.1. Add Policy Rule

  1. Click Configuration.
  2. Click Add Policy Rule.

2.2. Configure Policy Rule Details

  1. Select ALL RANGES for the Network Range.
  2. Select Windows 10 for the Device Type.

2.3. Configure Policy Rule Authentication

  1. Scroll down to the bottom.
  2. Select Authenticate using... for the action.
  3. Select Kerberos for the authentication action.
  4. Select Password (cloud deployment) for the fallback authentication action.
  5. Click Save.

2.4. Update the Policy Rule Order

  1. Click and drag the created Windows 10 policy rule to the top of the list.
  2. Click Next.

2.5. Review and Save the Policy Rule Changes

Review the configuration as desired and click Save.

You have now configured your Policies to authenticate all Windows 10 devices using Kerberos and to fall back to Password (cloud deployment) if Kerberos isn't applicable or fails.

3. Install the Certificates on the Windows 10 Device

Since we did not use a custom certificate that is already trusted by our domain, we will need to add the certificates generated by our Connector to our Windows 10 device before our Kerberos authentication will work.

Double-click the VESC Server.rdp link on the Desktop to connect to the VESC Server.

3.1. Select the Connector Certificate Files

  1. Click the File Explorer icon on the task bar.
  2. Click Local Disk (C:).
  3. Click VMware.
  4. Click IDMConnector.
  5. Click usr.
  6. Click local.
  7. Click horizon.
  8. Click conf.
  9. Ctrl+click the root_ca.cer file to select it.
  10. Ctrl+click the vescsrv-01a.corp.local.cer to add it to the selection.
  11. Right-click and click Copy.

3.2. Minimize the VESC Server Connection

Click the Minimize (_) button on the Remote Desktop Connection bar to minimize the VESC Server connection. We don't want to close the connection since we need to paste the copied certificate files to our Windows 10 VM in the next step.

3.3. Connect to the Windows 10 VM

From the Desktop, double-click the Win-10.rdp shortcut.

3.4. Paste the Certificates on the Windows 10 Desktop

  1. Right-click on the Desktop and click Paste.
  2. Confirm that the root_ca.cer and vescsrv-01a.corp.local.cer files appear on the Desktop.
  3. Double-click the root_ca.cer file.

3.5. Install the root_ca.cer

Click Install Certificate...

3.5.1. Select Local Machine for the Store Location

  1. Select Local Machine for the Store Location.
  2. Click Next.

3.5.2. Select the Certificate Store

  1. Select Place all certificates in the following store.
  2. Click Browse.
  3. Select Trusted Root Certification Authorities.
  4. Click OK.
  5. Click Next.

3.5.3. Complete the Certificate Import Wizard

Click Finish.

3.5.4. Close the Certificate Wizard

  1. Click OK to confirm the Certificate Import Wizard was successful.
  2. Click OK to close the root_ca.cer window.

3.6. Install the vescsrv-01a.corp.local.cer

Double-click the vescsrv-01a.corp.local.cer file from the Desktop.

3.6.1. Install the Certificate

Click Install Certificate...

3.6.2. Select Local Machine for the Store Location

  1. Select Local Machine for the Store Location.
  2. Click Next.

3.6.3. Select the Certificate Store

  1. Select Place all certificates in the following store.
  2. Click Browse...
  3. Select Personal.
  4. Click OK.
  5. Click Next.

3.6.4. Complete the Certificate Import Wizard

Click Finish.

3.6.5. Close the Certificate Wizard

  1. Click OK to confirm the Certificate Import Wizard was successful.
  2. Click OK to close the vescsrv-01a.corp.local.cer window.
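The same two imports as sections 3.5 and 3.6, done from an elevated PowerShell prompt on the Windows 10 device, followed by a check that the host certificate actually chains to the imported root and carries the redirect host name configured in section 1.2. This is an added example, not part of the lab guide; it assumes both .cer files are already on the current user's Desktop (section 3.4).

```powershell
# Added example (not from the lab guide). Run as Administrator on the Windows 10 VM.
# Assumes root_ca.cer and vescsrv-01a.corp.local.cer were pasted to the Desktop (section 3.4).
$desktop = [Environment]::GetFolderPath('Desktop')
$rootCer = Join-Path $desktop 'root_ca.cer'
$hostCer = Join-Path $desktop 'vescsrv-01a.corp.local.cer'

# Section 3.5: Connector root CA -> Local Machine \ Trusted Root Certification Authorities
$rootCert = Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root'

# Section 3.6: Connector host certificate -> Local Machine \ Personal
$hostCert = Import-Certificate -FilePath $hostCer -CertStoreLocation 'Cert:\LocalMachine\My'

# Check 1: the host certificate must name the Redirect Host Name from section 1.2,
# otherwise the browser rejects the Kerberos redirect even though the root is trusted.
$redirectHost = 'vescsrv-01a.corp.local'
if ($hostCert.DnsNameList.Unicode -notcontains $redirectHost) {
    Write-Warning "Host certificate does not list $redirectHost (found: $($hostCert.DnsNameList.Unicode -join ', '))"
}

# Check 2: the chain must build from the host certificate up to the root just imported.
# Revocation checking is disabled because the lab's self-signed root publishes no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($hostCert)) {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -eq $rootCert.Thumbprint) {
        "Chain OK: $($hostCert.Subject) -> $($rootCert.Subject)"
    } else {
        Write-Warning "Chain ends at an unexpected root: $($top.Subject)"
    }
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.Status) - $($_.StatusInformation)" }
}
```

If the chain check fails, compare the thumbprint of the imported root against the root_ca.cer on the Connector (C:\VMware\IDMConnector\usr\local\horizon\conf) before retrying section 4.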

4. Authenticate with Kerberos using the Workspace ONE App

  1. Click the Workspace ONE App from the task bar.
  2. Enter https://{yourtenant}.vidmpreview.com for the URL.
    NOTE - Replace {yourtenant} with your actual tenant name that you accessed in previous steps!
  3. Click Continue.

4.1. Select the corp.local Domain

  1. Select corp.local for the Domain.
  2. Click Next.

4.2. Enter Credentials for Windows Authentication

  1. Enter "[email protected]" for the username.
  2. Enter "VMware1!" for the password.
  3. Click OK.

4.3. Enter Workspace

Click Enter after the workspace finishes building.

4.4. Confirm User Details

  1. Click the User icon.
  2. Click the Account tab.
  3. Confirm that the User details show that we successfully signed in as [email protected].

This confirms that we were able to successfully enable Kerberos authentication for our Connector, configure our Policy Rules to authenticate our Windows 10 users via Kerberos, and then authenticate using Windows Authentication via Kerberos from our Windows 10 device by leveraging the Workspace ONE application.

5. Return to the ControlCenter VM

Click the X on the Remote Desktop session at the top of your screen to return to the ControlCenter VM.
