Configure Kerberos Auth in vIDM

In this section, we are going to configure Kerberos Auth in vIDM. Once the configuration is completed, we will validate it by logging in using Kerberos.

Ensure that you are on the Main Console server

Before we proceed with this section, let us ensure that we are back at the Main Console. You should see all the RDP shortcuts on the Desktop. If not, please go back and follow the steps to close the RDP session from the vIDM-01 VM to return to the Main Console.

Launch Chrome Browser

Ensure that you are on the Main Console. If you are not, please follow the previous step to log out of the Connector-01 VM and go back to the Main Console.

On the Main Console Toolbar, click on the icon to launch Chrome.

Login to VIDM Console (IF NEEDED)

Navigate to the VIDM Console URL

  1. Enter the default admin account admin
  2. Enter the admin account password VMware1!
  3. Click Sign in

  1. Click on Identity & Access Management
  2. Click on Setup
  3. Click on the Connector worker object

  1. Click on the Auth Adapters tab
  2. Click on the KerberosIdpAdapter adapter name

Allow pop-ups for Admin Console (IF NEEDED)

If the previous step does not open the Authentication Adapter page, you may need to allow pop-ups in your browser.

  1. Click on the pop-up warning sign on the right side of the browser navigation bar
  2. Select Always allow pop-ups from
  3. Click Done

Authentication Adapter

  1. Ensure that KerberosIdpAdapter is the Name
  2. Enter sAMAccountName as the Directory UID Attribute
  3. Check the Enable Windows Authentication box
  4. Click Save

Confirm KerberosIdpAdapter Enabled

Confirm the KerberosIdpAdapter is Enabled

Return to the vIDM Admin Console

Switch to the tab of your vIDM Console i.e.

Add Network Range

In the vIDM Admin Console

  1. Click on the Identity & Access Management tab
  2. Click on Setup
  3. Click on Network Ranges
  4. Click on Add Network Range

Add Network Range

  1. Type Internal as the network range name
  2. Type as the start of the IP range
  3. Type as the end of the IP range
  4. Click Save

Confirm New Network Range

Confirm that the new network range has been added with the name Internal

Edit Default Access Policy

  1. Navigate to Identity & Access Management tab
  2. Click on Manage
  3. Click on Policies
  4. Click on default_access_policy_set

Add New Policy Rule

  1. Scroll down until you see the section Policy Rules
  2. Click on the + symbol to add a new policy rule

Add New Policy Rule

  1. Select Internal from the network range drop-down menu
  2. Select Web Browser from the client type drop-down
  3. Select Kerberos from the authentication method drop-down
  4. Select Password from the fallback authentication method drop-down
  5. Click OK

Change Policy Rule Order

  1. Scroll Down until you see the option Save
  2. Drag and drop the new policy rule for the Internal network range to the top
  3. Click Save

Launch Start Menu

Click on the icon to launch Start Menu

Select Internet Explorer

From the Start Menu, click on the icon to launch Internet Explorer

By default, Windows will not exchange Kerberos credentials with a website it does not trust, even if that website is within an internal domain. The settings that mark websites as trusted endpoints for Kerberos authentication in Windows are maintained in Internet Explorer's security zones and inherited by other browsers. Usually these settings are propagated to domain-joined machines via Group Policy (GPO), but for the purpose of this lab the configuration is done manually.

  1. Click on the settings icon on the top right
  2. Click on Internet Options

  1. Click on the Security tab
  2. Click on Local Intranet
  3. Click on Sites

Local Intranet Advanced Settings

Click on Advanced

Add Connector as a Local Intranet Site

  1. Enter https://connector-01.corp.local in the website text box
  2. Click Add
  3. Click Close

Click OK successively to close all the pop-up windows.
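The Internet Options steps above store the trusted site as entries under the Internet Settings ZoneMap registry key. As an added example that is not part of the lab guide, the PowerShell script below makes the same change for the connector host and then verifies it; the function and parameter names are ours, and it assumes per-user (HKCU) zone settings, which is the default unless Group Policy enforces machine-only security zones.

```powershell
# Added example, not from the lab guide: add a host to the IE "Local intranet"
# zone by writing the ZoneMap registry entries that the Internet Options
# dialog writes, then verify the result. Hostname from the lab; function and
# parameter names are ours. Assumes per-user (HKCU) zone settings.
param(
    [string]$Hostname = 'connector-01.corp.local',
    [string]$Scheme   = 'https'
)

$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$LocalIntranetZone = 1   # ZoneMap zone IDs: 1 = Local intranet, 2 = Trusted sites, 3 = Internet

function Get-ZoneMapPath {
    # "connector-01.corp.local" -> ...\Domains\corp.local\connector-01
    param([string]$Hostname)
    $labels = $Hostname.ToLower().Split('.')
    if ($labels.Length -lt 2) { throw "Expected a fully qualified host name, got '$Hostname'" }
    $domain = $labels[-2..-1] -join '.'
    $path   = Join-Path $ZoneMapDomains $domain
    if ($labels.Length -gt 2) {
        $path = Join-Path $path ($labels[0..($labels.Length - 3)] -join '.')
    }
    return $path
}

function Set-LocalIntranetSite {
    param([string]$Hostname, [string]$Scheme)
    $path = Get-ZoneMapPath -Hostname $Hostname
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # One DWORD per scheme: https = 1 places https://<host> in Local intranet
    New-ItemProperty -Path $path -Name $Scheme -PropertyType DWord `
        -Value $LocalIntranetZone -Force | Out-Null
}

function Test-LocalIntranetSite {
    param([string]$Hostname, [string]$Scheme)
    $path = Get-ZoneMapPath -Hostname $Hostname
    if (-not (Test-Path $path)) { return $false }
    $entry = Get-ItemProperty -Path $path -Name $Scheme -ErrorAction SilentlyContinue
    return ($null -ne $entry -and $entry.$Scheme -eq $LocalIntranetZone)
}

Set-LocalIntranetSite -Hostname $Hostname -Scheme $Scheme
if (Test-LocalIntranetSite -Hostname $Hostname -Scheme $Scheme) {
    Write-Output "${Scheme}://$Hostname is in the Local intranet zone; browsers will negotiate Kerberos with it"
} else {
    Write-Output "ZoneMap entry for ${Scheme}://$Hostname is missing or in another zone"
}
```

Run Test-LocalIntranetSite on its own to audit a machine without changing it; a host missing from the Local intranet zone is the usual reason a browser falls back to the password prompt instead of Kerberos.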

Click on the icon from the Toolbar to return to Chrome

Open an Incognito Window

  1. Click on the Chrome Menu icon
  2. Click New Incognito Window

Test Kerberos Authentication

  1. In the incognito window, navigate to your vIDM console
  2. Select corp.local from the domain drop-down
  3. Click Next

Validate that Kerberos Authentication is successful

Validate that you are logged in successfully without having to enter a username and password. This login used the Kerberos authentication that we configured in the previous section.