Setup Kerberos Authentication Adapter

This section reviews how to configure Kerberos authentication through the IDM Connector to enable Windows single sign-on (SSO).

1. Enable the Kerberos Authentication Adapter on the Connector

The setupKerberos.bat script that enables Kerberos authentication for the VMware Identity Manager Connector lives on the server where the Connector service was installed; in this lab that is conn-01a.corp.local.

Double-click the conn-01a.rdp link on the Main Console Desktop to connect to the conn-01a server.

1.1. Run the setupKerberos.bat file

  1. Click the File Explorer icon from the task bar.
  2. Click Local Disk (C:).
  3. Click VMware.
  4. Click IDMConnector.
  5. Click usr.
  6. Click local.
  7. Click horizon.
  8. Click scripts.
  9. Right-click the setupKerberos.bat file.
  10. Click Run as Administrator.

1.2. Enter the User Credentials (IF NEEDED)

  1. Enter CORP\Administrator for the Username.
  2. Enter VMware1! for the Password.
  3. After the PowerShell window closes and the process finishes, press any key to continue.
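Before leaving conn-01a, it is worth confirming the three things Kerberos depends on: the host is domain joined, exactly one account holds the connector's service principal name (SPN), and the clock is within the domain's skew tolerance. The PowerShell below is an added example, not part of the lab or of the VMware script; it assumes the connector is reached as conn-01a.corp.local and that its SPN is HTTP/conn-01a.corp.local (the lab does not print the SPN the script registers, so adjust `$ConnectorFqdn` and `$Spn` to match your environment).

```powershell
# Added example (not part of the lab): post-script checks on conn-01a.
# Assumptions: the connector is reached as conn-01a.corp.local and its Kerberos
# SPN is HTTP/conn-01a.corp.local; adjust both if yours differ.
$ConnectorFqdn = 'conn-01a.corp.local'
$Spn           = "HTTP/$ConnectorFqdn"

# 1. Domain membership: without it the connector cannot validate tickets.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "$($cs.Name) is not joined to a domain; Kerberos cannot work." }
Write-Host "Domain joined: $($cs.Domain)"

# 2. SPN registration: exactly one account may hold the SPN. A duplicate
#    (for example one left behind by an earlier connector build) breaks
#    Kerberos for every holder, and a missing SPN means no service ticket
#    can ever be issued for the connector.
$query   = setspn.exe -Q $Spn 2>&1 | Out-String
$holders = @([regex]::Matches($query, '(?m)^(CN=[^\r\n]+)') | ForEach-Object { $_.Groups[1].Value })
switch ($holders.Count) {
    0       { Write-Warning "$Spn is not registered; Kerberos SSO to the connector will fail." }
    1       { Write-Host "SPN $Spn is held by $($holders[0])" }
    default { Write-Warning "Duplicate SPN $Spn held by:`n$($holders -join "`n")" }
}

# 3. Clock skew: tickets are rejected when host and KDC differ by more than
#    the domain tolerance (5 minutes by default). Measure against the PDC.
$dc     = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$sample = w32tm.exe /stripchart /computer:$dc /samples:1 /dataonly 2>&1 | Out-String
if ($sample -match '([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    if ($skew -gt 300) { Write-Warning "Clock skew to $dc is ${skew}s; Kerberos tickets will be rejected." }
    else               { Write-Host "Clock skew to $dc is ${skew}s (OK)." }
} else {
    Write-Warning "Could not measure clock skew against ${dc}:`n$sample"
}
```

Run it in an elevated PowerShell window on conn-01a. If the SPN check reports a duplicate, resolve it in Active Directory before continuing; enabling the adapter in the console will not fix a broken SPN registration.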

1.3. Return to the Main Console

After the setupKerberos.bat file has completed running, return to the Main Console in order to save the KerberosIdpAdapter.

Click the Close (X) button on the Remote Desktop Connection bar at the top of your screen.

NOTE: If you do not see the Remote Desktop Connection bar, you may have un-pinned it. Hover your mouse over the top center of the screen to reveal it.

1.4. Open the KerberosIdpAdapter

In the VMware Identity Manager Administration Console,

  1. Click Identity & Access Management.
  2. Click Setup.
  3. Click Connectors.
  4. Click the Lab worker link.
  5. Click the Auth Adapters tab.
  6. Click KerberosIdpAdapter.

NOTE - The page may take several seconds to load after clicking the KerberosIdpAdapter link. Please be patient while it loads!

1.5. Configure the KerberosIdpAdapter Authentication Adapter

  1. Enter sAMAccountName for the Directory UID Attribute.
  2. Check Enable Windows Authentication.
  3. Click Save.

NOTE - The KerberosIdpAdapter may take several minutes to save. Please do not navigate away from the page or refresh while this completes!

1.6. Confirm the KerberosIdpAdapter is Enabled

  1. The KerberosIdpAdapter should now show as Enabled.
  2. Click Admin Console to return.

2. Update the Policy Rules

  1. Click Identity & Access Management.
  2. Click Manage.
  3. Click Policies.
  4. Click Edit Default Policy.

2.1. Add Policy Rule

  1. Click Configuration.
  2. Click Add Policy Rule.

2.2. Configure Policy Rule Details

  1. Select ALL RANGES for the Network Range.
  2. Select Windows 10 for the Device Type.

2.3. Configure Policy Rule Authentication

  1. Scroll down to the bottom.
  2. Select Authenticate using... for the action.
  3. Select Kerberos for the authentication action.
  4. Select Password (cloud deployment) for the fallback authentication action.
  5. Click Save.

2.4. Update the Policy Rule Order

  1. Click and drag the new Windows 10 policy rule to the top of the list. Rules are evaluated from the top down and the first match wins, so if a broader rule sits above it, Windows 10 devices will match that rule and Kerberos will never be attempted.
  2. Click Next.

2.5. Review and Save the Policy Rule Changes

Review the configuration as desired and click Save.

You have now configured the default policy to authenticate all Windows 10 devices using Kerberos, falling back to Password (cloud deployment) when Kerberos is not applicable or fails.

3. Authenticate with Kerberos using the Workspace ONE App

From the Desktop, double-click the Win10-01a.rdp shortcut.

3.1. Use the Workspace ONE App to Connect To Your Tenant

  1. Click the Workspace ONE App from the task bar.
  2. Enter https://{yourtenant} for the URL.
    NOTE - Replace {yourtenant} with your actual tenant name that you accessed in previous steps!
  3. Click Continue.

3.2. Select the corp.local Domain

  1. Select corp.local for the Domain.
  2. Click Next.

3.3. Enter Workspace

Click Enter after the workspace finishes building.

3.4. Confirm User Details

Notice that you were authenticated via Kerberos without having to enter any additional credentials.

  1. Click the User icon.
  2. Click the Account tab.
  3. Confirm that the User details show that you signed in as [email protected]. This is the account that is logged on to the Windows 10 virtual machine you are connected to.

This confirms that Kerberos authentication is enabled on the Connector, that the policy rules authenticate Windows 10 users via Kerberos, and that the Workspace ONE app on a domain-joined Windows 10 device signed in with Windows authentication via Kerberos without prompting for credentials.
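The account page shows who signed in, but not how. A password fallback (the second action in the policy rule) lands on the same page, so the only client-side proof that Kerberos was used is a service ticket for the connector in the logon session's ticket cache. The PowerShell below is an added example, not part of the lab; run it on Win10-01a in the same session that just signed in with the Workspace ONE app. It assumes the connector's SPN is HTTP/conn-01a.corp.local (adjust `$Spn` if setupKerberos.bat registered a different name).

```powershell
# Added example (not part of the lab): run on Win10-01a after signing in with
# the Workspace ONE app to prove the sign-in used Kerberos, not a password.
# Assumption: the connector's SPN is HTTP/conn-01a.corp.local; adjust $Spn.
$Spn = 'HTTP/conn-01a.corp.local'

function Get-CachedKerberosServers {
    # klist lists every ticket in the current logon session. Each entry has a
    # "Server: <spn> @ <REALM>" line; return only the SPN part of each.
    $out = klist.exe tickets 2>&1 | Out-String
    @([regex]::Matches($out, 'Server:\s*(\S+)') | ForEach-Object { $_.Groups[1].Value })
}

$servers = Get-CachedKerberosServers

if (-not ($servers -match '^krbtgt/')) {
    # No TGT at all: the Windows logon itself was not Kerberos (local account,
    # cached logon with the DC unreachable, or not domain joined).
    Write-Warning 'No TGT in the cache; this session cannot have used Kerberos SSO.'
} elseif ($servers -match ('^' + [regex]::Escape($Spn) + '$')) {
    Write-Host "OK: service ticket for $Spn is cached; the Workspace ONE sign-in used Kerberos."
} else {
    # TGT present but no ticket for the connector: the policy fell back to
    # password, or the SPN the app requested differs from $Spn.
    Write-Warning "No service ticket for $Spn; the sign-in fell back to password or the SPN differs."
    Write-Host 'Cached service tickets:'
    $servers | ForEach-Object { "  $_" }
}
```

To repeat the test cleanly, run `klist purge` in the same session, sign out of and back into the Workspace ONE app, and run the script again; the HTTP/ ticket should reappear only if the Kerberos exchange with the connector succeeded.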

4. Return to the Main Console

Click the X on the Remote Desktop session at the top of your screen to return to the Main Console.

