Setup Kerberos Authentication Adapter

This section will review how to configure Kerberos authentication through the IDM Connector to enable Windows Single Sign On.

1. Setup Kerberos Authentication using the Batch File

The setupKerberos.bat file that you need to run is located on the server where the VMware Identity Manager Connector service was installed, conn-01a.corp.local.

Double-click the conn-01a.rdp link on the Desktop to connect to the conn-01a server.

1.1. Run the setupKerberos.bat file

  1. Click the File Explorer icon from the task bar.
  2. Click Local Disk (C:).
  3. Click VMware.
  4. Click IDMConnector.
  5. Click usr.
  6. Click local.
  7. Click horizon.
  8. Click scripts.
  9. Right-click the setupKerberos.bat file.
  10. Click Run as Administrator.

1.2. Enter the User Credentials (IF NEEDED)

  1. Enter "corp\administrator" for the Username.
  2. Enter "VMware1!" for the Password.
  3. After the PowerShell window closes and the process finishes, press any key to continue.

1.3. Return to the Main Console

After the setupKerberos.bat file has completed running, return to the Main Console in order to save the KerberosIdpAdapter.

Click the Close (X) button on the Remote Desktop Connection bar at the top of your screen.

NOTE: If you do not see the Remote Desktop Connection bar, you may have un-pinned the bar. Hover your mouse over the top and center part of the screen to reveal it.

2. Enable the Kerberos Authentication Adapter on the Connector

In the VMware Identity Manager Administration Console:

  1. Click Identity & Access Management.
  2. Click Setup.
  3. Click Connectors.
  4. Click the Lab worker link.
  5. Click the Auth Adapters tab.
  6. Click KerberosIdpAdapter.

NOTE: The page may take several seconds to load after clicking the KerberosIdpAdapter link. Please be patient while it loads!

2.2. Allow Auth Adapter Popup (IF NEEDED)

If the Auth Adapter pop-up does not load and the pop-up shows it has been blocked, follow these steps.  Otherwise, continue to the next step.

  1. Click the Pop-up blocked button.
  2. Select Always allow pop-ups.
  3. Click Done.

2.3. Configure KerberosIdpAdapter Authentication Adapter

  1. Enter sAMAccountName for the Directory UID Attribute.
  2. Check Enable Windows Authentication.
  3. Check Enable Redirect.
  4. Enter conn-01a.corp.local for the Redirect Host Name.
  5. Click Save.

NOTE: The KerberosIdpAdapter may take several minutes to save. Please do not navigate away from the page or refresh while this completes!

2.4. Confirm the KerberosIdpAdapter is Enabled

  1. The KerberosIdpAdapter should now show as Enabled.
  2. Click Admin Console to return.

3. Update the Policy Rules

  1. Click Identity & Access Management.
  2. Click Manage.
  3. Click Policies.
  4. Click Edit Default Policy.

3.1. Add Policy Rule

  1. Click the Configuration tab.
  2. Click Add Policy Rule.

3.2. Configure Policy Rule Details

  1. Select ALL RANGES for the Network Range.
  2. Select Windows 10 for the Device Type.
  3. Select Kerberos for the primary Authentication Method.
  4. Select Password for the fallback Authentication Method.

3.3. Save the New Policy Rule

  1. Scroll down to find the Save button.
  2. Click Save.

3.4. Update the Policy Rule Order

  1. Click and drag the created Windows 10 policy rule to the top of the list.
  2. Click Next.

The order of the Policy Rules determines the order in which they are processed when users authenticate. For this exercise, you want the newly created policy rule to be processed first.
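Why the rule order in step 3.4 matters, shown as an added example (not VMware code and not part of the original lab): a simplified first-match model of ordered policy rules with a primary and a fallback authentication method. The catch-all rule, the "*" device wildcard, the client address 10.0.0.25 and all function names are assumptions constructed for illustration.

```python
# Added example: simplified model of ordered, first-match access policy rules.
# Everything except the page's Windows 10 rule settings is constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_RANGES = ("0.0.0.0/0",)  # stands in for the "ALL RANGES" network range
ANY_DEVICE = "*"             # hypothetical wildcard used by the catch-all rule


@dataclass(frozen=True)
class Rule:
    name: str
    ranges: tuple
    device_type: str
    methods: tuple           # (primary, fallback), tried in this order

    def matches(self, src_ip, device_type):
        in_range = any(ip_address(src_ip) in ip_network(r) for r in self.ranges)
        return in_range and self.device_type in (ANY_DEVICE, device_type)


def evaluate(rules, src_ip, device_type, usable_methods):
    """Return (rule name, method used); a method of None means access denied.

    Only the first matching rule is consulted; later rules are never reached.
    usable_methods is the set of methods this client is able to complete.
    """
    for rule in rules:
        if rule.matches(src_ip, device_type):
            for method in rule.methods:
                if method in usable_methods:
                    return rule.name, method
            return rule.name, None   # rule matched, but every method failed
    return None, None                # no rule matched this request


WIN10 = Rule("Windows 10", ALL_RANGES, "Windows 10", ("Kerberos", "Password"))
CATCH_ALL = Rule("Catch-all (constructed)", ALL_RANGES, ANY_DEVICE, ("Password",))

LAB_ORDER = [WIN10, CATCH_ALL]    # the order set in step 3.4
WRONG_ORDER = [CATCH_ALL, WIN10]  # the new rule left at the bottom of the list

if __name__ == "__main__":
    domain_pc = {"Kerberos", "Password"}  # client that can present a ticket
    other_pc = {"Password"}               # client that cannot complete Kerberos
    for label, rules in (("lab order", LAB_ORDER), ("wrong order", WRONG_ORDER)):
        for who, usable in (("domain PC", domain_pc), ("other PC", other_pc)):
            print(label, "|", who, "|", evaluate(rules, "10.0.0.25", "Windows 10", usable))
```

In this model a sign-in that succeeds under the Windows 10 rule may still have used the Password fallback, so the method returned is the value to check when confirming that Kerberos was actually used.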

3.5. Save Default Access Policy Set Changes

Click Save.

4. Authenticate with Kerberos using the Workspace ONE App

From the Desktop, double-click the Win10-01a.rdp shortcut.

4.1. Use the Workspace ONE App to Connect To Your Tenant

  1. Click the Workspace ONE App from the task bar.
  2. Enter https://vidm-01a.corp.local for the URL.
  3. Click Continue.

4.2. Select the corp.local Domain

  1. Select corp.local for the Domain.
  2. Click Next.

4.3. Enter Credentials for Windows Authentication

  1. Enter [email protected] for the username.
  2. Enter VMware1! for the password.
  3. Click OK.

4.4. Enter Workspace

Click Enter after the workspace finishes building.

4.5. Confirm User Details

  1. Click the User icon.
  2. Click the Account tab.
  3. Confirm that the User details show that we successfully signed in as [email protected].

This confirms that we were able to successfully enable Kerberos authentication for our Connector, configure our Policy Rules to authenticate our Windows 10 users via Kerberos, and then authenticate using Windows Authentication via Kerberos from our Windows 10 device by leveraging the Workspace ONE application.

5. Return to the Main Console

Click the X on the Remote Desktop session at the top of your screen to return to the Main Console.
