Setup Kerberos Authentication Adapter
This section will review how to configure Kerberos authentication through the IDM Connector to enable Windows Single Sign On.
1. Setup Kerberos Authentication using the Batch File
The setupKerberos.bat file must be run on the server where the VMware Identity Manager Connector service was installed, which in this lab is conn-01a.corp.local.
Double-click the conn-01a.rdp link on the Desktop to connect to the conn-01a server.
1.1. Run the setupKerberos.bat file
- Click the File Explorer icon from the task bar.
- Click Local Disk (C:).
- Click VMware.
- Click IDMConnector.
- Click usr.
- Click local.
- Click horizon.
- Click scripts.
- Right-click the setupKerberos.bat file.
- Click Run as Administrator.
1.2. Enter the User Credentials (IF NEEDED)
- Enter "corp\administrator" for the Username.
- Enter "VMware1!" for the Password.
- After the PowerShell window closes and the process finishes, press any key to continue.
1.3. Return to the Main Console
After the setupKerberos.bat file has completed running, return to the Main Console in order to save the KerberosIdpAdapter.
Click the Close (X) button on the Remote Desktop Connection bar at the top of your screen.
NOTE: If you do not see the Remote Desktop Connection bar, you may have un-pinned the bar. Hover your mouse over the top and center part of the screen to reveal it.
2. Enable the Kerberos Authentication Adapter on the Connector
In the VMware Identity Manager Administration Console:
- Click Identity & Access Management.
- Click Setup.
- Click Connectors.
- Click the Lab worker link.
2.1. Navigate to the KerberosIdpAdapter
- Click the Auth Adapters tab.
- Click KerberosIdpAdapter.
NOTE - The page may take several seconds to load after clicking the KerberosIdpAdapter link. Please be patient while it loads!
2.2. Allow Auth Adapter Popup (IF NEEDED)
If the Auth Adapter pop-up does not load and the browser indicates that the pop-up was blocked, follow these steps. Otherwise, continue to the next step.
- Click the Pop-up blocked button.
- Select Always allow pop-ups.
- Click Done.
2.3. Configure KerberosIdpAdapter Authentication Adapter
- Enter sAMAccountName for the Directory UID Attribute.
- Check Enable Windows Authentication.
- Check Enable Redirect.
- Enter conn-01a.corp.local for the Redirect Host Name.
- Click Save.
NOTE - The KerberosIdpAdapter may take several minutes to save. Please do not navigate away from the page or refresh while this completes!
2.4. Confirm the KerberosIdpAdapter is Enabled
- The KerberosIdpAdapter should now show as Enabled.
- Click Admin Console to return.
3. Update the Policy Rules
- Click Identity & Access Management.
- Click Manage.
- Click Policies.
- Click Edit Default Policy.
3.2. Configure Policy Rule Details
- Select ALL RANGES for the Network Range.
- Select Windows 10 for the Device Type.
- Select Kerberos for the primary Authentication Method.
- Select Password for the fallback Authentication Method.
3.3. Save the New Policy Rule
- Scroll down to find the Save button.
- Click Save.
3.4. Update the Policy Rule Order
- Click and drag the created Windows 10 policy rule to the top of the list.
- Click Next.
The order of the Policy Rules determines the order in which they are evaluated when users authenticate; the first rule that matches the request is applied. For this exercise, you want the newly created Windows 10 rule to be evaluated first, so that it is not shadowed by a more general rule above it.
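To make the ordering point concrete, here is an added example (not part of the lab guide or the product) that models first-match evaluation of an ordered policy set. The rule set, the client IP and the assumed pre-existing catch-all "Password" rule are constructed for illustration.

```python
"""
Added example (not from the lab guide): a minimal model of how an ordered
access-policy set is evaluated, showing why step 3.4 drags the new rule
to the top. The rules and request values below are constructed; the
catch-all "Default" rule is an assumption about the pre-existing policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PolicyRule:
    name: str
    network_ranges: List[str]   # CIDR strings; "ALL RANGES" matches any client IP
    device_types: List[str]     # e.g. "Windows 10"; "ALL" matches any device type
    primary_auth: str
    fallback_auth: Optional[str] = None

    def matches(self, client_ip: str, device_type: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        in_range = "ALL RANGES" in self.network_ranges or any(
            ip in ipaddress.ip_network(r) for r in self.network_ranges
        )
        device_ok = "ALL" in self.device_types or device_type in self.device_types
        return in_range and device_ok


def select_auth_methods(rules: List[PolicyRule], client_ip: str,
                        device_type: str) -> Optional[Tuple[str, Optional[str]]]:
    """First matching rule wins; returns (primary, fallback) or None if nothing matches."""
    for rule in rules:
        if rule.matches(client_ip, device_type):
            return rule.primary_auth, rule.fallback_auth
    return None


# Constructed rule set: the Kerberos rule from step 3.2 plus an assumed catch-all.
KERBEROS_RULE = PolicyRule("Windows 10 Kerberos", ["ALL RANGES"], ["Windows 10"],
                           "Kerberos", "Password")
CATCH_ALL_RULE = PolicyRule("Default", ["ALL RANGES"], ["ALL"], "Password")


def methods_before_reorder(client_ip="192.168.110.50", device_type="Windows 10"):
    # New rule left at the bottom: the catch-all matches first, Kerberos is never attempted.
    return select_auth_methods([CATCH_ALL_RULE, KERBEROS_RULE], client_ip, device_type)


def methods_after_reorder(client_ip="192.168.110.50", device_type="Windows 10"):
    # Step 3.4 moves the Windows 10 rule to the top: Kerberos first, Password as fallback.
    return select_auth_methods([KERBEROS_RULE, CATCH_ALL_RULE], client_ip, device_type)
```

A non-Windows device still falls through to the catch-all rule after the reorder, which is the intended behaviour.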
3.5. Save Default Access Policy Set Changes
Click Save.
4. Authenticate with Kerberos using the Workspace ONE App
From the Desktop, double-click the Win10-01a.rdp shortcut.
4.1. Use the Workspace ONE App to Connect To Your Tenant
- Click the Workspace ONE App from the task bar.
- Enter https://vidm-01a.corp.local for the URL.
- Click Continue.
4.2. Select the corp.local Domain
- Select corp.local for the Domain.
- Click Next.
4.3. Enter Credentials for Windows Authentication
- Enter [email protected] for the username.
- Enter VMware1! for the password.
- Click OK.
4.4. Enter Workspace
Click Enter after the workspace finishes building.
4.5. Confirm User Details
- Click the User icon.
- Click the Account tab.
- Confirm that the User details show that we successfully signed in as [email protected].
This confirms that we were able to successfully enable Kerberos authentication for our Connector, configure our Policy Rules to authenticate our Windows 10 users via Kerberos, and then authenticate using Windows Authentication via Kerberos from our Windows 10 device by leveraging the Workspace ONE application.
5. Return to the Main Console
Click the X on the Remote Desktop session at the top of your screen to return to the Main Console.