IF YOU TOOK MODULE 02 IN THE SAME LAB SESSION, RESTART THIS LAB BEFORE STARTING MODULE 03! Module 03 reuses many of the assets and configurations created in Module 02, and the quickest way to start Module 03 from a clean install is to restart the lab.
This module guides you through setting up Identity Bridging (Certificate to Kerberos) to provide Single Sign-On (SSO) to a legacy web application through VMware Browser and Unified Access Gateway.
In identity bridging mode, Unified Access Gateway acts as the service provider that passes user authentication on to the configured legacy applications; in this exercise the user authenticates with a certificate.
When you use VMware Browser to open the target website, Unified Access Gateway acts as the reverse proxy in front of that website and validates the client certificate presented in the TLS handshake. If the certificate is valid, the browser displays the user interface of the back-end application.
During the lab you will:
- Deploy a Unified Access Gateway appliance with two NICs: one facing the Internet and one dedicated to management and back-end access. The Web Reverse Proxy configuration used to reach the intranet is applied automatically during deployment by the PowerShell deployment script.
- Configure Internet Information Services (IIS) to support Kerberos authentication.
- Configure Kerberos Delegation on the Service Account.
- Configure Identity Bridging on Unified Access Gateway.
- Configure VMware Enterprise Systems Connector to integrate Microsoft AD with Workspace ONE UEM.
- Configure CA integration on Workspace ONE UEM.
- Configure VMware Browser to use Certificate for Authentication.
- Test SSO access to an internal Web Application performing Certificate to Kerberos authentication through VMware Browser.
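The IIS and Active Directory parts of the list above (Kerberos on the back-end site, constrained delegation for the account UAG uses, and the keytab UAG needs) can be done from one PowerShell session. The script below is an added example, not part of the lab manual or of any VMware product; the service account name CORP\svc-uag, the IIS application path 'Default Web Site/itbudget', the web server's computer account CORP\IT$ and the UAG principal HTTP/uag.airwlab.com are assumptions. Only it.corp.local and CORP.LOCAL come from the lab text.

```powershell
# Added example (not from the lab manual): Kerberos settings on the back-end IIS app
# and the constrained-delegation rights the UAG service account needs.
# Assumed names: CORP\svc-uag (account whose keytab is uploaded to UAG),
# IIS app at 'Default Web Site/itbudget' on it.corp.local, computer account CORP\IT$.
# Run in an elevated PowerShell on the IIS server as a domain admin.
Import-Module WebAdministration
Import-Module ActiveDirectory

$SiteLocation    = 'Default Web Site/itbudget'   # assumed IIS site/application path
$UagAccount      = 'svc-uag'                     # assumed UAG Kerberos service account
$BackendSpn      = 'HTTP/it.corp.local'          # SPN of the internal site from the lab
$ComputerAccount = 'CORP\IT$'                    # assumed computer account of it.corp.local

# 1. IIS: Windows Authentication on, Anonymous off. The default provider order
#    (Negotiate, then NTLM) is kept so Kerberos is offered first.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteLocation `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteLocation `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $true

# 2. The HTTP SPN UAG will request a ticket for must belong to the identity that
#    decrypts it; with the default app-pool identity that is the machine account.
#    -S refuses to create a duplicate SPN, which would break Kerberos silently.
setspn -S $BackendSpn $ComputerAccount

# 3. Constrained delegation with protocol transition on the UAG account:
#    protocol transition lets it obtain a ticket for a user without that user's
#    credentials (UAG has already validated the certificate), and
#    msDS-AllowedToDelegateTo limits where that ticket may be presented.
Set-ADUser -Identity $UagAccount -TrustedToAuthForDelegation $true
Set-ADUser -Identity $UagAccount -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }

# 4. Keytab for the UAG identity-bridging settings (UAG principal assumed to be
#    HTTP/uag.airwlab.com). ktpass maps the SPN onto the account and, with /pass *,
#    prompts for and resets the account password.
ktpass /princ HTTP/uag.airwlab.com@CORP.LOCAL /mapuser "CORP\$UagAccount" `
    /pass * /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out .\uag.keytab

# 5. Verify: both attributes set, and only the intended SPN in the list.
Get-ADUser -Identity $UagAccount -Properties TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
```

Protocol transition is the sensitive part of this configuration: the account can now obtain a ticket for any user to the listed SPN without a password, so keep msDS-AllowedToDelegateTo to the one back-end SPN, treat the account and the keytab as privileged credentials, and keep administrators in Protected Users or marked "Account is sensitive and cannot be delegated", which exempts them from this delegation.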
This manual covers Unified Access Gateway 3.4 integrated with Workspace ONE UEM 9.7.
All of the following prerequisites are already installed for this module; the information is provided for reference only.
To configure Identity Bridging in Unified Access Gateway, you must use specific versions of VMware products.
- vSphere ESXi host managed by a vCenter Server.
- PowerShell script runs on Windows 8.1 or later machines or Windows Server 2008 R2 or later.
- The Windows machine running the script must have VMware OVF Tool command installed.
- You must install OVF Tool 4.3 or later from https://www.vmware.com/support/developer/ovf/
- Download the Unified Access Gateway virtual appliance image (an OVA file, e.g. euc-access-point-3.4.X.X-XXXXXXXXXXX.ova) from VMware. Refer to the VMware Product Interoperability Matrices to determine which version to download.
- Download the matching UAG PowerShell deployment script, named uagdeploy-VERSION.ZIP, and extract the files into a folder on your Windows machine. The scripts are hosted at https://my.vmware.com under the Unified Access Gateway product.
- Network access from the Unified Access Gateway Backend services NIC to the internal website used on the reverse proxy.
2. Authentication Flow
The diagram below shows, step by step, the authentication flow you will configure in this lab.
- The client navigates to the application URL https://uag.airwlab.com/itbudget and presents its client certificate to UAG in the TLS handshake.
- UAG checks that the client certificate chains to the configured CA and has not been revoked (CRL or OCSP, depending on the identity bridging settings).
- UAG extracts the user's UPN from the certificate's Subject Alternative Name and, using its Kerberos service account with constrained delegation and protocol transition, obtains a Kerberos service ticket for that user from Active Directory (CORP.LOCAL) without ever seeing the user's password.
- Unified Access Gateway authenticates to the internal web server (https://it.corp.local) with that ticket and proxies the application's pages back to the client.
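The same four steps can be replayed from a domain-joined Windows host before UAG is involved, which separates certificate problems from delegation problems. The script below is an added diagnostic, not UAG code and not from the lab manual. It assumes you run it as the UAG Kerberos service account (assumed CORP\svc-uag) after that account has been trusted for constrained delegation with protocol transition to HTTP/it.corp.local, and that the user's certificate has been exported without its private key to .\user.cer; the hostnames and realm are the ones from the flow above.

```powershell
# Added diagnostic (not UAG code): replays the certificate-to-Kerberos flow from a
# domain-joined Windows host. Run as the UAG Kerberos service account (assumed
# CORP\svc-uag), since only that account is trusted for delegation to HTTP/it.corp.local.
# Assumed input: the user's certificate (public part only) exported to .\user.cer.
Import-Module ActiveDirectory

$certPath = (Resolve-Path '.\user.cer').Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Step 2: build the chain with online revocation checking for every certificate in it
# and require the Client Authentication EKU; this mirrors the check UAG makes with its
# uploaded CA certificates and CRL/OCSP settings.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$clientAuthEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
[void]$chain.ChainPolicy.ApplicationPolicy.Add($clientAuthEku)
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ('{0}: {1}' -f $_.Status, $_.StatusInformation.Trim())
    }
    throw 'Certificate rejected: untrusted, expired, revoked, or revocation status unavailable'
}

# Step 3a: the UPN lives in the Subject Alternative Name (otherName, UPN), not the Subject.
$upn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
if ([string]::IsNullOrEmpty($upn)) { throw 'Certificate carries no UPN in its Subject Alternative Name' }
$user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
if (-not $user) { throw "No account in CORP.LOCAL matches $upn" }

# Step 3b: S4U2Self. Building a WindowsIdentity from a UPN asks the KDC for a ticket
# to ourselves on behalf of that user; no password is involved, which is exactly
# what protocol transition permits.
$identity = New-Object System.Security.Principal.WindowsIdentity($upn)
$ctx = $identity.Impersonate()
try {
    # Step 4: S4U2Proxy. Authenticating to the back end with the impersonated token
    # makes Windows request HTTP/it.corp.local for the user. This succeeds only if
    # TrustedToAuthForDelegation and msDS-AllowedToDelegateTo are set correctly;
    # otherwise the token is identification-level and the request gets 401.
    $resp = Invoke-WebRequest -Uri 'https://it.corp.local/itbudget/' -UseDefaultCredentials -UseBasicParsing
    'Back end returned {0} for {1}' -f $resp.StatusCode, $identity.Name
}
finally {
    $ctx.Undo()
}
```

If step 2 fails with a revocation status error, fix CRL or OCSP reachability from the UAG back-end NIC before going further, since UAG will reject the same certificate. If step 4 returns 401 while a direct browser logon to it.corp.local works, the problem is the delegation configuration on the service account or a missing or duplicate HTTP/it.corp.local SPN, not the certificate.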