Setup Kerberos Authentication Adapter

Your corp.local users can now authenticate to Workspace ONE Access for their App Catalog by providing their Active Directory credentials and leveraging the Lab Connector (conn-01.corp.local) for authentication.

Your corp.local users have requested for an easier way to access their App Catalog instead of having to re-enter their Active Directory credentials every 8 hours.  You could increase the re-authentication timer for your Access Policy, but your users will still need to regularly enter their Active Directory credentials.  What other options do you have?

You can setup the Kerberos Authentication adapter for your Connector and provide a Single Sign-On experience for your users.  That way your authentication cookies are not long-lasting but you alleviate the burden of your corp.local users have to manually enter their Active Directory credentials.

You will now configure the Kerberos authentication adapter to enable Windows Single Sign On.

1. Enable the Kerberos Authentication Adapter on the Connector

First, the domain account (CORP\Administrator) that is acting as a service account for the VMware Identity Manager Connector needs to be allowed to authenticate Kerberos requests.  A setupKerberos.bat file is provided with your VMware Identity Manager Connector install that can help you enable this requirement.

The setupKerberos.bat file that needs to be run is where the VMware Identity Manager Connector was installed, which is conn-01.corp.local.

Double-click the conn-01.rdp link on the Main Console desktop.

1.1. Run the setupKerberos.bat file

  1. Click the File Explorer icon from the task bar
  2. Click Local Disk (C:)
  3. Click VMware
  4. Click VMwareIdentityManager
  5. Click Connector
  6. Click usr
  7. Click local
  8. Click horizon
  9. Click scripts
  10. Right-click the setupKerberos.bat file
  11. Click Run as Administrator

1.2. Enter the User Credentials (IF NEEDED)

  1. Enter CORP\Administrator for the Username
  2. Enter VMware1! for the Password
  3. After the PowerShell window closes and the process finishes, press any key to continue to close the command prompt

1.3. Restart the VMware IDM Connector Windows Service

  1. Click the Windows Service shortcut from the task bar
  2. Right-click the VMware IDM Connector service
  3. Click Restart

Wait until the VMware IDM Connector service successfully stops and restarts before continuing.

1.4. Return to the Main Console

After the setupKerberos.bat file has completed running, return to the Main Console to finish setting up the Kerberos Authentication adapter in Workspace ONE Access.

Click the Close (X) button on the Remote Desktop Connector bar at the top of your screen.

NOTE: If you do not see the Remote Desktop Connection bar, you  may have un-pinned the bar.  Hover your mouse over the top and center part of the screen to reveal it.

In the Workspace ONE Access Administration Console,

  1. Click Identity & Access Management
  2. Click Setup
  3. Click Legacy Connectors
  4. Click the Lab worker link

NOTE: If you see an error that says Failed to execute the request, then the connector is still coming back online after the VMware IDM Connector service restart from earlier.  Wait a few minutes and refresh the page to check if it is back online.

  1. Click the Auth Adapters tab
  2. Click KerberosIdpAdapter

NOTE: The page may take several seconds to load after clicking the KerberosIdpAdapter link.  Please be patient while it loads!

1.7. Configure KerberosIdpAdapter Authentication Adapter

IMPORTANT: If the page does not load, it is because the VMware IDM Connector service is still registering after the recent restart.  Please wait a minute and refresh the page periodically to check if the service is online again.

IMPORTANT: If only the Name field loads, the VMware IDM Connector service was not restarted after the setupKerberos.bat file was run.  Return to the previous step (Restart the VMware IDM Connector Windows Service) to see how to restart the service.

  1. Enter sAMAccountName for the Directory UID Attribute
  2. Enable the Enable Windows Authentication option
  3. Click Save

NOTE: The KerberosIdpAdapter may take several minutes to save and activate.  Please do not navigate away from the page or refresh while this completes!

1.8. Confirm the KerberosIdpAdapter is Enabled

  1. The KerberosIdpAdapter should now show as Enabled
  2. Click the Close (X) button on the current tab to return to the Workspace ONE Access Administrator Console

2. Update the Policy Rules

  1. Click Identity & Access Management
  2. Click Policies
  3. Click Edit Default Policy

2.1. Add Policy Rule

  1. Click Configuration
  2. Click Add Policy Rule

2.2. Configure Policy Rule Details

  1. Select ALL RANGES for the Network Range
  2. Select Windows 10 for the Device Type

2.3. Configure Policy Rule Authentication

  1. Scroll down to the bottom
  2. Select Authenticate using... for the action
  3. Select Kerberos for the primary authentication action
  4. Select Password (cloud deployment) for the fallback authentication action
  5. Click Save

This access policy is similar to the first policy you created to allow for Password (cloud deployment) authentication for your corp.local users, but there are a few key differences:

  • First, you configured this rule to only apply for Windows 10 devices, so other devices attempting to authenticate will not use this access policy.  You will validate this authentication method from a Windows 10 VM provided to you in the lab.
  • Secondly, you configured the primary authentication method as Kerberos.  If this authentication method is available, the user will not be prompted to enter their credentials and will be signed on automatically.
  • Lastly, you configured a fallback authentication method using Password (cloud deployment).  This means if the primary authentication method for Kerberos is unavailable or fails, the user will be prompted to enter their Active Directory credentials as a fallback option.  This means an issue with your Kerberos authentication will not prevent your users from getting access to their App Catalog.

2.4. Update the Policy Rule Order

  1. Click and drag the created Windows 10 policy rule to the top of the list
  2. Click Next

Since the new Access Policy only applies to Windows 10 devices, you want to ensure that it is checked first before processing your previously created Access Policy that applies to any device type, otherwise the new Access Policy won't be used for your Windows 10 devices.

2.5. Review and Save the Policy Rule Changes

Review the configuration as desired and click Save.

You have now configured your Access Policies to authenticate all Windows 10 Devices using Kerberos and failover to Password (cloud deployment) if Kerberos isn't applicable or fails.

3. Authenticate with Kerberos using the Workspace ONE App

From the Desktop, double-click the Win10-01a.rdp shortcut.

3.1. Use the Workspace ONE App to Connect To Your Tenant

  1. Click the Workspace ONE App from the task bar
  2. Enter https://{yourtenant} for the URL
    NOTE: Replace {yourtenant} with your actual tenant name that you accessed in previous steps!
  3. Click Continue

3.2. Select the corp.local Domain

  1. Select corp.local for the Domain
  2. Click Next

3.3. Enter Workspace

If your Kerberos authentication was setup correctly, you will not receive a prompt for input.  Instead, you will see a message stating that your workspace is being prepared, and will be presented with an Enter button once it is ready.

Click Enter after the workspace finishes building.

3.4. Confirm User Details

Notice that you were authenticated via Kerberos without having to enter any credentials!

  1. Click Settings
  2. Confirm that the User details show that we successfully signed in as [email protected].  This is the user account that is signed in to the Windows 10 virtual machine you have connected to.
  3. Click Sign Out then confirm the popup to finish signing out.

This confirms that we were able to successfully enable Kerberos authentication for your Connector, configure your Access Policies to authenticate Windows 10 devices via Kerberos, and then validated that authentication using Kerberos from the Windows 10 device through the Workspace ONE application was successful.

4. Return to the Main Console

Click the X on the Remote Desktop session at the top of your screen to return to the Main Console.


Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.