1. Click the File Explorer icon from the task bar
2. Click Local Disk (C:)
3. Click VMware
4. Click VMwareIdentityManager
5. Click Connector
6. Click usr
7. Click local
8. Click horizon
9. Click scripts
10. Right-click the setupKerberos.bat file
11. Click Run as Administrator

1. Enter CORP\Administrator for the Username
2. Enter VMware1! for the Password
3. After the PowerShell window closes and the process finishes, press any key to continue to close the command prompt

1. Click the Windows Service shortcut from the task bar
2. Right-click the VMware IDM Connector service
3. Click Restart

Wait until the VMware IDM Connector service successfully stops and restarts before continuing.

After the setupKerberos.bat file has completed running, return to the Main Console to finish setting up the Kerberos Authentication adapter in Workspace ONE Access.

Click the Close (X) button on the Remote Desktop Connector bar at the top of your screen.

NOTE: If you do not see the Remote Desktop Connection bar, you  may have un-pinned the bar.  Hover your mouse over the top and center part of the screen to reveal it.

In the Workspace ONE Access Administration Console,

1. Click Identity & Access Management
2. Click Setup
3. Click Legacy Connectors
4. Click the Lab worker link

NOTE: If you see an error that says Failed to execute the request, then the connector is still coming back online after the VMware IDM Connector service restart from earlier.  Wait a few minutes and refresh the page to check if it is back online.

1. Click the Auth Adapters tab
2. Click KerberosIdpAdapter

NOTE: The page may take several seconds to load after clicking the KerberosIdpAdapter link.  Please be patient while it loads!

IMPORTANT: If the page does not load, it is because the VMware IDM Connector service is still registering after the recent restart.  Please wait a minute and refresh the page periodically to check if the service is online again.

IMPORTANT: If only the Name field loads, the VMware IDM Connector service was not restarted after the setupKerberos.bat file was run.  Return to the previous step (Restart the VMware IDM Connector Windows Service) to see how to restart the service.

1. Enter sAMAccountName for the Directory UID Attribute
2. Enable the Enable Windows Authentication option
3. Click Save

NOTE: The KerberosIdpAdapter may take several minutes to save and activate.  Please do not navigate away from the page or refresh while this completes!

1. The KerberosIdpAdapter should now show as Enabled
2. Click the Close (X) button on the current tab to return to the Workspace ONE Access Administrator Console

1. Click Configuration
2. Click Add Policy Rule

1. Select ALL RANGES for the Network Range
2. Select Windows 10 for the Device Type

1. Scroll down to the bottom
2. Select Authenticate using... for the action
3. Select Kerberos for the primary authentication action
4. Select Password (cloud deployment) for the fallback authentication action
5. Click Save

This access policy is similar to the first policy you created to allow for Password (cloud deployment) authentication for your corp.local users, but there are a few key differences:

• First, you configured this rule to only apply for Windows 10 devices, so other devices attempting to authenticate will not use this access policy.  You will validate this authentication method from a Windows 10 VM provided to you in the lab.
• Secondly, you configured the primary authentication method as Kerberos.  If this authentication method is available, the user will not be prompted to enter their credentials and will be signed on automatically.
• Lastly, you configured a fallback authentication method using Password (cloud deployment).  This means if the primary authentication method for Kerberos is unavailable or fails, the user will be prompted to enter their Active Directory credentials as a fallback option.  This means an issue with your Kerberos authentication will not prevent your users from getting access to their App Catalog.

1. Click and drag the created Windows 10 policy rule to the top of the list
2. Click Next

Since the new Access Policy only applies to Windows 10 devices, you want to ensure that it is checked first before processing your previously created Access Policy that applies to any device type, otherwise the new Access Policy won't be used for your Windows 10 devices.

Review the configuration as desired and click Save.

You have now configured your Access Policies to authenticate all Windows 10 Devices using Kerberos and failover to Password (cloud deployment) if Kerberos isn't applicable or fails.

1. Click the Workspace ONE App from the task bar
2. Enter https://{yourtenant}.vidmpreview.com for the URL
   NOTE: Replace {yourtenant} with your actual tenant name that you accessed in previous steps!
3. Click Continue

1. Select corp.local for the Domain
2. Click Next

If your Kerberos authentication was setup correctly, you will not receive a prompt for input.  Instead, you will see a message stating that your workspace is being prepared, and will be presented with an Enter button once it is ready.

Click Enter after the workspace finishes building.

Notice that you were authenticated via Kerberos without having to enter any credentials!

1. Click Settings
2. Confirm that the User details show that we successfully signed in as [email protected].  This is the user account that is signed in to the Windows 10 virtual machine you have connected to.
3. Click Sign Out then confirm the popup to finish signing out.

This confirms that we were able to successfully enable Kerberos authentication for your Connector, configure your Access Policies to authenticate Windows 10 devices via Kerberos, and then validated that authentication using Kerberos from the Windows 10 device through the Workspace ONE application was successful.