Configure and enable the KerberosIdpAdapter on the VMware Identity Manager Connector. If you have deployed a cluster for high availability, configure and enable the adapter on all the connectors in your cluster.

About this task

Important:

Authentication adapters on all the connectors in your cluster must be configured identically. The same authentication methods must be configured on all the connectors.

When you configure the Kerberos authentication adapter, the VMware Identity Manager connector attempts to initialize Kerberos automatically. If the VMware IDM Connector service is not being run with sufficient privileges to initialize Kerberos, an error message appears. In this case, follow the instructions in http://kb.vmware.com/kb/2149753 to run a script to initialize Kerberos.

For more information about configuring Kerberos authentication, see the VMware Identity Manager Administration Guide.

Prerequisites

  • The Windows machine on which the VMware Identity Manager connector is installed must be joined to the domain.

  • You must have installed the VMware Identity Manager Connector component as a domain user that is part of the administrator group on the Windows machine, and you must be running the VMware IDM Connector service as a Windows domain user.
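The following PowerShell check is an added example, not part of the original VMware documentation; it verifies the prerequisites above on the connector's Windows machine before you configure the adapter. It assumes the service's display name contains "VMware IDM Connector" (the name used on this page) and that Windows PowerShell 5.1 or later is available for Get-LocalGroupMember.

```powershell
# Added example (not VMware code). Run on the connector's Windows machine.
# Assumption: the service display name contains the text used on this page.
$ServiceDisplayName = '*VMware IDM Connector*'

# Prerequisite 1: the machine must be joined to the domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Output "OK: joined to domain $($cs.Domain)"
} else {
    Write-Warning "Not domain joined (workgroup: $($cs.Workgroup))"
}

# Prerequisite 2: the connector service must run as a Windows domain user.
$services = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like $ServiceDisplayName })
if ($services.Count -eq 0) {
    Write-Warning "No service matching '$ServiceDisplayName' found"
}
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
foreach ($svc in $services) {
    $account = $svc.StartName
    if ($builtIn -contains $account) {
        $kind = 'built-in account'
    } elseif ($account -match '^(?<scope>[^\\]+)\\') {
        # ".\user" and "<computername>\user" are local accounts, not domain users.
        $isLocal = $Matches.scope -eq '.' -or $Matches.scope -eq $env:COMPUTERNAME
        $kind = if ($isLocal) { 'local account' } else { 'domain account' }
    } elseif ($account -like '*@*') {
        $kind = 'domain account'   # UPN form, user@domain
    } else {
        $kind = 'unrecognized format'
    }
    if ($kind -eq 'domain account') {
        Write-Output "OK: '$($svc.DisplayName)' runs as $account"
    } else {
        Write-Warning "'$($svc.DisplayName)' runs as $account ($kind)"
    }
}

# Installing account: list domain principals in the local Administrators group
# (well-known SID S-1-5-32-544) so you can confirm the install user is covered,
# either directly or through one of the listed domain groups.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
    Select-Object Name, ObjectClass
```

A warning from the second check corresponds to the condition this page describes, where the service lacks the privileges to initialize Kerberos automatically.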

Procedure

  1. In the VMware Identity Manager administration console, click the Identity & Access Management tab.
  2. Click Setup, then click the Connectors tab.

    All the connectors that you have deployed are listed.

  3. Click the link in the Worker column of one of the connectors.
  4. Click the Auth Adapters tab.
  5. Click the KerberosIdpAdapter link, and configure and enable the adapter.

    Option: Description

    • Name: The default name of the adapter is KerberosIdpAdapter. You can change this name.

    • Directory UID Attribute: The account attribute that contains the username.

    • Enable Windows Authentication: Select this option.

    • Enable Redirect: If you have multiple connectors in a cluster and plan to set up Kerberos high availability by using a load balancer, select this option and specify a value for Redirect Host Name. If your deployment has only one connector, you do not need to use the Enable Redirect and Redirect Host Name options.

    • Redirect Host Name: A value is required if the Enable Redirect option is selected. Enter the connector's own host name. For example, if the connector's host name is connector1.example.com, enter connector1.example.com in the text box.

    For more information on configuring the KerberosIdpAdapter, see the VMware Identity Manager Administration Guide.

  6. Click Save.

    Note: If you get an error stating that Kerberos initialization failed, run the Kerberos initialization script manually by following the instructions in http://kb.vmware.com/kb/2149753, then return to this page and configure the adapter.

  7. If you have deployed a cluster, configure the KerberosIdpAdapter on all the connectors in your cluster.

    Ensure that you configure the adapter identically on all the connectors.

What to do next

Set up high availability for Kerberos authentication, if necessary. Kerberos authentication is not highly available without a load balancer.