The domain_krb.properties file determines the domain controllers to use for directories that have DNS Service Location lookup enabled. You can edit the file at any time to modify the list of domain controllers for a domain, or to add or delete domain entries. Your changes will not be overridden.

About this task

In a Linux virtual appliance, the domain_krb.properties file is located in the /usr/local/horizon/conf directory. In a Windows server, the domain_krb.properties file is located in the installDir\IDMConnector\usr\local\horizon\conf directory.

The file is initially created and auto-populated by the connector. You need to update it manually in some cases, such as in the following scenarios.

  • If the domain controllers selected by default are not the optimal ones for your configuration, edit the file and specify the domain controllers to use.

  • If you delete a directory, delete the corresponding domain entry from the file.

  • If any domain controllers in the file are not reachable, remove them from the file.

See also About Domain Controller Selection (domain_krb.properties file).

Procedure

  1. (Linux virtual appliance) Log in to the VMware Identity Manager service or connector virtual machine as the root user.

    In a typical on-premises deployment, with no additional connectors deployed, the file is created in the VMware Identity Manager service server. If you are using an external connector for the directory, the file is created in the connector server.

    In a SaaS deployment, the file is created in the connector server.

  2. (Windows server) Log in to the VMware Identity Manager service or connector server.

    In a typical on-premises deployment, with no additional connectors deployed, the file is created in the VMware Identity Manager service server. If you are using an external connector for the directory, the file is created in the connector server.

    In a SaaS deployment, the file is created in the connector server.

  3. (Linux virtual appliance) Change directories to /usr/local/horizon/conf.
  4. (Windows server) Go to the installDir\IDMConnector\usr\local\horizon\conf directory.
  5. Edit the domain_krb.properties file to add or edit the list of domain-to-host values.

    Use the following format:

    domain=host:port,host2:port,host3:port

    For example:

    example.com=examplehost1.example.com:389,examplehost2.example.com:389

    List the domain controllers in order of priority. To connect to Active Directory, the connector tries the first domain controller in the list. If it is not reachable, it tries the second one in the list, and so on.

    Important:

    Domain names must be in lowercase.

  6. Change the owner of the domain_krb.properties file to horizon and the group to www.

    On Linux, use the following command:

    chown horizon:www /usr/local/horizon/conf/domain_krb.properties

  7. Restart the service.

    On Linux, use the following command:

    service horizon-workspace restart

What to do next

(Linux virtual appliance only) After you edit the domain_krb.properties file, edit the /etc/krb5.conf file. The krb5.conf file must be consistent with the domain_krb.properties file.

  1. Edit the /etc/krb5.conf file and update the realms section to specify the same domain-to-host values that are used in the /usr/local/horizon/conf/domain_krb.properties file. You do not need to specify the port number. For example, if your domain_krb.properties file has the domain entry example.com=examplehost.example.com:389, you would update the krb5.conf file to the following.

    [realms]
    GAUTO-QA.COM = {
        auth_to_local = RULE:[1:$0\$1](^GAUTO-QA\.COM\\.*)s/^GAUTO-QA\.COM/GAUTO-QA/
        auth_to_local = RULE:[1:$0\$1](^GAUTO-QA\.COM\\.*)s/^GAUTO-QA\.COM/GAUTO-QA/
        auth_to_local = RULE:[1:$0\$1](^GAUTO2QA\.GAUTO-QA\.COM\\.*)s/^GAUTO2QA\.GAUTO-QA\.COM/GAUTO2QA/
        auth_to_local = RULE:[1:$0\$1](^GLOBEQE\.NET\\.*)s/^GLOBEQE\.NET/GLOBEQE/
        auth_to_local = DEFAULT
        kdc = examplehost.example.com
    }

    Note:

    Multiple kdc entries are possible but not required; in most cases there is only a single kdc value. If you define additional kdc values, each kdc line defines one domain controller.

  2. Restart the workspace service.

    service horizon-workspace restart
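The following consistency check is an added example, not part of this documentation or of the product: it parses the domain=host:port,host2:port lines of domain_krb.properties (enforcing the lowercase rule), reads the kdc hosts from the [realms] section of krb5.conf (which carry no port), and reports every domain whose realm is missing or lists different domain controllers. The file contents are constructed samples, with krb5.conf deliberately naming a host that the properties file does not.

```python
import re
# Constructed sample files for the checks below (not from a real deployment).
DOMAIN_KRB = "example.com=examplehost1.example.com:389,examplehost2.example.com:389\n"
KRB5_CONF = """[realms]
    EXAMPLE.COM = {
        kdc = examplehost1.example.com
        kdc = other-dc.example.com
    }
"""

def parse_domain_krb(text):
    """Return {domain: [host, ...]} from 'domain=host:port,host2:port' lines, in order."""
    result = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain, sep, hosts = (s.strip() for s in line.partition("="))
        if not sep or not domain or domain != domain.lower():
            raise ValueError(f"line {n}: expected lowercase domain=host:port,host2:port")
        entries = []
        for item in hosts.split(","):
            host, colon, port = item.strip().rpartition(":")
            if not colon or not host or not port.isdigit():
                raise ValueError(f"line {n}: bad host:port entry {item.strip()!r}")
            entries.append(host)
        result[domain] = entries
    return result

def parse_krb5_realms(text):
    """Return {REALM: [kdc host, ...]} from the [realms] section of krb5.conf."""
    section = re.search(r"^\[realms\](.*?)(?=^\[|\Z)", text, re.S | re.M)
    realms = {}
    for realm, block in re.findall(r"(\S+)\s*=\s*\{(.*?)\}", section.group(1) if section else "", re.S):
        kdcs = re.findall(r"^\s*kdc\s*=\s*(\S+)", block, re.M)
        realms[realm] = [k.split(":")[0] for k in kdcs]  # krb5.conf kdc lines carry no port
    return realms

def find_mismatches(domain_krb, krb5_conf):
    """Return [(domain, reason)] where krb5.conf has no realm or different kdc hosts."""
    realms = parse_krb5_realms(krb5_conf)
    problems = []
    for domain, dcs in parse_domain_krb(domain_krb).items():
        kdcs = realms.get(domain.upper())
        if kdcs is None:
            problems.append((domain, "no matching realm in krb5.conf"))
        elif sorted(kdcs) != sorted(dcs):
            problems.append((domain, f"kdc hosts {sorted(kdcs)} != {sorted(dcs)}"))
    return problems
```

Run it against the two files on the appliance before restarting the workspace service; an empty list means the realms section matches the properties file.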

See also Knowledge Base article 2091744.