The /usr/local/horizon/conf/domain_krb.properties file determines the domain controllers to use for directories that have DNS Service Location lookup enabled. You can edit the file at any time to modify the list of domain controllers for a domain, or to add or delete domain entries. Your changes will not be overridden.

About this task

The file is initially created and auto-populated by the connector. You need to update it manually in scenarios such as the following:

  • If the domain controllers selected by default are not the optimal ones for your configuration, edit the file and specify the domain controllers to use.

  • If you delete a directory, delete the corresponding domain entry from the file.

  • If any domain controllers in the file are not reachable, remove them from the file.

See also About Domain Controller Selection (domain_krb.properties file).

Procedure

  1. Log in to the VMware Identity Manager virtual machine as the root user.
    Note:

    If you are using an additional connector for the directory, log in to the connector virtual machine.

  2. Change directories to /usr/local/horizon/conf.
  3. Edit the domain_krb.properties file to add or edit the list of domain-to-host values.

    Use the following format:

    domain=host:port,host2:port,host3:port

    For example:

    example.com=examplehost1.example.com:389,examplehost2.example.com:389

    List the domain controllers in order of priority. To connect to Active Directory, the connector tries the first domain controller in the list. If it is not reachable, it tries the second one in the list, and so on.

    Important:

    Domain names must be in lowercase.

  4. Change the owner of the domain_krb.properties file to horizon and group to www using the following command.

    chown horizon:www /usr/local/horizon/conf/domain_krb.properties

  5. Restart the service.

    service horizon-workspace restart

What to do next

After you edit the domain_krb.properties file, edit the /etc/krb5.conf file. The krb5.conf file must be consistent with the domain_krb.properties file.

  1. Edit the /etc/krb5.conf file and update the realms section to specify the same domain-to-host values that are used in the /usr/local/horizon/conf/domain_krb.properties file. You do not need to specify the port number. For example, if your domain_krb.properties file has the domain entry example.com=examplehost.example.com:389, you would update the krb5.conf file to the following.

    [realms]
    GAUTO-QA.COM = {
    auth_to_local = RULE:[1:$0\$1](^GAUTO-QA\.COM\\.*)s/^GAUTO-QA\.COM/GAUTO-QA/
    auth_to_local = RULE:[1:$0\$1](^GAUTO2QA\.GAUTO-QA\.COM\\.*)s/^GAUTO2QA\.GAUTO-QA\.COM/GAUTO2QA/
    auth_to_local = RULE:[1:$0\$1](^GLOBEQE\.NET\\.*)s/^GLOBEQE\.NET/GLOBEQE/
    auth_to_local = DEFAULT
    kdc = examplehost.example.com
    }

    Note:

    You can define multiple kdc entries, but this is not required; in most cases there is only a single kdc value. If you define additional kdc values, put each one on its own line as a separate kdc entry, each defining one domain controller.

  2. Restart the workspace service.

    service horizon-workspace restart

See also Knowledge Base article 2091744.
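
A consistency check for the two files edited above, as an added example that is not part of the VMware documentation or product. The function names `check_domain_krb` and `demo` are hypothetical, the sample files are constructed, and as a simplification a host is accepted if it appears as a kdc entry in any realm of krb5.conf.

```sh
# Added example (not VMware code). check_domain_krb and demo are hypothetical names.
# check_domain_krb PROPS KRB5: prints one line per problem, returns 1 if any.
check_domain_krb() {
    awk '
    FILENAME == ARGV[1] {                  # first file read: krb5.conf
        if ($0 ~ /^[ \t]*kdc[ \t]*=/) {
            h = $0
            sub(/^[^=]*=[ \t]*/, "", h)    # drop the "kdc =" prefix
            sub(/[: \t].*$/, "", h)        # drop an optional :port
            kdc[tolower(h)] = 0            # 0 = not yet seen in the properties file
        }
        next
    }
    /^[ \t]*(#.*)?$/ { next }              # skip blank lines and comments
    {
        where = FILENAME ":" FNR ": "
        eq = index($0, "=")
        if (eq < 2) { print where "expected domain=host:port,host2:port"; bad = 1; next }
        domain = substr($0, 1, eq - 1)
        if (domain != tolower(domain)) { print where "domain " domain " must be lowercase"; bad = 1 }
        n = split(substr($0, eq + 1), hosts, ",")
        for (i = 1; i <= n; i++) {
            if (hosts[i] !~ /^[A-Za-z0-9.-]+:[0-9]+$/) {
                print where "bad host:port entry \"" hosts[i] "\""; bad = 1; continue
            }
            split(hosts[i], hp, ":")
            host = tolower(hp[1])
            if (host in kdc) { kdc[host] = 1 } else { print where host " has no kdc entry in krb5.conf"; bad = 1 }
        }
    }
    END {
        for (h in kdc) if (!kdc[h]) { print "krb5.conf: kdc " h " is not in domain_krb.properties"; bad = 1 }
        exit bad + 0
    }
    ' "$2" "$1"
}
# Constructed sample files; hostnames follow the page's example.com examples.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'example.com=examplehost1.example.com:389,examplehost2.example.com:389' \
        'Corp.example.com=dc1.corp.example.com' > "$d/domain_krb.properties"
    printf '%s\n' '[realms]' 'EXAMPLE.COM = {' '    kdc = examplehost1.example.com' \
        '    kdc = examplehost3.example.com' '}' > "$d/krb5.conf"
    check_domain_krb "$d/domain_krb.properties" "$d/krb5.conf"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On the appliance the call would be `check_domain_krb /usr/local/horizon/conf/domain_krb.properties /etc/krb5.conf`, run before restarting the service; `demo` shows the four findings produced by the constructed files.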