You can add Kerberos authentication for internal users, which requires inbound connection mode, to your deployment of outbound connection mode connectors. The same connectors can be configured to use Kerberos authentication for users coming from the internal network and another authentication method for users coming from the external network. This can be achieved by defining authentication policies based on network ranges.

Requirements and considerations include:

  • Kerberos authentication can be configured regardless of the type of directory you set up in VMware Identity Manager, Active Directory over LDAP or Active Directory (Integrated Windows Authentication).

  • The connector must be joined to the Active Directory domain.

  • The connector host name must match the Active Directory domain to which the connector is joined. For example, if the Active Directory domain is sales.example.com, the connector host name must be connectorhost.sales.example.com.

    If you cannot assign a hostname that matches the Active Directory domain structure, you need to configure the connector and Active Directory manually. See the Knowledge Base for information.

  • Each connector on which Kerberos authentication is configured must have a trusted SSL certificate. You can obtain the certificate from your internal certificate authority. Kerberos authentication does not work with self-signed certificates.

    Trusted SSL certificates are required regardless of whether you enable Kerberos on a single connector or on multiple connectors for high availability.

  • To set up high availability for Kerberos authentication, a load balancer is required.