You can convert a directory of type Other, which stores users and groups synced from Workspace ONE UEM, to a directory of type Active Directory over LDAP or Active Directory over Integrated Windows Authentication, which are associated with the VMware Identity Manager connector. After you convert the directory, the VMware Identity Manager connector is used instead of ACC to sync users and groups from your enterprise directory to the VMware Identity Manager service.

Prerequisites

  • Install and activate the VMware Identity Manager connector.

    For some features, the Windows server must be joined to the domain, the VMware Identity Manager connector must be installed as a domain user that is part of the administrator group on the Windows server, and the IDM Connector service must be configured to run as a Windows domain user.

    This requirement applies in the following cases.

    • If you plan to convert the Other directory to Active Directory over Integrated Windows Authentication
    • If you plan to use Kerberos authentication
  • The following Active Directory information is required:
    • If you are converting to Active Directory over LDAP, the Base DN, the Bind user DN, and the Bind user password are required.

      The Bind user must have the following permissions in Active Directory to grant access to users and groups objects:

      • Read
      • Read All Properties
      • Read Permissions

      Using a Bind user account with a non-expiring password is recommended.

    • If you are converting to Active Directory over Integrated Windows Authentication, the user name and password of a Bind user who has permission to query users and groups in all of the required domains are required.

      The Bind user must have the following permissions in Active Directory to grant access to users and groups objects:

      • Read
      • Read All Properties
      • Read Permissions

      Using a Bind user account with a non-expiring password is recommended.

    • If your Active Directory requires access over SSL/TLS, the Intermediate (if used) and Root CA certificates of the domain controllers for all relevant Active Directory domains are required. If the domain controllers have certificates from multiple Intermediate and Root Certificate Authorities, all the Intermediate and Root CA certificates are required.
    • For Active Directory over Integrated Windows Authentication, when you have multi-forest Active Directory configured and a Domain Local group contains members from domains in different forests, make sure that the Bind user is added to the Administrators group of the domain in which the Domain Local group resides. Otherwise, those members are missing from the synced Domain Local group.
    • For Active Directory over Integrated Windows Authentication:
      • For all domain controllers listed in SRV records, and for hidden RODCs, both forward and reverse name resolution must work (nslookup of the host name and nslookup of the IP address).
      • All the domain controllers must be reachable over the network.

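The name-resolution and reachability checks above can be run once from the connector server before starting the conversion. The following PowerShell script is an added example, not part of the VMware documentation or product; it assumes a domain-joined Windows server with the RSAT ActiveDirectory module, uses Resolve-DnsName in place of nslookup, and the domain names and Bind user name are placeholders to replace with your own.

```powershell
# Added pre-flight check for the converted directory (example code, not VMware's).
# Assumes: domain-joined connector server, RSAT ActiveDirectory module installed.
$Domains  = @('corp.example.com', 'child.corp.example.com')   # placeholder domain names
$BindUser = 'svc-idm-bind'                                     # placeholder Bind user sAMAccountName

Import-Module ActiveDirectory

$report = foreach ($domain in $Domains) {
    # Domain controllers advertised through SRV records for this domain
    $srv  = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
    $dcs  = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
    # RODCs are not always advertised in SRV records, so enumerate them from AD as well
    $dcs += @(Get-ADDomainController -Filter { IsReadOnly -eq $true } -Server $domain |
              Select-Object -ExpandProperty HostName)

    foreach ($dc in ($dcs | Sort-Object -Unique)) {
        # Forward lookup: host name -> IP address (A record)
        $forward = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' } | Select-Object -First 1 -ExpandProperty IPAddress
        # Reverse lookup: IP address -> host name (PTR record)
        $reverse = if ($forward) {
            Resolve-DnsName -Name $forward -Type PTR -ErrorAction SilentlyContinue |
                Select-Object -First 1 -ExpandProperty NameHost
        }
        # TCP reachability for Kerberos (88), LDAP (389) and LDAPS (636)
        $ports = foreach ($p in 88, 389, 636) {
            $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
            '{0}={1}' -f $p, $(if ($ok) { 'open' } else { 'CLOSED' })
        }
        [pscustomobject]@{
            Domain  = $domain
            DC      = $dc
            Forward = $forward
            Reverse = $reverse
            Ports   = ($ports -join ' ')
            Ready   = (([bool]$forward) -and ([bool]$reverse) -and (($ports -notmatch 'CLOSED').Count -eq 3))
        }
    }
}
$report | Format-Table -AutoSize

# Bind user: confirm the account is enabled and has a non-expiring password, as recommended above
$acct = Get-ADUser -Identity $BindUser -Properties PasswordNeverExpires, Enabled
if (-not $acct.Enabled)              { Write-Warning "$BindUser is disabled" }
if (-not $acct.PasswordNeverExpires) { Write-Warning "$BindUser password expires; a non-expiring password is recommended" }
```

Any domain controller whose Ready column is False needs its DNS records or firewall path fixed before the converted directory is synced.
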
Procedure

  1. In the VMware Identity Manager administration console, click the Identity & Access Management tab, then click the Directories tab.
  2. Click the directory that you want to convert.
  3. In the directory page, click the Convert button.
  4. In the Add Directory page, change the name of the directory if required and select the type of directory to which you want to convert the Other directory: Active Directory over LDAP or Active Directory over Integrated Windows Authentication.
  5. Enter the Active Directory connection information and continue with the wizard to set up the directory.
    See "Configuring Active Directory Connection to the Service" in the Directory Integration with VMware Identity Manager guide for information.

    Follow these guidelines.

    • In the Sync Connector field, select the VMware Identity Manager connector that you installed.
    • In the Directory Sync and Authentication section, select Yes for Authentication, unless you intend to use a third-party identity provider instead of the connector for authentication.
    • Ensure that you set up the converted directory identically to the Workspace ONE UEM directory so that it has the same directory structure. Select the same domains. When you specify users and groups to sync, make the same selections as the Workspace ONE UEM directory so that the same users and groups are synced to the converted directory.
  6. On the last page of the wizard, click Sync Directory.
    The directory is converted and set up to use the VMware Identity Manager connector. A Workspace Identity Provider is created, if one did not already exist, and the directory is associated with it automatically. The Password authentication method is already enabled for the directory.
  7. (Optional) To enable other authentication methods for the directory, follow these steps.
    1. In the Identity & Access Management tab, click Setup.
    2. On the Connectors page, locate the connector and the worker with which the converted directory is associated, and click the link in the Worker column.
    3. In the worker page, click the Auth Adapters tab.
    4. Configure and enable the authentication adapters you want to use for the directory by clicking the link for each and entering the configuration information.
      See VMware Identity Manager Administration for information about configuring authentication adapters.
  8. Edit the default_access_policy_set and any custom policies to select VMware Identity Manager connector authentication methods instead of Password (AirWatch Connector).
    1. In the Identity & Access Management tab, click the Policies tab.
    2. Click Edit Default Policy.
    3. Click Configuration.
    4. Edit each policy rule and replace the Password (AirWatch Connector) authentication method with Password, which is a VMware Identity Manager connector authentication method.
    5. Click the Policies tab again and edit custom policies, if any, to use Password or any other VMware Identity Manager connector authentication method that you have configured.
      Important: If you do not change Password (AirWatch Connector) to Password or another VMware Identity Manager connector-based authentication method, users of the converted directory will not be able to log in.

What to do next

Stop directory sync from Workspace ONE UEM to the converted directory.