After the Kerberos Auth service is installed on the Workspace ONE Access connector, you get an error that states that Kerberos initialization failed.
Problem
During the installation of the Kerberos Auth service in the Workspace ONE Access connector, if you did not select the "Would you like to run the Workspace ONE Access Services as a domain user account?" option, or if you selected it but specified a domain account that does not have the "Create, delete, and manage user accounts" right in Active Directory, Kerberos cannot be initialized after installation. When you then try to configure the Kerberos authentication adapter, you get an error message stating that Kerberos initialization failed.
Solution
Run the setupkerberos.bat script with a user account that has higher privileges. Use an account that:
- Is a domain user
- Has the "Create, delete, and manage user accounts" right in Active Directory (members of the Admin Users and Account Operators groups have this right)
- Is part of the administrator group on the Windows server on which the Workspace ONE Access connector is installed
This user account with higher privileges is only required temporarily to run the script and is not stored or used again for connector services. After you run the script, you can continue configuring the Kerberos authentication method with the original user account that you were using.
To run the script:
- Log in to the connector Windows machine and navigate to the InstallDir\Workspace_ONE_Access\Support\scripts directory.
- Right click setupkerberos.bat and select Run as administrator.
- Enter the user account with higher privileges described above. A confirmation message appears after the script has run successfully.
- Log in to the Workspace ONE Access console with the original user account that you were using and configure the Kerberos authentication method.
About the setupkerberos.bat Script
When the Kerberos Auth service is installed on Workspace ONE Access connector 20.01 or later, the setupkerberos.bat script performs the following tasks:
- Creates a service account with the same name as the machine account (without the $)
- Sets a random password for the account
- Generates a keytab file for the account; by default it is stored in InstallDir\Workspace ONE Access\Kerberos Auth Service\conf.
For Workspace ONE Access connector 19.03, the keytab file for the account is stored in /usr/horizon/conf.
- Maps the given principal of the machine as an SPN inside the account
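The following PowerShell is an added example, not part of the VMware documentation or of setupkerberos.bat. It checks the account prerequisites listed in the Solution before the script is run, and afterwards verifies the results the script is described as producing (service account named after the machine account, mapped SPNs, keytab in the conf directory). It assumes the ActiveDirectory RSAT module is installed on the connector, that the keytab uses a .keytab extension, and that $InstallDir matches your installation; the Domain Admins group name is also an assumption.

```powershell
# Added example; not from the VMware documentation or the setupkerberos.bat script.
#Requires -Modules ActiveDirectory

# Assumption: adjust to the connector's actual InstallDir.
$InstallDir = 'C:\Program Files\Workspace ONE Access'

function Test-SetupKerberosPrereqs {
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $prin = [Security.Principal.WindowsPrincipal]$id
    # A local account reports the computer name as its domain.
    $isDomainUser = $env:USERDOMAIN -ne $env:COMPUTERNAME
    # True only in an elevated session, i.e. "Run as administrator".
    $isLocalAdmin = $prin.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    # Groups whose members may create, delete and manage user accounts. The doc names
    # "Admin Users" and "Account Operators"; "Domain Admins" is an assumption here.
    $okGroups = @('Account Operators', 'Domain Admins')
    $groups   = @()
    if ($isDomainUser) {
        $groups = (Get-ADPrincipalGroupMembership -Identity $env:USERNAME).Name
    }
    $inAdGroup = @($groups | Where-Object { $okGroups -contains $_ }).Count -gt 0
    [pscustomobject]@{
        User         = "$env:USERDOMAIN\$env:USERNAME"
        IsDomainUser = $isDomainUser
        IsLocalAdmin = $isLocalAdmin
        InAdGroup    = $inAdGroup
        ReadyToRun   = $isDomainUser -and $isLocalAdmin -and $inAdGroup
    }
}

function Test-SetupKerberosResult {
    # The script creates a user named like the machine account minus the trailing "$".
    $svcName = $env:COMPUTERNAME
    $svc = Get-ADUser -Filter "sAMAccountName -eq '$svcName'" -Properties servicePrincipalName
    $confDir = Join-Path $InstallDir 'Kerberos Auth Service\conf'
    # Assumption: the generated keytab carries a .keytab extension.
    $keytabs = @(Get-ChildItem -Path $confDir -Filter '*.keytab' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ServiceAccount = if ($svc) { $svc.SamAccountName } else { $null }
        SPNs           = if ($svc) { @($svc.servicePrincipalName) } else { @() }
        KeytabFiles    = $keytabs.FullName
        Initialized    = ($null -ne $svc) -and (@($svc.servicePrincipalName).Count -gt 0) -and ($keytabs.Count -gt 0)
    }
}

Test-SetupKerberosPrereqs | Format-List
Test-SetupKerberosResult  | Format-List
```

Run the first function before setupkerberos.bat and the second afterwards; an Initialized value of False points at the missing account, SPN or keytab.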