After the Kerberos Auth service is installed on the Workspace ONE Access connector, you get an error that states that Kerberos initialization failed.

Problem

During the installation of the Kerberos Auth service, if you did not select the "Would you like to run the Workspace ONE Access Services as a domain user account?" option, or if you selected the option but specified a domain account that does not have the right to "Create, delete, and manage user accounts" in Active Directory, Kerberos cannot be initialized after installation. When you try to configure the Kerberos authentication method, you get an error message that states that Kerberos initialization failed.

Solution

Run the setupkerberos.bat script with a user account that has higher privileges. Use an account that:

  • Is a domain user
  • Has the right to "Create, delete, and manage user accounts" in Active Directory (members of the Admin Users and Account Operators groups have those rights)
  • Is part of the administrator group on the Windows server on which the Workspace ONE Access connector is installed

This user account with higher privileges is only required temporarily to run the script and is not stored or used again for connector services. After you run the script, you can continue configuring the Kerberos authentication method with the original user account that you were using.

Note: The setupkerberos.bat script supports only the following special characters in the domain user account password:
! ( & % @ / = ? * , .

To run the script:

  1. Log in to the connector server and navigate to the InstallDir\Workspace_ONE_Access\Support\scripts directory.
  2. Right-click setupkerberos.bat and select Run as administrator.
  3. Enter the user account that has higher privileges.

    A confirmation message appears after the script has run successfully.

  4. Log in to the Workspace ONE Access console with the original user account that you were using and configure the Kerberos authentication method.

About the setupkerberos.bat Script

The setupkerberos.bat script performs the following tasks:

  1. Creates a service account with the same name as the machine account (without the $).
  2. Sets a random password for the account.
  3. Generates a keytab file for the account, by default stored in InstallDir\Workspace ONE Access\Kerberos Auth Service\conf.
  4. Maps the given principal of the machine as an SPN inside the account.
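The following PowerShell helper is an added example, not part of the Workspace ONE Access product or the setupkerberos.bat script. It checks the account you plan to run the script with against the three requirements in the Solution section, checks a candidate password against the special-character set in the note, and after the script has run verifies that a service account named after the machine account (without the $) exists and carries the SPN. The SPN value and account names are supplied by the caller; reading "Admin Users" as the Domain Admins group is an assumption.

```powershell
# Added example (not VMware code). Uses ADSI so it needs no RSAT modules.
function Test-KerberosScriptAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)   # account you intend to run the script as
    $r = [ordered]@{}
    # 1. Must be a domain user: resolve it in the current domain.
    $acct = ([ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))").FindOne()
    $r.IsDomainUser = $null -ne $acct
    # 2. Must be a member of the local Administrators group on this connector server.
    #    Assumes the account lives in the same domain as the current user.
    $admins = @((Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name)
    $r.IsLocalAdmin = $admins -contains "$env:USERDOMAIN\$SamAccountName"
    # 3. Account-management right, approximated by direct membership in Account Operators
    #    or Domain Admins (assumption; nested group membership is not resolved here).
    $groups = @()
    if ($acct) {
        $groups = @($acct.Properties['memberof']) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
    }
    $r.InAccountMgmtGroup = [bool]($groups | Where-Object { $_ -in 'Account Operators', 'Domain Admins' })
    [pscustomobject]$r
}

function Test-KerberosScriptPassword {
    param([Parameter(Mandatory)][string]$Password)
    # Only these special characters are supported by setupkerberos.bat (from the note above).
    $allowed = [char[]]'!(&%@/=?*,.'
    $bad = [char[]]$Password |
        Where-Object { -not [char]::IsLetterOrDigit($_) -and ($_ -notin $allowed) } |
        Sort-Object -Unique
    [pscustomobject]@{ Ok = (@($bad).Count -eq 0); UnsupportedChars = (-join @($bad)) }
}

function Test-KerberosServiceAccount {
    param([Parameter(Mandatory)][string]$Spn)   # the principal you gave the script, e.g. HTTP/<connector fqdn>
    # The script creates a user account named like the machine account without the trailing '$'.
    # objectCategory=person excludes the computer object itself, whose sAMAccountName ends in '$'.
    $name = $env:COMPUTERNAME
    $acct = ([ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$name))").FindOne()
    if (-not $acct) { return [pscustomobject]@{ AccountFound = $false; SpnMapped = $false; Spns = @() } }
    $spns = @($acct.Properties['serviceprincipalname'])
    [pscustomobject]@{ AccountFound = $true; SpnMapped = ($spns -contains $Spn); Spns = $spns }
}

# Constructed usage (replace the values with your own):
# Test-KerberosScriptAccount -SamAccountName 'svc-kerbsetup'
# Test-KerberosScriptPassword -Password 'Ex@mple#Pass'        # reports '#' as unsupported
# Test-KerberosServiceAccount -Spn 'HTTP/connector.corp.example.com'
```

Run the first two checks before starting setupkerberos.bat and the third one after the confirmation message, so a failed Kerberos initialization can be traced to a missing account, a rejected password character, or an unmapped SPN.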