If you upgraded from VMware Identity Manager 3.3.1 or 3.3.2 to 3.3.3, and you have a directory of type Active Directory over IWA or the Kerberos authentication adapter configured on the embedded connector, you must migrate from the embedded connector to the external VMware Identity Manager 3.3.3 Windows connector.

During the VMware Identity Manager service upgrade to 3.3.3, a script runs automatically and saves the embedded connector’s configuration information to a file named cluster-hostname-conn-timestamp.enc file in the /root directory. You use this file to migrate the embedded connector configuration to the new, external Windows connector.

To install the external connector, you require a Windows server that meets all requirements.


  • If you have configured any authentication methods on the embedded connector in addition to password authentication, make a note of the authentication adapter configurations. During connector migration, only the Password authentication adapter is migrated. After you migrate to the new, external Windows connector, you must reconfigure the other authentication adapters.
  • Prepare a Windows server for the new external connector. See System Requirements for VMware Identity Manager Connector (Windows) in Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows).
  • Download the VMware Identity Manager Connector 3.3.3 (Windows) installer from the VMware Identity Manager 3.3.3 Download page on My VMware to the Windows server.


  1. After upgrading the VMware Identity Manager service to 3.3.3, log in to the service virtual appliance and verify that the cluster-hostname-conn-timestamp.enc connector configuration file appears in the /root directory of the service virtual appliance.
  2. Copy the cluster-hostname-conn-timestamp.enc file from the upgraded VMware Identity Manager service appliance to the Windows server.
    Important: Use a secure method, such as Secure File Transfer Protocol (SFTP), to transfer the configuration file from one server to another as the file contains sensitive information.

    To ensure security, also delete the configuration file from both the old and new servers after migration is finished, and delete old deployments that are no longer needed. See Perform Migration-Related Steps When Configuring the External Windows-Based Connector.

  3. See Perform Migration-Related Steps When Configuring the External Windows-Based Connector for information on performing migration-related steps while installing and configuring the external connector.