Configure and enable the KerberosIdpAdapter on the VMware Identity Manager Connector. If you have deployed a cluster for high availability, configure and enable the adapter on all the connectors in your cluster.

Important: Authentication adapters on all the connectors in your cluster must be configured identically. The same authentication methods must be configured on all the connectors.

For more information about configuring Kerberos authentication, see the VMware Identity Manager Administration Guide.

Prerequisites

  • The connector must be joined to the Active Directory domain.
  • The connector host name must match the Active Directory domain to which the connector is joined. For example, if the Active Directory domain is sales.example.com, the connector host name must be connectorhost.sales.example.com.

    If you cannot assign a host name that matches the Active Directory domain structure, you must configure the connector and Active Directory manually. See the Knowledge Base for information.

Procedure

  1. In the VMware Identity Manager administration console, click the Identity & Access Management tab.
  2. Click Setup, then click the Connectors tab.
    All the connectors that you have deployed are listed.
  3. Click the link in the Worker column of one of the connectors.
  4. Click the Auth Adapters tab.
  5. Click the KerberosIdpAdapter link, and configure and enable the adapter.
    Name
      The default name of the adapter is KerberosIdpAdapter. You can change this name.
    Directory UID Attribute
      The account attribute that contains the username.
    Enable Windows Authentication
      Select this option.
    Enable NTLM
      You do not need to select this option unless your Active Directory infrastructure relies on NTLM authentication.
      Note: This option is only supported on Linux-based VMware Identity Manager.
    Enable Redirect
      If you have multiple connectors in a cluster and plan to set up Kerberos high availability by using a load balancer, select this option and specify a value for Redirect Host Name.

      If your deployment has only one connector, you do not need to use the Enable Redirect and Redirect Host Name options.

    Redirect Host Name
      A value is required if the Enable Redirect option is selected. Enter the connector's own host name. For example, if the connector's host name is connector1.example.com, enter connector1.example.com in the text box.
    [Screenshot: Kerberos adapter configuration on a Linux-based connector]

    For more information on configuring the KerberosIdpAdapter, see the VMware Identity Manager Administration Guide.
  6. Click Save.
  7. If you have deployed a cluster, configure the KerberosIdpAdapter on all the connectors in your cluster.
    Ensure that you configure the adapter identically on all the connectors, except for the Redirect Host Name value, which should be specific to each connector.

What to do next

  • Ensure that each connector on which the KerberosIdpAdapter is enabled has a trusted SSL certificate. You can obtain the certificate from your internal certificate authority. Kerberos authentication does not work with self-signed certificates.

    Trusted SSL certificates are required regardless of whether you enable Kerberos on a single connector or on multiple connectors for high availability.

  • Set up high availability for Kerberos authentication, if necessary. Kerberos authentication is not highly available without a load balancer.
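The prerequisite on the connector host name, the Redirect Host Name rule in the procedure, and the trusted-certificate requirement above are all easy to get wrong on a cluster member. The following POSIX shell script is an added example, not part of the VMware guide, that pre-checks them for one connector: that the host name is inside the joined Active Directory domain, that the Redirect Host Name is the connector's own host name, and that the connector certificate is not self-signed. The host names used are constructed placeholders; the script file name kerberos_preflight.sh is hypothetical; cert_not_self_signed assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not part of the VMware guide: pre-flight checks for a
# VMware Identity Manager connector before enabling the KerberosIdpAdapter.
# Host names used below are constructed placeholders.

# Lower-case a DNS name and strip a trailing dot so comparisons are not
# fooled by letter case or by a fully qualified trailing "." (DNS is
# case-insensitive).
normalize_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Prerequisite: the connector host name must be a host inside the joined AD
# domain, e.g. connectorhost.sales.example.com for the domain sales.example.com.
# The bare domain name, or a host in a sibling domain, does not qualify.
hostname_in_domain() {
    h=$(normalize_name "$1")
    d=$(normalize_name "$2")
    case "$h" in
        *."$d") return 0 ;;
        *)      return 1 ;;
    esac
}

# Redirect Host Name must be this connector's own host name; it is the one
# adapter value that differs between connectors in a cluster.
redirect_matches_self() {
    [ "$(normalize_name "$1")" = "$(normalize_name "$2")" ]
}

# The connector certificate must come from a trusted CA; a self-signed
# certificate (issuer equal to subject) does not work for Kerberos
# authentication. Takes a PEM file; requires the openssl CLI.
cert_not_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" != "$iss" ]
}

# Run the host-name checks for one connector and report each result.
# Usage: check_connector <connector-fqdn> <ad-domain> <redirect-host-name>
# Returns 0 only if every check passes.
check_connector() {
    fqdn=$1
    domain=$2
    redirect=$3
    rc=0
    if hostname_in_domain "$fqdn" "$domain"; then
        echo "OK   $fqdn is inside AD domain $domain"
    else
        echo "FAIL $fqdn is not inside AD domain $domain; manual configuration is needed"
        rc=1
    fi
    if redirect_matches_self "$redirect" "$fqdn"; then
        echo "OK   Redirect Host Name matches this connector"
    else
        echo "FAIL Redirect Host Name '$redirect' is not this connector's own host name"
        rc=1
    fi
    return $rc
}

# Stand-alone use:
#   sh kerberos_preflight.sh <connector-fqdn> <ad-domain> <redirect-host-name> [cert.pem]
if [ "$#" -ge 3 ]; then
    check_connector "$1" "$2" "$3"
    rc=$?
    if [ "$#" -ge 4 ]; then
        if cert_not_self_signed "$4"; then
            echo "OK   certificate in $4 is not self-signed"
        else
            echo "FAIL certificate in $4 is self-signed or unreadable"
            rc=1
        fi
    fi
    exit $rc
fi
```

Run it once per connector in the cluster with that connector's own host name as the third argument; a FAIL on the domain check means the connector falls under the manual-configuration case noted in the prerequisites, and a FAIL on the certificate check means Kerberos authentication will not work on that connector until a CA-issued certificate is installed.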