Configure and enable the KerberosIdpAdapter on the VMware Identity Manager connector. If you have deployed a cluster for high availability, configure and enable the adapter on all the connectors in your cluster.

Important: Authentication adapters on all the connectors in your cluster must be configured identically. The same authentication methods must be configured on all the connectors.

When you configure the Kerberos authentication adapter, the VMware Identity Manager connector attempts to initialize Kerberos automatically. If the VMware IDM Connector service is not running with sufficient privileges to initialize Kerberos, an error message appears. In this case, follow the instructions in http://kb.vmware.com/kb/2149753 to run a script that initializes Kerberos.

For more information about configuring Kerberos authentication, see the VMware Identity Manager Administration Guide.

Prerequisites

  • The Windows machine on which the VMware Identity Manager connector is installed must be joined to the domain.
  • You must have installed the VMware Identity Manager connector as a domain user that is part of the administrator group on the Windows machine on which the connector is installed, and you must be running the VMware IDM Connector service as a Windows domain user.
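The following PowerShell check is an added example (not part of the VMware documentation) that verifies both prerequisites on the connector host before you touch the adapter: that the machine is domain-joined and that the connector service runs as a domain account rather than LocalSystem, a virtual account or a local user. It assumes the service's display name begins with "VMware IDM Connector"; adjust the filter if your installation names it differently.

```powershell
# Added example, not VMware's own code. Checks the two prerequisites for the
# KerberosIdpAdapter on the Windows machine that hosts the connector.
# Assumption: the connector service's display name starts with "VMware IDM Connector".

$computer = Get-CimInstance -ClassName Win32_ComputerSystem

# 1. Domain membership: PartOfDomain is $false on workgroup machines.
$domainJoined = [bool]$computer.PartOfDomain

# 2. Service account: must be a domain account, not a built-in or local account.
$service = Get-CimInstance -ClassName Win32_Service `
    -Filter "DisplayName LIKE 'VMware IDM Connector%'" | Select-Object -First 1

$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
$localPrefixes = @('.', $computer.Name, 'NT AUTHORITY', 'NT SERVICE', 'BUILTIN')

$serviceRunsAsDomainUser = $false
if ($service) {
    $account = $service.StartName
    if ($account -and ($builtIn -notcontains $account)) {
        if ($account -match '^([^\\]+)\\') {
            # DOMAIN\user form: local and virtual accounts use the computer name,
            # '.', or an NT AUTHORITY/NT SERVICE prefix; anything else is a domain.
            $serviceRunsAsDomainUser = ($localPrefixes -notcontains $Matches[1])
        } elseif ($account -match '@') {
            # user@domain.example (UPN form) is always a domain account.
            $serviceRunsAsDomainUser = $true
        }
    }
}

[pscustomobject]@{
    ComputerName            = $computer.Name
    DomainJoined            = $domainJoined
    Domain                  = $computer.Domain
    ServiceFound            = [bool]$service
    ServiceAccount          = if ($service) { $service.StartName } else { 'n/a' }
    ServiceState            = if ($service) { $service.State } else { 'n/a' }
    ServiceRunsAsDomainUser = $serviceRunsAsDomainUser
    ReadyForKerberosAdapter = ($domainJoined -and $serviceRunsAsDomainUser)
}
```

Run it in an elevated PowerShell session on each connector in the cluster; a `ReadyForKerberosAdapter` value of `False` is the usual reason the automatic Kerberos initialization described above fails and the KB script becomes necessary.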

Procedure

  1. In the VMware Identity Manager administration console, click the Identity & Access Management tab.
  2. Click Setup, then click the Connectors tab.
    All the connectors that you have deployed are listed.
  3. Click the link in the Worker column of one of the connectors.
  4. Click the Auth Adapters tab.
  5. Click the KerberosIdpAdapter link, and configure and enable the adapter.
    Name: The default name of the adapter is KerberosIdpAdapter. You can change this name.
    Directory UID Attribute: The account attribute that contains the username.
    Enable Windows Authentication: Select this option.
    Enable Redirect: If you have multiple connectors in a cluster and plan to set up Kerberos high availability by using a load balancer, select this option and specify a value for Redirect Host Name. If your deployment has only one connector, you do not need to use the Enable Redirect and Redirect Host Name options.
    Redirect Host Name: A value is required if the Enable Redirect option is selected. Enter the connector's own host name. For example, if the connector's host name is connector1.example.com, enter connector1.example.com in the text box.
    For more information on configuring the KerberosIdpAdapter, see the VMware Identity Manager Administration Guide.
  6. Click Save.
    Note: If you get an error stating that Kerberos initialization failed, see Kerberos Initialization Error. After you run the script, return to this page and configure the adapter.
  7. If you have deployed a cluster, configure the KerberosIdpAdapter on all the connectors in your cluster.
    Ensure that you configure the adapter identically on all the connectors, except for the Redirect Host Name value, which should be specific to each connector.

What to do next

  • Ensure that each connector on which the KerberosIdpAdapter is enabled has a trusted SSL certificate. You can obtain the certificate from your internal certificate authority. Kerberos authentication does not work with self-signed certificates.

    Trusted SSL certificates are required regardless of whether you enable Kerberos on a single connector or on multiple connectors for high availability.

  • Set up high availability for Kerberos authentication, if necessary. Kerberos authentication is not highly available without a load balancer.
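Because Kerberos authentication fails against a self-signed connector certificate, it is worth checking what each connector actually presents before enabling the adapter. The script below is an added example (not part of the VMware documentation): it opens a TLS connection to a connector, reports whether the leaf certificate is self-signed, whether it chains to a CA trusted by the machine running the check, and whether its subject alternative names cover the connector host name. The host name is a placeholder and port 443 is an assumption.

```powershell
# Added example, not VMware's own code. Inspects the certificate a connector
# presents on HTTPS. Assumptions: placeholder host name, port 443.
param(
    [string]$ConnectorHost = 'connector1.example.com',  # placeholder, replace
    [int]$Port = 443
)

$client = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $client.Connect($ConnectorHost, $Port)

    # Accept whatever is presented during the handshake; the chain is evaluated
    # explicitly below so the reason for a failure can be reported.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors) $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($ConnectorHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate

    # Self-signed: issuer and subject are the same distinguished name.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    # Trusted: the chain builds up to a root in this machine's trust store.
    # Revocation is skipped here so the check works without CRL/OCSP reachability.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Name match: the connector host name must appear in the SAN list
    # (DnsNameList is the PowerShell-added view of the SAN extension).
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if (-not $names) { $names = @($cert.GetNameInfo('DnsName', $false)) }
    $nameMatches = $false
    foreach ($n in $names) {
        if ($n -eq $ConnectorHost) { $nameMatches = $true }
        # Wildcard entries: '*.example.com' covers a single left-most label.
        elseif ($n.StartsWith('*.') -and
                ($ConnectorHost -split '\.', 2)[1] -eq $n.Substring(2)) { $nameMatches = $true }
    }

    [pscustomobject]@{
        Host                  = $ConnectorHost
        Subject               = $cert.Subject
        Issuer                = $cert.Issuer
        NotAfter              = $cert.NotAfter
        SelfSigned            = $selfSigned
        ChainTrusted          = $chainTrusted
        ChainStatus           = if ($chainStatus) { $chainStatus } else { 'NoError' }
        NameMatches           = $nameMatches
        SuitableForKerberos   = (-not $selfSigned -and $chainTrusted -and $nameMatches)
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Dispose()
}
```

Run it once per connector (and, if you front the cluster with a load balancer, once against the load balancer name as well). `ChainTrusted` reflects the trust store of the machine running the script, so run it from a domain-joined client that has your internal CA installed, which is the population of machines that will be doing Kerberos authentication.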