When you configure the Kerberos authentication adapter, you get an error that states that Kerberos initialization failed.

Problem

During the installation of the VMware Identity Manager Connector, if you did not select the Would you like to run the IDM Connector service as a domain user account? option or if you selected the option but specified a domain account that does not have the right to "Create, delete, and manage user accounts" in Active Directory, Kerberos cannot be initialized after installation. When you try to configure the Kerberos authentication adapter, you get an error message that states that Kerberos initialization failed.

Solution

Run the setupkerberos.bat script with a user account that has higher privileges. Use an account that:

  • Is a domain user
  • Has the right to "Create, delete, and manage user accounts" in Active Directory (members of Admin Users and Account Operators groups have those rights)
  • Is part of the administrator group on the Windows server on which the VMware Identity Manager connector is installed

This user account with higher privileges is only required temporarily to run the script and will not be stored or used again for connector services. After you run the script, you can continue configuring the Kerberos authentication adapter with the original user account that you were using.

To run the script:

  1. Log in to the Windows connector machine and navigate to the InstallDir\VMware Identity Manager\Connector\usr\local\horizon\scripts directory.
  2. Right-click setupkerberos.bat and select Run as administrator.
  3. Enter the user account with higher privileges described above.

    A confirmation message appears after the script has run successfully.

  4. Log in to the VMware Identity Manager console with the original user account that you were using and configure the Kerberos authentication adapter.
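The following PowerShell script is an added example, not part of VMware's documentation or the connector installer. It checks, before you run setupkerberos.bat, that the chosen account meets the three requirements above, then launches the script elevated (the equivalent of Run as administrator). It assumes the ActiveDirectory module (RSAT) is installed on the connector host, that "Domain Admins" and "Account Operators" are the AD groups meant by the page's "Admin Users and Account Operators", and that the install root is C:\Program Files\VMware; adjust the InstallDir parameter if yours differs. The function names are hypothetical.

```powershell
# Added example (not VMware's code): pre-flight check for the account that will run
# setupkerberos.bat, followed by an elevated launch of the script.
#Requires -Modules ActiveDirectory

function Test-KerberosSetupAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Assumption: the built-in AD groups that carry "Create, delete, and manage user accounts"
        [string[]] $RequiredAdGroups = @('Domain Admins', 'Account Operators')
    )
    $ok = $true

    # Requirement 1: the account must be a domain user, not a local one
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "$SamAccountName is not a domain user."
        return $false
    }

    # Requirement 2: membership (direct or nested) in a group that can manage user accounts
    $inAdGroup = $false
    foreach ($g in $RequiredAdGroups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        if (@($members).SamAccountName -contains $user.SamAccountName) { $inAdGroup = $true; break }
    }
    if (-not $inAdGroup) {
        Write-Warning "$SamAccountName is not a member of any of: $($RequiredAdGroups -join ', ')"
        $ok = $false
    }

    # Requirement 3: local Administrators on this connector host. Compare SIDs so that
    # membership through a domain group (e.g. Domain Admins) is detected as well as a
    # direct entry. Get-ADPrincipalGroupMembership lists direct groups only; deeper nesting
    # is not resolved here.
    $localAdminSids = (Get-LocalGroupMember -Group 'Administrators').SID.Value
    $candidateSids  = @($user.SID.Value) +
                      @((Get-ADPrincipalGroupMembership -Identity $user).SID.Value)
    $isLocalAdmin = ($candidateSids | Where-Object { $localAdminSids -contains $_ }).Count -gt 0
    if (-not $isLocalAdmin) {
        Write-Warning "$SamAccountName is not in the local Administrators group on $env:COMPUTERNAME."
        $ok = $false
    }
    return $ok
}

function Start-KerberosSetup {
    param(
        # Assumption: default install root. The page calls this InstallDir.
        [string] $InstallDir = 'C:\Program Files\VMware'
    )
    $script = Join-Path $InstallDir 'VMware Identity Manager\Connector\usr\local\horizon\scripts\setupkerberos.bat'
    if (-not (Test-Path $script)) { throw "setupkerberos.bat not found at $script" }

    # -Verb RunAs is the scripted equivalent of right-click > Run as administrator;
    # UAC prompts for the higher-privilege account at this point.
    $p = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$script`"" -Verb RunAs -Wait -PassThru
    return $p.ExitCode
}

# Usage: verify the account first, then run the script only if every check passed.
$acct = Read-Host 'Domain account (sAMAccountName) that will run setupkerberos.bat'
if (Test-KerberosSetupAccount -SamAccountName $acct) {
    $exit = Start-KerberosSetup
    Write-Host "setupkerberos.bat exited with code $exit"
} else {
    Write-Host 'Fix the account rights listed above before running setupkerberos.bat.'
}
```

The checks run against the account name you type, so you can run them from your normal session before logging in as the privileged account. The local Administrators comparison uses SIDs rather than display names because Get-LocalGroupMember reports domain principals as DOMAIN\name and the privileged user is often an administrator only through Domain Admins.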

About the setupkerberos.bat Script

The setupkerberos.bat script performs the following tasks:

  1. Creates a service account with the same name as the machine account (without the $)
  2. Sets a random password for the account
  3. Generates a keytab file for the account, stored in /usr/horizon/conf
  4. Registers the machine's Kerberos principal as a service principal name (SPN) on that account
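As an added example (not part of the setupkerberos.bat script or VMware's documentation), the following PowerShell function checks for each of the four results listed above after the script has run, and adds one check a practitioner would want: that the HTTP SPN is not also registered on a second directory object, since a duplicate SPN makes Kerberos logins fail. It assumes the ActiveDirectory module is available, that the SPN registered is HTTP/<connector FQDN>, and that the keytab lands somewhere under the connector's install tree (the page gives only a Unix-style path, so the function searches rather than hard-coding it). InstallDir defaults to C:\Program Files\VMware as an assumption.

```powershell
# Added example (not VMware's code): verify what setupkerberos.bat is documented to produce.
#Requires -Modules ActiveDirectory

function Test-KerberosSetupResult {
    [CmdletBinding()]
    param(
        [string] $InstallDir = 'C:\Program Files\VMware',  # assumption: default install root
        [int]    $MaxPasswordAgeMinutes = 60               # assumption: the script ran recently
    )
    $result = [ordered]@{}

    # Task 1: a service account named like the machine account, without the trailing $
    $name = $env:COMPUTERNAME
    $svc  = Get-ADUser -Filter "SamAccountName -eq '$name'" `
                       -Properties ServicePrincipalNames, PasswordLastSet, Enabled
    $result.AccountExists = [bool]$svc

    if ($svc) {
        $result.AccountEnabled = $svc.Enabled

        # Task 2: the script sets a random password, so PasswordLastSet should be recent
        $result.PasswordSetRecently =
            $svc.PasswordLastSet -gt (Get-Date).AddMinutes(-$MaxPasswordAgeMinutes)

        # Task 4: the machine's principal registered as an SPN on the account.
        # Assumption: the principal is HTTP/<fqdn>, which is what a browser requests
        # when it performs Kerberos authentication to the connector.
        $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        $spn  = "HTTP/$fqdn"
        $result.ExpectedSpn = $spn
        $result.SpnMapped   = @($svc.ServicePrincipalNames) -contains $spn

        # Caveat: the same SPN on two objects (e.g. also on the computer account) breaks
        # Kerberos for this service. Count every object carrying it; exactly one is correct.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        $result.SpnHolderCount = $holders.Count
        $result.SpnDuplicated  = $holders.Count -gt 1
        $result.SpnHolders     = $holders.DistinguishedName
    }

    # Task 3: a keytab file for the account. Search the connector tree rather than
    # assuming the exact directory.
    $connector = Join-Path $InstallDir 'VMware Identity Manager\Connector'
    $keytab = Get-ChildItem -Path $connector -Recurse -Filter '*.keytab' -ErrorAction SilentlyContinue |
              Select-Object -First 1
    $result.KeytabPath = if ($keytab) { $keytab.FullName } else { $null }

    $result.AllGood = $result.AccountExists -and $result.AccountEnabled -and
                      $result.SpnMapped -and -not $result.SpnDuplicated -and
                      [bool]$result.KeytabPath
    return [pscustomobject]$result
}

# Usage: run on the connector host after setupkerberos.bat reported success.
Test-KerberosSetupResult | Format-List
```

If AccountExists is false, the script most likely ran under an account that could not create users, which is the failure mode this page describes. If SpnDuplicated is true, the Kerberos adapter may still fail after the script succeeds; remove the SPN from the object that should not carry it before retrying the adapter configuration.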