When the Kerberos Auth service is installed on a Workspace ONE Access connector, you enable and configure the Kerberos authentication method from the Workspace ONE Access console. You then add the Workspace IDP identity provider and associate the Kerberos authentication method in the identity provider.
Prerequisites
The Kerberos Auth services must be correctly configured in the Workspace ONE Access connector. A correct configuration includes the following.
- The Windows machine on which the Kerberos Auth service is installed must be joined to the domain.
- During the installation of the Kerberos Auth service, you specified the domain user account to use to run the service. This domain user is part of the administrator group on the Windows machine on which the service is installed.
- A trusted SSL certificate signed by a public or internal CA was uploaded. If you deployed multiple instances of the Kerberos Auth service for high availability, a trusted SSL certificate signed by a public or internal CA was uploaded to each connector.
- Kerberos Auth services requires inbound connect to the connector on port TCP 443.
- To set up high availability for Kerberos authentication, a load balance is required. The load balance must have a trusted SSL certificate signed by a public or internal CA. See the Installing the Workspace ONE Access Connector guide for configuration information.
Procedure
What to do next
In the Identity Provider page, add the Workspace IDP identity provider and associated the Kerberos Authentication method to the identity provider. See Configure Workspace Identity Provider Instance with Kerberos Authentication in Workspace ONE Access.
Add the authentication method to the default access policy in the Resources > Policies page and edit the default policy rules to add the Kerberos authentication method to the rule in the correct authentication order, with Password authentication (cloud) configured as the fallback authentication method. See Managing Access Policies in the Workspace ONE Access Service.
If high availability is configured, on each connector, configure the Kerberos authentication method for the Kerberos Authentication service.