When the Kerberos Auth service is installed on a Workspace ONE Access connector, you enable and configure the Kerberos authentication method from the Workspace ONE Access console. You then add the Workspace ONE Access identity provider and associate the Kerberos authentication method in the identity provider.
The Kerberos Auth services must be correctly configured in the Workspace ONE Access connector. A correct configuration includes the following.
- The Windows machine on which the Kerberos Auth service is installed must be joined to the domain.
- During the installation of the Kerberos Auth service, you specified the domain user account to use to run the service. This domain user is part of the administrator group on the Windows machine on which the service is installed.
- A trusted SSL certificate signed by a public or internal CA was uploaded. If you deployed multiple instances of the Kerberos Auth service for high availability, a trusted SSL certificate signed by a public or internal CA was uploaded to each connector.
- To set up high availability for Kerberos authentication, a load balance is required. The load balance must have a trusted SSL certificate signed by a public or internal CA. See the Installing the Workspace ONE Access Connector guide for configuration information.
- In the Workspace ONE Access console Identity & Access Management tab, select Manage > Enterprise Authentication Methods.
- Click NEW and select Kerberos.
- Select the directory and the service host to configure with this authentication method.
- Configure the Kerberos authentication method.
Option Description Directory UID Attribute Enter the account attribute that contains the user name. Enable Redirect Enable Redirect displays if redirect is enabled because you are deploying multiple connectors configured with the Kerberos Auth service for high availability with a load balancer.
- Click NEXT to review the configuration and then click SAVE.
What to do next
In the Identity Provider page, add the Workspace ONE Access identity provider and associated the Kerberos Authentication method to the identity provider. See Configure Workspace ONE Access Identity Provider Instance with Kerberos Authentication.
Add the authentication method to the default access policy. Go to the Identity & Access Management > Manage > Policies page and edit the default policy rules to add the Kerberos authentication method to the rule in the correct authentication order, with Password authentication (cloud) configured as the fallback authentication method. See Managing Access Policies.
If high availability is configured, on each connector, configure the Kerberos authentication method for the Kerberos Authentication service.