To configure the Directories Management service to provide Kerberos authentication, you must join to the domain and enable Kerberos authentication on the Directories Management connector.


  1. As a tenant administrator, navigate to Administration > Directories Management > Connectors
  2. On the Connectors page, for the connector that is being configured for Kerberos authentication, click Join Domain.
  3. On the Join Domain page, enter the information for the Active Directory domain.




    Enter the fully qualified domain name of the Active Directory. The domain name you enter must be the same Windows domain as the connector server.

    Domain User

    Enter the user name of an account in the Active Directory that has permissions to join systems to that Active Directory domain.

    Domain Password

    Enter the password associated with the AD Username. This password is not stored by Directories Management


    Click Save.

    The Join Domain page is refreshed and displays a message that you are currently joined to the domain.

  4. In the Worker column for the connector click Auth Adapters.
  5. Click KerberosIdpAdapter

    You are redirected to the identity manager sign in page.

  6. Click Edit in the KerberosldpAdapter row and configure the Kerberos authentication page.




    A name is required. The default name is KerberosIdpAdapter. You can change this.

    Directory UID Attribute

    Enter the account attribute that contains the user name.

    Enable Windows Authentication

    Select this to extend authentication interactions between users' browsers and Directories Management.

    Enable NTLM

    Select this to enable NT LAN Manager (NTLM) protocol-based authentication only if your Active Directory infrastructure relies on NTLM authentication.

    Enable Redirect

    Select this if round-robin DNS and load balancers do not have Kerberos support. Authentication requests are redirected to Redirect Host Name. If this is selected, enter the redirect host name in Redirect Host Name text box. This is usually the hostname of the service.

  7. Click Save.

What to do next

Add the authentication method to the default access policy. Navigate to Administration > Directories Management > Policies and click Edit Default Policy to edit the default policy rules to add the Kerberos authentication method to the rule in the correct authentication order.