A few weeks ago, I wrote an article that shows how to integrate vROPS with Identity Manager and create catalog apps (here). So if we are logged into vRIDM, we can access our apps without adding a username and password a second time. But what if we have our computer in the domain, are logged to the computer with a domain account, and want to access all apps using our credentials? We can set up Identity Manager to use Kerberos authentication. Below you can find a short instruction on how to do that.
Requirements/assumptions:
Because in this article we are focused on Kerberos authentication, I assume that you have added and synced Active Directory in Identity Manager. If not, there are plenty of articles in internet describing that.
- vRealize Identity Manager is configured and synced to use Active Directory. If not, go to documentation here. In my case i have configured Active Directory (Integrated Windows Authentication) and use sAMAccountName attribute for users.
- Active Directory connector(s) joined to AD Domain.
- Identity Provider is configured.
- Desktop and domain account with privileges to catalog apps for test purposes.
Below I added few screenshots from my AD configuration to help you with some doubts.
Kerberos configuration in vRIDM:
Go to Identity & Access Management -> Setup -> Connectors, click on the Worker name and go to Auth Adapter.
Click KerberosIdpAdapter and configure adapter as below (Redirect Host Name and Enable Redirect is necessary only for clustered environment):
Next, we need to edit our policy and add Kerberos as a authentication method for our applications:
Check if Kerberos is enabled on Identity Provider and test configuration:
Additional steps:
In vRealize Identity Manager version 3.3.4 sometimes there is a problem with Kerberos. If you have some problems, go in vRIDM console to Dashboard->Reports, select report Audit Events and click Show. If you can see something like below (error: SAML_VALIDATION failed):
{
"baseType" : "Action",
"uuid" : "4d9e16ea-46b2-4d6e-ab5d-6164d99b220e",
"timestamp" : 1620843519923,
"organizationId" : 2,
"tenantId" : "VRIDM",
"actorId" : null,
"actorUserName" : "Not Available",
"actorDomain" : null,
"actorUuid" : null,
"clientId" : null,
"deviceId" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0",
"workspaceId" : null,
"sourceIp" : "10.20.40.1",
"objectType" : "SAML_VALIDATION",
"objectId" : "54",
"objectName" : "WorkspaceIDP__1",
"values" : {
"deviceType" : null,
"success" : "false",
"message" : "Received error SAML response. StatusCode=urn:oasis:names:tc:SAML:2.0:status:AuthnFailed StatusMessage=null",
"actorExternalId" : null,
"failureMessage" : "Received error SAML response. StatusCode=urn:oasis:names:tc:SAML:2.0:status:AuthnFailed StatusMessage=null"
}
}And in /opt/vmware/horizon/workspace/logs/horizon.log you can see something similar:
INFO (Thread-3) [VRIDM;-;10.20.40.1;] com.tricipher.tacsag.saml.AuthenticationUtilities - SAML exception occurred : saml.authentication.failed
com.vmware.horizon.common.api.exception.SamlAuthenticationException: saml.authentication.failed
INFO (Thread-3) [VRIDM;-;10.20.40.1;] com.tricipher.saas.action.api.impl.AuthenticationServiceImpl - Invalid SAML response. Cause: Received error SAML response. StatusCode=urn:oasis:names:tc:SAML:2.0:status:AuthnFailed StatusMessage=null
INFO (Thread-3) [VRIDM;-;10.20.40.1;] com.vmware.horizon.service.controller.auth.LoginController - Federation exception:
com.vmware.horizon.common.api.exception.SamlAuthenticationException: saml.authentication.failed
You should do steps mention below.
– log into vRIDM appliance using root account and run command (if not work, try privileges 664 instead of 644) :
# chmod 644 /etc/krb5*
BlanketVM 