Installing and Configuring VMware Identity Manager Connector 19.03.0.0 (Windows)

Modified OCT 2020
JUL 2019
VMware Workspace ONE Access 19.03
VMware Identity Manager 19.03



You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2018-2020 VMware, Inc. All rights reserved. Copyright and trademark information.


Contents

Installing and Configuring VMware Identity Manager Connector 19.03.0.0 (Windows)

1 About the VMware Identity Manager Connector

2 Preparing to Install the VMware Identity Manager Connector on Windows
  System Requirements for VMware Identity Manager Connector 19.03 (Windows)
  Deployment Checklist for VMware Identity Manager Connector (Windows)

3 Installing the VMware Identity Manager Connector on Windows
  Generate an Activation Code for the VMware Identity Manager Connector
  Run the VMware Identity Manager Connector Installer
  Run the VMware Identity Manager Connector Setup Wizard
  Configuring Proxy Settings for the VMware Identity Manager Connector

4 Configuring the VMware Identity Manager Connector
  Set up a Directory
  Enable Authentication Adapters on the VMware Identity Manager Connector
  Enable Outbound Mode for the VMware Identity Manager Connector

5 Configuring High Availability for the VMware Identity Manager Connector
  Install and Configure Additional VMware Identity Manager Connector Instances
  Configure High Availability for Authentication
  Configure High Availability for Directory Sync (On Premises VMware Identity Manager Only)

6 Adding Kerberos Authentication Support to Your VMware Identity Manager Connector Deployment
  Configuring and Enabling the Kerberos Authentication Adapter
  Configuring High Availability for Kerberos Authentication
  Configure Load Balancer Settings
  Apply VMware Identity Manager Connector Root Certificate to the Load Balancer
  Apply Load Balancer Root Certificate to the VMware Identity Manager Connector
  Change Connector IdP Host Name to the Load Balancer Host Name

7 Additional VMware Identity Manager Connector Settings
  Using SSL Certificates for the VMware Identity Manager Connector
  Installing a Signed SSL Certificate for the Connector
  Downloading the Connector Self-Signed Root CA Certificate
  Installing Trusted Root Certificates on the Connector
  Configuring a Syslog Server for the VMware Identity Manager Connector
  Managing Your VMware Identity Manager Connector Passwords
  Configuring Proxy Settings for the VMware Identity Manager Connector
  Viewing and Downloading VMware Identity Manager Connector Log Files
  Download a Log Bundle
  Setting the VMware Identity Manager Connector Log Level to DEBUG
  Configuring Time Synchronization for the VMware Identity Manager Connector (Windows)

8 Upgrading the VMware Identity Manager Connector (Windows)

9 Upgrading Java on the VMware Identity Manager Connector Server

10 Deleting a VMware Identity Manager Connector Instance

11 Directory Migration from ACC to the VMware Identity Manager Connector
  Convert Other Directory to Active Directory over LDAP or Active Directory over Integrated Windows Authentication
  Stop Directory Sync from Workspace ONE UEM to VMware Identity Manager

12 Troubleshooting VMware Identity Manager Connector
  Resetting admin User Password for VMware Identity Manager Connector
  Kerberos Initialization Error


Installing and Configuring VMware Identity Manager Connector 19.03.0.0 (Windows)

Installing and Configuring VMware Identity Manager Connector 19.03.0.0 (Windows) provides information about installing and configuring the Windows version of the VMware Identity Manager™ connector, an on-premises component of VMware Identity Manager.

Note The Linux version of the VMware Identity Manager connector is no longer available. For information about prior versions of the Linux connector, see VMware Identity Manager Cloud Deployment (with Linux Connector) for cloud deployments or the appropriate version of Deploying VMware Identity Manager in the DMZ for on-premises deployments.

Intended Audience

This information is written for experienced Windows system administrators who are familiar with virtual machine technology and data center operations.


1 About the VMware Identity Manager Connector

The VMware Identity Manager connector is an on-premises component of VMware Identity Manager that provides directory integration, user authentication, and integration with resources such as Horizon 7.

The connector is deployed in outbound connection mode and does not require inbound port 443 to be opened. It communicates with the VMware Identity Manager service through a Websocket-based communication channel.

Figure 1-1. VMware Identity Manager Connector Deployment

[Figure: the VMware Identity Manager tenant exchanges requests and responses with the on-premises VMware Identity Manager connector over a Websocket channel on HTTPS 443 (outbound only). On premises, the connector connects to Active Directory/LDAP and to optional services: Integration Broker, Citrix farms, View Connection Servers, RSA SecurID, RSA Adaptive Auth, and a RADIUS server.]

Note The VMware Identity Manager tenant depicted in the diagram can either be in the cloud or deployed on premises.


Supported Authentication Methods

The VMware Identity Manager connector supports the following authentication methods.

• Password

• RSA Adaptive Authentication

• RSA SecurID

• RADIUS

• Kerberos authentication for internal users

Note In addition to these connector-based authentication methods, VMware Identity Manager service-based authentication methods are also available. Additionally, inbound SAML through a third-party identity provider is available.

Supported Directory Integrations

The VMware Identity Manager connector supports integration with the following types of enterprise directories.

• Active Directory over LDAP

• Active Directory over Integrated Windows Authentication

• LDAP Directory

Note You can also use Just-in-Time provisioning to create users in the VMware Identity Manager service dynamically at login, using SAML assertions sent by a third-party identity provider.

Supported Resources

The VMware Identity Manager connector supports integration with the following types of resources.

• VMware Horizon® 7, Horizon 6, or View desktop and application pools

• VMware Horizon® Cloud Service™ with Hosted and On-Premises Infrastructure

• Citrix-published resources

Note Additionally, VMware Identity Manager supports Web apps and native mobile apps.


2 Preparing to Install the VMware Identity Manager Connector on Windows

Before you deploy the VMware Identity Manager Connector, review the system requirements and prepare your environment.

This chapter includes the following topics:

• System Requirements for VMware Identity Manager Connector 19.03 (Windows)

• Deployment Checklist for VMware Identity Manager Connector (Windows)

System Requirements for VMware Identity Manager Connector 19.03 (Windows)

To deploy the VMware Identity Manager connector, ensure your system meets the necessary requirements.

Compatibility Between VMware Identity Manager Service and Connector

You can use the VMware Identity Manager connector with the VMware Identity Manager Cloud service or with the on premises VMware Identity Manager service virtual appliance.

With the VMware Identity Manager Cloud service, you can use all supported versions of the connector. However, using the latest version of the connector is recommended.

With the VMware Identity Manager on premises service, you can use supported connector versions that are either the same or lower than the service version. For example, with the VMware Identity Manager 19.03 service, you can use connector 19.03 and earlier versions. You cannot use a connector version that is higher than the service version. For example, you cannot use the 20.01 connector with the 19.03 service. Using the latest compatible version of the connector is recommended.

For information on supported versions, see https://www.vmware.com/support/policies/lifecycle.html.

Hardware Requirements

Ensure the Windows server meets the following hardware requirements.


Table 2-1. VMware Identity Manager Connector Requirements

Up to 1000 users: 2 CPU; 6 GB RAM per server; 50 GB disk space

1000 to 10,000 users: 2 load-balanced servers, each with 4 CPU; 6 GB RAM each; 50 GB disk space each

10,000 to 25,000 users: 2 load-balanced servers, each with 4 CPU; 8 GB RAM each; 50 GB disk space each

25,000 to 50,000 users: 2 load-balanced servers, each with 4 CPU; 16 GB RAM each; 50 GB disk space each

50,000 to 100,000 users: 2 load-balanced servers, each with 4 CPU; 16 GB RAM each; 50 GB disk space each

Note

• CPU cores should each be 2.0 GHz or higher. An Intel processor is required.

• Disk space requirements include 1 GB disk space for the VMware Identity Manager connector application, Windows OS, and .NET runtime. Additional disk space is allocated for logging.

Software Requirements

Ensure the Windows server meets the following software requirements.

Requirement: Windows Server 2019, Windows Server 2016, or Windows Server 2012 R2
Notes: As of September 2020, Windows Server 2012 and 2008 R2 are no longer supported.

Requirement: Install PowerShell on the server
Notes: PowerShell version 4.0 is required if you are installing on Windows Server 2008 R2. As of September 2020, Windows Server 2012 and 2008 R2 are no longer supported.

Requirement: Install .NET Framework 4.6.2

Network Requirements

For configuring the ports listed below, all traffic is uni-directional (outbound) from the source component to the destination component.

An outbound proxy or any other connection management software or hardware must not terminate or reject the outbound connection from the VMware Identity Manager connector. The outbound connection required for use by VMware Identity Manager connector must remain open at all times.


Table 2-2. VMware Identity Manager Connector Port Requirements

Each entry lists Source → Destination: port(s), protocol, and notes.

• VMware Identity Manager connector → VMware Identity Manager service, or the VMware Identity Manager service host (on-premises installations): 443, HTTPS. Default port. Required.

• VMware Identity Manager connector → VMware Identity Manager service load balancer (on-premises installations): 443, HTTPS.

• Browsers → VMware Identity Manager connector: 8443, HTTPS. Administrative port. Required.

• Browsers → VMware Identity Manager connector: 80, HTTP. Required.

• Browsers → VMware Identity Manager connector: 443, HTTPS. This port is only required for a connector being used in inbound mode. If Kerberos authentication is configured on the connector, this port is required.

• VMware Identity Manager connector → Active Directory: 389, 636, 3268, 3269. Default ports. These ports are configurable.

• VMware Identity Manager connector → DNS server: 53, TCP/UDP. Every instance must have access to the DNS server on port 53 and allow incoming SSH traffic on port 22.

• VMware Identity Manager connector → Domain controller: 88, 464, 135, 445, TCP/UDP. For Kerberos authentication.

• VMware Identity Manager connector → RSA SecurID system: 5500. Default port. This port is configurable.

• VMware Identity Manager connector → Horizon Connection Server: 389, 443. Access to Horizon Connection Server instances for Horizon integrations.

• VMware Identity Manager connector → Integration Broker: 80, 443. Access to the Integration Broker for integration with Citrix-published resources.

Important If you install the Integration Broker on the same Windows server as the VMware Identity Manager connector, you must ensure that in the IIS Server Default Web Site site bindings, the HTTP and HTTPS binding ports do not conflict with the ports used by the VMware Identity Manager connector.

The VMware Identity Manager connector uses ports 80, 443, and 8443.

Installing the Integration Broker on the VMware Identity Manager connector server is not recommended.

• VMware Identity Manager connector → syslog server: 514, UDP. For external syslog server, if configured.
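As an added pre-flight check that is not part of the VMware documentation, the following PowerShell script, run on the Windows server that will host the connector, probes the outbound TCP paths listed in Table 2-2. The hostnames are placeholders for your environment, and the Required flags mirror the table where it marks a path as required; set the others according to the integrations you deploy. UDP paths (53, 514, and the UDP half of the Kerberos ports) cannot be probed this way and must be confirmed on the firewall.

```powershell
# Added example, not from the VMware documentation. Hostnames are placeholders.
$Targets = @(
    @{ Name = 'Identity Manager service / load balancer'; Host = 'idm.example.com';      Ports = 443;                  Required = $true  }
    @{ Name = 'Active Directory (LDAP / Global Catalog)';  Host = 'dc01.example.com';     Ports = 389, 636, 3268, 3269; Required = $false }
    @{ Name = 'Domain controller (Kerberos, TCP side)';    Host = 'dc01.example.com';     Ports = 88, 464, 135, 445;    Required = $false }
    @{ Name = 'DNS server (TCP 53)';                       Host = 'dns01.example.com';    Ports = 53;                   Required = $true  }
    @{ Name = 'RSA SecurID system';                        Host = 'securid.example.com';  Ports = 5500;                 Required = $false }
    @{ Name = 'Horizon Connection Server';                 Host = 'horizon.example.com';  Ports = 389, 443;             Required = $false }
    @{ Name = 'Integration Broker';                        Host = 'broker.example.com';   Ports = 80, 443;              Required = $false }
)

function Test-ConnectorEgress {
    param(
        [Parameter(Mandatory)][object[]]$Targets,
        [int]$TimeoutMs = 3000
    )
    foreach ($t in $Targets) {
        foreach ($port in @($t.Ports)) {
            $client = New-Object System.Net.Sockets.TcpClient
            $ok = $false
            try {
                # Explicit connect timeout: a firewall that silently drops SYNs would
                # otherwise stall each probe for the OS default of ~20 seconds.
                $async = $client.BeginConnect($t.Host, $port, $null, $null)
                $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
            } catch {
                $ok = $false
            } finally {
                $client.Close()
            }
            [pscustomobject]@{
                Destination = $t.Name
                Host        = $t.Host
                Port        = $port
                Required    = $t.Required
                Reachable   = $ok
            }
        }
    }
}

$results = Test-ConnectorEgress -Targets $Targets
$results | Format-Table -AutoSize

# A blocked required path means the connector cannot activate or sync, so fail the run.
$blocked = $results | Where-Object { $_.Required -and -not $_.Reachable }
if ($blocked) {
    Write-Warning ('Required outbound paths blocked: ' +
        (($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '))
    exit 1
}
```

Run it again after any proxy or firewall change, because the document requires the outbound connection to stay open at all times.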

VMware Identity Manager Cloud Hosted IP Addresses

(Cloud deployments) See Knowledge Base article 2149884 for the list of VMware Identity Manager service IP addresses to which the VMware Identity Manager connector must have access.

DNS Records and IP Addresses Requirements

A DNS entry and a static IP address must be available for the connector. Before you begin your installation, obtain the DNS record and IP addresses to use and configure the network settings of the Windows server.

Ensure that you select an appropriate, user-friendly host name for the connector if you intend to configure Kerberos authentication. The VMware Identity Manager connector host name is visible to end users when Kerberos is configured.


Configuring reverse lookup is optional. When you implement reverse lookup, you must define a PTR record on the DNS server so the connector uses the correct network configuration.

You can use the following sample list of DNS records. Replace the sample information with information from your environment. This example shows forward DNS records and IP addresses.

Table 2-3. Example of Forward DNS Records and IP Addresses

Domain Name Resource Type IP Address

myconnector.company.com A 10.28.128.3

This example shows reverse DNS records and IP addresses.

Table 2-4. Example of Reverse DNS Records and IP Addresses

IP Address Resource Type Host Name

10.28.128.3 PTR myconnector.company.com

After you complete the DNS configuration, verify that the reverse DNS lookup is properly configured. For example, running the command host IPaddress with the connector's IP address must return the connector's DNS name.

Note If you have a load balancer with a Virtual IP address (VIP) in front of the DNS servers, note that VMware Identity Manager does not support using a VIP. You can specify multiple DNS servers separated by a comma.

Note If you are using a Unix or Linux-based DNS server and plan to join the connector to the Active Directory domain, make sure that the appropriate service (SRV) resource records are created for each Active Directory domain controller.
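The forward, reverse, and SRV record checks described above, as an added PowerShell example that is not part of the VMware documentation. It uses the sample values from Tables 2-3 and 2-4 and an assumed Active Directory DNS domain of company.com; replace them with your own values.

```powershell
# Added example, not from the VMware documentation.
$ConnectorFqdn = 'myconnector.company.com'   # sample value from Table 2-3
$ConnectorIp   = '10.28.128.3'               # sample value from Table 2-4
$AdDomain      = 'company.com'               # assumed AD DNS domain name

function Test-ConnectorDns {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$Ip,
        [string]$AdDomain
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Forward lookup: the A record must exist and point at the static IP address.
    $a = Resolve-DnsName -Name $Fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) {
        $problems.Add("No A record for $Fqdn")
    } elseif ($a.IPAddress -notcontains $Ip) {
        $problems.Add("A record for $Fqdn resolves to $($a.IPAddress -join ', '), expected $Ip")
    }

    # Reverse lookup: the PTR record must map the IP address back to the same host
    # name (the 'host IPaddress' check in the text). Resolve-DnsName builds the
    # in-addr.arpa name from the IP address itself.
    $ptr = Resolve-DnsName -Name $Ip -Type PTR -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'PTR' }
    if (-not $ptr) {
        $problems.Add("No PTR record for $Ip (reverse lookup is optional, but if configured it must match)")
    } else {
        $names = @($ptr.NameHost | ForEach-Object { $_.TrimEnd('.') })
        if ($names -notcontains $Fqdn) {
            $problems.Add("PTR for $Ip points to $($names -join ', '), expected $Fqdn")
        }
    }

    # SRV records for the domain controllers, which a Unix or Linux DNS server does
    # not create automatically (see the note above).
    if ($AdDomain) {
        foreach ($srv in "_ldap._tcp.dc._msdcs.$AdDomain", "_kerberos._tcp.$AdDomain") {
            $rec = Resolve-DnsName -Name $srv -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }
            if (-not $rec) { $problems.Add("Missing SRV record $srv") }
        }
    }
    return $problems
}

$issues = Test-ConnectorDns -Fqdn $ConnectorFqdn -Ip $ConnectorIp -AdDomain $AdDomain
if ($issues.Count -eq 0) {
    "DNS checks passed for $ConnectorFqdn ($ConnectorIp)"
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```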

Time Synchronization

Configuring time synchronization on all VMware Identity Manager service and connector instances is required for a VMware Identity Manager deployment to function correctly.

For information on configuring time synchronization for the VMware Identity Manager connector, see Configuring Time Synchronization for the VMware Identity Manager Connector (Windows).

For information on configuring time synchronization for the VMware Identity Manager service, see Installing and Configuring VMware Identity Manager for Linux and Installing and Configuring VMware Identity Manager for Windows.

Supported Active Directory Versions

An Active Directory environment that consists of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests is supported.


VMware Identity Manager supports Active Directory on Windows Server 2012 R2, 2016, and 2019 with a Domain functional level and Forest functional level of Windows 2003 and later.

Note As of September 2020, Windows Server 2008, 2008 R2, and 2012 are no longer supported.

Note A higher functional level may be required for some features. For example, to allow users to change Active Directory passwords from Workspace ONE, the Domain functional level must be Windows 2008 or later.

Limit on Number of Connectors

The VMware Identity Manager console can display only 20 legacy connectors (19.03 or earlier connectors). Depending on the version of the VMware Identity Manager service that you are using, legacy connectors are listed on either the Identity & Access Management > Setup > Connectors page or the Identity & Access Management > Setup > Legacy Connectors page. Do not add more than 20 legacy connector instances to the service.

This restriction does not apply to Workspace ONE Access connector 20.01 or later.

Deployment Checklist for VMware Identity Manager Connector (Windows)

You can use the deployment checklist to gather the necessary information to install and configure the VMware Identity Manager Connector on Windows.

Fully Qualified Domain Name Information

Information to gather (list the value for your environment):

• VMware Identity Manager Connector FQDN

Network Information

Information to gather (list the value for your environment):

• IP address. Note You must use a static IP address and it must have a PTR and an A record defined in the DNS.

• DNS host name

• Default Gateway address

• Netmask or prefix

Directory Information

VMware Identity Manager supports integrating with Active Directory or LDAP directories.


Table 2-5. Active Directory Domain Controller Information Checklist

Information to gather (list the value for your environment):

• Active Directory server name

• Active Directory domain name

• Base DN

• For Active Directory over LDAP, the Bind DN username and password

• For Active Directory over Integrated Windows Authentication, the user name and password of a domain user that is also part of the administrator group on the Windows server on which you are installing

Table 2-6. LDAP Directory Server Information Checklist

Information to gather (list the value for your environment):

• LDAP directory server name or IP address

• LDAP directory server port number

• Base DN

• Bind DN username and password

• LDAP search filters for bind user objects, group objects, and user objects

• LDAP attribute names for membership, object UUID, and distinguished name

SSL Certificates

You can add an SSL certificate from a Certificate Authority after you deploy the VMware Identity Manager Connector.

Table 2-7. SSL Certificate Information Checklist

Information to gather (list the value for your environment):

• SSL certificate

• Private key

Note For Kerberos authentication, the connector must have a trusted SSL certificate. You can obtain the certificate from your internal certificate authority. Kerberos authentication does not work with self-signed certificates.


3 Installing the VMware Identity Manager Connector on Windows

Installing the VMware Identity Manager Connector includes several tasks.

1 Generate an activation code in the VMware Identity Manager console.

2 Download and run the VMware Identity Manager Connector Installer on a Windows server that meets all the requirements.

3 Run the Connector Setup Wizard to activate the connector and set passwords.

4 Configure proxy settings for the connector, if required.

This chapter includes the following topics:

• Generate an Activation Code for the VMware Identity Manager Connector

• Run the VMware Identity Manager Connector Installer

• Run the VMware Identity Manager Connector Setup Wizard

• Configuring Proxy Settings for the VMware Identity Manager Connector

Generate an Activation Code for the VMware Identity Manager Connector

Before you install the VMware Identity Manager connector, log in to the VMware Identity Manager console and generate an activation code for the connector. This activation code is used to establish communication between the VMware Identity Manager service and the VMware Identity Manager connector instance.

Prerequisites

You have the VMware Identity Manager service URL and System domain admin credentials. In cloud deployments, the System domain admin is the admin whose credentials you receive when you get your VMware Identity Manager tenant. In on-premises deployments, the System domain admin is the admin user that is created when you install VMware Identity Manager.

Procedure

1 Log in to the VMware Identity Manager console as the System domain admin.

2 Click the Identity & Access Management tab.


3 Click Setup.

4 On the Connectors page, click Add Connector.

5 Enter a name for the connector.

6 Click Generate Activation Code.

The activation code displays on the page.

7 Copy the activation code and save it.

Later, after you install the connector, you enter the activation code in the Connector Setup Wizard.

What to do next

Download and install the VMware Identity Manager connector.

Run the VMware Identity Manager Connector Installer

Run the VMware Identity Manager Connector installer on a Windows server that meets all the requirements.

Prerequisites

• Ports 80, 443, and 8443 must be available on the Windows server. If these ports are being used by other services, you will not be able to install the VMware Identity Manager connector.

• The Windows server must be joined to the Active Directory domain, and you must install the VMware Identity Manager connector as a domain user that is also part of the administrator group on the Windows server on which you are installing, in the following cases:

  • If you plan to connect to Active Directory over Integrated Windows Authentication

  • If you plan to use Kerberos authentication

  In these cases, you must also choose to run the IDM Connector service as a domain user. This option appears in the installation wizard.

• For the installer to be able to browse to and validate domains and users during installation, the following requirements must be met.

  • The Windows server must be domain joined.

    Note This is required only if you need to select a domain user to run the IDM Connector service. See the previous bullet for the scenarios to which the requirement applies.

  • The Computer Browser service might need to be enabled and running to browse domains.

  • NetBIOS over TCP/IP must be enabled.

  • A master browser system should be configured on the network.

  • Broadcast traffic should be enabled on the network.

• If you are migrating an embedded connector to a standalone connector, or migrating a Linux connector to a Windows connector, generate a configuration file from the original deployment before running the installer. The file contains configuration information about the original connector.

See Upgrading to VMware Identity Manager 19.03 for information about the migration process.
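An added PowerShell pre-flight script, not from the VMware documentation, that checks the installer prerequisites above before you run the installer: ports 80, 443, and 8443 are free, .NET Framework 4.6.2 or later is present, and, when the service must run as a domain user, the server is domain joined with the Computer Browser service running and NetBIOS over TCP/IP enabled. The .NET Release value 394802 is Microsoft's published minimum for 4.6.2 and is not taken from this page.

```powershell
# Added example, not from the VMware documentation.
function Test-ConnectorInstallPrereqs {
    param(
        [int[]]$RequiredFreePorts = @(80, 443, 8443),
        [switch]$NeedsDomainUser   # set for Integrated Windows Authentication or Kerberos
    )
    $findings = @()

    # 1. Ports 80, 443 and 8443 must not already have a listener on this server.
    foreach ($p in $RequiredFreePorts) {
        $listener = Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue
        if ($listener) {
            $owningPid = $listener[0].OwningProcess
            $owner = (Get-Process -Id $owningPid -ErrorAction SilentlyContinue).ProcessName
            $findings += "Port $p is already in use by process '$owner' (PID $owningPid)"
        }
    }

    # 2. .NET Framework 4.6.2 or later (Release 394802 is the 4.6.2 minimum, per Microsoft).
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    if (-not $ndp -or $ndp.Release -lt 394802) {
        $findings += ".NET Framework 4.6.2 or later is not installed (Release key: $($ndp.Release))"
    }

    # 3. Domain membership and domain-browsing prerequisites apply only when the
    #    IDM Connector service must run as a domain user.
    if ($NeedsDomainUser) {
        $cs = Get-CimInstance Win32_ComputerSystem
        if (-not $cs.PartOfDomain) {
            $findings += 'Server is not joined to an Active Directory domain'
        }

        # Service name 'Browser' is the Computer Browser service.
        $browser = Get-Service -Name Browser -ErrorAction SilentlyContinue
        if (-not $browser -or $browser.Status -ne 'Running') {
            $findings += 'Computer Browser service is not installed or not running (needed to browse domains in the installer)'
        }

        # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
        $nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
        if ($nics | Where-Object { $_.TcpipNetbiosOptions -eq 2 }) {
            $findings += 'NetBIOS over TCP/IP is disabled on at least one IP-enabled adapter'
        }
    }
    return $findings
}

$findings = Test-ConnectorInstallPrereqs -NeedsDomainUser
if ($findings.Count -eq 0) {
    'All installer prerequisites satisfied'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```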

Procedure

1 Download the VMware Identity Manager Connector Installer for Windows.

You can download the installer from the VMware Identity Manager product page on My VMware, or from My Workspace ONE.


2 Double-click the installer file to run the VMware Identity Manager Connector installation wizard.

3 On the Welcome page, click Next.

The installer verifies prerequisites on the server. If .NET Framework is not installed, you are prompted to install it and to restart the server. After restarting, run the installer again to resume the installation process.

If a previous version is installed, the installer auto-detects it and offers the option to upgrade to the latest version.


4 Read and accept the VMware End User License Agreement, then click Next.

5 Select the folder in which to install the VMware Identity Manager Connector.

By default C:\VMware is selected.


6 If the latest major version of the Java Runtime Environment (JRE™) is not already installed on the Windows server, the following pop-up appears.

Click Yes to install JRE. The installation takes a few minutes. Existing JRE versions are not deleted when the required version is installed.

7 In the VMware Identity Manager Configuration page, enter a host name and port for the connector.

Specify the host name as a fully-qualified domain name (FQDN). For example, connector.example.com.

Note The name should match the domain to which the server is joined, if applicable.

The default port is 443. Only 443 is supported for the VMware Identity Manager connector.

8 In the VMware Identity Manager Connector Service Account page, if you want to run the Connector service as a domain user account, select the option and enter the user name and password of the domain user account.

You must run the service as a domain user in the following cases:

• If you plan to connect to Active Directory over Integrated Windows Authentication

• If you plan to use Kerberos authentication

Note If you are unable to locate domains or users when you click Browse, verify that you have met all the prerequisites.

9 Click Next.

10 Make your selections based on whether you are installing a new connector or migrating a connector.

• If you are installing a new connector, deselect the Are you migrating your connector? option, and click Next.

• If you are migrating an embedded connector to a standalone connector or migrating a Linux connector to a Windows connector, follow these steps.

  a Select the Are you migrating a connector? check box.

  b In the Config Package (.enc) text box, enter the path to the configuration file you generated from the original deployment.

  c Enter the password that you set for the configuration file while creating it.


11 Click Next.

12 In the Ready to Install the Program page, click Install.

The installation takes a few minutes.

13 When the Installation Wizard Completed page appears, click Finish.

The following pop-up appears, listing the URL to go to complete the setup wizard for the connector.


The URL points to the connector admin pages at https://connectorhostname:8443.

What to do next

Go to the URL listed and complete the setup wizard for the connector.

Run the VMware Identity Manager Connector Setup Wizard

After you install the VMware Identity Manager Connector, go to the URL listed on the confirmation page of the installation wizard, https://connectorhostname:8443, and complete the connector setup wizard.

In the setup wizard, you enter the connector activation code and set passwords.

Prerequisites

• You have an activation code for the connector that you generated in the VMware Identity Manager console. See Generate an Activation Code for the VMware Identity Manager Connector.

• Do not use Internet Explorer in Enhanced Security Mode to run the setup wizard. Scripting must be enabled on the browser.


Procedure

1 Open a browser window and go to the URL https://connectorhostname:8443.

For example, https://connector.example.com:8443.

The Welcome page appears.

2 Click Continue.

3 In the Set Passwords page, create a password for the connector admin user, which will be used to access the connector admin pages.

Then click Continue.


4 In the Activate Connector page, enter the connector activation code, then click Continue.

A Setup is Complete message appears when the connector is activated successfully.

Results

The VMware Identity Manager connector installation is now complete.

What to do next

- Configure proxy settings for the VMware Identity Manager connector, if required.

- Log in to the VMware Identity Manager console to configure the connector.

Configuring Proxy Settings for the VMware Identity Manager Connector

The VMware Identity Manager connector accesses Web services on the Internet. If your network configuration provides Internet access through an HTTP proxy, you must adjust the proxy settings on the VMware Identity Manager connector.

Note Configure the proxy to handle only Internet traffic. To ensure that the proxy is set up correctly, list the hosts within your domain as non-proxied so that internal traffic bypasses the proxy.

Procedure

1 Use a browser to go to the VMware Identity Manager connector admin pages at https://connectorhostname:8443/cfg/login.

2 Log in with the connector admin user password.

3 Click Proxy Configuration.

4 Select Enable.

5 In the Proxy host with port text box, enter the proxy server host name and port.

For example: proxy.example.com:3128


6 In the Non-proxied hosts field, enter the hosts that the connector can access without going through the proxy server.

Use a comma to separate a list of host names.

7 Click Save.


4 Configuring the VMware Identity Manager Connector

After installing the VMware Identity Manager Connector, log in to the VMware Identity Manager console and complete the configuration. This includes setting up a directory to sync users and groups to the VMware Identity Manager service, configuring the authentication methods you want to use, and enabling outbound mode for the VMware Identity Manager Connector.

This chapter includes the following topics:

- Set up a Directory

- Enable Authentication Adapters on the VMware Identity Manager Connector

- Enable Outbound Mode for the VMware Identity Manager Connector

Set up a Directory

After you install and activate the VMware Identity Manager connector, add a directory in the VMware Identity Manager console and establish the connection with your enterprise directory to sync users and groups to the service.

VMware Identity Manager supports integrating the following types of directories.

- Active Directory over LDAP

- Active Directory over Integrated Windows Authentication

- LDAP directory

See Directory Integration with VMware Identity Manager for more information before you set up the directory. High-level tasks are listed here.

Prerequisites

The prerequisites depend on the type of directory you are integrating. See Directory Integration with VMware Identity Manager for information.


Procedure

1 Log in to the VMware Identity Manager console.

Tip You can also go to the administration console by clicking the Log in to the administration console link in the Setup is Complete page that is displayed after you activate the connector.

2 Select the user attributes to sync to the directory.

a Click the Identity & Access Management tab, then click Setup.

b In the User Attributes tab, select which attributes are required, and add additional attributes if necessary.

If an attribute is marked required, only users with that attribute are synced to the service.

Important Be aware of the following restrictions.

- After the directory is created, you cannot change an attribute from optional to required. You must make that selection now.

- The settings in the User Attributes page apply to all directories in the service. When you make an attribute required, consider the effect on other directories.

3 Click Manage.

4 Click Add Directory and select the type of directory you want to add.

5 Follow the wizard to enter the directory configuration information, select groups and users to sync, and sync users to the VMware Identity Manager service.

See Directory Integration with VMware Identity Manager for information.

What to do next

Click the Users & Groups tab and verify that users are synced.

Enable Authentication Adapters on the VMware Identity Manager Connector

Several authentication adapters are available for the VMware Identity Manager connector in outbound mode, including PasswordIdpAdapter, RSAAIdpAdapter, SecurIDAdapter, and RadiusAuthAdapter. Configure and enable the adapters that you intend to use.

If you have already created a directory, the Password authentication method is automatically enabled for it. The PasswordIdpAdapter was configured with the information you provided for the directory.

Procedure

1 In the VMware Identity Manager console, click the Identity & Access Management tab.


2 Click Setup, then click the Connectors tab.

The connector you deployed is listed.

3 Click the link in the Worker column.

4 Click the Auth Adapters tab.

All available authentication adapters for the connector are listed.

If you have already set up a directory, the PasswordIdpAdapter is already configured and enabled, with the configuration information you specified while creating the directory.

5 Configure and enable the authentication adapters you want to use by clicking on the link for each and entering the configuration information. You must enable at least one authentication adapter.

For information on configuring specific authentication adapters, see the VMware Identity Manager Administration Guide.


Enable Outbound Mode for the VMware Identity Manager Connector

To enable outbound-only connection mode for the VMware Identity Manager connector, associate the connector with the Built-in identity provider.


The Built-in identity provider is available by default in the VMware Identity Manager service and provides additional built-in authentication methods such as VMware Verify. For information about the Built-in identity provider, see the VMware Identity Manager Administration Guide.

Note The connector can be used in both outbound and regular mode simultaneously. Even if you enable outbound mode, you can still configure Kerberos authentication for internal users using authentication methods and policies.

Procedure

1 In the VMware Identity Manager console, select the Identity & Access Management tab, then click Manage.

2 Click the Identity Providers tab.

3 Click the Built-in link.

4 Enter the following information.

Users: Select the directory or domains that will use the Built-in identity provider.

Network: Select the network ranges that will use the Built-in identity provider.

Connector(s): Select the connector that you set up and click Add Connector.

Note Later, when you add additional connectors for high availability, select and add all of them here to associate them with the Built-in identity provider. VMware Identity Manager automatically distributes traffic among all the connectors associated with the Built-in identity provider. A load balancer is not required.

Connector Authentication Methods: The authentication methods that you enabled for the connector are listed. Select the authentication methods that you want to use.

The PasswordIdpAdapter, which was automatically configured and enabled when you created a directory, is displayed on this page as Password (cloud deployment), which denotes that it is used with the connector in outbound mode.


5 Click Save to save the Built-in identity provider configuration.

6 Edit policies to use the authentication methods that you enabled.

a In the Identity & Access Management tab, click Manage.

b Click the Policies tab and click the policy you want to edit.

c Click Edit.

d In the Configuration page of the wizard, edit the rules. Select the authentication methods that you want to use for each rule.

e Save your changes.

For more information about configuring policies, see the VMware Identity Manager Administration Guide.

Results

The outbound mode of the connector is now enabled. When a user logs in using one of the authentication methods that you enabled for the connector in the Built-in identity provider page, an HTTP redirect to the connector is not required.


5 Configuring High Availability for the VMware Identity Manager Connector

You can set up the VMware Identity Manager connector for high availability by adding multiple connector instances in a cluster. If one of the connector instances becomes unavailable for any reason, other instances will still be available.

To create a cluster, you install new connector instances and configure them in exactly the same way as you set up the first connector.

You then associate all the connector instances with the Built-in identity provider. The VMware Identity Manager service automatically distributes traffic among all the connectors associated with the Built-in identity provider. A load balancer is not required. If one of the connectors becomes unavailable because of a network issue, for example, the service does not direct traffic to it. When connectivity is restored, the service resumes sending traffic to the connector.

After you set up the connector cluster and associate all the connectors with the Built-in identity provider, the authentication methods that you enabled on the connector are highly available. If one of the connector instances is unavailable, authentication will still be available.

In VMware Identity Manager on-premises installations, beginning with version 19.03, you can also set up high availability for directory sync. To set up high availability for directory sync, you associate all the connector instances with the directory and then set up a Sync Connectors list for the directory. The connectors in the Sync Connectors list are arranged in failover order. The VMware Identity Manager service uses the first connector in the list for directory sync. If the first connector is unavailable, it uses the second connector, and so on. The Sync Connectors list is set per directory from the directory's Sync Settings page.

In VMware Identity Manager cloud, the directory sync high availability feature is not available. In the event of a connector instance failure, you need to manually select another connector instance as the sync connector.

Note This section does not apply to high availability of Kerberos authentication. See Chapter 6 Adding Kerberos Authentication Support to Your VMware Identity Manager Connector Deployment.

This chapter includes the following topics:

- Install and Configure Additional VMware Identity Manager Connector Instances


- Configure High Availability for Authentication

- Configure High Availability for Directory Sync (On Premises VMware Identity Manager Only)

Install and Configure Additional VMware Identity Manager Connector Instances

After you install and configure the first VMware Identity Manager connector instance, you can add additional connectors for high availability by installing new connector instances and configuring them in exactly the same way as the first connector instance.

Important The new connector instances must be activated against the same VMware Identity Manager service as the first connector instance.

Prerequisites

You have installed and configured the first connector instance.

Procedure

1 Install and configure a new VMware Identity Manager connector instance according to Chapter 3 Installing the VMware Identity Manager Connector on Windows.

2 Associate the new VMware Identity Manager connector with the WorkspaceIDP of the first connector instance.

a In the VMware Identity Manager administration console, select the Identity & Access Management tab, then select the Identity Providers tab.

b In the Identity Providers page, find the WorkspaceIDP of the first connector instance and click the link.

c In the Connector(s) field, select the new connector.

d Enter the Bind DN password and click Add Connector.

e Click Save.

3 Configure and enable authentication adapters on the new connector.

Important Authentication adapters on all the connectors in your cluster must be configured identically. The same authentication methods must be enabled on all the connectors.

a In the Identity & Access Management tab, click Setup, then click the Connectors tab.

b Click the link in the Worker column of the new connector.


c Click the Auth Adapters tab.

All available authentication adapters for the connector are listed.

The PasswordIdpAdapter is already configured and enabled because you associated the new connector with the directory associated with the first connector.

d Configure and enable the other authentication adapters in the same way as the first connector. Ensure that the configuration information is identical.

For information on configuring authentication adapters, see the VMware Identity Manager Administration Guide.

What to do next

Configure High Availability for Authentication

Configure High Availability for Authentication

After you deploy and configure new VMware Identity Manager connector instances, configure high availability for authentication by adding the new instances to the Built-in identity provider and enabling the same authentication methods that are enabled on the first connector instance. VMware Identity Manager automatically distributes traffic among all the connectors associated with the Built-in identity provider.

Prerequisites

You have installed and configured additional connector instances. See Install and Configure Additional VMware Identity Manager Connector Instances.

Procedure

1 In the VMware Identity Manager administration console Identity & Access Management tab, click Manage.

2 Click the Identity Providers tab.

3 Click the Built-in link.

4 In the Connector(s) field, select the new connector from the drop-down list and click Add Connector.

5 In the Connector Authentication Methods section, enable the same authentication methods that you enabled for the first connector.

The Password (cloud deployment) authentication method is automatically configured and enabled. You must enable the other authentication methods.

Important Authentication adapters on all the connectors in your cluster must be configured identically. The same authentication methods must be enabled on all the connectors.

For information on configuring specific authentication adapters, see the VMware Identity Manager Administration Guide.


6 Click Save to save the Built-in identity provider configuration.

Configure High Availability for Directory Sync (On Premises VMware Identity Manager Only)

To configure high availability for directory sync, after installing additional connector instances, you associate them with the directory that is associated with the first connector instance. You then set up a Sync Connectors list for the directory. The connectors in the Sync Connectors list are arranged in failover order. The VMware Identity Manager service uses the first connector in the list to sync users and groups for the directory. If the first connector is unavailable, it uses the next connector in the list, and so on.

Each directory has its own Sync Connectors list.

As a best practice, set up your deployment in a way that the same connector does not sync multiple directories at the same time. You can use the following strategies.

- Use a different set of connectors for different directories.

- If you use the same set of connectors in the same failover order, schedule the sync at different times for each directory.

- If you use the same set of connectors for multiple directories, set a different failover order for each directory so that sync does not fall back to the same connector.
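The failover rule and the scheduling best practice described above, as an added example (Python, not VMware's code): a planning check over a set of Sync Connectors lists that reports which directories have no fallback, whether every connector meets the 19.03.0.0 requirement, and which connector would sync two directories at the same hour once a connector fails. Connector names, directory names, versions and sync hours are constructed.

```python
"""Planning check for Sync Connectors lists (VMware Identity Manager 19.03 on-premises).

Added example, not VMware's own code. It models what this section describes:
every directory has its own Sync Connectors list in failover order, the
service syncs with the first available connector in that list, the tab is
only offered when all connectors are 19.03.0.0 or later, and the best
practice that one connector should not sync several directories at the
same time. Connector names, directory names, versions and sync schedules
below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

MIN_SYNC_HA_VERSION = (19, 3, 0, 0)  # Sync Connectors feature requires 19.03.0.0


@dataclass(frozen=True)
class Directory:
    name: str
    sync_connectors: tuple  # Sync Connectors list, in failover order
    sync_hours: frozenset   # hours of day (0-23) at which sync is scheduled


def parse_version(text):
    """'19.03.0.0' -> (19, 3, 0, 0); shorter strings are right-padded with zeros."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def sync_connectors_tab_available(connector_versions):
    """The Sync Connectors tab appears only if every connector in the service
    is version 19.03.0.0 or later."""
    return all(parse_version(v) >= MIN_SYNC_HA_VERSION
               for v in connector_versions.values())


def pick_sync_connector(directory, unavailable=frozenset()):
    """Failover rule from the section: use the first connector in the list;
    if it is unavailable, try the next one, and so on. None means no
    connector in the list can sync the directory right now."""
    for connector in directory.sync_connectors:
        if connector not in unavailable:
            return connector
    return None


def directories_without_failover(directories):
    """Directories whose list holds fewer than two connectors: an existing
    directory whose list is still empty, or a new directory that only has the
    connector chosen at creation time. Neither has a fallback."""
    return [d.name for d in directories if len(d.sync_connectors) < 2]


def find_sync_collisions(directories, unavailable=frozenset()):
    """Return (connector, hour, directory names) triples where one connector
    would sync more than one directory at the same hour, given the connectors
    that are currently unavailable. Failover can create collisions that do
    not exist while every connector is up."""
    by_slot = defaultdict(list)
    for d in directories:
        connector = pick_sync_connector(d, unavailable)
        if connector is None:
            continue
        for hour in d.sync_hours:
            by_slot[(connector, hour)].append(d.name)
    return sorted((c, h, sorted(names)) for (c, h), names in by_slot.items()
                  if len(names) > 1)


# Constructed scenario: three connectors, rotated failover order per directory
# (the third strategy in the text), all syncing at 02:00, plus one existing
# directory whose Sync Connectors list has not been configured yet.
C1, C2, C3 = "connector1.example.com", "connector2.example.com", "connector3.example.com"
CONNECTOR_VERSIONS = {C1: "19.03.0.0", C2: "19.03.0.0", C3: "19.03.0.0"}
DIRECTORIES = (
    Directory("Directory A", (C1, C2, C3), frozenset({2})),
    Directory("Directory B", (C2, C3, C1), frozenset({2})),
    Directory("Directory C", (C3, C1, C2), frozenset({2})),
    Directory("Directory D", (), frozenset({3})),
)

if __name__ == "__main__":
    print("Sync Connectors tab available:", sync_connectors_tab_available(CONNECTOR_VERSIONS))
    print("no fallback:", directories_without_failover(DIRECTORIES))
    print("collisions, all connectors up:", find_sync_collisions(DIRECTORIES))
    print("collisions, connector1 down:", find_sync_collisions(DIRECTORIES, {C1}))
```

Running the scenario shows that a rotated failover order alone does not prevent a collision once connector1 fails (Directory A falls back to connector2, which is Directory B's first connector), so staggering the schedule as well is what keeps the two directories apart.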

This feature is available beginning with the VMware Identity Manager 19.03 on-premises release. To use this feature, upgrade all connectors to version 19.03.0.0, then follow this procedure to set up the Sync Connectors list. Take into account the following situations.

- For existing directories, the Sync Connectors list is empty. Until you configure the Sync Connectors list, the connector that was originally configured for the directory continues to be used for sync and no fallback is available if the connector fails.

- New directories created in an upgraded or new environment have one connector listed in the Sync Connectors list. This connector is the one you selected as the sync connector while creating the directory.

Important This feature is only available in VMware Identity Manager on-premises installations. It is not available in VMware Identity Manager cloud.

Prerequisites

- You have installed and configured additional connector instances. See Install and Configure Additional VMware Identity Manager Connector Instances.

- All connectors associated with the service must be version 19.03.0.0 or later. If any connectors are an older version, the Sync Connectors tab does not appear in the directory's Sync Settings page.


Procedure

1 Associate the new connector instances with the WorkspaceIDP of the directory with which the first connector instance is associated.

a In the VMware Identity Manager console, click the Identity & Access Management tab, then click Setup.

b On the Connectors page, locate the connector instance that you installed first.

c In that row, click the WorkspaceIDP link in the Identity Provider column for the directory for which you want to configure high availability.

d On the WorkspaceIDP page, scroll to the Connector section, select each new connector instance from the drop-down menu, and click Add Connector.

e Click Save.

2 Click Setup to return to the Connectors page.

3 On the Connectors page, click the directory link in the Associated Directories column to go to the directory page.

4 Click Sync Settings.

5 Click the Sync Connectors tab.


6 Select the connector instances to be used to sync users and groups for this directory.

a From the Select a Connector list, which displays all the connectors added to the service, select a connector and click the + icon.

The connector is added to the Sync Connectors list.

b Add all the connectors that you want to use for sync to the Sync Connectors list.

c In the Sync Connectors list, arrange the connectors in failover order by using the up and down arrow keys.

To perform a directory sync, VMware Identity Manager tries to use the first connector in the list. If the first connector is unavailable, it tries to use the second connector, and so on.


7 Click Save.

Results

The list of sync connectors for the directory is saved and is applied from the next sync onwards.

You can view which connectors were used for sync in the Sync Log tab of the directory page.


6 Adding Kerberos Authentication Support to Your VMware Identity Manager Connector Deployment

You can add Kerberos authentication for internal users, which requires inbound connection mode, to your deployment of outbound connection mode connectors. The same connectors can be configured to use Kerberos authentication for users coming from the internal network and another authentication method for users coming from the external network. This can be achieved by defining authentication policies based on network ranges.

The following diagram depicts Kerberos authentication in an on-premises VMware Identity Manager deployment.

Figure 6-1. Kerberos Authentication

[Diagram: the VMware Identity Manager Server, a Load Balancer, and VMware Identity Manager Connector 1 and Connector 2 in the On Premises environment, spanning the DMZ and the Enterprise Network; every connection between them uses port 443.]

Requirements and considerations for Kerberos authentication include the following:

- Kerberos authentication can be configured regardless of the type of directory you set up in VMware Identity Manager, Active Directory over LDAP or Active Directory over Integrated Windows Authentication.

- The Windows machine on which the VMware Identity Manager connector is installed must be joined to the Active Directory domain.


- You must have installed the VMware Identity Manager connector as a domain user that is part of the administrator group on the Windows machine on which the connector is installed, and you must be running the VMware IDM Connector service as a Windows domain user.

- Ensure that you select an appropriate, user-friendly host name for the connector. The VMware Identity Manager connector host name is visible to end users when Kerberos authentication is configured.

- Each connector on which Kerberos authentication is configured must have a trusted SSL certificate. You can obtain the certificate from your internal certificate authority. Kerberos authentication does not work with self-signed certificates.

Trusted SSL certificates are required regardless of whether you enable Kerberos on a single connector or on multiple connectors for high availability.

- To set up high availability for Kerberos authentication, a load balancer is required.

This chapter includes the following topics:

- Configuring and Enabling the Kerberos Authentication Adapter

- Configuring High Availability for Kerberos Authentication

Configuring and Enabling the Kerberos Authentication Adapter

Configure and enable the KerberosIdpAdapter on the VMware Identity Manager connector. If you have deployed a cluster for high availability, configure and enable the adapter on all the connectors in your cluster.

Important Authentication adapters on all the connectors in your cluster must be configured identically. The same authentication methods must be configured on all the connectors.

When you configure the Kerberos authentication adapter, the VMware Identity Manager connector attempts to initialize Kerberos automatically. If the VMware IDM Connector service is not being run with sufficient privileges to initialize Kerberos, an error message appears. In this case, follow the instructions in http://kb.vmware.com/kb/2149753 to run a script to initialize Kerberos.

For more information about configuring Kerberos authentication, see the VMware Identity Manager Administration Guide.

Prerequisites

- The Windows machine on which the VMware Identity Manager connector is installed must be joined to the domain.

- You must have installed the VMware Identity Manager connector as a domain user that is part of the administrator group on the Windows machine on which the connector is installed, and you must be running the VMware IDM Connector service as a Windows domain user.


Procedure

1 In the VMware Identity Manager administration console, click the Identity & Access Management tab.

2 Click Setup, then click the Connectors tab.

All the connectors that you have deployed are listed.

3 Click the link in the Worker column of one of the connectors.

4 Click the Auth Adapters tab.

5 Click the KerberosIdpAdapter link, and configure and enable the adapter.

Name: The default name of the adapter is KerberosIdpAdapter. You can change this name.

Directory UID Attribute: The account attribute that contains the username.

Enable Windows Authentication: Select this option.

Enable Redirect: If you have multiple connectors in a cluster and plan to set up Kerberos high availability by using a load balancer, select this option and specify a value for Redirect Host Name.

If your deployment has only one connector, you do not need to use the Enable Redirect and Redirect Host Name options.

Redirect Host Name: A value is required if the Enable Redirect option is selected. Enter the connector's own host name. For example, if the connector's host name is connector1.example.com, enter connector1.example.com in the text box.

For more information on configuring the KerberosIdpAdapter, see the VMware Identity Manager Administration Guide.

6 Click Save.

Note If you get an error stating that Kerberos initialization failed, see Kerberos Initialization Error. After you run the script, return to this page and configure the adapter.


7 If you have deployed a cluster, configure the KerberosIdpAdapter on all the connectors in your cluster.

Ensure that you configure the adapter identically on all the connectors, except for the Redirect Host Name value, which should be specific to each connector.

What to do next

- Ensure that each connector on which the KerberosIdpAdapter is enabled has a trusted SSL certificate. You can obtain the certificate from your internal certificate authority. Kerberos authentication does not work with self-signed certificates.

Trusted SSL certificates are required regardless of whether you enable Kerberos on a single connector or on multiple connectors for high availability.

- Set up high availability for Kerberos authentication, if necessary. Kerberos authentication is not highly available without a load balancer.

Configuring High Availability for Kerberos Authentication

To configure high availability for Kerberos authentication, install a load balancer in your internal network inside the firewall and add the VMware Identity Manager connector instances to it.

You must also configure certain settings on the load balancer, establish SSL trust between the load balancer and the connector instances, and change the connector authentication URL to use the load balancer host name.

Configure Load Balancer Settings

You must configure certain settings on the load balancer, such as setting the load balancer timeout correctly and enabling sticky sessions.

Configure these settings.

- Load Balancer Timeout

For the VMware Identity Manager connector to function correctly, you might need to increase the load balancer request timeout from the default. The value is set in minutes. If the timeout setting is too low, you might see the following error.

502 error: The service is currently unavailable

- Enable Sticky Sessions

You must enable the sticky session setting on the load balancer if your deployment has multiple connector instances. The load balancer will then bind a user's session to a specific connector instance.


Apply VMware Identity Manager Connector Root Certificate to the Load Balancer

When the VMware Identity Manager connector is configured behind a load balancer, you must establish SSL trust between the load balancer and the connector. The connector root certificate must be copied to the load balancer as a trusted root certificate.

The VMware Identity Manager connector certificate can be downloaded from the connector admin pages at https://connectorFQDN:8443/cfg/ssl.

When the connector domain name points to the load balancer, the SSL certificate can only be applied to the load balancer.

Procedure

1 Log in to the connector admin pages, https://connectorFQDN:8443/cfg/login, as the admin user.

2 Select Install SSL Certificates.

3 In the Server Certificate tab, click the link in the Appliance Self Signed Root CA Certificates field.

4 Copy everything between and including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste the root certificate into the correct location on each of your load balancers. Refer to the load balancer documentation.

What to do next

Copy and paste the load balancer root certificate to the VMware Identity Manager connector.

Apply Load Balancer Root Certificate to the VMware Identity Manager Connector

When the VMware Identity Manager connector is configured behind a load balancer, you must establish trust between the load balancer and the connector. In addition to copying the connector root certificate to the load balancer, you must copy the load balancer root certificate to the connector.

Procedure

1 Obtain the load balancer root certificate.

2 Go to the VMware Identity Manager connector admin pages at https://connectorFQDN:8443/cfg/login and log in as the admin user.

3 Select the Install SSL Certificates > Trusted CAs tab.

4 Paste the text of the load balancer certificate into the Root or Intermediate Certificate text box.

5 Click Add.

Change Connector IdP Host Name to the Load Balancer Host Name

After you add the VMware Identity Manager connector instances to the load balancer, you must change the IdP host name on the Workspace IdP of each connector to the load balancer host name.

Prerequisites

The connector instances are configured behind a load balancer. Make sure that the load balancer port is 443. Do not use 8443 as this port number is the administrative port.

Procedure

1 Log in to the VMware Identity Manager administration console.

2 Click the Identity & Access Management tab.

3 Click the Identity Providers tab.

4 In the Identity Providers page, click the Workspace IdP link for the connector instance.

5 In the IdP Hostname text box, change the host name from the connector host name to the load balancer host name.

For example, if your connector host name is myconnector and your load balancer hostname is mylb, change the URL

myconnector.mycompany.com:port

to the following:

mylb.mycompany.com:port

Chapter 7 Additional VMware Identity Manager Connector Settings

After the initial VMware Identity Manager connector configuration is complete, you can go to the connector admin pages at any time for tasks such as installing certificates, managing passwords, and downloading log files.

The VMware Identity Manager connector admin pages are available at https://connectorFQDN:8443/cfg/login, for example, https://myconnector.example.com:8443/cfg/login. Log in as the connector admin user with the password you created when you installed the connector.

Table 7-1. Connector Settings

Option | Description
Install SSL Certificates | On the tabs on this page, you can install an SSL certificate for the connector, download the self-signed root certificate, and install trusted root certificates.
Configure Syslog | On this page, you can enable an external syslog server if you want connector logs to be sent to the external server.
Change Password | On this page, you can change the connector admin password.
Proxy Configuration | On this page, you can configure proxy settings for the connector.
Log File Locations | On this page, you can create and download a bundle of connector log files.

This chapter includes the following topics:

n Using SSL Certificates for the VMware Identity Manager Connector

n Configuring a Syslog Server for the VMware Identity Manager Connector

n Managing Your VMware Identity Manager Connector Passwords

n Configuring Proxy Settings for the VMware Identity Manager Connector

n Viewing and Downloading VMware Identity Manager Connector Log Files

n Configuring Time Synchronization for the VMware Identity Manager Connector (Windows)

Using SSL Certificates for the VMware Identity Manager Connector

When the VMware Identity Manager connector is installed, a default self-signed SSL server certificate is automatically generated. You can continue to use this self-signed certificate in most scenarios.

With the connector deployed in outbound mode, end users do not access the connector directly, so installing a public Certificate Authority (CA)-signed SSL certificate is not required. For administrator access to the connector, you can either continue to use the default self-signed certificate or use a certificate generated by your internal CA.

However, if you enable the KerberosIdpAdapter on the connector to set up Kerberos authentication for internal users, end users will establish SSL connections to the connector so the connector must have a signed SSL certificate. Use your internal CA to generate the SSL certificate.

If you set up high availability for Kerberos authentication, a load balancer is required in front of the connector instances. In this case, the load balancer as well as all the connector instances must have signed SSL certificates. Use your internal CA to generate the SSL certificates. For the load balancer certificate, use the Workspace IdP Hostname, which is set in the Workspace IdP configuration page, as the Subject DN Common Name. For each connector instance certificate, use the connector host name as the Subject DN Common Name. Alternatively, you can create a single certificate, using the Workspace IdP host name as the Subject DN Common Name, and all the connector host names as well as the Workspace IdP host name as Subject Alternative Names (SANs).

Installing a Signed SSL Certificate for the Connector

You can install a signed SSL certificate for the VMware Identity Manager connector from the connector admin pages at https://connectorFQDN:8443/cfg/login.

Requirements for the signed certificate include the following:

n The certificate must be in the PEM or PFX format.

n The certificate key length must be from 1024-3072 bits. A 4096-bit key length is not supported.

See Using SSL Certificates for the VMware Identity Manager Connector for the scenarios in which a signed SSL certificate is required.

Prerequisites

Generate a Certificate Signing Request (CSR) and obtain a signed SSL certificate.

Procedure

1 Log in to the connector admin pages at https://connectorFQDN:8443/cfg/login as the admin user.

2 Click Install SSL Certificates.

3 In the Server Certificate tab, for the SSL Certificate field select Custom Certificate.

4 In the SSL Certificate Chain text box, paste the server, intermediate, and root certificates, in that order.

You must include the entire certificate chain in the correct order. For each certificate, copy everything between and including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

5 In the Private Key text box, paste the private key. Copy everything between and including the lines -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.

6 Click Add.

Example: Certificate Examples

Certificate Chain Example

-----BEGIN CERTIFICATE-----
jlQvt9WdR9Vpg3WQT5+C3HU17bUOwvhp/r0+
...
W53+O05j5xsxzDJfWr1lqBlFF/OkIYCPcyK1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
WdR9Vpg3WQT5+C3HU17bUOwvhp/rjlQvt90+
...
O05j5xsxzDJfWr1lqBlFF/OkIYCPW53+cyK1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
dR9Vpg3WQTjlQvt9W5+C3HU17bUOwvhp/r0+
...
5j5xsxzDJfWr1lqW53+O0BlFF/OkIYCPcyK1
-----END CERTIFICATE-----

Private Key Example

-----BEGIN RSA PRIVATE KEY-----
jlQvtg3WQT5+C3HU17bU9WdR9VpOwvhp/r0+
...
...
...
1lqBlFFW53+O05j5xsxzDJfWr/OkIYCPcyK1
-----END RSA PRIVATE KEY-----
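As an added example (not part of the VMware documentation), the following PowerShell function checks a PEM chain file against the requirements above before it is pasted into the SSL Certificate Chain text box: server, intermediate and root in that order, an RSA key of 1024-3072 bits, certificates inside their validity period, and a CN or DNS SAN that matches the connector host name, or the Workspace IdP host name when a load balancer fronts the connectors for Kerberos. The chain path and host names are placeholders; the function relies only on the .NET X509Certificate2 class and does not contact the connector.

```powershell
# Added example, not part of the VMware documentation: pre-flight check of a PEM
# chain file before it is pasted into the SSL Certificate Chain text box.
# Assumptions (placeholders): the chain lives in C:\certs\chain.pem and holds the
# server, intermediate and root certificates in that order; the host name passed
# in is the connector FQDN, or the Workspace IdP host name for a load-balanced setup.

function Test-ConnectorCertificateChain {
    param(
        [Parameter(Mandatory)] [string] $ChainPath,
        [string] $ExpectedHostName
    )

    $pem = Get-Content -Path $ChainPath -Raw
    # Each certificate sits between BEGIN/END CERTIFICATE lines with five dashes on each side.
    $blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    if ($blocks.Count -eq 0) { throw "No PEM certificate blocks found in $ChainPath" }

    $certs = @(foreach ($m in $blocks) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    })

    $problems = @()

    # Key length: the admin page accepts 1024-3072 bits; a 4096-bit key is rejected.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($certs[0])
    if ($null -eq $rsa) {
        $problems += 'Server certificate does not carry an RSA public key'
    } elseif ($rsa.KeySize -lt 1024 -or $rsa.KeySize -gt 3072) {
        $problems += "Server key is $($rsa.KeySize) bits; the connector accepts 1024-3072 bits"
    }

    # Order: server first, then each certificate is followed by the one that issued it.
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        if ($certs[$i].Issuer -ne $certs[$i + 1].Subject) {
            $problems += "Certificate $($i + 1) ('$($certs[$i].Subject)') is not followed by its issuer"
        }
    }
    $last = $certs[-1]
    if ($last.Subject -ne $last.Issuer) {
        $problems += "Last certificate ('$($last.Subject)') is not a self-signed root"
    }

    # Validity: an expired intermediate breaks the chain just as surely as a wrong order.
    $now = Get-Date
    foreach ($c in $certs) {
        if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
            $problems += "Certificate '$($c.Subject)' is outside its validity period"
        }
    }

    # Host name: the CN or a DNS SAN of the server certificate must match the name clients connect to.
    if ($ExpectedHostName) {
        $names = @($certs[0].GetNameInfo('DnsName', $false))
        $san = $certs[0].Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # On Windows, Format() renders the SAN as "DNS Name=a.example.com, DNS Name=b.example.com".
            $names += @(($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() })
        }
        if ($names -notcontains $ExpectedHostName) {
            $problems += "Neither CN nor SAN matches $ExpectedHostName (found: $($names -join ', '))"
        }
    }

    [pscustomobject]@{
        Certificates = $certs.Count
        Subjects     = @($certs | ForEach-Object { $_.Subject })
        Problems     = $problems
        Ready        = ($problems.Count -eq 0)
    }
}

# Usage with the placeholder path and host name:
# Test-ConnectorCertificateChain -ChainPath 'C:\certs\chain.pem' -ExpectedHostName 'myconnector.mycompany.com'
```

When Ready is $false, the Problems list names the exact certificate or property to fix before the paste; a chain that passes here can still be rejected if the private key does not belong to the first certificate, which this check does not cover.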

Downloading the Connector Self-Signed Root CA Certificate

If you deploy the connector with the self-signed SSL certificate that is generated by default when the connector is installed, install the connector's self-signed root CA certificate on any clients that access the connector. You can download the root CA certificate from the VMware Identity Manager administration console.

Procedure

1 Log in to the VMware Identity Manager connector admin pages at https://connectorFQDN:8443/cfg/login as the admin user.

2 Click Install SSL Certificates.

3 In the Server Certificate tab, click the link in the Appliance Self-Signed Root CA Certificates field.

The certificates are displayed.

4 Copy the entire text, including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Installing Trusted Root Certificates on the Connector

Install the root or intermediate certificates that should be trusted by the VMware Identity Manager connector. The connector will be able to establish secure connections to servers whose certificate chain includes any of these certificates.

Scenarios in which you need to install trusted root certificates on the connector include the following:

n If you have set up a load balancer for high availability of Kerberos authentication, install the load balancer's root CA certificate on the connector instances to establish trust between the connectors and the load balancer.

Procedure

1 Log in to the connector admin pages at https://connectorFQDN:8443/cfg/login as the admin user.

2 Click Install SSL Certificates, then select the Trusted CAs tab.

3 Paste the root or intermediate certificate into the text box.

Include everything between and including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

4 Click Add.

Configuring a Syslog Server for the VMware Identity Manager Connector

Application-level events from the service can be exported to an external syslog server. Operating system events are not exported.

Since most companies do not have unlimited disk space, the virtual appliance does not save the complete logging history. If you want to save more history or create a centralized location for your logging history, you can set up an external syslog server.

Prerequisites

n Set up an external syslog server. You can use any of the standard syslog servers available. Several syslog servers include advanced search capabilities.

n Ensure that the connector can reach the syslog server on port 514 (UDP).

Procedure

1 Log in to the connector admin pages at https://connectorFQDN:8443/cfg/login as the admin user.

2 Select Configure Syslog in the left pane.

3 Click Enable.

4 Enter the IP address or the FQDN of the syslog server where you want to store the logs.

5 Click Save.

Results

A copy of your logs is sent to the syslog server.

Managing Your VMware Identity Manager Connector Passwords

When you installed the VMware Identity Manager connector, you created a password for the admin user. You can change this password from the connector admin pages.

Important Make sure that you create strong passwords. Strong passwords should be at least eight characters long and include uppercase and lowercase characters and at least one digit or special character.

Procedure

1 Log in to the connector admin pages at https://connectorFQDN:8443/cfg/login as the admin user.

2 Click Change Password.

3 Enter the old and new passwords.

Important The admin user password must be at least 6 characters in length.

4 Click Save.

Configuring Proxy Settings for the VMware Identity Manager Connector

The VMware Identity Manager connector accesses Web services on the Internet. If your network configuration provides Internet access through an HTTP proxy, you must adjust the proxy settings on the VMware Identity Manager connector.

Note Enable your proxy to handle only Internet traffic. To ensure that the proxy is set up correctly, set the parameter for internal traffic to no-proxy within the domain.

Procedure

1 Use a browser to go to the VMware Identity Manager connector admin pages at https://connectorhostname:8443/cfg/login.

2 Log in with the connector admin user password.

3 Click Proxy Configuration.

4 Select Enable.

5 In the Proxy host with port text box, enter the proxy server host name and port.

For example: proxy.example.com:3128

6 In the Non-proxied hosts field, enter the hosts that the connector can access without going through the proxy server.

Use a comma to separate a list of host names.

7 Click Save.

Viewing and Downloading VMware Identity Manager Connector Log Files

The VMware Identity Manager connector log files can help you debug and troubleshoot problems. The log files can be found in the InstallDirectory\VMware Identity Manager\Connector\opt\vmware\horizon\workspace\logs directory.

The following log files are the most relevant.

Table 7-2. Log Files

Component | Log File Location on Windows | Description
Configurator Logs | InstallDirectory\VMware Identity Manager\Connector\opt\vmware\horizon\workspace\logs\configurator.log | Requests that the configurator receives from the REST client and the Web interface.
Connector Logs | InstallDirectory\VMware Identity Manager\Connector\opt\vmware\horizon\workspace\logs\connector.log | A record of each request received from the Web interface. Each log entry also includes the request URL, timestamp, and exceptions. No sync actions are recorded.
Connector Logs | InstallDirectory\VMware Identity Manager\Connector\opt\vmware\horizon\workspace\logs\connector-dir-sync.log | Messages related to directory sync.
Apache Tomcat Logs | InstallDirectory\VMware Identity Manager\Connector\opt\vmware\horizon\workspace\logs\catalina.log | Apache Tomcat records of messages that are not recorded in other log files.

You can also download a log file bundle from the VMware Identity Manager connector admin pages at https://connectorhostname:8443/cfg/login. Log in as the admin user and click Log File Locations.

Download a Log Bundle

You can download a log file bundle for the VMware Identity Manager connector from the connector admin pages. The log files can help you debug and troubleshoot problems.

To collect logs from each connector instance in your environment, log in to the admin pages for each instance.

Procedure

1 Log in to the VMware Identity Manager connector admin pages at https://connectorFQDN:8443/cfg/login as the admin user.

2 Click Log File Locations and click Prepare log bundle.

The information is collected into a zip file for you to download.

3 Download the log bundle.

Setting the VMware Identity Manager Connector Log Level to DEBUG

You can set the log level to DEBUG to log additional information that can help debug problems.

Procedure

1 On the Windows server on which the connector is installed, go to the INSTALL_DIR\VMware Identity Manager\Connector\usr\local\horizon\conf\ directory.

2 Update the log level in the cfg-log4j.properties and hc-log4j.properties files, which are the most commonly used log4j files for the connector.

a Edit the file.

b In the lines that have the log level set to INFO, replace INFO with DEBUG.

For example, change:

rootLogger.level=INFO

to:

rootLogger.level=DEBUG

c Save the file.

A restart of the service or system is not required.

Configuring Time Synchronization for the VMware Identity Manager Connector (Windows)

Configuring time synchronization on all instances of the VMware Identity Manager service and connector is required for a VMware Identity Manager deployment to function correctly. To configure time synchronization for the VMware Identity Manager connector (Windows), you use the Appliance Settings > Manage Configuration > Time Synchronization tab in the VMware Identity Manager console.

You can synchronize the VMware Identity Manager connector clock either with the ESXi host or with a Network Time Protocol (NTP) server. By default, the VMware Identity Manager connector is set to synchronize with the host. If your connector Windows machine is not running on an ESXi host, the Host Time synchronization option is not applicable and you must either select the NTP option or configure time synchronization on the Windows machine directly.

Follow these guidelines:

n As a best practice, synchronize time with an NTP server if the VMware Identity Manager connector instance can access an NTP server. Otherwise, synchronize time with the ESXi host and configure the ESXi host to synchronize time with an NTP server.

Note If your connector Windows machine is not running on an ESXi host, either select the NTP option or configure time synchronization on the Windows machine directly.

n If your deployment includes VMware Identity Manager service or connector instances on different hosts, the best practice is to synchronize time with an NTP server directly instead of synchronizing with the host to ensure that there is no time drift between the instances.

Prerequisites

If your connector Windows machine is running on an ESXi host and you want to use the Host Time synchronization option, install VMware Tools on the Windows machine.

Procedure

1 Log in to the connector admin pages at https://connectorFQDN:8443/cfg/login as the admin user.

2 Click Time Synchronization in the left pane.

3 Select a time synchronization option.

Option | Description
NTP | Synchronizes the VMware Identity Manager connector system clock with an NTP server. The default NTP server is time.nist.gov. To use another NTP server, enter its fully qualified domain name (FQDN) in the NTP Server text box, for example, ntpserver.example.com.
Host Time | Synchronizes the VMware Identity Manager connector system clock with the ESXi host, if applicable. This is the default setting.

4 Click Save.

Chapter 8 Upgrading the VMware Identity Manager Connector (Windows)

To upgrade the VMware Identity Manager connector (Windows), you download the installer for the new version from My VMware or My Workspace ONE and run the installer. You do not need to uninstall the old version.

After upgrade, you do not need to generate a new activation code for the VMware Identity Manager connector or activate it again. Your existing configuration applies to the upgraded connector.

Procedure

1 Download the VMware Identity Manager Connector Installer for Windows from My VMware or My Workspace ONE.

To obtain the installer from My VMware:

a Log in to My VMware.

b Download the VMware Identity Manager Connector Installer for Windows from the VMware Identity Manager download page.

2 Save the installer file on the same Windows server on which the earlier version of the connector is installed.

3 Run the installer and follow the prompts to complete the upgrade.

Note During upgrade, if the installer detects a lower version of JRE on the Windows server than the one packaged with the installer, you are prompted to install the new JRE version.

4 If JRE is upgraded during the connector upgrade, reboot the Windows server after the upgrade is complete.

Rebooting the server sets the JAVA_HOME variable to the latest JRE that is installed with the upgrade, enabling the connector to use the latest JRE.

Chapter 9 Upgrading Java on the VMware Identity Manager Connector Server

The VMware Identity Manager connector requires the Java Runtime Environment (JRE).

The JRE version required for the connector is packaged with the VMware Identity Manager connector installer. When you upgrade the connector, you are prompted to upgrade the JRE version too. For information on upgrading JRE while running the installer, see Chapter 8 Upgrading the VMware Identity Manager Connector (Windows).

If you want to upgrade JRE on the connector server at any other time, follow these steps to ensure that the VMware Identity Manager connector continues to work correctly after the JRE upgrade.

Note This procedure is applicable to VMware Identity Manager connector version 3.2.0.1 and later.

Note If JRE gets upgraded automatically, follow steps 3-4 after the upgrade.

Procedure

1 Stop the VMware IDM Connector service.

2 Install the new JRE version.

3 Update the JAVA_HOME environment variable to point to the new JRE.

4 Restart the VMware IDM Connector service.

Chapter 10 Deleting a VMware Identity Manager Connector Instance

You can delete a VMware Identity Manager connector instance from the VMware Identity Manager service when you no longer need it. Before you delete the connector instance, disassociate it from any directories, virtual apps collections, and identity providers with which it is associated.

Procedure

1 In the VMware Identity Manager console, click the Identity & Access Management tab, then click Setup.

2 If the connector instance that you want to delete is the only connector in your environment, add a new connector instance first.

3 Verify that directory sync or virtual apps sync is not in progress.

a To view the sync status of directories, navigate to the Identity & Access Management > Directories page.

b To view the sync status of virtual apps collections, navigate to the Catalog > Virtual Apps Collections page.

4 Make sure that the connector is not being used as a sync connector for any directory.

n (SaaS) Follow these steps:

n Navigate to the Identity & Access Management > Setup > Connectors page.

n Click each directory associated with the connector, check the connector that is selected in the Sync Connector list, and change it to another connector if necessary.

n (On premises) Follow these steps:

n Navigate to the Identity & Access Management > Setup > Connectors page.

n Click each directory associated with the connector, navigate to Sync Settings > Sync Connectors, and remove the connector from the list of failover connectors.

5 Check all your virtual apps collections and make sure that the connector is not used as the sync connector and does not appear in the failover list of connectors.

a Click the Catalog > Virtual Apps Collections tab.

b Click each virtual apps collection, check the list of connectors associated with the virtual apps collection, and remove the connector you want to delete.

6 Remove the connector from any Workspace IDPs and Built-in IDPs with which it is associated.

a Navigate to the Identity & Access Management > Setup > Identity Providers page.

On this page, you can see the identity providers with which the connector is associated.

b Click each identity provider with which the connector is associated and delete the connector from the Connector(s) section, if possible.

Note For Workspace IDPs, the delete icon appears only if other connectors are available.

7 Delete the connector.

a Navigate to the Identity & Access Management > Setup > Connectors page.

b Click the Delete icon next to the connector instance you want to delete and click Confirm.

If you get an error stating that the connector cannot be deleted, you can use the Force Delete command that appears on the error page to delete the connector. The Force Delete command deletes the connector regardless of whether it is associated with any directories or identity providers. Ensure that you follow the instructions on the error page. The Force Delete command is only available in on-premises installations.

The connector instance is deleted from the VMware Identity Manager service.

8 Uninstall the VMware Identity Manager connector instance from the Windows server on which it is installed.

You can uninstall the connector instance in one of the following ways.

n Run the VMware Identity Manager connector installer and select the Uninstall option.

n Uninstall the connector from the Control Panel.

a From the Start menu, select Control Panel.

b Under Programs, click Uninstall a program.

c Select VMware Identity Manager Connector from the list and click Uninstall.

Chapter 11 Directory Migration from ACC to the VMware Identity Manager Connector

Workspace ONE customers who have deployed Active Directory synchronization with VMware Identity Manager using AirWatch Cloud Connector (ACC) must follow a migration procedure if they want to take advantage of the additional functionality included with the VMware Identity Manager connector. This one-time procedure converts the ACC directory of type Other to a directory of type Active Directory over LDAP or Active Directory over Integrated Windows Authentication, which are associated with the VMware Identity Manager connector. This procedure does not remove the existing directory or any entitlements associated with it.

Converting the Other directory includes the following tasks.

1 Convert the Other Directory to Active Directory over LDAP or Active Directory over Integrated Windows Authentication.

2 Configure additional VMware Identity Manager connector authentication methods for the directory, if necessary. The Password authentication method is available by default.

3 Edit the default policy and any custom policies to use Password or another VMware Identity Manager connector authentication method instead of Password (AirWatch Connector).

4 Stop user and group sync from AirWatch to the VMware Identity Manager directory.

This chapter includes the following topics:

n Convert Other Directory to Active Directory over LDAP or Active Directory over Integrated Windows Authentication

n Stop Directory Sync from Workspace ONE UEM to VMware Identity Manager

Convert Other Directory to Active Directory over LDAP or Active Directory over Integrated Windows Authentication

You can convert a directory of type Other, which stores users and groups synced from Workspace ONE UEM, to a directory of type Active Directory over LDAP or Active Directory over Integrated Windows Authentication, which are associated with the VMware Identity Manager connector. After you convert the directory, the VMware Identity Manager connector is used instead of ACC to sync users and groups from your enterprise directory to the VMware Identity Manager service.

Prerequisites

n Install and activate the VMware Identity Manager connector.

To use some features, you must join the Windows server to the domain, you must install the VMware Identity Manager connector as a domain user that is part of the administrator group on the Windows server, and you must choose to run the IDM Connector service as a Windows domain user.

This requirement applies to the following cases.

n If you plan to convert the Other directory to Active Directory over Integrated Windows Authentication

n If you plan to use Kerberos authentication

n The following Active Directory information is required:

n If you are converting to Active Directory over LDAP, the Base DN, and Bind user DN and password are required.

The Bind user must have the following permissions in Active Directory to grant access to users and groups objects:

n Read

n Read All Properties

n Read Permissions

Using a Bind user account with a non-expiring password is recommended.

n If you are converting to Active Directory over Integrated Windows Authentication, the user name and password of the Bind user who has permission to query users and groups for the required domains is required.

The Bind user must have the following permissions in Active Directory to grant access to users and groups objects:

n Read

n Read All Properties

n Read Permissions

Using a Bind user account with a non-expiring password is recommended.

n If your Active Directory requires access over SSL/TLS, the Intermediate (if used) and Root CA certificates of the domain controllers for all relevant Active Directory domains are required. If the domain controllers have certificates from multiple Intermediate and Root Certificate Authorities, all the Intermediate and Root CA certificates are required.


n For Active Directory over Integrated Windows Authentication, when you have multi-forest Active Directory configured and the Domain Local group contains members from domains in different forests, make sure that the Bind user is added to the Administrators group of the domain in which the Domain Local group resides. If this is not done, these members are missing from the Domain Local group.

n For Active Directory over Integrated Windows Authentication:

n For all domain controllers listed in SRV records and for hidden RODCs, forward (host name) and reverse (IP address) nslookup must succeed.

n All the domain controllers must be reachable in terms of network connectivity.
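The Bind user and domain-controller prerequisites above can be checked from the connector host before you start the wizard. The following PowerShell script is an added example, not part of this guide; it assumes the RSAT ActiveDirectory module is installed, and the domain, Bind user and Base DN values are constructed placeholders to replace with your own.

```powershell
# Added example (not from the VMware guide): pre-flight checks for the Bind user and the
# domain controllers before converting the directory. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Domain   = 'corp.example.com'                   # constructed placeholder
$BindUser = 'svc-vidm-bind'                      # constructed placeholder (sAMAccountName)
$BaseDN   = 'OU=Corp,DC=corp,DC=example,DC=com'  # constructed placeholder Base DN

# --- Bind user: a non-expiring password is recommended; rights on the Base DN should be read-only ---
$acct = Get-ADUser -Identity $BindUser -Properties PasswordNeverExpires -ErrorAction Stop
if (-not $acct.PasswordNeverExpires) {
    Write-Warning "$BindUser password can expire; directory sync stops when it does."
}
# Identities the ACL is evaluated against: the user, its direct groups, Authenticated Users, Everyone.
$ids = @($acct.SID.Value, 'S-1-5-11', 'S-1-1-0') +
       @(Get-ADPrincipalGroupMembership -Identity $BindUser | ForEach-Object { $_.SID.Value })
# Read = GenericRead (ReadProperty + ReadControl + ListChildren); anything beyond that is not needed for sync.
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, Delete, GenericWrite, GenericAll, WriteDacl, WriteOwner'
foreach ($ace in (Get-Acl -Path "AD:\$BaseDN").Access) {
    try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }                                   # orphaned SID that no longer resolves
    if ($ids -notcontains $aceSid) { continue }
    Write-Output ('{0,-5} {1,-35} {2}' -f $ace.AccessControlType, $ace.IdentityReference, $ace.ActiveDirectoryRights)
    if ($ace.AccessControlType -eq 'Allow' -and (([int]$ace.ActiveDirectoryRights) -band $writeMask) -ne 0) {
        Write-Warning "Bind user has write access via '$($ace.IdentityReference)'; reduce it to read-only."
    }
}

# --- Domain controllers: every DC in the SRV records must resolve forward and reverse and be reachable ---
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
       Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
# RODCs deliberately kept out of the SRV records must be appended to $dcs by hand.
foreach ($dc in $dcs) {
    try {
        $ip  = (Resolve-DnsName -Name $dc -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
        $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop | Select-Object -First 1).NameHost
        if ($ptr.TrimEnd('.') -ne $dc.TrimEnd('.')) { Write-Warning "$dc : reverse lookup of $ip returns $ptr" }
    } catch { Write-Warning "$dc : forward or reverse DNS lookup failed ($_)"; continue }
    foreach ($port in 88, 389, 636) {                    # Kerberos, LDAP, LDAPS
        if (-not (Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet)) {
            Write-Warning "$dc : TCP port $port is not reachable"
        }
    }
}
```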

Procedure

1 In the VMware Identity Manager administration console, click the Identity & Access Management tab, then click the Directories tab.

2 Click the directory that you want to convert.

3 In the directory page, click the Convert button.

4 In the Add Directory page, change the name of the directory if required and select the type of directory to which you want to convert the Other directory: Active Directory over LDAP or Active Directory over Integrated Windows Authentication.

5 Enter the Active Directory connection information and continue with the wizard to set up the directory.

See "Configuring Active Directory Connection to the Service" in the Directory Integration with VMware Identity Manager guide for information.

Follow these guidelines.

n In the Sync Connector field, select the VMware Identity Manager connector that you installed.

n In the Directory Sync and Authentication section, select Yes for Authentication, unless you intend to use a third-party identity provider instead of the connector for authentication.

n Ensure that you set up the converted directory identically to the Workspace ONE UEM directory so that it has the same directory structure. Select the same domains. When you specify users and groups to sync, make the same selections as the Workspace ONE UEM directory so that the same users and groups are synced to the converted directory.

6 On the last page of the wizard, click Sync Directory.

The directory is converted and set up to use the VMware Identity Manager connector. A Workspace Identity Provider is created, if one did not already exist, and the directory is associated with it automatically. The Password authentication method is already enabled for the directory.


7 (Optional) To enable other authentication methods for the directory, follow these steps.

a In the Identity & Access Management tab, click Setup.

b On the Connectors page, locate the connector and the worker with which the converted directory is associated, and click the link in the Worker column.

c In the worker page, click the Auth Adapters tab.

d Configure and enable the authentication adapters you want to use for the directory by clicking the link for each and entering the configuration information.

See VMware Identity Manager Administration for information about configuring authentication adapters.

8 Edit the default_access_policy_set and any custom policies to select VMware Identity Manager connector authentication methods instead of Password (AirWatch Connector).

a In the Identity & Access Management tab, click the Policies tab.

b Click Edit Default Policy.

c Click Configuration.

d Edit each policy rule and replace the Password (AirWatch Connector) authentication method with Password, which is a VMware Identity Manager connector authentication method.

e Click the Policies tab again and edit custom policies, if any, to use Password or any other VMware Identity Manager connector authentication method that you have configured.

Important If you do not change Password (AirWatch Connector) to Password or another VMware Identity Manager connector-based authentication method, users of the converted directory will not be able to log in.

What to do next

Stop directory sync from Workspace ONE UEM to the converted directory.

Stop Directory Sync from Workspace ONE UEM to VMware Identity Manager

After you convert the Other directory to Active Directory over LDAP or Active Directory over Integrated Windows Authentication and associate it with a VMware Identity Manager connector, the VMware Identity Manager connector is used to sync users and groups from your enterprise directory to the converted directory. You must stop user and group sync from Workspace ONE UEM to the VMware Identity Manager directory.

Procedure

1 In the Workspace ONE UEM console, navigate to your Organization Group.


2 Navigate to the Groups & Settings > All Settings > System > Enterprise Integration > VMware Identity Manager page.

3 Click the Delete button at the bottom of the page.

Results

The directory conversion is complete. Users and groups are now synced from your enterprise directory to the VMware Identity Manager service by the VMware Identity Manager connector. Users can continue to log in and access their applications.

Note The domain name displayed on the login page may be different after the directory is converted if the domain name is different from the domain NETBIOS name. With Workspace ONE UEM sync, the domain NETBIOS name is displayed. With VMware Identity Manager connector sync, the domain name is displayed.


12 Troubleshooting VMware Identity Manager Connector

The troubleshooting topics describe common problems and solutions for the installation and management of the VMware Identity Manager Connector on Windows.

This chapter includes the following topics:

n Resetting admin User Password for VMware Identity Manager Connector

n Kerberos Initialization Error

Resetting admin User Password for VMware Identity Manager Connector

You can change the VMware Identity Manager connector admin user password from the connector admin pages at https://connectorFQDN:8443/cfg/login. However, if you are unable to log in and need to reset the password, you can use the hznSetAdminPassword.bat script to reset the password.

Procedure

1 In the Windows server, open the Command window.

2 Navigate to the INSTALL_DIR\VMware Identity Manager\Connector\usr\local\horizon\bin folder:

cd INSTALL_DIR\VMware Identity Manager\Connector\usr\local\horizon\bin

where INSTALL_DIR is the VMware Identity Manager connector installation directory.

3 Run the following command:

hznSetAdminPassword.bat newPassword

Kerberos Initialization Error

When you configure the Kerberos authentication adapter, you get an error that states that Kerberos initialization failed.


Problem

During the installation of the VMware Identity Manager Connector, if you did not select the Would you like to run the IDM Connector service as a domain user account? option or if you selected the option but specified a domain account that does not have the right to "Create, delete, and manage user accounts" in Active Directory, Kerberos cannot be initialized after installation. When you try to configure the Kerberos authentication adapter, you get an error message that states that Kerberos initialization failed.

Solution

Run the setupkerberos.bat script with a user account that has higher privileges. Use an account that:

n Is a domain user

n Has the right to "Create, delete, and manage user accounts" in Active Directory (members of Admin Users and Account Operators groups have those rights)

n Is part of the administrator group on the Windows server on which the VMware Identity Manager connector is installed

This user account with higher privileges is only required temporarily to run the script and will not be stored or used again for connector services. After you run the script, you can continue configuring the Kerberos authentication adapter with the original user account that you were using.

To run the script:

1 Log in to the Windows connector machine and navigate to the InstallDir\VMware Identity Manager\Connector\usr\local\horizon\scripts directory.

2 Right click setupkerberos.bat and select Run as administrator.

3 Enter the user account with higher privileges described above.

A confirmation message appears after the script has run successfully.

4 Log in to the VMware Identity Manager console with the original user account that you were using and configure the Kerberos authentication adapter.

About the setupkerberos.bat Script

The setupkerberos.bat script performs the following tasks:

1 Creates a service account with the same name as the machine account (without the $)

2 Sets a random password for the account

3 Generates a keytab file for the account, stored in /usr/horizon/conf

4 Maps the given principal of the machine as a SPN inside the account
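To confirm what the script left behind, and in particular that the SPN it mapped is not duplicated anywhere in the forest (a duplicate SPN is a common cause of Kerberos failures), the following PowerShell check is an added example, not part of this guide or of the script. It assumes the RSAT ActiveDirectory module and that it is run on the connector host, so that $env:COMPUTERNAME is the machine account name.

```powershell
# Added example (not from the VMware guide or the script): verifies the service account and
# SPN that setupkerberos.bat is described above as creating. Run on the connector host with a
# domain account that can read AD; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$svcName = $env:COMPUTERNAME    # service account = machine account name without the trailing '$'
$svc = Get-ADUser -Identity $svcName -Properties ServicePrincipalNames, PasswordLastSet, MemberOf -ErrorAction Stop
Write-Output "Service account: $($svc.DistinguishedName) (password last set $($svc.PasswordLastSet))"

if ($svc.ServicePrincipalNames.Count -eq 0) {
    Write-Warning "No SPN is mapped to $svcName; re-run setupkerberos.bat with the higher-privileged account."
}

# Duplicate SPNs anywhere in the forest break Kerberos, so query a Global Catalog (port 3268) for each one.
$gcHost = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
foreach ($spn in $svc.ServicePrincipalNames) {
    # RFC 4515 escaping for the few characters that are special inside an LDAP filter.
    $escaped = [regex]::Replace($spn, '[\\*()]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
    $others  = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Server "${gcHost}:3268" `
                   -SearchBase '' -SearchScope Subtree |
                 Where-Object { $_.DistinguishedName -ne $svc.DistinguishedName })
    if ($others.Count -gt 0) {
        Write-Warning "SPN $spn is duplicated on: $($others.DistinguishedName -join '; ')"
    } else {
        Write-Output "SPN $spn is unique and held by $svcName"
    }
}

# Least-privilege check (the editor's recommendation, not the guide's): the privileged account is only
# needed to run the script; the service account itself should not sit in administrative groups.
$privileged = @($svc.MemberOf | Where-Object { $_ -match '^CN=(Domain Admins|Administrators|Account Operators),' })
if ($privileged.Count -gt 0) {
    Write-Warning "Service account $svcName is a member of: $($privileged -join '; ')"
}
```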
