pchapman
Hot Shot

Identity Manager 2.8 AirWatch IOS SSO "Built in KDC has not yet been configured"

Hi,

Attempting to configure Identity Manager 2.8 on-prem with AirWatch 9.0.1.0 and am running into major issues attempting to configure iOS SSO.  We are following the instructions in the "Workspace One Quick Configuration Guide" http://pubs.vmware.com/identity-manager-28/topic/com.vmware.ICbase/PDF/WS1_quick_configuration_guide...

I've completed everything up to Page 13, Step 9.  On Step 9, when I click download certificate, a red box pops up and states "Built-in KDC has not yet been configured"

Any ideas? I've tried an older version of Identity Manager (2.7.1) and ran into the same issue.  I've gone through the VMware HOL for Identity Manager and am not experiencing this issue there.  I've also tried manually downloading that cert as explained in the Identity Manager 2.7 release notes with no luck.

Thanks

pbjork
VMware Employee

To me it looks like that guide only covers cloud deployment. While the process is similar for an on-prem deployment, you must first initiate the KDC by following these steps in the manual:

http://pubs.vmware.com/identity-manager-28/topic/com.vmware.wsp-install_28/GUID-58EF2B63-C733-45DD-9...

pchapman
Hot Shot

Thank you!  I am not sure how I missed that.

I do have another question though.  This looks like I need to create a DNS SRV record which points to port 88 for Kerberos.  How does that work if I am using Access Point as a reverse proxy to Identity Manager? I do not see anything in the Access Point documentation about port 88.  Just 80 and 443 for this use case.  It sounds like I may need to eliminate the Access Point and expose Identity Manager directly to the Internet?

Also, the documentation is a bit confusing.  Particularly the example in the section titled "Creating public DNS entries for KDC with built-in kerberos"

Why are the entries pointing to kdc.example.com if the Identity Manager is configured as idm.example.com?

In this example DNS record, the realm is EXAMPLE.COM; the VMware Identity Manager fully qualified domain name is idm.example.com, and the VMware Identity Manager IP address 1.2.3.4.

kdc.example.com.               1800 IN  AAAA         ::ffff:1.2.3.4
kdc.example.com.               1800 IN  A            1.2.3.4
_kerberos._tcp.EXAMPLE.COM          IN  SRV  10  0   88 kdc.example.com.

Thank you for the help.  I have several other questions regarding the Identity Manager 2.8 / AirWatch config I am struggling with; I'll have to post those later, but I am looking to get past this hurdle for now.

pbjork
VMware Employee

Mobile SSO for iOS in Workspace One/VMware Identity Manager uses the built-in Kerberos support in iOS to achieve its unique and seamless authentication of users. Therefore a Kerberos realm must be established. The Kerberos REALM is tied to a domain name, and only one Kerberos REALM can exist per domain.

In order to support clients on the Internet, the domain must be publicly accessible. Often a company's public domain name is not already Kerberos enabled, e.g. EXAMPLE.COM. If you want to, you can use a subdomain, e.g. test.example.com. The integration is case sensitive: if you initiate your Identity Manager KDC using capital letters, you must use capital letters in the Kerberos SSO profile you create in AirWatch.

Your DNS records for Kerberos must point to an A record. This A record can, but does not have to, be the same FQDN as your VMware Identity Manager (vIDM).

Regarding Kerberos ports TCP and UDP 88: they must terminate on the VMware Identity Manager appliance. They cannot be proxied. But using Access Point, you can use AP to simply forward traffic on port 88 rather than proxy it. If you use the PowerShell deployment script (Using PowerShell to Deploy VMware Access Point), you can simply add iptables rules like below:

forwardrules=tcp/5262/192.168.1.29:5262,tcp/88/192.168.1.29:88,udp/88/192.168.1.29:88

(Port 5262 is for Mobile SSO for Android.) 192.168.1.29 is my vIDM appliance IP.

Attached is my deployment script for reference.

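Added example, not from this thread or from VMware: a small Python pre-flight check for the record set and forwarding rules described in the reply above. It parses zone lines in the textual form quoted earlier in the thread, verifies that the _kerberos._tcp.<REALM> SRV record points at port 88 and at a name that actually has an A/AAAA record, and builds the Access Point forwardrules string for a given vIDM IP. The zone contents and IP addresses are constructed sample values.

```python
# Constructed sample zone mirroring the thread's example: realm EXAMPLE.COM,
# KDC host kdc.example.com, vIDM appliance at 1.2.3.4 (not real infrastructure).
SAMPLE_ZONE = """
kdc.example.com.               1800 IN  AAAA         ::ffff:1.2.3.4
kdc.example.com.               1800 IN  A            1.2.3.4
_kerberos._tcp.EXAMPLE.COM          IN  SRV  10  0   88 kdc.example.com.
"""


def parse_zone(text):
    """Parse 'owner [ttl] IN TYPE rdata...' lines into (owner, type, rdata)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        idx = 1
        if fields[idx].isdigit():          # optional TTL before the class
            idx += 1
        if fields[idx].upper() != "IN":
            raise ValueError(f"unsupported record line: {line!r}")
        rtype = fields[idx + 1].upper()
        # DNS owner names are case-insensitive; normalise them for matching
        records.append((fields[0].rstrip(".").lower(), rtype, fields[idx + 2:]))
    return records


def check_kdc_records(zone_text, realm):
    """Return a list of problems; an empty list means the SRV/A set is usable."""
    records = parse_zone(zone_text)
    srv_owner = f"_kerberos._tcp.{realm}".lower()
    srvs = [r for r in records if r[0] == srv_owner and r[1] == "SRV"]
    if not srvs:
        return [f"no SRV record for _kerberos._tcp.{realm}"]
    problems = []
    for _, _, (_prio, _weight, port, target) in srvs:
        target = target.rstrip(".").lower()
        if port != "88":
            problems.append(f"SRV for {target} uses port {port}, expected 88")
        if not any(r[0] == target and r[1] in ("A", "AAAA") for r in records):
            problems.append(f"SRV target {target} has no A/AAAA record")
    return problems


def access_point_forward_rules(vidm_ip):
    """forwardrules value for the Access Point PowerShell deployment script:
    TCP/UDP 88 (Kerberos) and TCP 5262 (Android SSO) passed straight through."""
    return ",".join([f"tcp/5262/{vidm_ip}:5262", f"tcp/88/{vidm_ip}:88", f"udp/88/{vidm_ip}:88"])
```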
pchapman
Hot Shot

Thank you, very helpful.  One last question for now: how would this work if you are using the recommended number of 3 load-balanced Identity Manager appliances?  Does this change replicate to the others, is special configuration needed, or is HA not possible at this time?

pbjork
VMware Employee

I believe either one of the HA nodes can act as KDC, since you cloned after initiating the KDC server. But I do not know 100%.
