Enthusiast

Workspace ONE Access connector Configuring High Availability for Kerberos Authentication

Having intermittent issues with HA for Kerberos Authentication and the Workspace ONE Access connectors v20.01.

When going to our vmwareidentity portal from a domain-joined Windows 10 workstation, we get redirected to our internal virtual server on the F5 that load balances our 2 connectors.

Intermittently, the browser throws errors (Can't reach this page).

If we wait a little bit, we automatically get redirected and SSO works using Kerberos.

If we press the refresh button on the error page, we also get redirected and SSO works using Kerberos.

Not sure where the issue is.

Our load balancer is set up as a layer 4 virtual server which simply forwards packets.

Certificates are handled on the 2 connectors directly and they are valid.

There is never a certificate error.

Seems to be happening with the 2 connectors.

Even if we disable a node on the virtual server in our F5, the errors still show up intermittently.

Anyone have a clue?

3 Replies

VMware Employee

Hi, I've not heard of any issues like this before. But so I understand the setup a little better. The WorkspaceIDP points using a FQDN to a virtual server on F5? Do you terminate the TLS session on F5 and do you have a valid certificate on F5 (with its full chain)?

Have you configured the Kerberos AuthN method to use redirect?

And lastly, have you uploaded new and trusted certificates to your Kerberos AuthN Services, including its full chain?

Enthusiast

Our virtual server on the F5 is set up in layer 4. Packet forwarding only. The certificate for the FQDN was imported and set up on the connectors directly in the setup steps. The certificate has subject alternate names for the connectors themselves and the virtual server address. There is no apparent certificate issue.

The problem is with the weird redirection issue.

I can share a video or logs with you.

I have a ticket opened with VMware but so far it has led to nothing.

Enthusiast

Have you tried to get the load-balancer out of the equation?

  1. Point the DNS A-Record directly to one of the two connectors instead of to the LB - does this change the behaviour?
  2. If you point the A-Record to the other connector - any differences?

Alex

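A way to run the same isolation test Alex describes without touching DNS: probe the VIP and each connector directly, many times, and record which layer (TCP, TLS, HTTP) fails on each attempt. This is an added example written for this thread, not code from the original posts or from VMware; the hostnames, the probe path and the attempt count are constructed placeholders. It presents the VIP name as SNI on every connection (as a browser following the redirect would) and checks that the served certificate's SANs cover the VIP and both connector names, which is the certificate layout the original poster describes. A target that fails on some attempts but not all is flagged as intermittent; a target that fails every attempt points at a hard misconfiguration instead.

```python
"""Probe a Kerberos AuthN endpoint through the load-balancer VIP and through
each connector directly, to separate LB behaviour from connector behaviour.
All hostnames, the path and the attempt count are constructed placeholders."""
import socket
import ssl

VIP_FQDN = "idp-kerberos.example.internal"            # placeholder VIP name
CONNECTORS = ["connector1.example.internal",          # placeholder connectors
              "connector2.example.internal"]
PROBE_PATH = "/"                                      # hypothetical path


def san_covers(peercert, hostname):
    """True if the cert's subjectAltName DNS entries cover hostname.
    peercert is the dict shape returned by ssl.SSLSocket.getpeercert().
    A wildcard matches exactly one leftmost label, as browsers require."""
    host = hostname.lower().rstrip(".")
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False


def probe_once(host, sni, expect_names, timeout=5.0):
    """One TCP + TLS + HTTP round trip to host, presenting sni.
    Returns 'ok' or a status naming the layer that failed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                missing = [n for n in expect_names
                           if not san_covers(tls.getpeercert(), n)]
                if missing:
                    return "san-missing:" + ",".join(missing)
                req = (f"GET {PROBE_PATH} HTTP/1.1\r\nHost: {sni}\r\n"
                       f"Connection: close\r\n\r\n").encode()
                tls.sendall(req)
                head = tls.recv(64)
                return "ok" if head.startswith(b"HTTP/1.") else "bad-http"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except ssl.SSLError as e:          # includes certificate verification errors
        return "tls:" + (e.reason or "error")
    except OSError as e:
        return "net:" + e.__class__.__name__


def summarize(results):
    """results: iterable of (target, status). Returns per-target counts so a
    target failing only a fraction of attempts stands out."""
    out = {}
    for target, status in results:
        entry = out.setdefault(target, {"attempts": 0, "failures": 0, "statuses": {}})
        entry["attempts"] += 1
        if status != "ok":
            entry["failures"] += 1
        entry["statuses"][status] = entry["statuses"].get(status, 0) + 1
    return out


def intermittent_targets(summary):
    """Targets that failed some, but not all, attempts."""
    return sorted(t for t, e in summary.items()
                  if 0 < e["failures"] < e["attempts"])


def run_probes(attempts=20):
    """Probe the VIP and each connector directly, always presenting the VIP
    name as SNI, which is what a redirected browser sends."""
    names = [VIP_FQDN] + CONNECTORS
    results = [(host, probe_once(host, VIP_FQDN, names))
               for _ in range(attempts) for host in names]
    return summarize(results)


if __name__ == "__main__":
    summary = run_probes()
    for target, entry in summary.items():
        print(f"{target}: {entry['failures']}/{entry['attempts']} failed {entry['statuses']}")
    print("intermittent:", intermittent_targets(summary))
```

If only the VIP shows intermittent failures, the problem sits in front of the connectors; if one connector fails directly while the other does not, the load balancer is not the cause and that connector's TLS or service state is the place to look.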