5 Replies Latest reply on Dec 27, 2016 5:29 AM by pbjork

    Identity Manager 2.8 AirWatch IOS SSO "Built in KDC has not yet been configured"

    pchapman Hot Shot
    vExpert

      Hi,

      Attempting to configure Identity Manager 2.8 on-prem with AirWatch 9.0.1.0 and am running into major issues attempting to configure iOS SSO.  We are following the instructions in the "Workspace One Quick Configuration Guide" http://pubs.vmware.com/identity-manager-28/topic/com.vmware.ICbase/PDF/WS1_quick_configuration_guide.pdf

      I've completed everything up to Page 13, Step 9.  On Step 9, when I click download certificate, a red box pops up and states "Built-in KDC has not yet been configured".

      Any ideas? I've tried an older version of Identity Manager (2.7.1) and ran into the same issue.  I've gone through the VMware HOL for Identity Manager and am not experiencing this issue there.  I've also tried manually downloading that cert as explained in the Identity Manager 2.7 release notes with no luck.

      Thanks

        • 1. Re: Identity Manager 2.8 AirWatch IOS SSO "Built in KDC has not yet been configured"
          pbjork Master
          vExpert, VMware Employees

          To me it looks like that guide only covers cloud deployment. While it is a similar process for an on-prem deployment, you must first initiate the KDC by following these steps in the manual:

          http://pubs.vmware.com/identity-manager-28/topic/com.vmware.wsp-install_28/GUID-58EF2B63-C733-45DD-94CD-E4E4CA671FBB.html

          • 2. Re: Identity Manager 2.8 AirWatch IOS SSO "Built in KDC has not yet been configured"
            pchapman Hot Shot
            vExpert

            Thank you!  I am not sure how I missed that.

            I do have another question though.  This looks like I need to create a DNS SRV record which points to port 88 for Kerberos.  How does that work if I am using Access Point as a reverse proxy to Identity Manager? I do not see anything in the Access Point documentation about port 88, just 80 and 443 for this use case.  It sounds like I may need to eliminate the Access Point and expose the Identity Manager directly to the Internet?

            Also, the documentation is a bit confusing, particularly the example in the section titled "Creating public DNS entries for KDC with built-in Kerberos".

            Why are the entries pointing to kdc.example.com if the Identity Manager is configured as idm.example.com?

            In this example DNS record, the realm is EXAMPLE.COM; the VMware Identity Manager fully qualified domain name is idm.example.com, and the VMware Identity Manager IP address 1.2.3.4.

            kdc.example.com.               1800 IN  AAAA         ::ffff:1.2.3.4
            kdc.example.com.               1800 IN  A            1.2.3.4
            _kerberos._tcp.EXAMPLE.COM          IN  SRV  10  0   88 kdc.example.com.

            Thank you for the help.  I have several other questions regarding the Identity Manager 2.8 / AirWatch config I am struggling with; I'll have to post later, but am looking to get past this hurdle for now.

            • 3. Re: Identity Manager 2.8 AirWatch IOS SSO "Built in KDC has not yet been configured"
              pbjork Master
              vExpert, VMware Employees

              Mobile SSO for iOS in Workspace One/VMware Identity Manager uses the built-in Kerberos support in iOS to achieve its unique and seamless authentication of users. Therefore a Kerberos realm must be established. The Kerberos REALM is tied to a domain name, and only one Kerberos REALM can exist per domain.

              In order to support clients on the Internet the domain must be publicly accessible. Often a company's public domain name is not already Kerberos enabled, e.g. EXAMPLE.COM. If you want to, you can use a subdomain, e.g. test.example.com. The integration is case sensitive: if you initiate your Identity Manager KDC using capital letters, you must use capital letters in the Kerberos SSO profile you create in AirWatch.

              Your DNS records for Kerberos must point to an A record. This A record can, but does not have to, be the same FQDN as your VMware Identity Manager (vIDM).

              Regarding Kerberos ports TCP and UDP 88: they must terminate on the VMware Identity Manager appliance. It cannot be proxied. But using Access Point you can use AP to simply forward traffic and not proxy port 88. If you use the PowerShell deployment script (Using PowerShell to Deploy VMware Unified Access Gateway) you can simply add iptables rules like below:

              forwardrules=tcp/5262/192.168.1.29:5262,tcp/88/192.168.1.29:88,udp/88/192.168.1.29:88

              (Port 5262 is for Mobile SSO for Android.) 192.168.1.29 is my vIDM appliance IP.

              Attached is my deployment script for reference.
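The reply above boils down to two things that are easy to get wrong on an on-prem deployment: the public Kerberos DNS records (an SRV at _kerberos._tcp.<REALM> on port 88 whose target has an A record, with the realm spelling matching what the AirWatch profile will use) and the forwardrules on the appliance in front of vIDM (TCP and UDP 88 forwarded, not proxied, to the vIDM IP). The script below is an added example, not code from the thread or from VMware; it checks both offline from constructed inputs modelled on the records and the forwardrules value quoted in the thread. The zone parser only understands the simple one-record-per-line layout shown here.

```python
"""Offline consistency checks for an on-prem Mobile SSO for iOS setup:
the public Kerberos DNS records and the Unified Access Gateway forwardrules
string. Example code added to this thread; all sample data is constructed."""

KERBEROS_PORT = 88

# Constructed sample zone fragment, modelled on the records quoted in the thread.
SAMPLE_ZONE = """
kdc.example.com.               1800 IN  AAAA         ::ffff:1.2.3.4
kdc.example.com.               1800 IN  A            1.2.3.4
_kerberos._tcp.EXAMPLE.COM          IN  SRV  10  0   88 kdc.example.com.
"""

# Constructed broken variant: lower-case realm label, wrong port, target with no A record.
BROKEN_ZONE = """
idm.example.com.               1800 IN  A            1.2.3.4
_kerberos._tcp.example.com          IN  SRV  10  0   89 kdc.example.com.
"""

# The forwardrules value quoted in the reply above.
SAMPLE_FORWARDRULES = "tcp/5262/192.168.1.29:5262,tcp/88/192.168.1.29:88,udp/88/192.168.1.29:88"


def parse_zone(text):
    """Parse zone-file style lines into (owner, type, rdata) tuples.
    Handles the optional TTL and the IN class. The owner keeps its original
    case so the realm spelling can be checked, but loses the trailing dot."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        owner = fields[0].rstrip(".")
        idx = 1
        if fields[idx].isdigit():        # optional TTL
            idx += 1
        if fields[idx].upper() == "IN":  # optional class
            idx += 1
        records.append((owner, fields[idx].upper(), fields[idx + 1:]))
    return records


def check_kerberos_dns(zone_text, realm):
    """Return a list of problems with the Kerberos records for `realm`: an SRV
    named _kerberos._tcp.<REALM> on port 88 whose target has an A record.
    DNS itself is case-insensitive; the exact-case comparison is a reminder that
    the realm string entered in the AirWatch Kerberos profile must match the
    case the vIDM KDC was initialised with (assumption: you spell the realm in
    the zone the same way you initialised the KDC)."""
    problems = []
    records = parse_zone(zone_text)
    a_names = {owner.lower() for owner, rtype, _ in records if rtype == "A"}
    srv_name = f"_kerberos._tcp.{realm}"
    srvs = [(o, r) for o, t, r in records if t == "SRV" and o.lower() == srv_name.lower()]
    if not srvs:
        return [f"no SRV record named {srv_name}"]
    for owner, rdata in srvs:
        if owner != srv_name:
            problems.append(f"SRV owner {owner!r} differs in case from realm {realm!r}")
        _priority, _weight, port, target = rdata
        if int(port) != KERBEROS_PORT:
            problems.append(f"SRV port is {port}, expected {KERBEROS_PORT}")
        if target.rstrip(".").lower() not in a_names:
            problems.append(f"SRV target {target} has no A record in the zone")
    return problems


def check_forwardrules(forwardrules, vidm_ip):
    """Return the protocols (tcp/udp) that are NOT forwarded on port 88 to `vidm_ip`.
    Both must be forwarded for the built-in KDC to be reachable through the appliance."""
    forwarded = set()
    for rule in forwardrules.split(","):
        proto, port, dest = rule.strip().split("/")   # e.g. tcp/88/192.168.1.29:88
        dest_ip, dest_port = dest.rsplit(":", 1)
        if int(port) == KERBEROS_PORT and dest_ip == vidm_ip and int(dest_port) == KERBEROS_PORT:
            forwarded.add(proto.lower())
    return sorted({"tcp", "udp"} - forwarded)


if __name__ == "__main__":
    print("good zone:", check_kerberos_dns(SAMPLE_ZONE, "EXAMPLE.COM") or "OK")
    print("broken zone:", check_kerberos_dns(BROKEN_ZONE, "EXAMPLE.COM"))
    print("missing forwards:", check_forwardrules(SAMPLE_FORWARDRULES, "192.168.1.29") or "none")
```

To run the same checks against a live zone, paste the output of `dig +noall +answer _kerberos._tcp.EXAMPLE.COM SRV` and `dig +noall +answer kdc.example.com A` into the zone text; the parser accepts that answer-section layout because it tolerates the TTL and class fields.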

              • 4. Re: Identity Manager 2.8 AirWatch IOS SSO "Built in KDC has not yet been configured"
                pchapman Hot Shot
                vExpert

                Thank you, very helpful.  One last question for now - how would this work if you are using the recommended number of 3 load balanced identity manager appliances?  Does this change replicate to the others, is special configuration needed, or is HA not possible at this time?

                • 5. Re: Identity Manager 2.8 AirWatch IOS SSO "Built in KDC has not yet been configured"
                  pbjork Master
                  VMware Employees, vExpert

                  I believe either one of the HA nodes can act as KDC, since you cloned after initiating the KDC server. But I do not know 100%.