To me it looks like that guide only covers cloud deployment. While the process for an on-prem deployment is similar, you must first initiate the KDC by following these steps in the manual:
Thank you! I am not sure how I missed that.
I do have another question though. This looks like I need to create a DNS SRV record which points to port 88 for Kerberos. How does that work if I am using Access Point as a reverse proxy to Identity Manager? I do not see anything in the Access Point documentation about port 88, just 80 and 443 for this use case. It sounds like I may need to eliminate the Access Point and expose the Identity Manager directly to the Internet?
Also, the documentation is a bit confusing, particularly the example in the section titled "Creating public DNS entries for KDC with built-in kerberos".
Why are the entries pointing to kdc.example.com if the Identity Manager is configured as idm.example.com?
Example: DNS Record Entries for KDC
Thank you for the help. I have several other questions regarding the Identity Manager 2.8 / Airwatch config I am struggling with, I'll have to post later, but am looking to get past this hurdle for now.
Mobile SSO for iOS in Workspace One/VMware Identity Manager uses the built-in Kerberos support in iOS to achieve its unique and seamless authentication of users. Therefore a Kerberos realm must be established. The Kerberos REALM is tied to a domain name, and only one Kerberos REALM can exist per domain.
In order to support clients on the Internet, the domain must be publicly accessible. Often a company's public domain name is not already Kerberos enabled, e.g. EXAMPLE.COM. If you want, you can use a subdomain, e.g. test.example.com. The integration is case sensitive. If you initiate your Identity Manager KDC using capital letters, you must use capital letters in the Kerberos SSO profile you create in AirWatch.
Your DNS records for Kerberos must point to an A record. This A record can, but does not have to, be the same FQDN as your VMware Identity Manager (vIDM).
Regarding Kerberos ports TCP and UDP 88: they must terminate on the VMware Identity Manager appliance. They cannot be proxied. But using Access Point you can have AP simply forward the port 88 traffic rather than proxy it. If you use the PowerShell deployment script (Using PowerShell to Deploy VMware Unified Access Gateway) you can simply add iptables rules like below:
(Port 5262 is for Mobile SSO for Android.) 192.168.1.29 is my vIDM appliance IP.
Attached is my deployment script for reference.
ap1.ini.zip 2.3 K
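The answer above makes three checkable claims: the Kerberos SRV records must carry port 88, their target must be an A record (which may or may not be the vIDM FQDN, hence kdc.example.com versus idm.example.com in the manual), and the realm name is compared case sensitively between the KDC and the AirWatch profile. The following validator is an added example, not code from the thread or from VMware; the zone records and the realm strings are constructed sample data, and the record layout (a dict of name to typed values) is an assumption for offline use rather than a real DNS client.

```python
"""Sanity-check public DNS entries and realm naming for a built-in Kerberos KDC.

Added example with constructed data; it does not query real DNS. The zone is
modelled as {owner_name: [(rtype, value), ...]} where an SRV value is the
tuple (priority, weight, port, target) and an A value is an IPv4 string.
"""

# Constructed zone for the subdomain test.example.com (RFC 5737 test address).
# Note the SRV target (kdc.) is a separate A record from the vIDM name (idm.):
# the answer above says these may, but need not, be the same FQDN.
ZONE = {
    "_kerberos._tcp.test.example.com.": [("SRV", (0, 100, 88, "kdc.test.example.com."))],
    "_kerberos._udp.test.example.com.": [("SRV", (0, 100, 88, "kdc.test.example.com."))],
    "kdc.test.example.com.": [("A", "203.0.113.10")],
    "idm.test.example.com.": [("A", "203.0.113.10")],
}

KERBEROS_PORT = 88


def _fqdn(name):
    """Normalise a DNS owner name: lower-case with a single trailing dot."""
    return name.rstrip(".").lower() + "."


def check_kdc_dns(zone, realm_domain):
    """Return a list of findings; an empty list means the records look consistent.

    Checks the _kerberos._tcp and _kerberos._udp SRV records for the realm's
    domain, that each advertises port 88, and that each target owns an A record
    (a CNAME or a missing name is reported, since Kerberos clients expect an A).
    """
    findings = []
    for proto in ("_tcp", "_udp"):
        name = f"_kerberos.{proto}.{_fqdn(realm_domain)}"
        srvs = [value for rtype, value in zone.get(name, []) if rtype == "SRV"]
        if not srvs:
            findings.append(f"missing SRV record {name}")
            continue
        for _prio, _weight, port, target in srvs:
            if port != KERBEROS_PORT:
                findings.append(f"{name} advertises port {port}; Kerberos expects {KERBEROS_PORT}")
            target_types = {rtype for rtype, _ in zone.get(_fqdn(target), [])}
            if "A" not in target_types:
                found = sorted(target_types) or "nothing"
                findings.append(f"{name} target {target} has no A record (found {found})")
    return findings


def check_realm_profile(kdc_realm, profile_realm):
    """Compare the realm the KDC was initiated with against the AirWatch profile.

    The comparison is case sensitive, as the answer states; a case-only
    difference is reported separately because it is the easiest one to miss.
    """
    if kdc_realm == profile_realm:
        return None
    if kdc_realm.lower() == profile_realm.lower():
        return (f"realm case mismatch: KDC initiated as {kdc_realm!r}, "
                f"AirWatch profile uses {profile_realm!r}")
    return f"realm mismatch: KDC {kdc_realm!r} vs profile {profile_realm!r}"


if __name__ == "__main__":
    for finding in check_kdc_dns(ZONE, "test.example.com") or ["DNS records OK"]:
        print(finding)
    print(check_realm_profile("TEST.EXAMPLE.COM", "test.example.com"))
```

Run the checks against an export of your public zone before enrolling devices; a target that is a CNAME to the reverse proxy, or an SRV record that points at 443 because that is the only port the proxy publishes, are the two misconfigurations this catches that the port-80/443 proxy documentation would not warn about.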
Thank you, very helpful. One last question for now: how would this work if you are using the recommended number of 3 load-balanced Identity Manager appliances? Does this change replicate to the others, is special configuration needed, or is HA not possible at this time?
I believe either one of the HA nodes can act as KDC since you cloned after initiating the KDC server. But I do not know 100%.