How to configure Kerberos Authentication with vRA 7

With vRealize Automation 7, you can now log in to the vRA 7 portal without providing credentials. The vRA portal automatically uses the credentials of the user who is logged in to the Windows server or desktop system. This behaviour is called login via Kerberos Authentication (only supported on Windows operating systems).

This blog article describes how to set this up.

  1. I assume that a directory has already been configured. In my case this is a directory of the type Active Directory with IWA (Integrated Windows Authentication).
  2. Now go to Administration –> Directories Management –> Connectors. Here you can find your Connectors. By default only Password Authentication has been configured.
  3. Click on the Worker link in your connector configuration.
  4. Navigate to the Auth Adapters tab. Here you can see that the KerberosIdpAdapter is Disabled.
  5. Click on the KerberosIdpAdapter link and provide the Directory UID Attribute. In my case it is sAMAccountName. Also enable the checkbox “Enable Windows Authentication” and click “Save”.
  6. Now you can see that the KerberosIdpAdapter has been enabled.
  7. Go back to the vRA portal where your connector has been configured. As you can see, both Authentication Methods, “Kerberos” and “Password”, are now available.
  8. Now let's configure the priority of these Authentication Methods. Go to Administration –> Directories Management –> Policies. Here you can see that only the Authentication Method “Password” has been configured for Device Type “Web Browser” in the default_access_policy_set.
  9. Now click on the default_access_policy_set link.
  10. Click on the configured Authentication Method of the Device Type “Web Browser”.
  11. Change the policy rule by configuring Kerberos as the primary authentication method and password as the fallback authentication method. Next, save the updated policy rule.
  12. Now you can see that the Authentication Method of the Device Type “Web Browser” has been configured for Kerberos. Click Save again.
  13. Go to Administration –> Directories Management –> Identity Providers. Click on the Identity Provider link. In my case WorkspaceIDP__1.
  14. Click on the Identity Provider link (in my case WorkspaceIDP__1) and find the configured IdP Hostname. Remember the IdP Hostname because you need it to configure your web browsers.
  15. Finally we need to configure the web browser for Kerberos authentication. For Internet Explorer and Google Chrome do the following. Open Internet Explorer, go to Internet Options and select the Security tab.
  16. Select Local Intranet and click Sites.
  17. Click Advanced and click “Add this website to the zone”. The configured IdP Hostname is expected here. Click Close.
  18. Now close your Internet Explorer and Google Chrome web browsers and test your vRA portal with Kerberos authentication.
  19. For the Firefox web browser it works a little bit differently. Open Firefox and type “about:config” in the address bar. Click on the button “I’ll be careful, I promise!”.
  20. In the search bar type “network.neg”.
  21. Populate the Preference Name “network.negotiate-auth.trusted-uris” with the configured IdP Hostname.
  22. Now close your Firefox web browser and test your vRA portal with Kerberos authentication.
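
To check the result of steps 19 to 21 on a workstation, the following added example (not part of the original article) reads the text of a Firefox profile's prefs.js and reports whether “network.negotiate-auth.trusted-uris” covers the IdP Hostname and whether any entry reaches further than that one host. The hostname vra-idp.corp.example, the sample preferences and the simplified entry-matching model are assumptions made for illustration.

```python
import re

# prefs.js / user.js line: user_pref("network.negotiate-auth.trusted-uris", "a, b");
PREF_RE = re.compile(
    r'user_pref\(\s*"network\.negotiate-auth\.trusted-uris"\s*,\s*"([^"]*)"\s*\)\s*;')

# Constructed sample; vra-idp.corp.example is a hypothetical IdP hostname.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.negotiate-auth.trusted-uris", "https://vra-idp.corp.example, .lab.example");
'''

def trusted_uris(prefs_text):
    """Entries of the preference; the last assignment in the file wins."""
    values = PREF_RE.findall(prefs_text)
    return [e.strip() for e in values[-1].split(",") if e.strip()] if values else []

def split_entry(entry):
    """Split an entry into (scheme, host); either part may be empty."""
    scheme, sep, rest = entry.partition("://")
    if not sep:
        scheme, rest = "", entry
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return scheme.lower(), host.lower().lstrip(".")

def covers(entry, idp_host, scheme="https"):
    """Assumed model: scheme must agree when given; host matches exactly or as a parent domain."""
    e_scheme, e_host = split_entry(entry)
    if e_scheme and e_scheme != scheme:
        return False
    if not e_host:
        return True  # scheme-only entry such as "https://" covers every host
    host = idp_host.lower()
    return host == e_host or host.endswith("." + e_host)

def audit(prefs_text, idp_host):
    """Is the IdP covered, and which entries reach beyond that single host?"""
    entries = trusted_uris(prefs_text)
    return {
        "configured": any(covers(e, idp_host) for e in entries),
        "scheme_only": [e for e in entries if not split_entry(e)[1]],
        "other_hosts": [e for e in entries
                        if split_entry(e)[1] not in ("", idp_host.lower())],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS, "vra-idp.corp.example"))
```

Entries reported under scheme_only or other_hosts allow the browser to attempt Negotiate authentication with sites other than the IdP, so they are worth reviewing before the setting is rolled out to more machines.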

4 thoughts on “How to configure Kerberos Authentication with vRA 7”

  1. Trying this in vRA 7.6 and get access denied for IE. Chrome just prompts me to try and log in using the username and password
