Configuring Certificate to Kerberos Option for Identity Bridging

VMware Workspace ONE UEM 9.5 and later
VMware Unified Access Gateway 3.3 and later


Introduction

Unified Access Gateway in identity bridging mode acts as the service provider that passes user authentication to the configured legacy applications.

When you use VMware Workspace ONE Web (formerly VMware Browser) to access the target website through Unified Access Gateway, which acts as the reverse proxy, Unified Access Gateway validates the presented certificate. If the certificate is valid, the browser displays the user interface page for the back-end application.

This section helps you to configure the certificate to Kerberos option in identity bridging to provide SSO for legacy web applications using Workspace ONE Web and Unified Access Gateway. You also learn how to leverage Workspace ONE UEM to deploy and manage the user certificate life cycle on the device, automating the entire process and eliminating manual configurations.

Any browser can be used to access the internal web application through Unified Access Gateway; however, other browsers open a dialog requesting the user certificate. Workspace ONE Web does not prompt for a user certificate, because it checks the local certificate store for a certificate that matches the one requested, providing a silent experience to the end user. In this scenario, you can still use Workspace ONE UEM to deploy and manage the user certificate on managed devices.

These exercises cover a Unified Access Gateway 3.3 deployment integrated with Workspace ONE UEM 9.6.

Procedures include:

  • Deploying a Unified Access Gateway appliance with two NICs, one facing the internet and the second one dedicated to management and back-end access
  • Configuring Identity Bridging on Unified Access Gateway
  • Configuring VMware Enterprise Systems Connector to integrate Microsoft AD with Workspace ONE UEM
  • Configuring CA integration in Workspace ONE UEM
  • Configuring Workspace ONE Web to use a certificate for authentication
  • Testing SSO access to an internal web application performing certificate to Kerberos authentication through Workspace ONE Web

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

1. Authentication Flow

The following diagram describes the authentication flow that you will configure in this section.

  1. Client navigates to the application URL (https://uag.airwlab.com/itbudget). The client certificate is sent to Unified Access Gateway in the TLS handshake.
  2. Unified Access Gateway checks if the client certificate is valid or revoked.
  3. Unified Access Gateway extracts the client’s UPN from the certificate and requests a Kerberos ticket from Active Directory (CORP.LOCAL) on behalf of that user.
  4. Unified Access Gateway authenticates against the internal web server (https://it.corp.local) using the Kerberos ticket obtained from AD.

Prerequisites

Before you can perform the steps in this exercise, you must install and configure the following components:

  • VMware AirWatch 8.4 and later or VMware Workspace ONE UEM 9.5 and later
  • VMware vSphere ESX host with a vCenter Server (vSphere 6® and later)
  • vSphere data store and network to use
  • PowerShell script running on Windows 8.1 or later machines, or Windows Server 2008 R2 or later
  • Windows machine running the PowerShell script with the VMware OVF Tool command installed (see OVF Tool Software Download to install OVF Tool 4.3 or later)
  • Unified Access Gateway PowerShell script, such as uagdeploy-VERSION.ZIP (download from my.vmware.com, and extract the files into a folder on your Windows machine)
  • iPhone, iPad, and iPod Touch devices running iOS 9.0 and later
  • CA Root and Intermediate certificate, and user certificate to configure Device Certificate Authentication

Ensure the following settings are enabled in the Workspace ONE UEM Console:

  • Organization Group created and set as Customer Type 
  • Device Root Certificate issued
  • REST API Key generated at the Organization Group where VMware Tunnel will be enabled

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser


On your desktop, double-click the Google Chrome icon.

3. Authenticate In to the Workspace ONE UEM Console

Authenticate to the AirWatch Administration Console
  1. Enter your Username. This is the name provided in the activation email.
  2. Enter your Password. This is the password provided in the activation email.
  3. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Integrating Active Directory and Workspace ONE UEM

This section helps you to integrate Microsoft AD with Workspace ONE UEM.

This integration is required for a few reasons:

  1. The user certificate is generated based on the enrolled user information.
  2. Workspace ONE UEM sends the certificate request to Microsoft CA. This request is based on a certificate template that requires the user information.
  3. To perform Kerberos authentication, a domain account is required.

Perform these exercises on the machine where you will install the VMware Enterprise Systems Connector.

  1. Select Groups & Settings.
  2. Select All Settings.

2. Enable VMware Enterprise Systems Connector

In this step, you enable VMware Enterprise Systems Connector, which acts as a gateway between your devices and internal services such as Microsoft AD, Certificate Authority, SMP Server, and so on.

  1. Select System.
  2. Select Enterprise Integration.
  3. Select VMware Enterprise Systems Connector.
  4. Select Override.
  5. Select Enabled for Enable VMware Enterprise System Connector.
  6. Select Enable for Enable Auto Update.
  7. Click Save.

3. Download VMware Enterprise Systems Connector

Download

Click Download VMware Enterprise Systems Connector Installer.

3.1. Create a Password for the VMware Enterprise Systems Connector Installer Certificate

Password

When you run the installer, a password is requested. This password allows the import of current settings to the VMware Enterprise Systems Connector.

After you provide the password, the installer is downloaded to the Downloads folder.

  1. Enter VMware1! for the Password.
  2. Enter VMware1! again to confirm the password.
  3. Click Download.

4. Install the VMware Enterprise Systems Connector

Ensure you are logged into the machine where you will install VMware Enterprise Systems Connector.

4.1. Run the VMware Enterprise Systems Connector Installer

Run Installer

After the download completes, click the VMware Enterprise Systems Connector Installer.exe to begin installation.

4.2. Allow the Installer to Run

Click Run when prompted to run this software.

4.3. Begin the VMware Enterprise Systems Connector Installer

Click Next.

4.4. Accept the License Agreement Terms

  1. Select I accept the terms in the license agreement.
  2. Click Next.

4.5. Choose the Program Features to Install

  1. Ensure that the AirWatch Cloud Connector is set to install and that the VMware Identity Manager Connector is not set to install.
  2. Click Next.

4.6. Accept the Default Destination Folder

Accept the default destination folder by clicking Next.

4.7. Enter the Certificate Password

  1. Enter the Certificate Password, for example, VMware1!.
  2. Click Next.

4.8. Disable Outbound Proxy

Ensure Outbound Proxy is not selected and click Next.

4.9. Begin the Installation Process

Click Install.

4.10. Close the VMware Enterprise Systems Connector Installer

Click Finish.

5. Confirm the VMware Enterprise Systems Connector Installation was Successful

In the Workspace ONE UEM Console:

  1. In the VMware Enterprise Systems Connector settings, scroll down to find the Test Connection button.
  2. Click Test Connection. Ensure the message VMware Enterprise Systems Connector is active is displayed.

6. Integrate Microsoft AD and Workspace ONE UEM

To integrate Active Directory with Workspace ONE UEM, navigate to the Directory Services settings.

  1. Select Directory Services under Enterprise Integration.
  2. Click Skip wizard and configure manually.

6.1. Configure AD Server Settings

  1. Select Override for Current Settings.
  2. Select Active Directory for Directory Type.
  3. Enter the Server, for example, controlcenter.corp.local.
  4. Select NONE for Encryption Type.
  5. Enter 389 for Port.
  6. Enter 3 for Protocol Version.
  7. Select Disabled for Use Service Account Credentials.
  8. Select GSS-Negotiate for Bind Authentication Type.
  9. Enter the Bind UserName, for example, corp\imaservice.
  10. Enter the Bind Password, for example, VMware1!.
  11. Enter the Domain, for example, CORP.
  12. Select the User tab located on the top.

6.2. Configure AD User Settings

  1. Select Override for Current Settings.
  2. Click the plus icon next to CORP domain.
  3. Select the Base DN, for example, DC=corp, DC=local.
  4. Select the Group tab.

6.3. Configure AD Group Settings

  1. Select Override for Current Settings.
  2. Click the plus icon next to CORP domain.
  3. Select the Base DN, for example, DC=corp, DC=local.
  4. Select Server to return to the server settings.

6.4. Test AD Connection

  1. Scroll down to find the Test Connection button.
  2. Click Test Connection and check for the message Connection successful with the given server name, bind username, and password.
  3. Click Save.

Integrating Certificate Authority with Workspace ONE UEM

This section helps you to integrate Microsoft Certificate Authority (CA) with Workspace ONE UEM, and configure the Certificate Template to be requested by Workspace ONE Web.

This integration is required for a few reasons:

  1. Workspace ONE UEM requests and delivers the user certificate on the user device, fully automated.
  2. Workspace ONE UEM revokes the certificate when the device is unenrolled.
  3. Workspace ONE Web presents the user certificate to Unified Access Gateway when accessing the internal website, to initiate the validation process and transformation of the request to Kerberos.

1. Add Certificate Authority to Workspace ONE UEM

In the Workspace ONE UEM Console,

  1. Navigate to System > Enterprise Integration > Certificate Authorities.
  2. Click Add under the Certificate Authorities tab.

2. Configure Certificate Authority

Configure CA
  1. Enter a name, for example, CONTROLCENTER CA.
  2. Select Microsoft ADCS.
  3. Select ADCS.
  4. Enter the Server Hostname, for example, controlcenter.corp.local.
  5. Enter the Authority Name, for example, corp-CONTROLCENTER-CA.
  6. Enter the User name, for example, corp\imaservice. This service account must have permission to request, renew, and revoke certificates on the CA.
  7. Enter the Password, for example, VMware1!.
  8. Enter the password again.
  9. Click Test Connection. You should see the message Test is successful.
  10. Click Save and Add Template.

3. Add Certificate Template

In this step, you add the certificate template that associates the CA used to generate the user certificate.

The properties of this certificate template must match the template defined on the CA, otherwise the user cannot authenticate using the certificate.

Configure Template
  1. Enter a Name, for example, MobileUserCertificate.
  2. Select the Certificate Authority, for example, CONTROLCENTER CA.
  3. Enter certificatetemplate:MobileUser for Issuing Template. The issuing template must match the template on the CA. In this example, the template name is MobileUser.
  4. Enter CN={EnrollmentUser} for Subject Name.
  5. Select 2048 for Private Key Length.
  6. Select both the Signing and Encryption options for Private Key Type.
  7. For SAN Type, select Email Address and {Email Address}.
  8. Add a second SAN Type and select User Principal Name and {UserPrincipalName}.
  9. Select the Enable Certificate Revocation check box.
  10. Click Save.
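The SAN types configured in this template are what step 3 of the authentication flow in the introduction relies on: Unified Access Gateway reads the UPN from the user certificate and requests a Kerberos ticket for that user. The pure-Python example below, added here and not part of the original guide or of any VMware product, encodes a SAN extension value with the same rfc822Name and UPN otherName (Microsoft OID 1.3.6.1.4.1.311.20.2.3), extracts the UPN back out of it, and maps it to a principal in the configured realm; all sample values are constructed.

```python
"""DER-level view of the SAN fields a certificate-to-Kerberos gateway reads.
Added example: no third-party libraries, constructed sample values only."""
from typing import Optional

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name otherName type


# ---- minimal DER helpers --------------------------------------------------
def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_read(buf: bytes, pos: int):
    """Return (tag, content, position just after this element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV; arcs after the first two use base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(body))


# ---- SAN value as issued from a template with Email Address + UPN SAN types ----
def build_san(email: str, upn: Optional[str]) -> bytes:
    """SubjectAltName extension value: rfc822Name [1] plus otherName [0] holding the UPN."""
    names = der_tlv(0x81, email.encode("ascii"))                  # [1] IMPLICIT IA5String
    if upn is not None:
        upn_value = der_tlv(0xA0, der_tlv(0x0C, upn.encode("utf-8")))  # [0] EXPLICIT UTF8String
        names += der_tlv(0xA0, encode_oid(UPN_OID) + upn_value)        # [0] IMPLICIT otherName
    return der_tlv(0x30, names)                                    # SEQUENCE OF GeneralName


# ---- step 3 of the flow: pull the UPN out of the certificate's SAN ----------
def extract_upn(san_der: bytes) -> Optional[str]:
    """Return the UPN from a SAN extension value, or None when no UPN otherName is present."""
    tag, names, _ = der_read(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN value is not a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, content, pos = der_read(names, pos)
        if tag != 0xA0:                    # rfc822Name, dNSName, ... are not otherName
            continue
        _, _, oid_end = der_read(content, 0)
        if content[:oid_end] != encode_oid(UPN_OID):
            continue                       # an otherName of some other type
        exp_tag, explicit, _ = der_read(content, oid_end)
        str_tag, value, _ = der_read(explicit, 0)
        if exp_tag != 0xA0 or str_tag != 0x0C:
            raise ValueError("malformed UPN otherName")
        return value.decode("utf-8")
    return None


def kerberos_principal(upn: str, realm: str) -> str:
    """Principal the gateway asks the KDC for; in this lab the UPN suffix is the
    Kerberos realm, and realm names are written in capitals (see Realm Settings)."""
    user, _, suffix = upn.partition("@")
    if not user or suffix.upper() != realm.upper():
        raise ValueError(f"UPN suffix {suffix!r} does not match realm {realm}")
    return f"{user}@{realm.upper()}"


if __name__ == "__main__":
    san = build_san("testuser@corp.local", "testuser@corp.local")   # constructed sample
    upn = extract_upn(san)
    print(upn, "->", kerberos_principal(upn, "CORP.LOCAL"))
```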

4. Confirm the Certificate Authority was Created

  1. Select the Certificate Authorities tab.
  2. Click Refresh if needed.
  3. Confirm that the CONTROLCENTER.CORP.LOCAL Certificate Authority was added.

4.1. Confirm the Certificate Request Template was Created

  1. Select the Request Templates tab.
  2. Click Refresh if needed.
  3. Confirm the MobileUserCertificate Request Template was added.

5. Validate the Certificate Template

There are several ways to validate that the Certificate Template is available on Microsoft CA. If you are using Enterprise Microsoft CA, open the Certificate Authority and you will see a folder named Certificate Template. If you are using Standalone CA (as in this exercise), use mmc.exe to see the list of templates.

Launch MMC

Launch MMC on your machine. In this example, the MMC snap-in is available on the task bar.

5.1. Select MobileUser Template

  1. Click Certificate Templates.
  2. Right-click the user template, for example, Mobile User.
  3. Click Properties.

The next steps help you to locate some of the template attributes that you defined in the Workspace ONE UEM Console.

5.2. Validate Template Name

Template Name
  1. Select the General tab.
  2. Validate your Template name, for example, MobileUser.

5.3. Validate Private Key Type

  1. Select the Request Handling tab.
  2. Confirm the Purpose is set to Signature and encryption.

5.4. Validate Private Key Length

  1. Select the Cryptography tab.
  2. Ensure the Minimum key size is 2048.

5.5. Validate Subject Name Request

  1. Select the Subject Name tab.
  2. Ensure Supply in the request is selected.

Enabling VMware Tunnel in the Workspace ONE UEM Console

When the VMware Tunnel edge service is enabled on the Unified Access Gateway appliance, it retrieves the VMware Tunnel configuration from Workspace ONE UEM. Therefore, the VMware Tunnel must be configured first in the Workspace ONE UEM Console, prior to deployment of the Unified Access Gateway appliance.

This section helps you to configure VMware Tunnel in the Workspace ONE UEM Console.

1. Open All Settings

  1. Select Groups & Settings.
  2. Select All Settings.


2. Configure VMware Tunnel Settings

  1. Select System.
  2. Select Enterprise Integration.
  3. Select VMware Tunnel.
  4. Select Configuration.
  5. Change the setting to Override.
  6. Select Enabled for VMware Tunnel.
  7. Click Configure.

2.1. Configure Deployment Type

  1. Select Enabled for Proxy (Windows & Linux).
  2. Select Basic (Single-Tier) from the drop-down menu for VPN Configuration Type. The Unified Access Gateway appliance is deployed on a DMZ where the VMware Tunnel edge service is enabled to communicate with the internal network.
  3. Select Disabled for Per-App Tunnel (Linux Only).
  4. Click Next to continue.

Enabling the Proxy option allows access to internal websites exclusively through Workspace ONE Web, which uses port 2020 to communicate with the front-end appliance. In this exercise, Proxy is not enabled.

2.2. Configure Hostname and Port Details

  1. Enter the VMware Tunnel server host name for Hostname.
  2. Enter a Port number.
  3. Click Next.

2.3. Configure VMware Tunnel SSL Certificate

  1. Ensure Use Public SSL Certificate is selected.
  2. Click Upload and navigate to your certificate. This example uses the airwlab.pfx file in C:\AW Tools.
  3. Click Next.

2.4. Select Authentication

  1. Select Default.
  2. Click Next.

2.5. Select Miscellaneous Details

  1. Select Disabled for Access Logs.
  2. Click Next to continue.

2.6. Confirm VMware Tunnel Settings

Verify that the configuration summary is correct. Click Save to continue.

2.7. Download the Unified Access Gateway Appliance

After the configuration is saved, click Download the Unified Access Gateway to download the virtual appliance. Extract the ZIP file on the Windows machine where you will install Unified Access Gateway.

Workspace ONE Web Application Settings and Policies

The Settings and Policies section of the Workspace ONE UEM Console contains settings that control security, behavior, and the data retrieval of specific applications. The settings are often called SDK settings because they run on the Workspace ONE SDK framework.

You can apply these SDK features to applications built with the Workspace ONE SDK, to supported Workspace ONE UEM applications, and to applications wrapped by the Workspace ONE App Wrapping engine. The same features can be applied because the Workspace ONE SDK framework processes the functionality.

Workspace ONE Web can use these Settings and Policies, which can be based on two types of SDK settings:

  • Default settings work well across organization groups, applied to large numbers of devices.
  • Custom settings work with individual devices or for small numbers of devices with applications that require special mobile application management (MAM) features.

In this exercise, you change the default settings of Workspace ONE Web.

1. Configure VMware Browser

  1. Select Apps.
  2. Select Browser.
  3. Select Override for Current Setting.
  4. Scroll down to find the Mode section.

1.1. Configure Browser Mode

Mode
  1. Select Disabled for Kiosk Mode.
  2. Enter your intranet website for Home Page URL, for example, http://intranet.corp.local/intranet.
  3. Select Allow for Selection Mode.
  4. Enter your Allowed Site URLs, for example, *.corp.local and *.airwlab.com.
  5. Click Save.

2. Configure Security Policies

  1. Select Settings and Policies.
  2. Select Security Policies.
  3. Select Override for Current Setting.
  4. Select Enabled for Integrated Authentication.
  5. Select Enabled for Use Certificate.
  6. Select Defined Certificate Authority for Credential Source.
  7. Select the Certificate Authority, for example, CONTROLCENTER CA.
  8. Select the Certificate Template, for example, MobileUserCertificate.
  9. Enter * for Allowed Sites.
  10. Scroll down to the end of the page.

This configuration allows the user credentials to be passed on to allowed sites for integrated authentication. In this example, the user certificate is the user credential.

2.1. Configure App Tunnel Mode Settings

App Tunnel Mode
  1. Select Enabled for AirWatch App Tunnel.
  2. Select VMware Tunnel - Proxy for App Tunnel Mode.
  3. Enter the App Tunnel URLs, for example, *.corp.local and *uag.airwlab.com*.
  4. Click Save.

In this step, you define how Workspace ONE Web redirects traffic to reach internal resources. Any request from Workspace ONE Web that matches the App Tunnel URLs is redirected through Tunnel Proxy.

Preparing VMware Tunnel and Reverse Proxy INI Settings for Deployment

This section covers the required INI settings to configure VMware Tunnel and web reverse proxy during the Unified Access Gateway appliance deployment.

1. Configure the General Deployment settings

The INI file contains all the configuration settings required to deploy the Unified Access Gateway appliance.

This exercise uses the uag-Cert-to-Kerberos.ini file and is configured for a Unified Access Gateway appliance called uag-Cert, that has two NICs—NIC one is set to internet facing and NIC two for back end and management.

2. Edit the INI File

Editing UAG-2NIC.ini

Navigate to your Unified Access Gateway INI file. In this example, the INI file is located in UAG Resources.

  1. Click the File Explorer icon from the task bar.
  2. Select Desktop.
  3. Select UAG Resources.
  4. Right-click the ini file, for example, uag-Cert-to-Kerberos.
  5. Click Edit with Notepad++.

3. General and Network Settings

In this example, the settings are already filled out. The General section includes details such as deployment location and network configuration for the Unified Access Gateway appliance.

The SSLCert and SSLCertAdmin sections contain SSL certificate location for the administrator and Internet interfaces.

4. Configuring VMware Tunnel Settings

AirWatch settings

The AirWatch section contains the required parameters to enable the VMware Tunnel edge service on your Unified Access Gateway appliance.

  1. Enter the apiServerUsername, for example, apiuser.
  2. Enter your Group ID for the Organization Group.
  3. Enter the apiServerUrl, for example, https://v9.airwlab.com.
  4. Enter the airwatchServerHostname, for example, https://pool##.airwlab.com.

During the Unified Access Gateway deployment, the PowerShell script prompts you for the apiServerUsername password.

5. Validate Web Reverse Proxy Configuration

WRP

A web reverse proxy instance called ITBUDGET has been added to this INI file. You use this instance to enable identity bridging and perform certificate to Kerberos authentication in a later exercise.

In this exercise, proxyDestinationUrl is set to https://it.corp.local. For your environment, set proxyDestinationUrl to an intranet address.

6. Save INI File

Click the Save icon to save your changes.

Deploying Unified Access Gateway Appliance

After you have configured the INI file for your Unified Access Gateway deployment, the next step is to run the uagdeploy.ps1 PowerShell script passing the INI as a parameter.

1. Open PowerShell window

Open PowerShell

Click the PowerShell icon.

2. Deploy Unified Access Gateway using PowerShell

After you run the script, it prompts for input.

  1. Navigate to the folder containing your INI file. For example, enter cd '.\Desktop\UAG Resources' then press Enter.
  2. Enter .\uagdeploy.ps1 .\<uag-tunnel>.ini <password1> <password2> false false no then press Enter.
  3. Replace <uag-tunnel> with your INI file name.
  4. Replace <password1> with the root password for the Unified Access Gateway appliance, and <password2> with the administrator password for REST API management access.
  5. The first false means that validation of the signature and certificate is not skipped.
  6. The second false means that SSL verification for the vSphere connection is not skipped.
  7. The no means that the appliance does not join the VMware CEIP program.
  8. Enter the password for the certificate referenced in the SSLCert and SSLCertAdmin sections.
  9. Enter the password for the apiuser previously defined in the INI file, which allows Unified Access Gateway to obtain the VMware Tunnel settings from Workspace ONE UEM.
  9. Enter the password for the apiuser previously defined on the INI file, which allows Unified Access Gateway to obtain the VMware Tunnel settings from Workspace ONE UEM.

To avoid a password request for the certificate, remove the pfxCert values and provide a PEM certificate in the INI file. Set the pemCerts and pemPrivKey for the SSLCert and SSLCertAdmin sections in the INI file.

The deployment starts and you can follow the progress in the same window or on your vSphere Web Client.

3. Confirm the PowerShell Script Deployment Completes

  1. Confirm the deployment has been completed successfully. The Completed successfully text is shown in the output.
  2. Click Close.
  3. After a successful deployment, the script automatically powers on the VM UAG-CERT.
  4. The Received IP address presented by the script log is a temporary IP; the final IPs for NIC one and NIC two are assigned to the Unified Access Gateway appliance during the first start. Return to the vSphere Web Client and validate the IP address in the next step.

4. Validate Unified Access Gateway Deployment

Return to the vSphere Web Client tab in Google Chrome.

  1. If you do not see the UAG-CERT VM under Nested_Datacenter, you may need to click Refresh.
  2. Click UAG-CERT.
  3. Click the Summary tab.
  4. Click View all 2 IP addresses.
  5. In this example, the IP addresses are:
    192.168.110.20
    172.16.0.20

Important: If the Unified Access Gateway appliance does not finalize the configuration during the first startup, you receive an error message from vSphere Web Client. If that happens, wait for the appliance to finalize, and refresh the entire Google Chrome browser.

5. Log In to Unified Access Gateway Administration Console

UAG Admin UI Login
  1. Click the New Tab button to open a new tab.
  2. Navigate to the Unified Access Gateway administration console URL, for example, https://uagmgt-int.airwlab.com:9443/admin.
  3. Enter the username, for example, admin.
  4. Enter the password, for example, VMware1!.
  5. Click Login.

6. Validate Configuration Settings

Select Configuration Settings

A successful login redirects you to the following screen.

Click Select to configure settings manually.

7. Confirm the Web Reverse Proxy Instance is Running

General Settings

Follow the next steps to confirm that a web reverse proxy instance named itbudget has been automatically configured. 

  1. Click SHOW. After you click it, the label changes to HIDE.
  2. Click the arrow next to Reverse Proxy Settings.
  3. Confirm that itbudget exists.

Keep the administration console open as the next step is to enable the identity bridging feature for itbudget.

8. Test Tunnel Proxy Connection

Open All Settings

Return to the Workspace ONE UEM Console to perform a test connection between Tunnel Proxy and Workspace ONE UEM API, AWCM, and device service.

  1. Select Groups & Settings.
  2. Select All Settings.


8.1. Perform Test Connection for Tunnel Proxy

  1. Select System.
  2. Select Enterprise Integration.
  3. Select VMware Tunnel.
  4. Select Configuration.
  5. Click Test Connection.

8.2. Verify Test Connection Results

If all test connection results are green, your environment is set up correctly and you can proceed to the next steps. Click Cancel or the X button to close the screen.

Configuring Identity Bridging on Unified Access Gateway

You have deployed the Unified Access Gateway appliance, confirmed that the itbudget web reverse proxy was configured, and tested the Tunnel Proxy connection settings. The next steps are performed in the Unified Access Gateway administration console.

1. Return to the Unified Access Gateway Administration Console

Return to the Unified Access Gateway administration console.

2. Configure Certificate Authentication Settings

Enable Certificate
  1. Click Show for the Authentication Settings.
  2. Click the gear icon next to X.509 Certificate.

2.1. Upload Certificate to Unified Access Gateway Appliance

Access the instance configuration
  1. Click NO to enable X.509 Certificate. After you click NO, the toggle changes to YES and you will see additional options.
  2. Click Select to upload the Root and Intermediate CA Certificates.
  3. Navigate to your certificate location, for example, C:\AW Tools and press Enter.
  4. Click the combo box and select All Files.
  5. Select your root certificate, for example, root-corplocal.pem.
  6. Click Open.

2.2. Enable Certificate Revocation

Cert Revocation

Point to the information icon to read a tip on each of the following steps.

Unified Access Gateway can perform a certificate revocation check in two ways: through a CRL (Certificate Revocation List) or through OCSP (Online Certificate Status Protocol). In this step, you configure Unified Access Gateway to use OCSP and, in case OCSP fails, to fall back to the CRL.

  1. Click Yes to Enable Cert Revocation.
  2. Select the Use CRL from Certificate check box.
  3. Enter the CRL Location, for example, http://controlcenter.corp.local/CertEnroll/corp-CONTROLCENTER-CA.crl.
  4. Select the Enable OCSP Revocation check box.
  5. Click Yes for Use CRL in case of OCSP Failure.
  6. Enter the OCSP URL, for example, http://controlcenter.corp.local/ocsp.
  7. Select the Use OCSP URL from certificate check box.
  8. Click Save.

3. Configure Keytab

Click the gear icon for Upload Keytab Settings under Identity Bridging Settings.

3.1. Update the Keytab Settings

Set Keytab
  1. Enter the Principal Name, for example, HTTP/it.corp.local@CORP.LOCAL.
  2. Click Select.
  3. Select Local Disk (C:) folder.
  4. Select the it.keytab file.
  5. Click Open.
  6. Click Save.
  7. After you click Save, you should see the message Keytab upload is successful.
  8. Note: If you do not enter a Principal Name value, then the first Principal Name found in the keytab file will be used. If your keytab contains multiple Principal Names, you should manually enter Principal Name in Keytab Settings.
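The note in step 8 describes how the principal is chosen when the keytab holds more than one: a configured Principal Name wins, otherwise the first entry in the file is used. The parser below, added here as an example and not part of the original guide or of Unified Access Gateway, reads the MIT keytab format (version 0x0502, big-endian) and applies that rule so you can check what a keytab actually contains before uploading it; the two entries and their keys are constructed dummy data.

```python
"""List the principals in a Kerberos keytab and apply the gateway's selection rule.
Added example: MIT keytab v2 format, constructed sample entries with dummy keys."""
import struct
from typing import Dict, List, Optional

KEYTAB_MAGIC = b"\x05\x02"      # keytab file format version 2
KRB5_NT_PRINCIPAL = 1           # name type for service/host principals
# enctype numbers (RFC 3962): 17 = aes128-cts-hmac-sha1-96, 18 = aes256-cts-hmac-sha1-96


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def keytab_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Encode one entry: size, component count, realm, components, name type,
    timestamp, 8-bit vno, key block, and the optional 32-bit kvno extension."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)          # 32-bit kvno; needed once kvno exceeds 255
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(keytab_entry(*e) for e in entries)


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data: bytes) -> List[Dict]:
    """Return the entries in file order; key bytes are not returned, only their length."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                          # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                       # skip over the key material itself
        kvno = vno8
        if end - pos >= 4:                    # 32-bit kvno present; a nonzero value overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key_len": klen})
    return entries


def select_principal(data: bytes, configured: Optional[str] = None) -> str:
    """Rule from Keytab Settings: an explicit Principal Name must exist in the
    keytab; with none configured, the first principal in the file is used."""
    entries = parse_keytab(data)
    if not entries:
        raise ValueError("keytab has no entries")
    if configured is None:
        return entries[0]["principal"]
    if not any(e["principal"] == configured for e in entries):
        raise ValueError(f"{configured} not found in keytab")
    return configured


# Constructed sample keytab: two service principals, all-zero dummy keys.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/it.corp.local@CORP.LOCAL", 3, 18, bytes(32)),
    ("HTTP/intranet.corp.local@CORP.LOCAL", 7, 17, bytes(16)),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print("used when no Principal Name is set:", select_principal(SAMPLE_KEYTAB))
```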

4. Configure Realm

Click the gear icon for Realm Settings under Advanced Settings.

4.1. Add a Realm Setting

Add Realm Settings

Click Add.

4.2. Configure the Realm Settings

Realm Settings
  1. Enter the Name of the realm, for example, CORP.LOCAL.
  2. Note: This entry must use capital letters.
  3. Enter the Key Distribution Centers, for example, corp.local.
  4. Enter 3 for KCD Timeout (in seconds).
  5. Click Save.
  6. After you click Save, you should see the message Configuration saved successful.

4.3. Close the Realm Settings

Realm configured

You have configured the Realm settings.

Click Close.

5. Configure OCSP Settings

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

Unified Access Gateway sends the OCSP request to the specified URL and receives a response that contains information indicating whether or not the certificate is revoked. To allow that communication, the OCSP Signing Certificate must be uploaded to the Unified Access Gateway appliance.


In Identity Bridging Settings, click the gear icon next to OCSP Settings.

5.1. How to Obtain the OCSP Signing Certificate

You can view and export the OCSP signing certificate in the Online Responder Management Console, which you can install and configure from Windows Features. During that configuration, you are asked to create the OCSP signing certificate on the CA. Therefore, in a production scenario, you have two options to obtain the signing certificate: export it from the Online Responder Management Console, or export it from the CA on which it was issued.

In this example, the certificate has already been exported to C:\AW Tools, named ocsp.crt.

5.2. Add OCSP Setting

Add

Click Add.

5.3. Select OCSP Signing Certificate

Select OCSP Certificate
  1. Click Select.
  2. Navigate to C:\AW Tools.
  3. Change the filter to All Files.
  4. Select the ocsp.crt certificate — This is the certificate used to sign your OCSP Responder.
  5. Click Open.
  6. Click Save.

5.4. Confirm OCSP Settings

Confirm

After you click Save, confirm that you see the OCSP signing certificate information.

Click Close.

6. Configure Identity Bridging for Web Reverse Proxy Instance

Next, configure identity bridging for the web reverse proxy instance, itbudget.

6.1. Open the ITBUDGET Reverse Proxy Settings

Access Reverse Proxy settings
  1. If the Edge Service Settings are currently hidden, click the Show toggle to display the settings.
  2. Select the gear icon for Reverse Proxy Settings.

6.2. Select ITBUDGET Reverse Proxy Instance

Setup itbudget instance

Select the gear icon for the itbudget reverse proxy instance.

6.3. Update the ITBUDGET Identity Bridging Settings

Config identity bridging
  1. Click NO to show the Enable Identity Bridging settings. After you click No, it changes to YES.
  2. Select CERTIFICATE for Authentication Types.
  3. Select the Keytab, for example, HTTP/it.corp.local@CORP.LOCAL.
  4. Enter the Target Service Principal Name, for example, HTTP/it.corp.local@CORP.LOCAL. 
  5. Click Save.

6.4. Confirm the Identity Bridging Settings Saved

Confirm the Configuration is saved successfully message is displayed.

Enrolling an iOS Device

In this section, enroll your iOS device in Workspace ONE UEM by installing the Workspace ONE Intelligent Hub (formerly the AirWatch Agent).

1. Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)

Download/Install AirWatch MDM Agent Application from App Store - IF NEEDED

NOTE: Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does not have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

2. Launch the Workspace ONE Intelligent Hub

Launching the AirWatch MDM Agent

Launch the Hub app on the device.  

NOTE: If you have your own iOS device and would like to test, you must download the Workspace ONE Intelligent Hub app first.

3. Enter the Server URL

Tap the Server Details button, then:

  1. Enter the Server URL for your Workspace ONE UEM environment.
  2. Tap Next.

4. Find Your Group ID From the Workspace ONE UEM Console

Finding your Group ID

Return to the Workspace ONE UEM Console.

  1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

Note: The Group ID is required when enrolling your device in the following steps.

5. Enter the Group ID for Workspace ONE Intelligent Hub

Return to the Workspace ONE Intelligent Hub application on your iOS device.

  1. Enter the Group ID of your Organization Group in the Group ID field. You noted this Group ID in the Finding your Group ID step.
  2. Tap the Next button.

NOTE: On an iPhone, you may have to close the keyboard by tapping Done before you can tap the Next button.

6. Enter User Credentials

Authenticate the AirWatch MDM Agent

You now provide user credentials to authenticate to Workspace ONE UEM.

  1. Enter testuser in the Username field.
  2. Enter VMware1! in the Password field.
  3. Tap the Next button.

7. Redirect to Safari and Enable MDM Enrollment in Settings

The Workspace ONE Intelligent Hub prompts you to enable Workspace Services to enroll your device into Workspace ONE UEM.

Tap Next to begin.

8. Allow Website to Open Settings (IF NEEDED)

If you are prompted to allow the website to open Settings, tap Allow.

NOTE: If you do not see this prompt, ignore this and continue to the next step. This prompt occurs only for iOS devices on iOS 10.3.3 or later.

9. Install the Workspace ONE MDM Profile

Install the MDM Profile

Tap Install in the upper-right corner of the Install Profile dialog box.

10. Install and Verify the Workspace ONE MDM Profile

Install and Verify the AirWatch MDM Profile

Tap Install when prompted on the Install Profile dialog.

11. iOS MDM Profile Warning

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

12. Trust the Remote Management Profile

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

13. iOS Profile Installation Complete

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper-right corner of the prompt.

14. Workspace ONE UEM Enrollment Success

AirWatch Enrollment Success

Your enrollment is now complete. Tap Open to navigate to the Workspace ONE Intelligent Hub.

15. Accept the Workspace ONE Intelligent Hub Notice

Tap Done to confirm the notice and continue.

16. Accept Notifications for Hub (IF NEEDED)

Tap Allow if you get a prompt to allow notifications for the Hub app.

17. Accept the App Installation (IF NEEDED)

You may be prompted to install a series of applications. If prompted, tap Install to accept the application installation.

18. Confirm the Privacy Policy

Tap I Understand when shown the Privacy policy.

19. Accept the Data Sharing Policy

Tap I Agree for the Data Sharing policy.

20. Confirm the Device Enrollment in the Hub App

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM. Continue to the next step.

Testing Access to Workspace ONE Web using SSO through Identity Bridging

Now that you have enabled identity bridging and configured the certificate to Kerberos option, you are ready to test access to Workspace ONE Web on your iOS device.

1. Launch Workspace ONE Web

Confirm that Workspace ONE Web is already installed on your device. Tap Browser to open the application.

2. Confirm Access to Intranet Site

Intranet Home Page

In a previous exercise (Configure Browser Mode), you set an intranet address as the home page for Workspace ONE Web, for example, http://intranet.corp.local. This intranet page should now be showing.

In this example, Workspace ONE Web uses the Tunnel Proxy component of the VMware Tunnel service to reach this internal website. The intranet URL is not reachable directly from any other external network.

3. Access ITBUDGET Website from Workspace ONE Web

Test access

Navigate to https://uag.airwlab.com/itbudget.

You should see the webpage without any prompt to provide any credentials.

4. Validate Kerberos Authentication

This section helps you to validate Kerberos authentication.

4.1. Launch Event Viewer

Launch Event Viewer

Open Event Viewer.

4.2. Connect to Event Viewer From Another Computer

  1. Right-click Event Viewer (Local).
  2. Select Connect to Another Computer.

4.3. Connect to INTRANET Server Event Viewer

Select Computer
  1. Select Another computer and enter the server name, for example, INTRANET.
  2. Click OK.

4.4. View Logon Logs

  1. Expand the Windows Logs node.
  2. Select Security.
  3. Select one Logon Category event.
  4. Select the Details tab.
  5. Click the XML View toggle.
  6. Confirm that the log details show a logon on behalf of the user PSILVER with Kerberos as the authentication package.
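As an added example (not part of the VMware guide), the following PowerShell script performs the same check as the Event Viewer steps above from an administrator workstation: it pulls successful logon events (Event ID 4624) from the INTRANET server's Security log and keeps only those authenticated with the Kerberos package for the bridged user, so you can confirm the back end received a Kerberos logon rather than NTLM or anonymous access. Event ID 4624 and the EventData field names are standard Windows Security log values; the server name INTRANET and user PSILVER come from the guide, and the parameter defaults and event count are this example's own assumptions.

```powershell
# Added example, not the guide's own code. Requires rights to read the remote Security log,
# the same access that Event Viewer's "Connect to Another Computer" uses.
param(
    [string]$ComputerName = 'INTRANET',   # back-end IIS host from the guide
    [string]$TargetUser   = 'PSILVER',    # user expected in the logon events (from the guide)
    [int]$MaxEvents       = 200           # assumed window; raise it on a busy server
)

# 4624 = "An account was successfully logged on". A Kerberos-authenticated HTTP request
# to IIS produces a network logon (LogonType 3) with AuthenticationPackageName = Kerberos.
$events = Get-WinEvent -ComputerName $ComputerName `
    -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents

foreach ($ev in $events) {
    # Same data as the XML View tab in Event Viewer, parsed into name/value pairs.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only Kerberos logons for the expected user; anything else (NTLM, Negotiate
    # falling back, a different account) indicates identity bridging did not work as intended.
    if ($data['AuthenticationPackageName'] -ne 'Kerberos') { continue }
    if ($data['TargetUserName'] -ne $TargetUser) { continue }

    [pscustomobject]@{
        Time        = $ev.TimeCreated
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = $data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']
        # Lists the SPNs involved when the ticket was obtained through Kerberos delegation,
        # i.e. the service ticket was requested on the user's behalf by the delegating service.
        Transited   = $data['TransitedServices']
        SourceIP    = $data['IpAddress']
    }
}
```

A Kerberos 4624 for the expected user with a populated Transited Services field confirms the gateway obtained the ticket on the user's behalf; an empty result set while the page loaded means the request authenticated some other way and the IIS and delegation settings should be rechecked.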

5. Validate Certificate Requested by Workspace ONE Web

This section helps you to confirm that Workspace ONE Web requested a certificate for authentication.

5.1. Launch Certificate Authority

Launch CA

Click the Certificate Authority icon.

5.2. Open Most Recently Issued Certificate

  1. Click Issued Certificates.
  2. Select the last issued certificate.
  3. Right-click and select Open.

5.3. Confirm the Certificate Was Issued to Correct User

Confirm the most recently issued certificate was issued to psilver@corp.local.

Conclusion

In this set of exercises, you have learned how to:

  • Deploy a Unified Access Gateway appliance with two NICs, one internet-facing and the second dedicated to management and back-end access. The Web reverse proxy configuration for accessing the intranet is applied automatically during deployment.
  • Configure Internet Information Server (IIS) to support Kerberos authentication
  • Set up Kerberos delegation on the service account
  • Configure identity bridging on Unified Access Gateway
  • Configure VMware Enterprise System Connector to integrate Microsoft AD with Workspace ONE UEM
  • Integrate CA with Workspace ONE UEM
  • Configure Workspace ONE Web to use a certificate for authentication
  • Access an internal website through Unified Access Gateway, performing certificate to Kerberos authentication through Workspace ONE Web

For more information, see the VMware Unified Access Gateway documentation.