Configuring SAML to Kerberos Option for Identity Bridging

VMware Workspace ONE UEM 9.5 and later VMware Unified Access Gateway 3.3 and later


Introduction

Unified Access Gateway in identity bridging mode (SAML to Kerberos) acts as the service provider that passes user authentication to the configured legacy applications. VMware Identity Manager acts as an identity provider and provides SSO into SAML applications. When users access legacy applications that require KCD or header-based authentication, VMware Identity Manager authenticates the user. A SAML assertion with the user's information is sent to the Unified Access Gateway. Unified Access Gateway uses this authentication to allow users to access the application.

This section helps you to configure the SAML to Kerberos option in identity bridging by providing SSO to legacy web applications using KCD.

This set of exercises covers a Unified Access Gateway 3.3 deployment with VMware Identity Manager 3.2.1 in vSphere 6.5 U1.

Procedures include:

  • Deploying a Unified Access Gateway appliance with two NICs, one facing the internet and the second one dedicated to management and back end access
  • Configuring identity bridging on Unified Access Gateway
  • Configuring Web application (SAML) on VMware Identity Manager
  • Testing external access to an internal web application (SAML) using SSO through identity bridging (Kerberos)

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

1. Authentication Flow

The following diagram describes the authentication flow that you configure in this section.

  1. Client navigates to the application URL (https://uag.airwlab.com/itbudget).
  2. Client is redirected to the IdP (Workspace One) for authentication (https://vidm.airwlab.com). The IdP issues a SAML assertion upon authentication.
  3. Client passes the SAML assertion to Unified Access Gateway (http://uag.airwlab.com). Unified Access Gateway validates that the SAML assertion is from a trusted IdP.
  4. Unified Access Gateway extracts the client’s username from the SAML assertion and requests a Kerberos ticket from Active Directory (CORP.LOCAL) on behalf of that user.
  5. Unified Access Gateway authenticates against the internal web server (https://it.corp.local) using the Kerberos ticket obtained from AD.

Prerequisites

Before you can perform the steps in this exercise, you must install and configure the following components:

  • VMware AirWatch 8.4 and later or VMware Workspace ONE UEM 9.5 and later
  • VMware vSphere ESX host with a vCenter Server (vSphere 6® and later)
  • vSphere data store and network to use
  • PowerShell script running on Windows 8.1 or later machines, or Windows Server 2008 R2 or later
  • Windows machine running the PowerShell script with VMware OVF Tool command installed (see OVF Tool Software Download to install OVF Tool 4.3 or later)
  • Obtain a Unified Access Gateway virtual appliance image OVA file, such as .euc-access-point-3.3.X.X-XXXXXXXXXXX.ova (see VMware Product Interoperability Matrixes to determine which version to download)
  • Unified Access Gateway PowerShell script, such as uagdeploy-VERSION.ZIP (download from my.vmware.com, and extract the files into a folder on your Windows machine)
  • Network access from the Unified Access Gateway back end services NIC to the internal website used on the reverse proxy.

Logging In to the vSphere Web Client

To perform most of this exercise, you need to log in to the vSphere Web Client.

1. Launch Chrome Browser


Double-click the Google Chrome browser icon on the desktop.

2. Authenticate to the vSphere Web Client

  1. Launch the Chrome browser from your desktop and click the bookmark for vSphere.
  2. Enter the username, such as administrator@vsphere.local.
  3. Enter the password, such as VMware1!.
  4. Click Login.

After completing the login, you are presented with the vSphere Web Client.

Preparing Web Reverse Proxy INI Settings for Deployment

You can deploy and configure Unified Access Gateway using a PowerShell script.

This section helps you to configure the required INI settings for a Web Reverse Proxy instance during the Unified Access Gateway appliance deployment.

1. Configuring the General Deployment Settings

An INI file containing all the configuration settings is required to deploy the Unified Access Gateway appliance.

In this exercise, you use the uag-ReverseProxy.ini file to provide the respective parameters for your deployment.

You deploy a new Unified Access Gateway appliance called UAG-2NIC, which has two NICs. NIC one is Internet-facing and NIC two is for back end and management.

1.1. Edit the UAG-ReverseProxy.ini File

Editing UAG-2NIC.ini

Navigate to uag-ReverseProxy.ini. In this example, the INI file is located in UAG Resources.

  1. Click the File Explorer icon on the task bar.
  2. Select Desktop.
  3. Select UAG Resources.
  4. Right-click the uag-ReverseProxy.ini file.
  5. Click Edit with Notepad++.

1.2. Configure General Settings (1/2)

General Settings 1/2

In the General section, configure the following parameters. Your values will differ.

  1. For name, enter UAG-2NIC.
  2. For source, enter the path and name of the OVA File. For example, the OVA file is located in C:\Users\Administrator\Desktop\UAG Resources\UAG Files.
  3. For target, enter vi://administrator@vsphere.local:VMware1!@vc.corp.local/Nested_Datacenter/host/Host_Cluster.
    Note: You can replace the password with 'PASSWORD' and the script prompts for the password during the PowerShell execution.
  4. For diskmode, enter thin.
  5. For ds, enter datastore2_ESXi01 (ds refers to data store).
  6. For deploymentOption, enter twonic.

 

1.3. Configure General Settings (2/2)

General Settings 2/2

Continuing with the General section, configure the following parameters in the INI file.

  1. For ipMode, enter STATICV4.
  2. For defaultGateway, enter 192.168.110.1.
  3. For dns, enter 192.168.110.10.
  4. For ip0, enter 192.168.110.20.
    Note: ip0 is the Internet-facing NIC.
  5. For ip1, enter 172.16.0.20.
    Note: ip1 is the internally facing NIC.
  6. For netmask0 and netmask1, enter 255.255.255.0.
  7. For netInternet, enter DMZ_VM_DPortGroup.
  8. For netManagementNetwork and netBackendNetwork, enter Internal_VM_DPortGroup.

1.4. Configure TLS/SSL Certificates for Unified Access Gateway Appliance

Select Name and Location

SSLCert and SSLCertAdmin contain SSL certificate information for the administration and Internet interfaces.

  1. For pfxCerts under SSLCert, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the Internet interface).
  2. For pfxCerts under SSLCertAdmin, enter C:\AW Tools\airwlab.com.pfx (this certificate is for the administration interface).

The certificate password is requested during the deployment.

2. Configure Web Reverse Proxy instance

In addition to the regular settings responsible for the appliance configuration, you add an additional section named WebReverseProxy1. The following steps help you to configure a Web reverse proxy instance named itbudget.

  1. For proxyDestinationUrl, enter an internal URL. For example, https://it.corp.local.
  2. For instanceId, enter a name such as, itbudget.
  3. For proxyDestinationUrlThumbprints, enter sha1=b2 56 a1 cf 8b 21 95 22 45 c2 c0 30 91 7c 1b 75 ce 51 74 e5.
  4. For landingPagePath, enter /.
  5. For proxyHostPattern, enter uag.airwlab.com.
  6. For proxyPattern, enter (|/itbudget(.*)|).

You can configure this WebReverseProxy instance in the Unified Access Gateway administration console; however, this exercise shows you how to automate that configuration. The following list describes the required parameters.

  • proxyDestinationUrl — The internal address of the Web application, which is usually the back end URL.
  • instanceId — The unique name to identify and differentiate a Web reverse proxy instance from all other Web reverse proxy instances.
  • proxyDestinationUrlThumbprints — A list of acceptable SSL server certificate thumbprints for the proxyDestination URL.
  • landingPagePath — The page the user is redirected to when accessing the website.
  • proxyHostPattern — External host name used to check the incoming host to see whether it matches the pattern for that particular instance. Host pattern is optional when configuring Web reverse proxy instances.
  • proxyPattern — The matching URI paths that forward to the destination URL.
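The following Python script is an added example (not VMware's documentation or scripts) that assembles the INI values from the steps above and runs two pre-flight checks before you deploy: whether proxyDestinationUrlThumbprints pins the certificate actually served by proxyDestinationUrl, and which request paths the proxyPattern claims. It assumes UAG matches proxyPattern against the whole request path and that thumbprints compare case-insensitively with spaces or colons ignored; the INI text inside it is constructed from this exercise's values.

```python
"""Pre-flight checks for uag-ReverseProxy.ini (added example, not VMware's code)."""
import configparser
import hashlib
import re
import ssl

# Constructed INI fragment assembled from the values used in this exercise.
UAG_INI = r"""
[General]
name=UAG-2NIC
deploymentOption=twonic

[WebReverseProxy1]
instanceId=itbudget
proxyDestinationUrl=https://it.corp.local
proxyDestinationUrlThumbprints=sha1=b2 56 a1 cf 8b 21 95 22 45 c2 c0 30 91 7c 1b 75 ce 51 74 e5
landingPagePath=/
proxyHostPattern=uag.airwlab.com
proxyPattern=(|/itbudget(.*)|)
"""


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse UAG INI text. Only '=' separates keys from values, because
    values such as 'sha1=b2 ...' and 'https://...' contain '=' and ':'."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    return cfg


def format_thumbprint(der: bytes) -> str:
    """SHA-1 of a DER certificate in the 'sha1=xx xx ...' form used in the INI."""
    digest = hashlib.sha1(der).hexdigest()
    return "sha1=" + " ".join(digest[i:i + 2] for i in range(0, 40, 2))


def fetch_thumbprint(host: str, port: int = 443) -> str:
    """Fetch the back-end server certificate (no validation) and hash it."""
    pem = ssl.get_server_certificate((host, port))
    return format_thumbprint(ssl.PEM_cert_to_DER_cert(pem))


def normalize(thumbprint: str) -> str:
    """'sha1=B2 56 ...' or 'b2:56:...' -> 'b256...' for comparison."""
    return re.sub(r"[\s:]", "", thumbprint.split("=", 1)[-1]).lower()


def thumbprint_pinned(ini_value: str, observed: str) -> bool:
    """True if the observed thumbprint is in the INI's comma-separated list.
    The INI pins the back-end certificate, so an unexpected value needs a look."""
    allowed = {normalize(t) for t in ini_value.split(",") if t.strip()}
    return normalize(observed) in allowed


def path_is_proxied(pattern: str, path: str) -> bool:
    """Does this instance's proxyPattern claim the request path?
    Assumption: UAG matches the pattern against the whole path (fullmatch)."""
    return re.fullmatch(pattern, path) is not None
```

Run fetch_thumbprint("it.corp.local") from a host on the back-end network and compare the result with thumbprint_pinned before running uagdeploy.ps1. Note that /itbudget(.*) also claims paths such as /itbudgetary; if that is not intended, a tighter alternative is (|/itbudget(/.*)?|).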

Deploying Unified Access Gateway Appliance

After you have configured the INI file for your Unified Access Gateway deployment, the next step is to run the uagdeploy.ps1 PowerShell script passing the INI as a parameter.

1. Open PowerShell window

Open PowerShell

Click the PowerShell icon.

2. Deploy Unified Access Gateway Using PowerShell

After you run the script, it prompts for input.

  1. Navigate to the folder containing your INI file. For example, enter cd '.\Desktop\UAG Resources' then press Enter.
  2. Enter .\uagdeploy.ps1 .\<uag-tunnel>.ini <password1> <password2> false false no then press Enter.
    Replace <uag-tunnel> with your INI file name.
    Replace <password1> with the root password for the UAG appliance. Replace <password2> with the administrator password for REST API management access.
    The first false is to not skip the validation of signature and certificate.
    The second false is to not skip SSL verification for the vSphere connection.
    The no is to not join the VMware CEIP program.
  3. Enter the password for the certificate used in the SSLCert and SSLCertAdmin fields.
  4. Enter the password for the apiuser previously defined on the INI file, which allows Unified Access Gateway to obtain the VMware Tunnel settings from Workspace ONE UEM.

To avoid a password request for the certificate, remove the pfxCert values and provide a PEM certificate in the INI file. Set the pemCerts and pemPrivKey for the SSLCert and SSLCertAdmin sections in the INI file.

The deployment starts and you can follow the progress in the same window or on your vSphere Web Client.

3. Confirm the PowerShell Script Deployment Completes

  1. Confirm the deployment has been completed successfully. The Completed successfully text is shown in the output.
  2. Click Close.

After a successful deployment, the script automatically powers on the VM UAG-2NIC.

The Received IP address presented by the script log is a temporary IP; the final IPs for NIC one and NIC two are assigned to the Unified Access Gateway appliance during the first start. Return to the vSphere Web Client and validate the IP address in the next step.

4. Validate Unified Access Gateway Deployment

Validating UAG Appliance status
  1. Click VM and Templates.
  2. Click UAG-2NIC.
  3. Click View all 2 IP addresses.

Important: If the Unified Access Gateway appliance does not finalize the configuration during the first startup, you receive an error message from vSphere Web Client. If that happens, wait for the appliance to finalize, and refresh the entire Google Chrome browser.

5. Log In to Unified Access Gateway Administration Console

UAG Admin UI Login
  1. Click the New Tab button to open a new tab.
  2. Navigate to the Unified Access Gateway administration console URL, for example, https://uagmgt-int.airwlab.com:9443/admin.
  3. Enter the username, for example, admin.
  4. Enter the password, for example, VMware1!.
  5. Click Login.

6. Validate Configuration Settings

Select Configuration Settings

A successful login redirects you to the following screen. Keep this window open as you will return to the administration console later.

Click Select to configure settings manually.

7. Confirm the Web Reverse Proxy Instance is Running

General Settings

Follow the next steps to confirm that a web reverse proxy instance named itbudget has been automatically configured. 

  1. Click SHOW. After you click it, the button changes to HIDE.
  2. Click the arrow next to Reverse Proxy Settings.
  3. Confirm that itbudget exists.

Obtaining IdP metadata from VMware Identity Manager

This section helps you to retrieve the IdP metadata file from VMware Identity Manager.

1. Log In to the VMware Identity Manager Administration Console

Return to Google Chrome.

  1. Click the New tab button.
  2. Enter the VMware Identity Manager administration console URL, for example, https://vidm.airwlab.com and press Enter.
  3. Select System Domain.
  4. Deselect the Remember this setting check box.
  5. Click Next.

1.1. Enter the Administrator Credentials

vIDM Credentials
  1. Enter the Username, for example, admin.
  2. Enter the Password, for example, VMware1!.
  3. Click Sign in.

1.2. Navigate to Catalog

Click Catalog.

1.3. Access Catalog Settings

Access Settings

Click Settings.

1.4. Download the Identity Provider Metadata

  1. Click SAML Metadata.
  2. Right-click Identity Provider (IdP) metadata.
  3. Click Save link as...

You need this file during the identity bridging configuration.

1.5. Save the Identity Provider Metadata

Save the IdP file
  1. Verify the Downloads folder is selected.
  2. Check the file name for the metadata is set to idp.xml.
  3. Click Save.

1.6. Close the Catalog Settings

Click the Close button to close the Catalog Settings screen.

Configuring Identity Bridging on Unified Access Gateway

You have deployed the Unified Access Gateway appliance and confirmed that the itbudget web reverse proxy was configured. The next steps are performed in the Unified Access Gateway administration console.

1. Configure Identity Provider

Scroll down to Identity Bridging Settings and click the gear icon next to Upload Identity Provider Metadata.

2. Upload the Identity Provider Metadata

Set IdP Metadata

Navigate to the idp.xml file. In this example, idp.xml is located in the Downloads folder.

  1. Click Select.
  2. Select Downloads.
  3. Select idp.xml.
  4. Click Open.
  5. Click Save.

After you click Save, you should see the message Configuration saved successfully.

Note: The Entity ID is retrieved from the IdP metadata XML, so there is no need to manually enter the value.

3. Configure Keytab

Under Identity Bridging Settings, click the gear icon next to Upload Keytab Settings.

4. Update the Keytab Settings

Set Keytab
  1. Enter the Principal Name, for example, HTTP/it.corp.local@CORP.LOCAL.
  2. Click Select.
  3. Select Local Disk (C:) folder.
  4. Select the it.keytab file.
  5. Click Open.
  6. Click Save.

After you click Save, you should see the message Keytab upload is successful.

Note: If you do not enter a Principal Name value, then the first Principal Name found in the keytab file will be used. If your keytab contains multiple Principal Names, you should manually enter Principal Name in Keytab Settings.

5. Configure Realm

Under Identity Bridging Settings, click the gear icon next to Realm Settings.

6. Add a Realm Setting

Add Realm Settings

Click Add.

7. Configure the Realm Settings

Realm Settings
  1. Enter the Name of the realm, for example, CORP.LOCAL.
    Note: This entry must use capital letters.
  2. Enter the Key Distribution Centers, for example, corp.local.
  3. Enter 3 for KCD Timeout (in seconds).
  4. Click Save.

After you click Save, you should see the message Configuration saved successfully.

8. Close the Realm Settings

Realm configured

You have configured the Realm settings.

Click Close.

9. Configure Identity Bridging

Access Reverse Proxy settings
  1. If the Edge Service Settings are currently hidden, click the Show toggle to display the settings.
  2. Select the gear icon for Reverse Proxy Settings.

10. Open the itbudget Reverse Proxy Settings

Setup itbudget instance

Select the gear icon for the itbudget reverse proxy Instance.

11. Update the itbudget Reverse Proxy Settings

Config identity bridging
  1. Click NO next to Enable Identity Bridging; it changes to YES.
  2. Select SAML for Authentication Types.
  3. Select your Identity Provider, for example, https://vidm.airwlab.com.
  4. Select the Keytab, for example, HTTP/it.corp.local@CORP.LOCAL.
  5. Enter the Target Service Principal Name, for example, HTTP/it.corp.local@CORP.LOCAL.
  6. Enter / for Service Landing Page.
  7. Click Download SAML service provider metadata. This will open a dialog box.

Important: Do not click Save at this point. Continue to the next step.

12. Download the SAML Service Provider Metadata

Download SAML SP metadata
  1. Enter the External Host Name, for example, uag.airwlab.com.
  2. Click Download.

An XML file is downloaded to the Downloads folder. This file will be used during the Web App setup in VMware Identity Manager.

13. Save the Reverse Proxy Settings

Config identity bridging

Click Save.

14. Confirm the Reverse Proxy Settings Saved

Confirm the Configuration is saved successfully message is displayed.

Configuring a Web Application in VMware Identity Manager

This section helps you to configure a web application named IT Budget in VMware Identity Manager.

1. Add New Web App

In the VMware Identity Manager administration console:

  1. Click the drop-down arrow next to Catalog.
  2. Click Web Apps.
  3. Click New.

2. Configure Web App

  1. Enter a Name, for example, IT Budget.
  2. Enter the Description, for example, Internal website for IT Budget planning.
  3. Click Next.

2.1. Upload SAML Service Provider Metadata

Open xml file

In this step, you navigate to the SAML XML file downloaded in Download the SAML Service Provider Metadata.

  1. Click the File Explorer icon from the taskbar.
  2. Select the Downloads folder.
  3. Right-click the XML file, for example, uag.airwlab.com.xml.
  4. Select Edit with Notepad++.

2.2. Copy the SAML XML

  1. Right-click on the content and click Select All.
  2. Right-click on the content and click Copy.
  3. Click X to close Notepad++.

2.3. Paste the SAML XML

Configuring SSO for WebApp

Return to the VMware Identity Manager Console.

  1. Right-click in the URL/XML text box.
  2. Click Paste, and confirm that the copied text is entered.
  3. Click Next.

2.4. Define Access Policies

Click Next.

You will use the default access policy already defined in VMware Identity Manager.

2.5. Save Web App Configuration

Click Save & Assign.

3. Assign Web App to an Active Directory Group

  1. Enter ALL USERS in the Users / User Groups text box.
  2. Select ALL USERS.

3.1. Update the Deployment Type and Save

  1. Select Automatic in the drop-down menu for Deployment Type.
  2. Click Save.

Testing Access to Web Application using SSO through Identity Bridging

You now have the IT Budget web application configured and added to the catalog.

  1. In Google Chrome, click the three dots menu on the upper-right corner.
  2. Select New incognito window.

1. Access the Intranet Site

Access internal website via UAG
  1. Enter your intranet address, for example, https://uag.airwlab.com/itbudget and press Enter.

2. Select the Domain

Select domain

You are redirected to VMware Identity Manager for authentication on your domain, for example, corp.local.

Click Next.

3. Enter Domain User Credentials

Enter credentials
  1. Enter your username, for example, imauser.
  2. Enter your password, for example, VMware1!.
  3. Click Sign in.

4. Confirm Access after Successful Authentication

You should see the internal website after a successful authentication.

 

5. Validate Kerberos Authentication

Launch Event Viewer

Return to your intranet machine and open Event Viewer.

6. View Logon Logs

  1. Expand the Windows Logs node.
  2. Select Security.
  3. Select one Logon Category event.
  4. Select the Details tab.
  5. Click the XML View toggle.
  6. The log details show an authentication on behalf of the user imauser using Kerberos.
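As an added example (not from VMware or this guide), the following Python script checks exported Security-log events for the logon the step above describes: a Kerberos network logon for imauser whose source is the UAG back-end NIC (172.16.0.20 in this exercise). The events are constructed samples in the XML View format; the script assumes event ID 4624 (successful logon) and that IpAddress records the UAG back-end address.

```python
"""Check Security-log logon events for the Kerberos SSO expected after identity
bridging (added example, not VMware's code). Event ID 4624 = successful logon."""
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events in the XML View format: one Kerberos network logon
# for imauser from the UAG back-end NIC (172.16.0.20), and one NTLM logon for
# the same user, which would show that logon did not come through KCD.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>it.corp.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">imauser</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="IpAddress">172.16.0.20</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>it.corp.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">imauser</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="IpAddress">172.16.0.20</Data>
  </EventData>
</Event>
</Events>"""

def parse_logons(xml_text: str) -> list:
    """Flatten each 4624 event into a dict of its EventData fields."""
    logons = []
    for ev in ET.fromstring(xml_text).findall("e:Event", EVT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=EVT_NS) != "4624":
            continue
        fields = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", EVT_NS)}
        logons.append(fields)
    return logons

def sso_via_kerberos(logons, user: str, uag_backend_ip: str) -> bool:
    """True when a Kerberos network logon (LogonType 3) for `user` arrived
    from the UAG back-end NIC, which is what successful identity bridging shows."""
    return any(
        ev.get("TargetUserName", "").lower() == user.lower()
        and ev.get("LogonType") == "3"
        and ev.get("AuthenticationPackageName") == "Kerberos"
        and ev.get("IpAddress") == uag_backend_ip
        for ev in logons
    )

def non_kerberos_logons(logons, user: str) -> list:
    """Logons for `user` that did not use Kerberos; worth investigating."""
    return [ev for ev in logons if ev.get("TargetUserName", "").lower() == user.lower()
            and ev.get("AuthenticationPackageName") != "Kerberos"]
```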

 

Conclusion

In this set of exercises, you have learned how to:

  • Deploy the VMware Unified Access Gateway on two NICs and configure a Web reverse proxy instance using a PowerShell script
  • Configure Internet Information Server (IIS) to support Kerberos authentication
  • Set up Kerberos delegation on the service account
  • Configure a Web application (SAML) on VMware Identity Manager
  • Configure identity bridging for a Web reverse proxy instance on Unified Access Gateway to provide single sign-on (SSO) to legacy Web applications

For more information, see the VMware Unified Access Gateway documentation.