Deploying On-Premises VMware Identity Manager: VMware Workspace ONE Operational Tutorial

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace™ ONE™ environment. Workspace ONE simplifies access to cloud, mobile, and enterprise applications from supported devices. As an IT professional, you can use Workspace ONE to deploy, manage, and secure applications. At the same time, you can offer a flexible, bring-your-own-device (BYOD) initiative to your end users from a central location.

Purpose

This operational tutorial provides you with exercises and discussions to help with your existing VMware Workspace ONE™ production environment. VMware provides operational tutorials to help you with

  • Common procedures or best practices
  • Complex manual procedures
  • Troubleshooting

Note: Before you begin any operational tutorial, you must first deploy a production environment. For information about deployment, see the VMware Workspace ONE Documentation.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE™ Unified Endpoint Management (UEM, formerly VMware AirWatch), is also helpful.

Deploying On-Premises VMware Identity Manager

Introduction

This tutorial helps you to install, configure, and manage some common tasks and authentication methods for VMware Identity Manager, such as:

  • Setting up and installing the vIDM Connector
  • Configuring and managing Directories and Users
  • Configuring Identity Providers (IdP) and Authentication Methods for Kerberos and Radius
  • Configuring and entitling Applications

The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured:

  • Workspace ONE UEM tenant 9.3 or later with admin credentials
  • On-premises VMware Identity Manager tenant
  • Windows Server machine to access Workspace ONE from a web browser
  • Windows Server machine to install VMware Enterprise Systems Connector
  • Windows Server machine to install the RADIUS server and client
  • On-premises Active Directory with users available to add to the VMware Identity Manager tenant
  • AD domain user account credentials
  • Windows 10 Device
  • To follow these instructions, download and save a google.png file to your Documents folder.
  • Certificate for Connector Server
  • Workspace ONE App


Downloading the VMware Identity Manager Connector

This section helps you download the VMware Identity Manager Connector installer file.

In the Workspace ONE UEM Console:

  1. Select Groups & Settings.
  2. Select All Settings.

1. Set Up the VMware Enterprise Systems Connector

  1. Select VMware Enterprise Systems Connector.
  2. Select Override for Current Setting.
  3. Select the Enable VMware Enterprise Systems Connector check box.

2. Save the VMware Enterprise Systems Connector Configuration

  1. You may need to scroll down to find the Save button.
  2. Click Save.
  3. Click OK when the prompt confirms the save was successful.

3. Download the VMware Enterprise Systems Connector

Click the Download VMware Enterprise Systems Connector Install link.

4. Set Up Password for the VMware Enterprise Systems Connector Certificate

  1. Enter VMware1! for Password.
  2. Enter VMware1! for Confirm Password.
  3. Click Download.

Installing and Configuring the VMware Identity Manager Connector Service

This section helps you to configure the VMware Identity Manager Connector within VMware Identity Manager and to install the VMware Enterprise Systems Connector.

Ensure you are logged in to the machine where you will install the VMware Enterprise Systems Connector.

1. Run the Installer

Click the VMware Enterprise Systems Connector Installer.exe from the download bar after it completes.

2. Confirm Security Warning and Run

Click Run.

3. Start the VMware Enterprise Systems Connector Installer

Click Next.

4. Accept the License Agreement Terms

  1. Select I accept the terms in the license agreement.
  2. Click Next.

5. Disable the AirWatch Cloud Connector Feature

  1. Click the drop-down menu by the AirWatch Cloud Connector component.
  2. Select This feature will not be available.

6. Enable the VMware Identity Manager Connector Feature

  1. Click the drop-down menu by the VMware Identity Manager Connector component.
  2. Click This feature will be installed on local hard drive.

7. Accept the Default Destination Folder

Click Next to accept the default destination folder.

8. Configure the SSL Certificate

  1. Select the Would you like to use your own SSL Certificate? check box.
  2. Click Browse...

8.1. Browse to the Connector SSL Certificate

Navigate to your connector certificate. In this example, the certificate is located in the Documents folder.

  1. Select Documents.
  2. Select HOL.
  3. Select the server certificate.
  4. Click Open.

8.2. Enter SSL Certificate Password

  1. Enter the Certificate Password, for example, VMware1!
  2. Click Next

9. Continue without Activating the Connector

  1. Select No for Would you like to activate the Connector now.
  2. Click Next.

In this exercise, you install only the VMware Identity Manager Connector. You activate the Connector after it has been set up in the VMware Identity Manager Admin Console and you have access to the Activation Code. As stated by the installer, this can be updated later by accessing the Connector settings at https://{hostname}:8443.

10. Set Up the Service Account Configuration

  1. Ensure the Would you like to run the Connector service as a domain user account option is selected.
  2. Enter the User name, for example, corp\administrator.
  3. Enter the Password, for example, VMware1!.
  4. Click Next.

11. Start the Install Process

Click Install.

12. Close the VMware Enterprise Systems Connector Wizard

Click Finish.

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate to the Workspace ONE UEM Console

  1. Enter your Username. This is the name provided in the activation email.
  2. Enter your Password. This is the password provided in the activation email.
  3. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Logging In to the VMware Identity Manager Console

To log in to the VMware Identity Manager Console, you need your VMware Identity Manager tenant details. You can retrieve these details from the email you received when you set up the tenant, or you can check the VMware Workspace ONE UEM Console.

1. Accessing Your Tenant Details in the Workspace ONE UEM Console

Follow the next steps to locate your VMware Identity Manager details within the Workspace ONE UEM Console.

1.1. Download the Text File From Workspace ONE UEM Content

In the Workspace ONE UEM Console:

  1. Select Content.
  2. Expand Content Locker.
  3. Select List View.
  4. Find the text file named vIDM Tenant Details for your@email.shown.here.txt and click the toggle button beside it to select the file.
  5. Click Download.

1.2. Open the Downloaded Text File

After the file downloads, click the vIDM Tenant Details for your@email.shown.here.txt file from the download bar to open it.

1.3. Copy the Tenant URL

  1. Select the Tenant URL text and right-click.
  2. Select Copy.

You can navigate to this Tenant URL in the next step to log in to your VMware Identity Manager tenant.

2. Log In to Your VMware Identity Manager Tenant

You can now log in to your VMware Identity Manager tenant.

2.1. Launch Google Chrome (If Needed)

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.

2.2. Open a New Browser Tab

Click the Tab space to open a new tab.

2.4. Log In to Your VMware Identity Manager Tenant

  1. Enter the Username, for example, Administrator.
  2. Enter the Password, for example, VMware1!.
  3. Click Sign In.

Configuring Your VMware Identity Manager Tenant for AD Users

Before configuring the Directory Services and the VMware Identity Manager settings in the Workspace ONE UEM Console, you need to make some configurations on your VMware Identity Manager tenant to ensure that Active Directory users are imported and mapped properly.

2. Save User Attribute Changes

  1. Scroll down to the bottom of the page.
  2. Click Save.

Creating and Configuring the VMware Identity Manager Connector

In the VMware Identity Manager Administrator Console:

  1. Click Identity & Access Management.
  2. Click Setup.
  3. Click Connectors.
  4. Click Add Connector.

1. Generate the Connector Activation Code

  1. Enter the Connector ID Name, for example, Lab.
  2. Click Generate Activation Code.

1.1. Copy the Connector Activation Code

  1. Double-click the Connector Activation Code text box to select the code.
  2. Right-click and click Copy.
  3. Click OK.

2. Activate the Connector

To activate the VMware Identity Manager Connector, navigate to the connector hostname over port 8443. For this exercise, it is https://vescsrv-01a.corp.local:8443.

  1. Click the Options icon.
  2. Click New Tab.
  3. Enter your connector hostname, for example, https://vescsrv-01a.corp.local:8443, and press Enter.

2.1. Create the Administrator Account Credentials

Configure the Appliance Administrator Account for future logins. In this example, it is admin.

  1. Enter the Password, for example, VMware1!.
  2. Re-enter the password to confirm.
  3. Click Continue.

2.2. Paste the Activation Code

  1. Right-click inside the Activation Code text box and click Paste to paste the Activation Code copied from the previous step when creating the Connector.
  2. Click Continue.

Note: While the page loads and refreshes, do not close or manually refresh the page until you see the Setup is complete screen shown in the next step.

2.3. Confirm the Setup Completed

When the configuration has saved successfully, you should see the Setup is complete page. Continue to the next step when this screen is displayed.

3. Verify the Connector Activated

Back in the VMware Identity Manager Console:

  1. Click the Refresh button in the browser.
  2. Select Identity & Access Management.
  3. Click Setup.
  4. Click Connectors.
  5. Confirm that the Connector now shows the Host Name, for example, vescsrv-01a.corp.local and the Worker named Lab.

This confirms that you have successfully set up and installed the VMware Identity Manager Windows Connector.
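Before activating over port 8443, it is worth confirming from another domain machine that the connector is reachable and is presenting the certificate you gave the installer in step 8. The following PowerShell check is an added example, not part of the VMware tutorial; the hostname and the PFX file name are assumed lab values.

```powershell
# Added example (not from the VMware tutorial): confirm the connector admin
# port used for activation is up and serves the certificate supplied to the
# installer. Assumed lab values: the hostname below and the PFX path.
$ConnectorHost = 'vescsrv-01a.corp.local'
$Port          = 8443
$PfxPath       = "$env:USERPROFILE\Documents\HOL\connector-cert.pfx"  # assumed file name
$PfxPassword   = Read-Host -AsSecureString -Prompt 'Certificate password'

# Certificate we expect the connector to present (the one chosen in step 8.1).
$Expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $PfxPassword

# 1. Reachability: the admin UI and the activation flow both use TCP 8443.
if (-not (Test-NetConnection -ComputerName $ConnectorHost -Port $Port -InformationLevel Quiet)) {
    throw "TCP $Port on $ConnectorHost is not reachable; check the connector service and the Windows firewall."
}

# 2. TLS handshake: fetch the certificate the service actually presents.
#    Chain validation is bypassed here only so an untrusted certificate can be
#    inspected; the thumbprint comparison below is the real check.
$Tcp = New-Object System.Net.Sockets.TcpClient($ConnectorHost, $Port)
$Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false, { param($s, $cert, $chain, $errors) $true })
try {
    $Ssl.AuthenticateAsClient($ConnectorHost)
    $Presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Ssl.RemoteCertificate
}
finally {
    $Ssl.Dispose(); $Tcp.Dispose()
}

# 3. Same certificate, name matches the hostname clients will use, not about to expire.
$Problems = @()
if ($Presented.Thumbprint -ne $Expected.Thumbprint) {
    $Problems += "Presented thumbprint $($Presented.Thumbprint) differs from PFX thumbprint $($Expected.Thumbprint)."
}
if ($Presented.DnsNameList.Unicode -notcontains $ConnectorHost) {
    $Problems += "Certificate names ($($Presented.DnsNameList.Unicode -join ', ')) do not include $ConnectorHost."
}
if ($Presented.NotAfter -lt (Get-Date).AddDays(30)) {
    $Problems += "Certificate expires $($Presented.NotAfter); renew it before the connector goes to production."
}

if ($Problems) { $Problems | ForEach-Object { Write-Warning $_ } }
else { "OK: $ConnectorHost`:$Port presents $($Presented.Subject) (thumbprint $($Presented.Thumbprint))." }
```

A thumbprint mismatch usually means the installer kept its self-signed certificate; a name mismatch will show up later as browser and Workspace ONE app trust errors against the connector.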


Syncing Directory Users to VMware Identity Manager

This section helps you to add a new Directory in VMware Identity Manager and then sync users from Active Directory into your VMware Identity Manager tenant.

1. Add an Active Directory over LDAP

In the VMware Identity Manager Administrator Console:

  1. Click Identity & Access Management.
  2. Click Directories.
  3. Click Add Directory.
  4. Click Add Active Directory over LDAP/IWA.

1.1. Configure the Directory Details

  1. Enter the Directory Name, for example, corp.local.
  2. Select Active Directory (Integrated Windows Authentication).

1.2. Configure the Directory Sync and Authentication Settings

  1. Scroll down to find the Directory Sync and Authentication section.
  2. Select your connector as the Sync Connector, for example, vescsrv-01a.corp.local.
  3. Select Yes to allow this Connector to perform authentication.
  4. Select sAMAccountName for the Directory Search Attribute.

1.3. Configure the Bind User Details

  1. Scroll down to find the Bind User Details section.
  2. Enter the Bind User UPN, for example, administrator@corp.local.
  3. Enter the Bind DN Password, for example, VMware1!.
  4. Click Save & Next.

1.4. Select the Domains

  1. Ensure your domain is selected.
  2. Click Next.

1.5. Review the User Attribute Mappings

Review the User Attribute Mappings. Changes are not needed for this exercise. Click Next.

1.6. Find Groups to Sync

  1. Click the Green Plus (+) icon to add a new Group DN.
  2. Enter the group DN, for example, dc=corp,dc=local.
  3. Click Find Groups.

1.7. Select the Groups to Sync

  1. Click Select All to select all groups.
  2. Click Next.

1.8. Select the Users to Sync

  1. Click the Green Plus (+) icon to add a new User DN.
  2. Enter the user DN, for example, cn=users,dc=corp,dc=local.
  3. Click Next.

1.9. Review and Initiate Sync

After the Review page loads and shows the number of Users and Groups being added, click Sync Directory.

1.10. Confirm Sync Started and Refresh to Check Status

  1. Click the X to close the message confirming that the Sync has started.
  2. Click Refresh Page to check the Sync status.

Note: The sync may take several seconds to complete. Click Refresh Page until the sync shows as completed with a green check mark.

1.11. Confirm the Sync Completes Successfully

Confirm that your directory shows synced groups and synced users, and that the Refresh Page notification is gone and replaced by a green check mark indicating the sync has completed.

2. Confirm the Synced Users Exist

  1. Click Users & Groups.
  2. Confirm the directory users have synced and are displayed here.

This confirms that you have successfully added a directory to your VMware Identity Manager tenant and were able to use your previously installed Connector to sync Active Directory users to the directory.
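The values entered in steps 1.2, 1.3, 1.6 and 1.8 (bind UPN, search attribute, group DN and user DN) can be checked against Active Directory before the directory is saved, which is quicker than diagnosing a failed sync afterwards. The script below is an added example, not part of the VMware tutorial; it assumes the lab domain corp.local, the example DNs from the steps above, and the aduser account used later in the tutorial.

```powershell
# Added example (not from the VMware tutorial): check the values entered in
# steps 1.2, 1.3, 1.6 and 1.8 against Active Directory before saving the
# directory in vIDM. Assumed lab values: the domain, bind UPN, base DNs and
# the test user 'aduser' used later in the tutorial.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Domain      = 'corp.local'
$BindUpn     = 'administrator@corp.local'     # Bind User UPN (step 1.3)
$UserBaseDn  = 'cn=users,dc=corp,dc=local'    # User DN (step 1.8)
$GroupBaseDn = 'dc=corp,dc=local'             # Group DN (step 1.6)
$SearchAttr  = 'sAMAccountName'               # Directory Search Attribute (step 1.2)
$TestUser    = 'aduser'
$Cred        = Get-Credential -UserName $BindUpn -Message 'Bind DN password'

# Bind with the same account vIDM will use. Negotiate (Kerberos/NTLM) keeps the
# password off the wire; a Basic bind on port 389 would send it in clear text.
$Id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Domain, 389)
$Conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Id, $Cred.GetNetworkCredential(), 'Negotiate')
$Conn.SessionOptions.ProtocolVersion = 3
$Conn.Bind()   # throws LdapException (result code 49) if the bind credentials are wrong

function Get-LdapEntryCount {
    param([string]$BaseDn, [string]$Filter)
    # Page through results; AD caps a single unpaged search at 1000 entries.
    $Page  = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
    $Count = 0
    do {
        $Req = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $Filter, 'Subtree', @($SearchAttr))
        [void]$Req.Controls.Add($Page)
        $Resp   = [System.DirectoryServices.Protocols.SearchResponse]$Conn.SendRequest($Req)
        $Count += $Resp.Entries.Count
        $Page.Cookie = ($Resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
    } while ($Page.Cookie.Length -gt 0)
    return $Count
}

# Users under the User DN and groups under the Group DN: these are the numbers
# the Review page in step 1.9 should report before you click Sync Directory.
$Users  = Get-LdapEntryCount -BaseDn $UserBaseDn  -Filter '(&(objectCategory=person)(objectClass=user))'
$Groups = Get-LdapEntryCount -BaseDn $GroupBaseDn -Filter '(objectClass=group)'
"Users under $UserBaseDn : $Users"
"Groups under $GroupBaseDn : $Groups"

# The search attribute must resolve the login name typed at the sign-in page
# to exactly one entry, or sign-in for that user fails.
$Found = Get-LdapEntryCount -BaseDn $UserBaseDn -Filter "(&(objectClass=user)($SearchAttr=$TestUser))"
if ($Found -eq 1) { "OK: $SearchAttr=$TestUser resolves to one entry under $UserBaseDn." }
else { Write-Warning "$SearchAttr=$TestUser matched $Found entries under $UserBaseDn; check the User DN and search attribute." }
$Conn.Dispose()
```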

Setting Up an Identity Provider to use Password Cloud Deployment

This section helps you to configure the built-in identity provider (IdP) to allow your domain users to sign in to the VMware Identity Manager tenant using their AD credentials.

1. Configure the Built-In Identity Provider

  1. Click Identity & Access Management.
  2. Click Identity Providers.
  3. Click Built-In.

1.1. Configure the Identity Provider

  1. Scroll down to find the Users, Network and Authentication Methods sections.
  2. Select the check box to enable your domain users.
  3. Select the ALL RANGES network range check box.

1.2. Associate Connector with Identity Provider

  1. Scroll down to find the Connector(s) section.
  2. Select your connector from the list, for example, conn-01a.corp.local.
  3. Click Add Connector.

Note: If you do not see a list of available connectors, you may need to wait a few moments until the connectors are queried.

1.3. Associate Connector Authentication Methods

  1. Scroll down to the bottom.
  2. Select the check box next to Password (cloud deployment) for the Connector Authentication Methods to associate this authentication method with the Identity Provider.
  3. Click Save.

1.4. Confirm the Identity Provider Was Created

The list of Identity Providers should now show your Built-In Identity Provider as having the Password (cloud deployment) authentication method for your directory and connector.

2. Configure the Access Policy

  1. Click Identity & Access Management.
  2. Click Policies.
  3. Click Edit Default Policy.

2.1. Add New Policy Rule

  1. Click Configuration.
  2. Click Add Policy Rule.

2.2. Configure Policy Rule Details

  1. Select ALL RANGES for the network range.
  2. Select All Device Types for the device type.
  3. Enter the user group, for example, Domain Users@corp.local.
  4. Select the user group.

2.3. Configure the Authentication Method

  1. Scroll down to the bottom.
  2. Select Authenticate using... for the action.
  3. Select Password (cloud deployment) for the authentication method.
  4. Click Save.

2.4. Re-Order the Access Policy Rules

  1. Click and drag the created policy rule, which has Any configured for the Device Type, to the top of the list.
  2. Click Next.

2.5. Review and Save

Review the configuration and click Save.

Your Policies and Identity Providers are now configured to authenticate your Domain Users group using Password (cloud deployment) through your connector. Your tenant local users will continue to be authenticated with their default methods (Password and Password (Local Directory)) as we did not modify those policies.

3. Verify that corp.local Users Can Log In

  1. Click the Options icon.
  2. Click New incognito window.
  3. Enter https://{yourtenant}.vidmpreview.com to navigate back to the login screen of your VMware Identity Manager tenant.
    Note: Replace {yourtenant} with your tenant name.

3.1. Log In as AD User

  1. Enter an AD username, for example, aduser.
  2. Deselect Remember this setting.
  3. Click Next.

3.2. Enter the Domain User Password

  1. Enter the domain user password, for example, VMware1!.
  2. Verify that the domain name displayed is correct. This should be the domain associated with your AD user.
  3. Click Sign in.

3.3. Open the Settings Page

  1. Select the user drop-down menu.
  2. Select Settings.

3.4. Confirm the User Details

  1. Click the Account tab.
  2. Confirm the Profile for the user shows you have signed in as your AD user.
  3. Click Sign Out.

This confirms that you have successfully allowed the Identity Provider to use the Connector we installed and configured earlier to use the Password (cloud deployment) authentication method to authenticate your Active Directory users.

Follow the next steps to log back in as your local administrator account.

3.5. Close the Incognito Session

Click the Close button in the top-right corner of the Incognito session to return to the VMware Identity Manager Administration Console.

Setting Up a Web Link Application and Entitling Users

This section helps you to create a Web Link application and entitle your synced users to access the application.

3. Log In as the Tenant Administrator

  1. Enter the username, for example, administrator.
  2. Deselect Remember this setting.
  3. Click Next.

3.1. Enter the Administrator Password

  1. Enter the password, for example, VMware1!.
  2. In this example, the System Domain is displayed because our Administrator account belongs to the local System Domain.
  3. Click Sign In.

Setting Up Kerberos Authentication Adapter

This section helps you to configure Kerberos authentication through the VMware Identity Manager Connector to enable Windows single sign-on.

1. Enable the Kerberos Authentication Adapter on the Connector

In the VMware Identity Manager Administration Console:

  1. Click Identity & Access Management.
  2. Click Setup.
  3. Click Connectors.
  4. Click your Connector Worker name, for example, Lab.

1.2. Configure Kerberos Authentication Adapter

  1. Enter a name for the Directory UID Attribute, for example, sAMAccountName.
  2. Select Enable Windows Authentication.
  3. Click Save.

1.2.1. Run the Kerberos Initialization Script (If Needed)

If the adapter configuration fails to set, run the Kerberos Initialization script detailed in the following Knowledge Base article: Run Script to Resolve Kerberos Initialization Error in VMware Identity Manager Connector on Windows.

Otherwise, continue to step 1.3, Confirm the KerberosIdpAdapter is Enabled.

1.2.2. Run the setupKerberos.bat file (If Needed)

Log in to the connector server and follow the next steps. The setupKerberos.bat file that needs to be run is on the server where the VMware Identity Manager Connector service was installed.

  1. Click the File Explorer icon from the task bar.
  2. Select Local Disk (C:).
  3. Select VMware.
  4. Select IDMConnector.
  5. Select usr.
  6. Select local.
  7. Select horizon.
  8. Select scripts.
  9. Right-click the setupKerberos.bat file.
  10. Click Run as Administrator.

1.2.3. Enter the User Credentials (If Needed)

  1. Enter the Username, for example, corp\administrator.
  2. Enter the Password, for example, VMware1!.
  3. After the PowerShell window closes and the process finishes, press any key to continue.

1.2.4. Save the Authentication Adapter after running setupKerberos.bat (If Needed)

Return to the VMware Identity Manager Console. Click Save. The Kerberos Authentication Adapter should now save and enable as expected.

1.3. Confirm the KerberosIdpAdapter is Enabled

  1. The KerberosIdpAdapter should now show as Enabled.
  2. Click Admin Console to return.

2. Update the Policy Rules

  1. Click Identity & Access Management.
  2. Click Manage.
  3. Click Policies.
  4. Click Edit Default Policy.

2.1. Add Policy Rule

  1. Click Configuration.
  2. Click Add Policy Rule.

2.2. Configure Policy Rule Details

  1. Select ALL RANGES for the Network Range.
  2. Select Windows 10 for the Device Type.

2.3. Configure Policy Rule Authentication

  1. Scroll down to the bottom.
  2. Select Authenticate using... for the action.
  3. Select Kerberos for the authentication action.
  4. Select Password (cloud deployment) for the fallback authentication action.
  5. Click Save.

2.4. Update the Policy Rule Order

  1. Click and drag the created Windows 10 policy rule to the top of the list.
  2. Click Next.

2.5. Review and Save the Policy Rule Changes

Review the configuration and click Save.

You have now configured your Policies to authenticate all Windows 10 devices using Kerberos, falling back to Password (cloud deployment) if Kerberos is not applicable or fails.

3. Authenticate with Kerberos using the Workspace ONE App

  1. Click the Workspace ONE App from the task bar.
  2. Enter https://{yourtenant}.vidmpreview.com for the URL.
    Note: Replace {yourtenant} with your tenant name.
  3. Click Continue.

3.1. Select the Domain

  1. Select your domain, for example, corp.local.
  2. Click Next.

3.2. Enter Workspace

Click Enter after the workspace finishes building.

3.3. Confirm User Details

  1. Click the user icon.
  2. Click the Account tab.
  3. Confirm that the User details match the user you logged in as.

This confirms that you successfully enabled Kerberos authentication for the Connector, configured Policy Rules to authenticate Windows 10 users using Kerberos, and then signed in with Windows authentication (Kerberos) from a Windows 10 device through the Workspace ONE application.

Setting Up RADIUS Authentication

This section helps you to install and configure a RADIUS server and client for Windows, and integrate RADIUS with VMware Identity Manager by enabling the RADIUS Cloud Deployment authentication method.

Ensure you are logged in to the Windows server where you will install the RADIUS server and client.

1. Install and Configure a RADIUS Server for Windows

  1. Click Server Manager from the task bar.
  2. Click Manage.
  3. Click Add Roles and Features.

1.1. Enable Network Policy and Access Services

  1. Click Server Selection.
  2. Click Server Roles.
  3. You may need to scroll down to find Network Policy and Access Services.
  4. Select the check box to enable Network Policy and Access Services.

1.1.1. Add Features for Network Policy and Access Services

Click Add Features.

1.1.2. Install the New Roles and Features

  1. Click Confirmation.
  2. Click Install.

Wait for the installation to complete; this can take several minutes.

1.1.3. Close the Installation Window

  1. Ensure the Feature Installation shows the Installation succeeded.
  2. Click Close.

1.2. Configure Network Policy Server

In Server Manager:

  1. Click Tools.
  2. Click Network Policy Server.

1.2.1. Register Network Policy Server in Active Directory

  1. Click Action.
  2. Click Register server in Active Directory.

1.2.2. Authorize to Read User Dial-In Properties

  1. Click OK to authorize this computer to read the user dial-in properties.
  2. Click OK to confirm that the computer is now authorized.

1.3. Add a New RADIUS Client

  1. Expand RADIUS Clients and Servers.
  2. Right-click RADIUS Clients.
  3. Select New.

1.3.1. Configure the RADIUS Client

  1. Enter the Friendly Name, for example, conn-01a.corp.local.
  2. Enter the Address (IP or DNS), for example, conn-01a.corp.local.
  3. Enter the Shared secret, for example, VMware1!.
  4. Enter the Confirm shared secret, for example, VMware1!.
  5. Click OK.

1.3.2. Add a New Network Policy

  1. Expand Policies.
  2. Right-click Network Policies.
  3. Select New.

1.3.3. Configure Policy Name and Connection Type

  1. Enter a Policy name, for example, IDM Authentication.
  2. Select Unspecified for the Type of Network access server.
  3. Click Next.

1.3.4. Add Conditions

Click Add.

1.3.5. Add a User Groups Condition

  1. Click User Groups.
  2. Click Add.

1.3.6. Add Groups

Click Add Groups.

1.3.7. Select the Domain Users Group

  1. Enter Domain Users into the search field.
  2. Click Check Names. Ensure the Domain Users group is found.
  3. Click OK.

1.3.8. Confirm User Groups

Click OK.

1.3.9. Continue after specifying User Groups Condition

Click Next.

1.3.10. Specify Access Granted Permission

  1. Select Access Granted.
  2. Click Next.

1.3.11. Configure Authentication Methods

  1. Under the Less secure authentication methods, ensure that ALL of the options are selected EXCEPT for Perform machine health check only.
  2. Click Next.

1.3.12. Close the Help Pop-Up Window

Click No.

1.3.13. Accept the Default Constraints

Click Next to accept the default Constraints.

1.3.14. Accept the Default Settings

Click Next to accept the default Settings.

1.3.15. Complete the New Network Policy

Click Finish.

You can now return to your main server and log in to the VMware Identity Manager Administration console.
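The role install, the Active Directory registration and the RADIUS client definition from steps 1.1 through 1.3.1 can also be scripted on the NPS server, which makes the shared secret easier to manage than typing it twice into a dialog. The script below is an added example, not part of the VMware tutorial; it assumes the connector hostname conn-01a.corp.local from step 1.3.1, and the network policy from step 1.3.2 onward is still created in the NPS console.

```powershell
# Added example (not from the VMware tutorial): the NPS side of section 1,
# steps 1.1 through 1.3.1, as a script. Assumed lab values: the connector
# hostname; the network policy (steps 1.3.2 onward) is still created in the
# NPS console. Run in an elevated PowerShell on the Windows Server that hosts NPS.

# 1.1  Network Policy and Access Services role (NPAS = NPS plus its management tools).
$Install = Install-WindowsFeature -Name NPAS -IncludeManagementTools
if (-not $Install.Success) { throw "NPAS installation failed with exit code $($Install.ExitCode)." }

# 1.2.1 Register the server in AD so NPS can read users' dial-in properties
#       (this adds the computer to the 'RAS and IAS Servers' group).
netsh nps add registeredserver | Out-Null

# 1.3.1 RADIUS client: the vIDM connector, identified by its DNS name. The
#       same secret is entered in the RADIUSAuthAdapter in step 2.2; a mismatch
#       shows up as silently discarded Access-Requests (timeouts), not as a reject.
$ClientName   = 'conn-01a.corp.local'   # Friendly Name and Address from step 1.3.1
$SharedSecret = Read-Host -AsSecureString -Prompt 'Shared secret for the connector'
$Plain        = [System.Net.NetworkCredential]::new('', $SharedSecret).Password
if ($Plain.Length -lt 22) {
    Write-Warning 'Shared secret is short; outside a lab, use a long random secret per client.'
}

if (Get-NpsRadiusClient | Where-Object Name -eq $ClientName) {
    Set-NpsRadiusClient -Name $ClientName -Address $ClientName -SharedSecret $Plain
} else {
    New-NpsRadiusClient -Name $ClientName -Address $ClientName -SharedSecret $Plain -Enabled $true
}

# Verify: the client is listed and enabled, and the firewall rules the role
# install adds for UDP 1812/1813 are active, so the connector can reach NPS.
Get-NpsRadiusClient | Where-Object Name -eq $ClientName | Format-List Name, Address, Enabled
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' | Where-Object Enabled -eq 'True' | Select-Object DisplayName
```

If the verification shows the client but Access-Requests from the connector later time out, compare the secret on both sides first; NPS logs a discarded request rather than an Access-Reject when the secret does not match.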

2. Configure the RADIUS Authentication Method for VMware Identity Manager

In the VMware Identity Manager Administration Console:

  1. Click Identity & Access Management.
  2. Click Setup.
  3. Click Connectors.
  4. Click your Worker name, for example, Lab.

2.1. Select the RADIUSAuthAdapter

  1. Click the Auth Adapters tab.
  2. You may need to scroll down.
  3. Click the RADIUSAuthAdapter link.

2.2. Configure the RADIUSAuthAdapter Details

  1. Select the Enable RADIUS Adapter check box.
  2. Enter 5 for the Number of attempts to RADIUS server.
  3. Enter 20 for the Server timeout in seconds.
  4. Enter the RADIUS server hostname/address, for example, conn-01a.corp.local.
  5. Select MSCHAPv2 for the Authentication type.
  6. Enter your Shared secret, for example, VMware1!.

2.3. Save the RADIUSAuthAdapter

  1. Scroll down to the bottom.
  2. Click Save.

2.4. Confirm the Adapter is Enabled

  1. Confirm the RADIUSAuthAdapter shows as Enabled.
  2. Click Admin Console.

3. Configure the Identity Providers

  1. Click Identity & Access Management.
  2. Click Identity Providers.
  3. Click Built-In.

3.1. Associate the RADIUS Authentication Method

  1. Scroll down to the bottom.
  2. Select the check box to enable the RADIUS (cloud deployment) authentication method for this Identity Provider.
  3. Click Save.

4. Configure the Policy Rules

  1. Click Identity & Access Management.
  2. Click Policies.
  3. Click Edit Default Policy.

4.1. Add Policy Rule

  1. Click Configuration.
  2. Click Add Policy Rule.

4.2. Configure Policy Rule

  1. Select ALL RANGES for the Network Range.
  2. Select Web Browser for the Device type.
  3. Select Authenticate using... for the action.
  4. Select RADIUS (cloud deployment) for the authentication type.
  5. Select Password (cloud deployment) for the fallback authentication type.

4.3. Save the Policy Rule

  1. Scroll down to the bottom.
  2. Click Save.

4.4. Move the Policy Rule to the Top

  1. Move the Policy Rule for the RADIUS (cloud deployment) authentication to the top.
  2. Click Next.

4.5. Review and Save

Review the configuration and click Save.

5. Test RADIUS Authentication from a Web Browser

  1. Click the Options icon.
  2. Click New incognito window.
  3. Enter https://{yourtenant}.vidmpreview.com to navigate back to the login screen of your VMware Identity Manager tenant.
    Note: Replace {yourtenant} with your tenant name.

5.2. Authenticate using RADIUS

  1. Notice the prompt to authenticate with a RADIUS passcode.
  2. Enter the username, for example, aduser.
  3. Enter the RADIUS Passcode, for example, VMware1!.
  4. Click Sign In.

5.4. Confirm RADIUS Authentication was Successful

  1. Confirm the User Profile shows your logged-in user, for example, aduser@corp.local.
  2. Click the X to close the incognito browsing session and return to the VMware Identity Manager Administration Console.

This confirms that you successfully installed and configured a RADIUS Server on the Windows server, and then enabled and configured the RADIUS authentication method and Policy Rules to allow users to authenticate using their RADIUS passcode when accessing the tenant from a web browser.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to:

  • Install and Configure the VMware Identity Manager Connector
  • Sync Users and Groups to VMware Identity Manager using the VMware Identity Manager Connector
  • Configure various Authentication Methods for the VMware Identity Manager Connector for user authentication, including Active Directory Password, Kerberos, and RADIUS.

This introduction to installing, configuring, and managing VMware Identity Manager showcases the flexibility and customization you have for creating access policies based on the needs of your enterprise. Your identity providers and access policies can be set up to allow your users to authenticate in ways they are familiar with, without spending time re-building these authentication policies from the ground up.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

About the Authors

This tutorial was written by:

  • Chris Halstead, Staff Architect, End-User-Computing Technical Marketing, VMware
  • Camilo Lotero, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
  • Shardul Navare, Senior Technical Marketing Architect, End-User-Computing Technical Marketing, VMware
  • Justin Sheets, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.