VMware Identity Manager 19.03 – The Connector

Let’s assume you have a fresh on-premises installation of VMware Identity Manager, or a newly created tenant in the Workspace ONE Access (formerly vIDM) SaaS infrastructure. There is not much this poor appliance can do at this point, right?

You will need to integrate it with parts of your infrastructure before it can do useful things like the Unified Catalog, SSO, conditional access, MFA, etc. In this series, I will walk through all sorts of integrations and show, step by step, how to configure them.

The first integration you literally have to do, whether you use the Workspace ONE Access SaaS tenant or you deployed your appliances in a DMZ, is to install a Connector and pair it with your Workspace ONE Access instance.

So what is a Connector (to be specific we are talking about the “VMware Identity Manager Connector”)?

The VMware Identity Manager Connector provides organizations with the ability to integrate VMware Identity Manager / Workspace ONE Access with their back-end enterprise systems.

Pretty obvious, huh? Those back-end systems can be Active Directory, VMware Horizon, Citrix XenApp… But let’s start slowly and get the connector up and running first.

This is how you install it. I’ve described the prerequisites in my other post, go check it out.

First, find a suitable Windows server (joined to the domain) and download the Connector installer onto it. Once you’ve done that, go ahead and kick off the installation. Run it as administrator.

You will be presented with a couple of boring screens, just hit next for a couple of times. Oh, and be sure you read the whole EULA, it’s important.

I recommend installing everything in the default location; it is easier to troubleshoot later (e.g. finding the log files).

A Java JRE is a requirement, but the wizard will install it for you if you’d like. If you are worried about Oracle Java licensing, please read VMware’s official blog response on the subject.

We are not migrating from the built-in connector, so leave this box unchecked. It is relevant only if you are doing an upgrade from an older version of Workspace ONE Access.

Confirm the hostname and port, it should be all pre-filled for you.

You will be asked to run the service as a domain account. I highly recommend it; otherwise IWA (Integrated Windows Authentication) and Kerberos authentication will not work.

JUST FYI: If you don’t specify a domain account, you will see the “Kerberos initialization failed” error when you later try to enable the Kerberos adapter. This can be fixed later on by running setupkerberos.bat, which is located in InstallDir\VMware Identity Manager\Connector\usr\local\horizon\scripts

You are almost there, just hit install.

Assuming everything went well you should see the finish screen.

When you click Finish, you will be asked whether you want to configure the connector now. Click “Yes”.

A web page with the connector’s setup wizard will open in your browser. Click “Continue”.

Choose your password. You will need it whenever you administer the connector itself, e.g. when you want to change its certificate (required for Kerberos to work correctly). So do remember it, or better, put it in your password manager.

The next step will require an activation token, which you will need to generate in your Workspace ONE Access console.

Open your Workspace ONE Access console and navigate to the “Identity & Access Management” tab. You will have to switch to “Setup” mode in order to add a new connector. Navigate to the “Connectors” sub-tab and click “Add Connector”.

Pick a connector ID; I typically use the FQDN of the machine.

Click on “Generate Activation Code” to generate the code.

Copy the code to clipboard and click on “OK”.

You can see that your connector is not yet activated. A little fun fact about the activation string: it is Base64-encoded JSON, which looks like this:

{
	"ota":"7eff58ef-28ec-391f-b59f-e66d0e571c3f:w3cDmE9VrQEzHj1hQWe9ZDMX2h563R09",
	"url":"https://td-minarik.vidmpreview.com/",
	"tid":"td-minarik"
}

“ota” is a one-time authorization, “url” is the URL of your Workspace ONE Access instance and “tid” is the tenant ID. Because the “ota” value is a one-time secret that lets whoever holds it pair a connector with your tenant, treat the activation code like a credential: don’t paste it into tickets or chat, and generate a new one if it leaks or expires. But let’s move on, we are almost done. Go back to the setup wizard and paste the activation code into the connector setup.
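If you want to see what is inside an activation code before pasting it in, the following PowerShell decodes it and sanity-checks the three fields. This is an added example, not code from the original post or from VMware; the activation code it decodes is constructed from the sample JSON shown above, so the "ota" value is not a real secret.

```powershell
# Added example (not from the original post): decode a Workspace ONE Access
# connector activation code and sanity-check its fields before pasting it in.
# The sample below is built from the JSON shown in the post; a real "ota"
# value is a one-time secret, so treat the activation code like a password.

$sampleJson = '{"ota":"7eff58ef-28ec-391f-b59f-e66d0e571c3f:w3cDmE9VrQEzHj1hQWe9ZDMX2h563R09","url":"https://td-minarik.vidmpreview.com/","tid":"td-minarik"}'
$activationCode = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleJson))

function ConvertFrom-ActivationCode {
    param([Parameter(Mandatory)][string]$Code)

    # Trim whitespace picked up when copying from the console, then decode.
    $json  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Code.Trim()))
    $token = $json | ConvertFrom-Json

    foreach ($field in 'ota', 'url', 'tid') {
        if (-not $token.$field) { throw "Activation code is missing the '$field' field" }
    }

    # The connector will pair with whatever URL is embedded here, so make sure
    # it is HTTPS and points at your own tenant, not somewhere unexpected.
    $uri = [Uri]$token.url
    if ($uri.Scheme -ne 'https') { throw "Tenant URL is not HTTPS: $($token.url)" }

    [pscustomobject]@{
        TenantId   = $token.tid
        TenantUrl  = $token.url
        TenantHost = $uri.Host
        # Show only the ID half of the one-time authorization, never the secret half.
        OtaId      = ($token.ota -split ':')[0]
    }
}

ConvertFrom-ActivationCode -Code $activationCode | Format-List
```

To inspect a real code, replace `$activationCode` with the string you copied from the console; the function deliberately prints only the first part of “ota” so the secret half does not end up in your shell history or a screenshot.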

You can now verify that the connector’s Windows service (VMwareIDMService) is running. The connector administration console should be available on HTTPS port 8443 (e.g. https://<connector-FQDN>:8443); the password for this console is the one you set during the setup wizard.
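Here is an added PowerShell snippet (not from the original post) that performs those checks on the connector server itself: service state, the account the service runs as, the 8443 listener, and the certificate the admin console presents. The service name, port and the Kerberos script are the ones mentioned in this post; run it in an elevated session on the Windows server where you installed the connector.

```powershell
# Added example (not from the original post): post-install checks on the
# connector host. Service name, port 8443 and setupkerberos.bat come from the
# post; the FQDN is taken from the local machine.

$connectorFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$adminPort     = 8443

# 1. The connector service must be running.
$svc = Get-Service -Name 'VMwareIDMService' -ErrorAction Stop
"Service {0}: {1}" -f $svc.Name, $svc.Status

# 2. It should run as a domain account, otherwise IWA/Kerberos will not work.
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='VMwareIDMService'").StartName
if ($svcAccount -match '^(LocalSystem|NT AUTHORITY\\.*)$') {
    Write-Warning "Service runs as '$svcAccount'; Kerberos needs a domain account (see setupkerberos.bat)"
} else {
    "Service account: $svcAccount"
}

# 3. The admin console should be listening on 8443.
$tcp = Test-NetConnection -ComputerName $connectorFqdn -Port $adminPort
if (-not $tcp.TcpTestSucceeded) { throw "Nothing listening on ${connectorFqdn}:$adminPort" }

# 4. Show the certificate the admin console presents. The post notes that the
#    certificate has to be changed for Kerberos to work, so flag a self-signed one.
$client = [System.Net.Sockets.TcpClient]::new($connectorFqdn, $adminPort)
try {
    # Validation callback returns $true because we only want to read the cert here.
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($connectorFqdn)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "Subject: {0}`nIssuer:  {1}`nExpires: {2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning "Admin console presents a self-signed certificate; replace it before enabling Kerberos"
    }
    $ssl.Dispose()
} finally {
    $client.Dispose()
}
```

The certificate check disables validation on purpose so it can read whatever the connector presents, including the default self-signed one; do not reuse that callback anywhere you actually rely on TLS.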

Lastly, the Workspace ONE Access console should now report the connector details. Try refreshing the page if it still shows the connector as not activated.

This is it for this part. We will configure Active Directory integration in the next post.