VMware Identity Manager

Last Modified: Aug 27, 2016 @ 4:58 pm



System and Network Configuration Requirements at pubs.vmware.com

VMware Blog – Results of VMware Workspace Portal 2.1 Tests Exceed Expectations: a single Workspace appliance can handle 30,000 users. Also see Technical White Paper – VMware Workspace Portal Reference Architecture.


DNS Configuration

If you intend to build multiple appliances and load balance them, specify a unique DNS name for each appliance. The Load Balancing DNS name is different from the appliance DNS names. For example:

  • Appliance 1 = Im01.corp.local
  • Appliance 2 = Im02.corp.local
  • Load Balancing Name = Identity.corp.com. This name is used both internally and externally.

You’ll need SSL certificates that match these names.

Each of these DNS names must have a corresponding reverse DNS pointer record.

  1. Create DNS records for the virtual appliances.
  2. Create reverse pointer records too. Reverse pointer records are required.
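A pre-flight check for the forward and reverse records described above, added here as an example that is not part of the original post. It resolves with glibc's `getent`; the two lookup functions are kept separate so they can be pointed at a different resolver, and every appliance name and address in the usage block is a constructed placeholder.

```shell
#!/bin/sh
# Added example: confirm that each Identity Manager appliance name and the
# load-balancing name have an A record AND a PTR record that points back to
# the same name, which the setup wizard and the directory join depend on.
# Names and IPs in the demo are constructed placeholders.

# Forward lookup: first IPv4 address for a name (glibc getent; empty if none).
lookup_a() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Reverse lookup: canonical host name for an IP address (empty if no PTR).
lookup_ptr() {
  getent hosts "$1" 2>/dev/null | awk 'NR == 1 { print $2 }'
}

# DNS names are case-insensitive, so compare them in lower case.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_dns_pair NAME IP -> 0 when A(NAME) = IP and PTR(IP) = NAME, else 1
check_dns_pair() {
  _name=$1
  _ip=$2
  _got_ip=$(lookup_a "$_name")
  if [ "$_got_ip" != "$_ip" ]; then
    echo "FAIL $_name: A record is '${_got_ip:-none}', expected $_ip"
    return 1
  fi
  _got_name=$(lookup_ptr "$_ip")
  if [ "$(lc "$_got_name")" != "$(lc "$_name")" ]; then
    echo "FAIL $_name: PTR for $_ip is '${_got_name:-none}', expected $_name"
    return 1
  fi
  echo "OK   $_name <-> $_ip"
  return 0
}

# check_dns_list reads "NAME IP" lines on stdin; returns 0 only if every
# pair passes, and keeps going so all problems are reported in one run.
check_dns_list() {
  _rc=0
  while read -r _n _i; do
    [ -n "$_n" ] || continue
    check_dns_pair "$_n" "$_i" || _rc=1
  done
  return $_rc
}

# Usage with constructed values; run before deploying the OVA.
if [ "${1:-}" = "--demo" ]; then
  check_dns_list <<'EOF'
im01.corp.local 10.0.0.11
im02.corp.local 10.0.0.12
identity.corp.com 10.0.0.10
EOF
fi
```

Run it as `sh dns-check.sh --demo` after editing the list; a non-zero exit means at least one name is missing its A record or its PTR record, and the FAIL lines say which.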

LDAP Accounts

  1. All accounts synced with Identity Manager must have First Name, Last Name, and E-mail Address configured. This includes the Bind account.
  2. Create a new Active Directory group for your Identity Manager users. The Domain Users group will not work.

SQL Database

If you want to build multiple Identity Manager appliances and load balance them, configure them with an external database (e.g. Microsoft SQL). Or you can follow Using embedded vPostgres in Production for VMware Workspace Portal VA 2.1 (2094258).

For a script that performs all required SQL configuration, see Configure a Microsoft SQL Database at pubs.vmware.com.

  1. In SQL Management Studio, create a New Query.
  2. Paste the SQL commands into the New Query window and click Execute.

Or the following GUI instructions should be equivalent.

  1. Create a new database.
  2. Name it saas. It doesn’t seem to work with any other database name.
  3. On the Options page, change the Collation to Latin1_General_CS_AS.
  4. Set Is Read Committed Snapshot On to True.
  5. Click OK when done.
  6. After creating the database, expand the database name, expand Security, right-click Schemas and click New Schema.
  7. Name the schema saas and click OK.
  8. Add a new SQL Login.
  9. Name it horizon. It doesn’t seem to work with any other username.
  10. Change it to SQL Server authentication and give it a password.
  11. Set the Default database to saas.
  12. On the User Mapping page, map it access to the saas database.
  13. In the saas database line, click the … in the Default Schema column.
  14. Enter the saas schema and click OK twice.
  15. Right-click the saas database and click Properties.
  16. On the Permissions page, highlight the horizon user.
  17. On the bottom, scroll down and grant Backup database and Backup log.
  18. Grant Create database, Create default, Create function, and Create procedure.
  19. Grant Create rule and Create table.
  20. Grant Create view and click OK. These permissions are equivalent to GRANT ALL as detailed at MSDN.
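The GUI steps above collapsed into one T-SQL script, added here as an example; it is neither the post's nor VMware's script (the supported path is still the Configure a Microsoft SQL Database script referenced above). The shell wrapper writes the script and applies it with `sqlcmd`. The server name and passwords are placeholders, and making `horizon` the owner of the `saas` schema, so the login can create objects inside it, is an assumption that the GUI steps do not state.

```shell
#!/bin/sh
# Added example: the GUI database steps expressed as T-SQL and applied with
# sqlcmd. The server name and passwords are placeholders the caller supplies;
# nothing here comes from VMware's own setup script.

# write_saas_setup_sql OUTFILE HORIZON_PASSWORD
# Database and login names are fixed to "saas" and "horizon" on purpose: the
# post notes that Identity Manager does not work with other names.
write_saas_setup_sql() {
  _out=$1
  _pw=$2
  # The password lands inside a T-SQL string literal; refuse one that would
  # terminate that literal early.
  case "$_pw" in
    *\'*) echo "password must not contain a single quote" >&2; return 1 ;;
  esac
  cat > "$_out" <<EOF
-- Steps 1-5: fixed name, case-sensitive collation, read committed snapshot on.
CREATE DATABASE saas COLLATE Latin1_General_CS_AS;
GO
ALTER DATABASE saas SET READ_COMMITTED_SNAPSHOT ON;
GO
-- Steps 8-11: SQL Server authentication login with default database saas.
CREATE LOGIN horizon WITH PASSWORD = N'${_pw}', DEFAULT_DATABASE = saas;
GO
USE saas;
GO
-- Steps 12-14: map the login into the database with default schema saas
-- (SQL Server allows the default schema to be created afterwards).
CREATE USER horizon FOR LOGIN horizon WITH DEFAULT_SCHEMA = saas;
GO
-- Steps 6-7: the saas schema. Assumption not in the GUI steps: horizon owns
-- the schema, which gives it ALTER on the schema so CREATE TABLE etc. work.
CREATE SCHEMA saas AUTHORIZATION horizon;
GO
-- Steps 15-20: the database-level permissions the post lists, which together
-- are what the deprecated GRANT ALL used to cover.
GRANT BACKUP DATABASE, BACKUP LOG, CREATE DATABASE, CREATE DEFAULT,
      CREATE FUNCTION, CREATE PROCEDURE, CREATE RULE, CREATE TABLE,
      CREATE VIEW TO horizon;
GO
EOF
}

# run_saas_setup SERVER ADMIN_LOGIN ADMIN_PASSWORD HORIZON_PASSWORD
# Applies the script with sqlcmd; -b makes sqlcmd exit non-zero on the first
# T-SQL error so the shell sees the failure instead of a half-built database.
run_saas_setup() {
  _sql=$(mktemp) || return 1
  write_saas_setup_sql "$_sql" "$4" || { rm -f "$_sql"; return 1; }
  sqlcmd -S "$1" -U "$2" -P "$3" -b -i "$_sql"
  _st=$?
  rm -f "$_sql"
  return $_st
}

# Placeholder usage:
#   run_saas_setup sql01.corp.local sa 'AdminPassw0rd' 'HorizonPassw0rd'
```

Each statement sits in its own `GO` batch because `CREATE SCHEMA` must be the first statement of a batch and the new database has to exist before `USE saas` can run.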

OVF Deployment

  1. In the vSphere Web Client, right-click a cluster and click Deploy OVF Template.
  2. In the Select source page, browse to the Identity-Manager-2.7.0 .ova file and click Next.
  3. In the Review details page, click Next.
  4. In the Accept License Agreements page, click Accept and click Next.
  5. In the Select name and folder page, give it a name, select a folder and click Next.
  6. In the Select storage page, select Thin Provision, select a datastore, and click Next.
  7. In the Setup networks page, select the network for the appliance. Click Next.
  8. In the Customize template page, select a time zone and make a choice regarding Customer Experience Improvement Program.
  9. Expand Networking Properties and enter a hostname for the 1st appliance. If you intend to build multiple appliances and load balance them, then each appliance needs a unique name that does not match the load balanced name. If you only want to build one appliance, then the appliance Host Name should match whatever users will use to access Identity Manager.
  10. Enter the IP address that is configured in DNS for the host name. DNS reverse lookup for this IP address must resolve to the appliance Host Name. According to VMware’s docs, the Domain Name and Domain Search Path fields are not used. Click Next.
  11. In the Ready to complete page, check the box next to Power on after deployment. Or for larger implementations, increase the appliance specs before powering on. Click Finish.
  12. If running Identity Manager 2.4, see VMware 2144090 EUC Identity Manager, Identity Manager Connector and Access Point patch for CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow for a glibc patch.

Setup Wizard

  1. Wait for the appliance to power on and fully boot.
  2. Go to https://im01.corp.local to access the Identity Manager Setup Wizard. Note: you must connect to the DNS name. Connecting to the IP address will cause problems during the database setup process.
  3. The browser might prevent you from connecting.
  4. To fix this, go to https://IPAddress/horizon_workspace_rootca.pem. You are only using the IP address temporarily.
  5. Copy the root certificate and save it to a file.

  6. Install the root certificate to the Trusted Root Certification Authorities store (either Current User or Local Computer will work).

  7. Close the browser and reopen it. Then connect the browser using the DNS name again. It should work without certificate errors this time.
  8. In the Get Started page, click Continue.
  9. In the Set Passwords page, enter passwords for the three accounts and click Continue.

  10. In the Select Database page, change it to External Database. Note: this page will only function properly if your address bar has a DNS name instead of an IP address.
  11. Enter a JDBC URL similar to the following:
  12. Enter the credentials for the horizon SQL account and click Test Connection. Then click Continue.

  13. In the Setup Review page, click the link.

SSH – Enable Root Access

This is optional. Enabling root access lets you use WinSCP to connect to the appliance using root credentials. Instructions can be found at https://blogs.vmware.com/horizontech/2013/03/how-to-enable-ssh-in-horizon-workspace-virtual-appliances.html.

  1. Use PuTTY to SSH to the Identity Manager appliance.
  2. Login as sshuser.
  3. Run su and enter the root password.
  4. Run vi /etc/ssh/sshd_config.
  5. Scroll down to line 40 (PermitRootLogin).
  6. Press <i> on the keyboard to change to insert mode.
  7. Go to the end of the line and change no to yes.
  8. Press <ESC> to exit insert mode.
  9. Type :x to save the file and exit.
  10. Run /etc/rc.d/sshd restart.

Active Directory

  1. Login to the webpage as the admin user.
  2. You should be on the Identity & Access Management tab.
  3. On the top right, switch to the Setup view.
  4. On the left, switch to the User Attributes sub-tab.
  5. Scroll down. Check the boxes next to distinguishedName and userPrincipalName. Click Save.
  6. On the top right, switch to the Manage view.
  7. Click Add Directory > Add Active Directory over LDAP/IWA.
  8. Change it to Active Directory (integrated Windows Authentication). Note: Domain Controllers are selected at random. You can override this by creating the file domain_krb.properties on the appliance. See About Domain Controller Selection (domain_krb.properties file) at pubs.vmware.com.
  9. Enter the Active Directory domain DNS name. Scroll down.
  10. Enter credentials that can join the appliance to the domain.
  11. Enter the LDAP Bind credentials. Click Save & Next.
  12. Select the domains you want to sync and click Next.
  13. In the Map User Attributes page, click Next.
  14. In the Select the Groups page, click the plus icon to add a DN.
  15. Enter a Base DN in LDAP format and click Find Groups.
  16. Click Select.
  17. Search for your Identity Users group and select it. Don’t select Domain Users. It won’t work.
  18. Click Next.
  19. In the Select the Users page, click Next.
  20. In the Review page, click Edit.
  21. Select a more frequent sync schedule, and click Save.
  22. Click Sync Directory.

  23. You can click the link to view the Sync log.
  24. You can also click the directory name and then click Sync log to view the log.

Administrators

  1. You can promote individual users (but not groups) to administrators. In the Admin console, on the top left, click the Users & Groups tab.
  2. Switch to the Users sub-tab.
  3. Click a username.
  4. On the top left, click where it says Role(s): User.
  5. Select Promote to Administrator and click Save.

License

  1. On the Appliance Settings tab, on the left, click License.
  2. On the right, enter the license key and click Save.

SSL Certificate

  1. Use OpenSSL or similar to create the certificate in PEM format. If you have a .pfx, you can use OpenSSL to convert from pkcs12 to PEM. Also use OpenSSL to convert the private key to RSA format.
  2. On the Appliance Settings tab, click Manage Configuration.
  3. Login as your admin account.
  4. On the left, click Install Certificate.
  5. On the right, delete the certificate and key that are currently displayed.
  6. Paste in the new PEM certificate and RSA private key. Paste every certificate in the chain: server + intermediate + root. Click Save.
  7. Click OK to restart the appliance.
  8. After rebooting, if you close the browser and reopen it, the certificate should be valid and trusted.
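Step 1 above as concrete OpenSSL commands, added here as an example rather than taken from the post. `pfx_to_pem` splits a .pfx into the three pieces the Install Certificate page wants (private key in RSA format, server certificate, then the CA chain) and checks that the key actually belongs to the certificate before you paste anything. `make_demo_pfx` only fabricates a throwaway root CA and server certificate so the conversion can be tried offline; every name in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example: turn a .pfx into the PEM pieces the Install Certificate page
# expects (RSA private key, server cert, then intermediate/root chain).
# make_demo_pfx only fabricates a throwaway CA + server cert so the conversion
# can be exercised offline; every name in it is a constructed placeholder.

# Keep only PEM CERTIFICATE blocks (drops the "Bag Attributes" lines that
# openssl pkcs12 prints in front of each certificate).
pem_certs_only() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# key_matches_cert KEY CERT -> 0 if the RSA modulus in both is identical
key_matches_cert() {
  _km=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  _cm=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$_km" ] && [ "$_km" = "$_cm" ]
}

# pfx_to_pem PFX PASSWORD OUTDIR
# Writes OUTDIR/server-key-rsa.pem, server-cert.pem, ca-chain.pem and
# chain.pem (server + intermediates + root, the order to paste into the page).
pfx_to_pem() {
  _pfx=$1; _pw=$2; _dir=$3
  mkdir -p "$_dir" || return 1
  # Private key as unencrypted PKCS#8 first ...
  openssl pkcs12 -in "$_pfx" -passin "pass:$_pw" -nocerts -nodes \
    -out "$_dir/server-key-pkcs8.pem" || return 1
  # ... then re-encoded with the "BEGIN RSA PRIVATE KEY" header. OpenSSL 3
  # needs -traditional for that; OpenSSL 1.1 lacks the flag but already
  # writes that format by default, hence the fallback.
  openssl rsa -in "$_dir/server-key-pkcs8.pem" -traditional \
    -out "$_dir/server-key-rsa.pem" 2>/dev/null ||
  openssl rsa -in "$_dir/server-key-pkcs8.pem" \
    -out "$_dir/server-key-rsa.pem" || return 1
  # Leaf certificate only (-clcerts), then the CA certificates (-cacerts).
  openssl pkcs12 -in "$_pfx" -passin "pass:$_pw" -clcerts -nokeys \
    -out "$_dir/server-cert.raw" || return 1
  pem_certs_only < "$_dir/server-cert.raw" > "$_dir/server-cert.pem"
  openssl pkcs12 -in "$_pfx" -passin "pass:$_pw" -cacerts -nokeys \
    -out "$_dir/ca-chain.raw" || return 1
  pem_certs_only < "$_dir/ca-chain.raw" > "$_dir/ca-chain.pem"
  cat "$_dir/server-cert.pem" "$_dir/ca-chain.pem" > "$_dir/chain.pem"
  key_matches_cert "$_dir/server-key-rsa.pem" "$_dir/server-cert.pem"
}

# make_demo_pfx DIR -> writes DIR/demo.pfx (password "demo") holding a
# constructed server certificate signed by a constructed root CA.
make_demo_pfx() {
  _d=$1
  mkdir -p "$_d" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$_d/ca.key" -out "$_d/ca.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=im01.corp.local" \
    -keyout "$_d/server.key" -out "$_d/server.csr" 2>/dev/null || return 1
  openssl x509 -req -days 2 -in "$_d/server.csr" -CA "$_d/ca.pem" \
    -CAkey "$_d/ca.key" -CAcreateserial -out "$_d/server.pem" 2>/dev/null || return 1
  openssl pkcs12 -export -inkey "$_d/server.key" -in "$_d/server.pem" \
    -certfile "$_d/ca.pem" -passout pass:demo -out "$_d/demo.pfx" || return 1
}

# Usage against a real export: pfx_to_pem identity.pfx 'pfx password' ./out
# then paste out/server-key-rsa.pem and out/chain.pem into the page.
```

`pfx_to_pem` returns non-zero when the key and certificate do not share a modulus, which is the usual cause of the appliance refusing a pasted pair. One caveat for OpenSSL 3: a .pfx exported by older Windows tooling may use RC2 encryption, which OpenSSL 3 only reads when `-legacy` is added to the `openssl pkcs12 -in` commands.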

SMTP

  1. On the Appliance Settings tab, on the left click SMTP.
  2. On the right, enter your mail server information and click Save.

Kerberos Authentication

  1. Go to Identity & Access Management > Setup > Connectors.
  2. Click the blue hostname link for the Connector.
  3. Switch to the Auth Adapters tab. You may enable Kerberos or other authentication adapters from this page.
  4. Kerberos lets users Single Sign-on to the Identity Manager web page. It only works for Windows clients. And the Identity Manager FQDN must be in Internet Explorer’s Local Intranet zone.
  5. Enter sAMAccountName as the Directory UID Attribute.
  6. Check the box next to Enable Windows Authentication and click Save.
  7. After enabling the adapter, go to Identity & Access Management > Setup > Network Ranges.
  8. Click Add Network Range.
  9. Give the Network Range a name.
  10. Enter an internal IP Range, and click Save.
  11. Go to Identity & Access Management > Manage > Policies.
  12. Click the default Policy (default_access_policy_set).
  13. Click the plus icon to add a Policy Rule.
  14. Select the Network Range you just created.
  15. For user is trying to access content from, set it to Web Browser.
  16. Select Kerberos as the first authentication method.
  17. Select Password as the second authentication method. Click Save.
  18. Drag the new Policy Rule to move it to the top. Then click Save.

Customize Appearance

  1. If you go to Identity & Access Management > Setup > Custom Branding, on the Names & Logos tab you can change the browser’s title and favicon.
  2. If you then switch to the Sign-In Screen page, you can upload a logo, upload an image, and change colors.
  3. If you go to Identity & Access Management > Manage > Password Recovery Assistant, you can configure a link to a password recovery tool or change the Forgot password message.
  4. If you scroll down you can optionally Show detailed message to End User when authentication fails.
  5. Click Catalog and then click Settings.
  6. On the left, click User Portal Branding.
  7. Make changes to Logos, colors, etc.

Load Balancing

TLS 1.0 is disabled in Identity Manager 2.6 and newer. If your load balancer does not support TLS 1.2, then see 2144805 Enabling TLS 1.0 protocol in VMware Identity Manager 2.6. NetScaler MPX/SDX added TLS 1.2 on the back end in 10.5 build 58. NetScaler VPX added TLS 1.2 on the back end in 11.0 build 65.

If you want to build multiple Identity Manager appliances and load balance them then see http://www.carlstalhood.com/VMware-Identity-Manager-Load-Balancing


View Administrator – Enable SAML Authentication

  1. Login to View Administrator.
  2. On the left, under View Configuration click Servers.
  3. On the right, on the Connection Servers tab, select a Connection Server and click Edit.
  4. On the Authentication tab, change Delegation of authentication to VMware Horizon to Allowed.
  5. In the SAML Authenticator click Manage SAML Authenticators.
  6. Click Add.
  7. In the Label field, enter a descriptive label.
  8. In the Metadata URL field, enter the Identity Manager FQDN.
  9. In the Administration URL field, enter the Identity Manager FQDN and click OK.
  10. If you see a certificate error, click View Certificate and then click Accept.
  11. Or click OK if the server's identity was verified.
  12. Click OK to close the Manage SAML Authenticators window.
  13. The Horizon Administrator dashboard shows you the status of the SAML Authenticator.

Identity Manager – Enable View Pools

Separate Horizon View Connection Server groups (e.g. multi-datacenter) can be configured in failover order. See Manage Resources Usage in Multiple VMware Identity Manager Data Centers at pubs.vmware.com.

  1. Back in the Identity Manager Admin Portal, go to Catalog > Application Catalog.
  2. Click Manage Desktop Applications, and expand View Application.
  3. Click one of the connectors.
  4. Check the box next to Enable View Pools.
  5. Enter the address of a Horizon Connection Server (or load balanced FQDN). Note: reverse IP lookup must be functional for this DNS name.
  6. Enter View Administrator credentials in userPrincipalName format. The account needs at least Read Only Administrator access to Horizon.
  7. Deployment Type can be Automatic or User-Activated. User-Activated means users have to go to the App Center to add the icons to the My Apps portal.
  8. Specify the Viewpool sync frequency and click Save.
  9. Near the top of the screen you might see red text. Click Invalid SSL Cert.
  10. In the Certificate Information page, click Accept.
  11. Near the bottom of the page click Sync Now. Note: whenever you make a change to the pools in View Administrator, you must either wait for the next automatic Sync time or you can return to this screen and click Sync Now.
  12. If sync fails, see VMware 2091744 Synchronizing VMware Horizon View Pool in Workspace Portal fails with the error: Failed to complete View sync due to a problem with the View Connection Server.
  13. Then click Save and Continue. Note: whatever groups are entitled to Horizon Pools and Applications must also be synced (Active Directory) with Identity Manager.
  14. In the Identity Manager Admin console, on the Catalog tab, you can see the View icons. Only the pools in the root Access Group are synced.
  15. Click an icon and make sure entitlements are listed. Only AD groups synced to Identity Manager will be displayed. Domain Users won’t sync to Identity Manager so entitle the pools to some other AD group. If you make changes in Horizon Administrator, then manually resync the connector.
  16. If you check the box next to one of the icons, you can place the icon in a Category by clicking the Categories button near the top right and entering a category name.
  17. If an existing category doesn’t match your needs, enter a new category name and click Add.
  18. Then check the box next to the new category.
  19. The category is then displayed next to the catalog item.

Identity Manager – Horizon URLs

  1. In the Identity Manager administrator interface, go to Identity & Access Management > Setup > Network Ranges.
  2. You can edit the default range or add a new range.
  3. Specify the Horizon URL for the IP range. You can have different Horizon Client Access URLs for different IP ranges (e.g. internal vs external). For external users, the URL points to Access Points or Horizon Security Servers.

Identity Manager User Portal

  1. When a user logs in to the Identity Manager web page the pool icons will be displayed.
  2. The first time the user launches an application or desktop the user is asked to choose a method (Horizon client or Browser) for opening the pool.
  3. The default preference can be changed by clicking the user’s name and clicking Preferences.
  4. You can override the default launch behavior by right-clicking the icon, expanding Launch, and making your selection.
  5. The same right-click menu lets you mark the icon as a Favorite.
  6. Then you can click Favorites to display only icons that are marked as Favorites.
  7. If you enabled categories, use the Categories drop-down to filter the icons. Only the icons in that category are displayed.


31 thoughts on “VMware Identity Manager”

  1. Hi Carl,

    I have an issue with authentication with vIDM and Kerberos. I have an RDSH App and I tried to connect from the vIDM, but SSO did not work; it only worked from the user machine to the vIDM, but when I try to access the RDSH App it asks for authentication:

    My environment is:

    2 vIDM (HA)
    2 Access Point (HA)
    2 Connection Server (HA)
    2 RDS Servers
    load balance for Access Point

        1. Kerberos uses tickets for authentication, not passwords. When vIDM talks to Horizon, it needs to send the user’s password to Connection Server so Connection Server can do SSON to the Horizon Agent. Since there’s no password, it’s not possible to do SSON.

          Alternatively, if there’s no password, Connection Server can create a user certificate (TrueSSO), and use that for authentication to the Horizon Agent. TrueSSO is another server.

  2. Love your blog, it has proved a most helpful tool, hoping you might be able to help with an issue:-) I’m using vIDM 2.7.1 and Access Point 2.7.2 as a reverse proxy for vIDM. When I try and access the URL from the outside and login I get a spinning circle and if you hit refresh it logs in but is pretty much unusable. It seems like the documented proxypatterns and unsecuredpatterns are missing needed information or are missing needed data. Have you come across this issue? Thanks

  3. Great Article!

    With the Access Point, is there anything special needed to get it to work correctly? I deployed it and can get to the login page, but then it redirects me back to the internal name of my Identity Manager. I'm guessing it's because the FQDN isn't correct, but when I try to change it, I get an error that it won't change it on the manager and idp. Thoughts?

    1. Are you using the special 2.6 version that doesn’t work with Horizon? There are separate instructions for Identity Manager on Access Point.

      1. Hi Carl, I'm using the 2.6 version on-premise with Horizon 7 (connection server + Access Point) + AppVolumes 2.9. On View all works fine, but with IDM, user domain login is not possible.

        Thank you.

  4. Carl, please note that we should not pre-populate the database information. We also should not have to give the appliance the DB_OWNER role, as this has caused issues on the database side with the appliance as well. We should always use the provided script, as it builds everything required out of the gate and sets the correct permissions. (A very common issue is not using this and/or wanting to change the database name and/or user.)

    We do know that using the IP address, as you note, will not allow the configuration to proceed:

    Unable to complete the configuration of VMware Identity Manager appliance
    Configuration of Identity Manager fails with error:
    Invalid organization name. Chosen name (null) includes invalid characters.
    This issue occurs when the appliance is accessed with an IP address in the URL instead of FQDN

    We also note that any change to the Certificate and or FQDN will require a re-enable of the WORKSPACE ONE interface. Otherwise we will not be able to login.

    After enabling the Workspace ONE GUI interface, then changing the FQDN and/or certificate of the appliance, and then attempting to log back in to VMware Identity Manager, you get the error message "Request Failed" "Please Contact your IT Administrator".
    Log into VMware Identity Manager at https://FQDN, choose the local users option and log in with the "admin" account and password. Once logged in, navigate to the Catalog, Settings, New End User Portal UI tab.
    Select the "Enable New Portal UI" option.

    Please also note that if you already have a load balancer and/or reverse proxy in place, you do not gain anything by using them with your load balancer other than pain, suffering and nightmares. With the load balancer already doing SSL termination, there is no direct access back to vIDM. Access Point was thought of for vIDM as an alternative if you did not have a LB or reverse proxy already in place.

    1. Hi Robert,

      Thanks for your observations. I made some changes to the SQL and Load Balancing FQDN sections. Let me know if you notice anything else that needs to be corrected.

  5. Hi Carl, great writeup. I'm hitting problems with FQDN and a local domain name of .local. We have a wildcard for our external services, say example.com, and an internal name of example.local. If I deploy the appliance with an FQDN of workspace.example.co.uk I can then assign the wildcard cert but cannot get Kerberos to work even with SPNs added. If I deploy it with workspace.example.com and put an internal CA cert on it, then Kerberos works fine but workspace.example.co.uk does not work, as it redirects the URL back to workspace.example.local, which obviously can't be reached externally. We are not using any load balancers, just a single appliance.

  6. Hi Carl, may I ask you a question?
    I ran into trouble reusing the same FQDN to re-deploy vIDM after replacing its self-signed certificate. I got the error about the certificate as below:

    com.vmware.horizon.svadmin.exception.AdminPortalException: org.springframework.web.client.ResourceAccessException: I/O error on GET request for “https://HZ-IDMV-02.CLOUD.CCDE.CNPC/SAAS/API/1.0/REST/system/bootstrap/initialize”:Host name ‘HZ-IDMV-02.CLOUD.CCDE.CNPC’ does not match the certificate subject provided by the peer (EMAILADDRESS=unknown@vmware.com, CN=HZ-IDMV-02.CLOUD.CCDE.CNPC, OU=Horizon-Workspace, O=VMware, L=Palo Alto, ST=california, C=US); nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name ‘HZ-IDMV-02.CLOUD.CCDE.CNPC’ does not match the certificate subject provided by the peer (EMAILADDRESS=unknown@vmware.com, CN=HZ-IDMV-02.CLOUD.CCDE.CNPC, OU=Horizon-Workspace, O=VMware, L=Palo Alto, ST=california, C=US) at com.vmware.horizon.svadmin.service.ApplicationSetupService.isFirstOrgAndAdminUserSetup(ApplicationSetupService.java:196) at com.vmware.horizon.svadmin.controller.AdminPortalShortcutsController.doGet(AdminPortalShortcutsController.java:44) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497)

    Could you help me fix the problem?

  7. Hi Carl, an awesome article. It's my first time exploring vIDM; can you help me with the steps for cert PEM creation?
    “1.Use OpenSSL or similar to create the certificate in PEM format. If you have a .pfx, you can use OpenSSL to convert from pkcs12 to PEM. Also use OpenSSL to convert the private key to RSA format.”

  8. Carl

    Thanks for the article, I would like to know your feedback on the product and how it compares to industry leading IDaaS products such as OKTA?



    1. I’m more interested in the Horizon View integration. And AirWatch. For web-app SSON, there are many products that can do that. It’s not my expertise so I can’t say if one is better than another.

  9. So when I'm deploying the OVA file for the first Identity Manager appliance (I will load balance behind a pair of NetScalers), I should make the appliance hostname FQDN "IM01.domain.local" in the OVA setup, not "identity.corp.com"?
    (You show "identity.corp.com", not "im01.corp.local", in your screenshot above with the OVA setup.)

    – The connector on my im01 (I used identity.domain.com in the OVA setup) shows "identity.domain.com", not im01.domain.local.

    – In the NetScaler LB write-up, you show naming the cloned appliance im02.corp.local.

    I guess I'd like to know what is different about setting up the first IM appliance when you will be load balancing: should the FQDN in the first OVA setup be an individual name or "identity"?

    1. If you’re not load balancing then the single appliance should be named the same as what users will use to access it. If load balancing then each appliance needs a unique name. I should probably clarify that and update the screenshots accordingly.

    2. Aaron, I updated the screenshots to reflect the load balancing scenario. I also figured out a database issue I was having and updated the instructions accordingly. This also fixed some cloning issues. Let me know if you notice anything else that needs to be fixed. Thanks.

        1. Configuration does not work properly unless you are connected to the appliance using an FQDN instead of IP. However, most browsers won’t allow the connection because of the untrusted cert. It would have been easier if VMware included a self-signed cert instead of a CA-signed cert.

  10. Great article, thank you very much! This was a HUGE help, especially with the NetScaler article to go with it!
    One question on the SSL certs: each appliance (IM01.corp.pri and IM02.corp.pri) will have a cert for "corp.pri" (corp.pri being a Microsoft enterprise CA cert) AND a cert for identity.corp.COM (COM being a public cert)?
    Can I just use a public wildcard for IM01/IM02 and Identity, making them all .com (my internal domain is .pri), so it's one cert (not a SAN cert)? That is, name the FQDNs "IM01.corp.com", "IM02.corp.com" and "Identity.corp.com" using the same wildcard cert (with DNS entries to match)?

    How does the Identity manager play with the new Access Point for Horizon?

    1. I think public certs on each appliance should be fine. Each appliance needs a unique hostname so it can join the domain correctly.

      I believe a future release of Access Point will provide remote connectivity to Identity Manager. VMware mentioned they borrowed the auth components from Identity Manager to place on Access Point. Smart Card is a good example of this.
