- Upgrade 💡
- OVF 2.9.1 Deployment 💡
- Load Balancing
💡 = Recently Updated
System and Network Configuration Requirements at VMware Pubs.
VMware Tech Paper VMware Identity Manager in a Multiple-Data-Center Configuration: active/standby in two datacenters, three nodes in each datacenter, SQL AlwaysOn Availability Group Listener. 💡
Upgrading can be performed online or offline. Both are performed from the command line. See Upgrading to VMware Identity Manager 2.9.1 at VMware Pubs for details. And see EUC CST Tech Notes – Upgrading VMware Identity Manager On-Premises Virtual Appliances – UPDATED! at VMware Communities.
If you intend to build multiple appliances (3 or more) and load balance them, specify a unique DNS name for each appliance. The Load Balancing DNS name is different from the appliance DNS names. For example:
- Appliance 1 = im01.corp.local
- Appliance 2 = im02.corp.local
- Appliance 3 = im03.corp.local
- Load Balancing Name = identity.corp.com. This name is used both internally and externally.
You’ll need SSL certificates that match these names.
Each of these DNS names must have a corresponding reverse DNS pointer record.
- Create DNS records for the virtual appliances.
- Create reverse pointer records too. Reverse pointer records are required.
- All accounts synced with Identity Manager must have First Name, Last Name, and E-mail Address configured. This includes the Bind account.
- Create a new Active Directory group for your Identity Manager users. The Domain Users group will not work.
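A pre-flight check for the DNS requirements above (forward record plus a reverse pointer that round-trips to the same name) for each appliance name and the load-balanced name. This is an added example, not part of the original post; it uses the names from the example above and assumes a glibc system with the getent command.

```sh
#!/bin/sh
# Pre-flight DNS check for an Identity Manager build: every appliance name and
# the load-balanced name needs an address record, and the PTR for that address
# must point back at the same name (the Setup Wizard and domain join rely on it).
set -u

# check_name <fqdn>: forward-resolve, then reverse-resolve and require a round trip.
check_name() {
  name="$1"
  lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
  addr=$(getent hosts "$name" | awk 'NR==1 {print $1}')
  if [ -z "$addr" ]; then
    echo "FAIL  $name: no address record"; return 1
  fi
  # "getent hosts <address>" performs the reverse (PTR) lookup; keep every name it returns
  ptr=$(getent hosts "$addr" | awk 'NR==1 {$1=""; print tolower($0)}')
  for n in $ptr; do
    if [ "${n%.}" = "$lname" ]; then
      echo "OK    $name -> $addr -> $n"; return 0
    fi
  done
  echo "FAIL  $name -> $addr: PTR returns '${ptr:-nothing}', not $name"; return 1
}

# check_all <fqdn>...: run the check over every name; exit status is the number of failures.
check_all() {
  fails=0
  for name in "$@"; do
    check_name "$name" || fails=$((fails + 1))
  done
  return "$fails"
}

# Usage: sh dnscheck.sh im01.corp.local im02.corp.local im03.corp.local identity.corp.com
[ $# -eq 0 ] || check_all "$@"
```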
If you want to build multiple Identity Manager appliances and load balance them, configure them with an external database (e.g. Microsoft SQL). Or you can follow Using embedded vPostgres in Production for VMware Workspace Portal VA 2.1 (2094258).
For a script that performs all required SQL configuration, see Configure a Microsoft SQL Database at VMware Pubs.
- The SQL Server requires SQL Server and Windows Authentication mode.
- In SQL Management Studio, create a New Query.
- Paste the SQL commands into the New Query window, and click Execute.
- In the vSphere Web Client, right-click a cluster, and click Deploy OVF Template.
- In the Select source page, browse to the identity-manager-126.96.36.199-….ova file, and click Next. 💡
- In the Review details page, click Next.
- In the Accept License Agreements page, click Accept, and click Next.
- In the Select name and folder page, give it a name, select a folder, and click Next.
- In the Select storage page, select Thin Provision, select a datastore, and click Next.
- In the Setup networks page, select the network for the appliance. Click Next.
- In the Customize template page, select a time zone, and make a choice regarding Customer Experience Improvement Program.
- Expand Networking Properties.
- DNS and Gateway – In the Networking Properties section, enter the standard DNS and Gateway information.
- According to Install the VMware Identity Manager OVA File at VMware Pubs, the Domain Name and Domain Search Path fields are not used.
- Host Name – Enter a hostname for the first appliance. If you intend to build multiple appliances and load balance them, then each appliance needs a unique name that does not match the load balanced name. If you only want to build one appliance, then the appliance Host Name should match whatever users will use to access Identity Manager.
- IP Address – Enter the IP address that is configured in DNS for the host name. DNS reverse lookup for this IP address must resolve to the appliance Host Name. Click Next.
- In the Ready to complete page, click Finish.
- Power on the appliance.
- Wait for the appliance to power on and fully boot.
- Go to https://im01.corp.local to access the Identity Manager Setup Wizard. Note: you must connect to the DNS name. Connecting to the IP address will cause problems during the database setup process.
- The browser might prevent you from connecting.
- To fix this, go to https://IPAddress/horizon_workspace_rootca.pem. You are only using the IP address temporarily.
- Copy the root certificate and save it to a file.
- Install the root certificate to the Trusted Root Certification Authorities store (either Current User or Local Computer will work).
- Close the browser and reopen it. Then connect the browser using the DNS name again. It should work without certificate errors this time.
- In the Get Started page, click Continue.
- In the Set Passwords page, enter passwords for the three accounts, and click Continue.
- In the Select Database page, change it to External Database. Note: this page will only function properly if your address bar has a DNS name instead of an IP address.
- Enter a JDBC URL similar to the following:
- Enter the credentials for the horizon SQL account and click Test Connection. Then click Continue.
- In the Setup Review page, click the link.
SSH – Enable Root Access
This is optional. Enabling root access lets you use WinSCP to connect to the appliance using root credentials. Instructions can be found at https://blogs.vmware.com/horizontech/2013/03/how-to-enable-ssh-in-horizon-workspace-virtual-appliances.html.
- Putty to the Identity Manager appliance.
- Login as sshuser.
- Run su and enter the root password.
- Scroll down to line 40 (PermitRootLogin).
- Press <i> on the keyboard to change to insert mode.
- Go to the end of the line and change no to yes.
- Press <ESC> to exit insert mode.
- Type :x to save the file and exit.
- Login to the webpage as the admin user.
- You should be on the Identity & Access Management tab.
- On the top right, switch to the Setup view.
- On the left, switch to the User Attributes sub-tab.
- Scroll down. Check the boxes next to distinguishedName and userPrincipalName. Click Save.
- On the top right, switch to the Manage view.
- Click Add Directory > Add Active Directory over LDAP/IWA.
- Change it to Active Directory (integrated Windows Authentication). Note: Domain Controllers are selected at random. You can override this by creating the file domain_krb.properties on the appliance. See About Domain Controller Selection (domain_krb.properties file) at VMware Pubs.
- Enter the Active Directory domain DNS name. Scroll down.
- Enter credentials that can join the appliance to the domain.
- Enter the LDAP Bind credentials. Click Save & Next.
- Select the domains you want to sync, and click Next.
- In the Map User Attributes page, click Next.
- In the Select the Groups page, click the plus icon to add a DN.
- Enter a Base DN in LDAP format, and click Find Groups.
- Click Select.
- Search for your Identity Users group and select it. Don’t select Domain Users. It won’t work.
- Click Next.
- In the Select the Users page, click Next.
- In the Review page, click Edit.
- Select a more frequent sync schedule, and click Save.
- Click Sync Directory.
- You can click the link to view the Sync log.
- You can also click the directory name, and then click Sync log to view the log.
- Sync Settings can be changed by clicking the button on the right.
- Go to Identity & Access Management > Setup > Preferences.
- At the bottom, Identity Manager 2.9.1 lets you optionally hide the Domain Drop-Down menu. Then select the unique identifier that Identity Manager will use to find the user’s domain (typically UPN).
- The user will be prompted to enter the unique identifier.
- You can promote individual users (but not groups) to administrators. In the Admin console, on the top left, click the Users & Groups tab.
- Switch to the Users sub-tab.
- Click a username.
- Scroll down. Change the Role drop-down to Administrator. Click Save.
- On the Appliance Settings tab, on the left, click License.
- On the right, enter the license key, and click Save. A Horizon Advanced or Horizon Enterprise license key will work.
- Use OpenSSL or similar to create the certificate in PEM format. If you have a .pfx, you can use OpenSSL to convert from pkcs12 to PEM. Also use OpenSSL to convert the private key to RSA format.
- On the top, click the Appliance Settings tab.
- On the left, click the VA Configuration node.
- On the right, click Manage Configuration.
- Login as your admin account.
- On the left, click Install Certificate.
- On the right, delete the certificate and key that are currently displayed.
- Paste in the new PEM certificate and RSA private key. Paste every certificate in the chain: server + intermediate + root. Click Save.
- Click OK to restart the appliance.
- After rebooting, if you close the browser and reopen it, the certificate should be valid and trusted.
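The OpenSSL conversion mentioned above (.pfx to PEM certificate, CA chain, and RSA-format private key), with checks that the key matches the certificate and the chain verifies before anything is pasted into Install Certificate. This is an added example, not code from the original post; it assumes the openssl CLI is installed and that the .pfx carries the CA certificates.

```sh
#!/bin/sh
# Convert a .pfx (PKCS#12) export into the pieces the Install Certificate page
# expects: the server certificate, the CA chain, and the private key in RSA
# ("BEGIN RSA PRIVATE KEY") format. Requires the openssl CLI.
set -u

# pfx_to_pem <file.pfx> <pfx-password> <output-dir>
pfx_to_pem() {
  pfx="$1"; pass="$2"; out="$3"
  mkdir -p "$out"
  # Private key, unencrypted (-nodes) so it can be pasted; then rewrite it in the
  # traditional RSA container (OpenSSL 3 needs -traditional, 1.1 does it by default).
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/key.p8.pem"
  openssl rsa -in "$out/key.p8.pem" -traditional -out "$out/key.rsa.pem" 2>/dev/null ||
    openssl rsa -in "$out/key.p8.pem" -out "$out/key.rsa.pem"
  # Server (leaf) certificate only, then the CA certificates (intermediate + root) only
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/server.pem"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/chain.pem"
  # Paste order the page asks for: server, then intermediate, then root
  cat "$out/server.pem" "$out/chain.pem" > "$out/fullchain.pem"
}

# check_pem <output-dir>: key is in RSA format, key really belongs to the
# certificate, and the leaf verifies against the CA certificates from the bundle.
check_pem() {
  out="$1"
  grep -q 'BEGIN RSA PRIVATE KEY' "$out/key.rsa.pem" || return 1
  kmod=$(openssl rsa -in "$out/key.rsa.pem" -noout -modulus)
  cmod=$(openssl x509 -in "$out/server.pem" -noout -modulus)
  [ "$kmod" = "$cmod" ] || return 1
  openssl verify -CAfile "$out/chain.pem" "$out/server.pem" > /dev/null
}

# Usage: sh pfx2pem.sh identity.pfx 'pfx password' ./pem
[ $# -eq 0 ] || { pfx_to_pem "$1" "$2" "$3" && check_pem "$3" && echo "ready to paste: $3/fullchain.pem"; }
```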
- On the top, click the Appliance Settings tab.
- On the left, click the SMTP node.
- On the right, enter your mail server information, and click Save.
- On the top, go to the Identity & Access Management tab.
- On the right, change to the Setup view.
- On the left, click the Connectors sub-tab.
- Click the blue hostname link for the Connector.
- Switch to the Auth Adapters tab. You may enable Kerberos or other authentication adapters from this page by clicking the Adapter Name.
- Kerberos lets users single sign-on to the Identity Manager web page. It only works for Windows clients, and the Identity Manager FQDN must be in Internet Explorer’s Local Intranet zone.
- Enter sAMAccountName as the Directory UID Attribute.
- Check the box next to Enable Windows Authentication and click Save.
- After enabling the adapter, go to Identity & Access Management > Setup > Network Ranges.
- Click Add Network Range.
- Give the Network Range a name.
- Enter an internal IP Range, and click Save.
- Go to Identity & Access Management > Manage > Policies.
- Click the default Policy (default_access_policy_set).
- Click the plus icon to add a Policy Rule.
- Select the Network Range you just created.
- For user is trying to access content from, set it to Web Browser.
- Identity Manager 2.9.1 adds an Edit Groups button to policy rules. This allows different authentication methods for different groups. When enabled, Identity Manager asks the user for username only, and then looks up group membership to determine which authentication methods should be used. See Configuring Access Policy Settings at VMware Pubs.
- Select Kerberos as the first authentication method.
- Select Password as the second authentication method. Click OK.
- Drag the new Policy Rule to move it to the top. Then click Save.
- If you go to Identity & Access Management > Setup > Custom Branding, on the Names & Logos tab you can change the browser’s title and favicon.
- If you then switch to the Sign-In Screen page, you can upload a logo, upload an image, and change colors.
- If you go to Identity & Access Management > Manage > Password Recovery Assistant, you can configure a link to a password recovery tool or change the Forgot password message.
- If you scroll down you can optionally Show detailed message to End User when authentication fails.
- Click Catalog, and then click Settings.
- On the left, click User Portal Branding.
- Make changes to Logos, colors, etc.
TLS 1.0 is disabled in Identity Manager 2.6 and newer. If your load balancer does not support TLS 1.2, then see 2144805 Enabling TLS 1.0 protocol in VMware Identity Manager 2.6. NetScaler MPX/SDX added TLS 1.2 on the back end in 10.5 build 58. NetScaler VPX added TLS 1.2 on the back end in 11.0 build 65.
If you want to build multiple Identity Manager appliances and load balance them using NetScaler, then see http://www.carlstalhood.com/VMware-Identity-Manager-Load-Balancing
For F5 load balancing, see EUC CST Tech Notes – IDM Steps by steps 3 node cluster – v4.pdf at VMware Communities
View Administrator – Enable SAML Authentication
- Login to View Administrator.
- On the left, under View Configuration, click Servers.
- On the right, switch to the Connection Servers tab.
- Select a Connection Server, and click Edit.
- On the Authentication tab, change Delegation of authentication to VMware Horizon to Allowed.
- Click Manage SAML Authenticators.
- Click Add.
- In the Label field, enter a descriptive label.
- In the Metadata URL field, enter the Identity Manager FQDN.
- In the Administration URL field, enter the Identity Manager FQDN, and click OK.
- If you see a certificate error, click View Certificate, and then click Accept.
- Or click OK if the server’s identity was verified.
- Click OK to close the Manage SAML Authenticators window.
- Horizon 7.2 adds a Workspace ONE mode, which forces all Horizon Clients to connect through Identity Manager instead of directly to the Connection Servers. Delegation must be set to Required before Workspace ONE mode can be enabled.
- The Horizon Administrator dashboard shows you the status of the SAML Authenticator.
Identity Manager – Enable View Pools
Separate Horizon View Connection Server groups (e.g. multi-datacenter) can be configured in failover order. See Configure Failover Order of Horizon View and Citrix-based Resources at VMware Pubs.
- Back in the Identity Manager Admin Portal, go to Catalog > Application Catalog.
- Click Manage Desktop Applications, and click Horizon View On-Premises.
- Click one of the connectors.
- Check the box next to Enable Horizon View Applications and Desktops.
- Enter the address of a Horizon Connection Server (or load balanced FQDN). Note: reverse IP lookup must be functional for this DNS name.
- Enter View Administrator credentials in userPrincipalName format. The account needs at least Read Only Administrator access to Horizon.
- Notice the link to Add Horizon Pod. This is for Cloud Pod Architecture.
- Deployment Type can be Automatic or User-Activated. User-Activated means users have to go to the App Center to add the icons to the My Apps portal.
- Specify the Viewpool sync frequency, and click Save. New pools created in Horizon Administrator don’t show up in Identity Manager until a sync is performed.
- Near the top of the screen you might see red text. Click Invalid SSL Cert.
- In the Certificate Information page, click Accept.
- Near the bottom of the page click Sync Now. Note: whenever you make a change to the pools in View Administrator, you must either wait for the next automatic Sync time, or you can return to this screen and click Sync Now.
- If sync fails, see VMware 2091744 Synchronizing VMware Horizon View Pool in Workspace Portal fails with the error: Failed to complete View sync due to a problem with the View Connection Server.
- Then click Save and Continue. Note: whatever groups are entitled to Horizon Pools and Applications must also be synced (Active Directory) with Identity Manager.
- In the Identity Manager Admin console, on the Catalog tab, you can see the View icons. Only the pools in the root Access Group are synced.
- Click an icon and make sure entitlements are listed. Only AD groups synced to Identity Manager will be displayed. Domain Users won’t sync to Identity Manager, so entitle the pools to some other AD group. If you make changes in Horizon Administrator, then manually resync the connector.
- If you check the box next to one of the icons, you can place the icon in a Category by clicking the Categories button near the top right and entering a category name.
- If an existing category doesn’t match your needs, enter a new category name and click Add.
- Then check the box next to the new category.
- The category is then displayed next to the catalog item.
Identity Manager – Horizon URLs
- In the Identity Manager administrator interface, go to Identity & Access Management > Setup > Network Ranges.
- You can edit the default range or add a new range.
- Specify the Horizon URL for the IP range. You can have different Horizon Client Access URLs for different IP ranges (e.g. internal vs external). For external users, the URL points to Access Points or Horizon Security Servers.
Identity Manager User Portal
- When a user logs in to the Identity Manager web page the pool icons will be displayed.
- You can open a pool with either the Horizon Client or a browser. On the top right, click your name, and click Settings.
- On the left, click Preferences.
- Make your choice and click Save.
- To mark an icon as a Bookmark, click the bookmark icon next to each app.
- Or click an app icon to open the app’s Description page, and then click Bookmark.
- Then you can click the Bookmarks tab to display only icons that are marked as Bookmarks.
- If you enabled categories, they are listed in the left side of the page. Only the icons in that category are displayed.