Configure Kerberos for a domain which is different from the vRealize Automation virtual appliance
Article ID: 325910
Products
VMware Aria Suite
Issue/Introduction
Symptoms:
After a vRealize Automation appliance is joined to a domain whose name differs from the appliance's own FQDN domain, and an Active Directory over Integrated Windows Authentication (AD over IWA) directory is created and configured with Kerberos, Kerberos authentication fails.
Users are not signed in automatically when they open the tenant portal login page; they are prompted for a password instead.
Error messages similar to the following appear in /var/log/vmware/horizon/connector.log:
Kerberos authentication failed, falling back to NTLM authentication
Connectors may be missing from the tenant portal Directories Management > Connectors page.
Currently there is no resolution for this issue. This issue can impact all versions of vRealize Automation 7.x with embedded VMware Identity Manager. See the workaround below for further information.
Workaround: When an AD over IWA directory is first created, the connector is initialized and joined to the corresponding domain using the appliance's FQDN at that time. If the FQDN of the vRA appliance is later changed, the connector's identity no longer matches the name it was joined with, and Kerberos authentication fails. The FQDN must be changed back to the original hostname.
If a disjointed namespace must be used, deploy external connectors that are not in the disjointed namespace (the connector hostname matches the Active Directory domain realm), so that Kerberos logins for users continue to work.
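The two conditions the workaround describes (a connector whose FQDN changed after the domain join, and a connector whose DNS suffix does not match the AD domain realm) can be checked before users hit the NTLM fallback. The following is an added diagnostic example, not VMware's code; the hostnames, realm and log lines are constructed samples, and only the log message text is taken from the article.

```python
"""Check a connector for the disjoint-namespace Kerberos condition and
count NTLM fallbacks in connector.log lines (added example, not VMware code)."""
from typing import List

# Message quoted in the article; everything else in the sample lines is constructed.
KERBEROS_FALLBACK = "Kerberos authentication failed, falling back to NTLM authentication"


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop surrounding whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def dns_domain(fqdn: str) -> str:
    """Return the DNS suffix of an FQDN ('vra01.corp.example.com' -> 'corp.example.com')."""
    return normalize(fqdn).partition(".")[2]


def is_disjoint(connector_fqdn: str, ad_domain: str) -> bool:
    """True when the connector's DNS suffix differs from the AD domain realm."""
    return dns_domain(connector_fqdn) != normalize(ad_domain)


def check_connector(joined_fqdn: str, current_fqdn: str, ad_domain: str) -> List[str]:
    """Return finding codes for the two failure conditions the article names.

    joined_fqdn  - appliance FQDN at the time the AD over IWA directory was created
    current_fqdn - appliance FQDN now (hypothetical value read from the appliance)
    ad_domain    - DNS name of the Active Directory domain the connector joined
    """
    findings = []
    if normalize(joined_fqdn) != normalize(current_fqdn):
        # Hostname changed after the join: revert to joined_fqdn per the workaround.
        findings.append("hostname-changed-after-join")
    if is_disjoint(current_fqdn, ad_domain):
        # Disjoint namespace: use an external connector whose suffix matches ad_domain.
        findings.append("disjoint-namespace")
    return findings


def count_ntlm_fallbacks(log_lines: List[str]) -> int:
    """Count connector.log lines reporting the Kerberos-to-NTLM fallback."""
    return sum(1 for line in log_lines if KERBEROS_FALLBACK in line)


# Constructed sample log excerpt (timestamps and thread names are made up).
SAMPLE_LOG = [
    "2020-01-01 10:00:01,001 INFO  (tomcat-1) Processing IWA login for jdoe",
    "2020-01-01 10:00:01,045 WARN  (tomcat-1) " + KERBEROS_FALLBACK,
    "2020-01-01 10:00:02,110 INFO  (tomcat-2) Processing IWA login for asmith",
    "2020-01-01 10:00:02,160 WARN  (tomcat-2) " + KERBEROS_FALLBACK,
]
```

A result such as `['hostname-changed-after-join', 'disjoint-namespace']` alongside a non-zero fallback count points at the condition this article describes rather than at a user's credentials.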