Published: 2020-07-15 on the PowerShell Gallery
THE CURRENT VERSION OF THE SCRIPT WILL ONLY WORK WITH THE 20.x CONNECTOR BUT NOT WITH 21.x, BECAUSE VMWARE CHANGED THE WHOLE PROGRAM STRUCTURE. I WILL PROVIDE A FIX SHORTLY.
What it does
Creates a correct KEYTAB file and AD user for the Workspace ONE Access (formerly vIDM) connector that needs to provide Kerberos authentication in a multi-domain or cross-domain scenario.
Where to run
The prerequisites are the same as for the original VMware script:
- complete the Kerberos configuration on the appliance prior to executing
- run it on the connector machine (from a location of your choice, it will determine the location of the connector installation)
- run it as a user with (a) local admin rights and (b) permission to create users in the domain where the connector machine is a member
- run it elevated
Logs are fairly verbose and written to your %TEMP%. Use -LogToConsole to get coloured output.
An aside on Load Balancing
My first thought while developing this script was that we would need to provide principal names for multiple instances and a load balancing name as well in the KeyTab. But then I learned that Kerberos load balancing works differently in Workspace ONE Access. Just create a principal for each connector instance; the load balancing FQDN is not important in the context of Kerberos.
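The steps the script automates, and the "one principal per connector instance" rule above, as an added PowerShell example. This is not the script published on this page nor VMware's own setup script; it assumes the ActiveDirectory module and ktpass.exe are available, that it runs elevated on a domain-joined machine, and that the realm, connector hostnames and output path (all placeholders) are replaced with real values. It creates one service account and one HTTP/<fqdn> principal per connector, merges them into a single keytab, refuses to continue on a duplicate SPN, and restricts the resulting file to administrators, since the keytab is equivalent to the account's long-term key.

```powershell
# Added example, not the page's script: one AD service account and one
# HTTP/<fqdn> principal per Workspace ONE Access connector, merged into a
# single keytab. Realm, hostnames and output path below are placeholders.
Import-Module ActiveDirectory

$Realm      = 'CORP.EXAMPLE.COM'                                  # placeholder realm
$Connectors = @('ws1conn01.corp.example.com',                      # placeholder hosts
                'ws1conn02.corp.example.com')
$KeytabPath = Join-Path $env:TEMP 'ws1access.keytab'

if (Test-Path $KeytabPath) { Remove-Item $KeytabPath -Force }

foreach ($Fqdn in $Connectors) {
    $Short = ($Fqdn -split '\.')[0]
    $Sam   = "svc-krb-$Short"            # service account name, hypothetical naming scheme
    $Spn   = "HTTP/$Fqdn"

    # A duplicate SPN breaks Kerberos for both hosts silently; stop before creating anything.
    $query = setspn -Q $Spn 2>&1
    if ($query -match 'Existing SPN found') {
        throw "SPN $Spn is already registered in the forest:`n$query"
    }

    # Initial password only satisfies the enable-on-create policy; ktpass replaces it below.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name $Sam -SamAccountName $Sam -AccountPassword $initial -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -KerberosEncryptionType AES256 `
        -Description "Kerberos service account for Workspace ONE Access connector $Fqdn"

    # ktpass maps the SPN to the account, sets a fresh random password (+rndpass) and
    # writes the AES256 key; /in merges the entries already written for earlier connectors.
    $newKeytab = "$KeytabPath.new"
    $ktArgs = @('/princ', "$Spn@$Realm",
                '/mapuser', "$Sam@$Realm",
                '/mapop', 'set',
                '/crypto', 'AES256-SHA1',
                '/ptype', 'KRB5_NT_PRINCIPAL',
                '+rndpass',
                '/out', $newKeytab)
    if (Test-Path $KeytabPath) { $ktArgs += @('/in', $KeytabPath) }

    & ktpass.exe @ktArgs
    if ($LASTEXITCODE -ne 0) { throw "ktpass failed for $Spn (exit code $LASTEXITCODE)" }
    Move-Item -Path $newKeytab -Destination $KeytabPath -Force

    # Confirm the SPN landed on the intended account.
    $registered = setspn -L $Sam 2>&1
    if ($registered -notmatch [regex]::Escape($Spn)) {
        throw "SPN $Spn is not listed on $Sam after ktpass"
    }
    Write-Host "Added principal $Spn@$Realm (account $Sam) to $KeytabPath"
}

# The keytab holds the accounts' long-term keys: administrators only until it is
# uploaded to the appliance, then delete the local copy.
icacls $KeytabPath /inheritance:r /grant:r 'Administrators:(R)' | Out-Null
Write-Host "Keytab ready: $KeytabPath"
```

The ktpass flags used here (/princ, /mapuser, /mapop, /crypto, /ptype, +rndpass, /in, /out) are the documented ones; if your domain still has hosts that cannot use AES, add the required types via /crypto rather than falling back to All. Because ktpass rotates the password, anything else relying on the same account stops working, which is one more reason to keep one dedicated account per connector.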