WS1 Kerberos Principal

Script: New-WSOneKerberosPrincipal.ps1

Published: 2020-07-15 on the PowerShell Gallery

More on my blog: https://it-pro-berlin.de/2020/07/workspace-one-access-setting-up-kerberos-in-a-multi-domain-environment/

THE CURRENT VERSION OF THE SCRIPT WILL ONLY WORK WITH THE 20.x CONNECTOR BUT NOT WITH 21.x, BECAUSE VMWARE CHANGED THE WHOLE PROGRAM STRUCTURE. I WILL PROVIDE A FIX SHORTLY.

What it does

Creates a correct KEYTAB file and AD user for the Workspace ONE Access (formerly vIDM) connector that needs to provide Kerberos authentication in a multi-domain or cross-domain scenario.

Where to run

The prerequisites are the same as for the original VMware script:

  • complete the Kerberos configuration on the appliance prior to executing
  • run it on the connector machine (from a location of your choice; it will determine the location of the connector installation itself)
  • run it as a user with (a) local admin rights and (b) permission to create users in the domain of which the connector machine is a member
  • run it elevated

Logs are fairly verbose and written to your %TEMP% directory. Use -LogToConsole to get coloured console output as well.

An aside on Load Balancing

My first thought while developing this script was that we would need to provide principal names for multiple instances, plus the load balancing name, in the KeyTab. But then I learned that Kerberos load balancing works differently in Workspace ONE Access: just create a principal for each connector instance; the load balancing FQDN is not important in the context of Kerberos.