Edwin de Bruin

Imprivata and the Kerberos Keytab file

When using VMware Horizon, VMware Workspace ONE Access, True SSO and Imprivata together, you need to enable Kerberos authentication within Imprivata. For this to work you also need to create a keytab file. In this blog I will explain how to create one, and as a bonus: can we use a custom account for this instead of the default account created by the tool?

Imprivata has a built-in utility to facilitate this: ISXKerbUtil.exe. Normally you can find this utility in the OneSign Agent install directory (in my case: C:\Program Files (x86)\Imprivata\OneSign Agent).

So what are the steps, and what will this utility do?

  • Run a command prompt as a Domain Admin on a client that has the Imprivata OneSign Agent installed.

  • First I always check that the SPN is not already in use. The utility will later create an SPN of the form host/ssohost4kerberos.<domain FQDN>, for example: host/ssohost4kerberos.lab.domain.com

The command to test whether the SPN exists:

SetSPN -F -Q host/ssohost4kerberos.lab.domain.com

The command should respond: "No such SPN found."

  • Go to the installation folder of the OneSign Agent and run ISXKerbUtil.exe.

  • Connect to a domain controller; enter the credentials with the full FQDN.

  • Verify the Imprivata server credentials.

  • Enter the password for the keytab file and for the user that will be created.

  • The utility validates that the required SPN host/ssohost4kerberos.lab.domain.com does not already exist (change this to match the FQDN of your domain).

  • It creates the user "ssoKerberos", sets its password, and registers the SPN from the check above on this account.

  • It changes the password of this user to the password you entered.

  • It generates the keytab file.

  • Upload the keytab file to the Imprivata appliance.

That's it!

Check again whether the SPN exists; this time it is found. Success!

And in Active Directory you will find the user:


I got a question about where to enable Kerberos authentication within Imprivata. You can enable this in the Computer Policy. Here is an example of where to enable it in the Default Computer Policy:

But wait! There is more!

In a recent project, a very respected customer stated: good stuff, but the created "ssoKerberos" user does not comply with their naming convention. Can we use a custom account?

Well, ehm, good question (again ;-))... This was new to me; I had read somewhere that it should be possible. Imprivata, through a support ticket, pointed us to the procedure. Let's validate that one!

Result: it works... bye!

Joking. The described procedure is a bit cryptic, so here are the steps:

  1. Create the new user (no spaces allowed in the name!). Check "Password never expires" and leave "User cannot change password" unchecked.

Now we need to assign the SPN "host/ssohost4kerberos.lab.domain.com" (where the last part is the FQDN of your domain, of course...) to this account.

The command is:

SetSPN -U -S host/ssohost4kerberos.lab.domain.com CustomKerberosSSO

Of course... always validate. The command to test whether the SPN is created:

SetSPN -F -Q host/ssohost4kerberos.lab.domain.com

Now run the ISXKerbUtil procedure again (scroll to the beginning of this blog if you already forgot how to...). You will notice one difference: it will find the existing SPN and will update the account attached to it.

And that's it!
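The pre-steps of the custom-account procedure above (create the user, bind the SPN, validate) together with the duplicate-SPN check from the first part of this blog, as an added PowerShell example that is not part of the original post and not Imprivata's own code. It assumes the RSAT ActiveDirectory module is installed, that you run it as a Domain Admin, and uses the placeholder account name CustomKerberosSSO and domain lab.domain.com; change the parameters to match your environment. It stops before the ISXKerbUtil step, which you still run by hand.

```powershell
# Added example (not from the original post or from Imprivata): pre-create a custom
# Kerberos account and bind the ISXKerbUtil SPN to it, then validate, before running the tool.
# Assumptions: RSAT ActiveDirectory module present, run as Domain Admin,
# account name / domain / OU below are placeholders.
#Requires -Modules ActiveDirectory

param(
    [string]$AccountName = 'CustomKerberosSSO',   # placeholder; must contain no spaces
    [string]$DomainFqdn  = 'lab.domain.com',      # placeholder; your AD domain FQDN
    [string]$OuPath      = ''                     # optional, e.g. 'OU=Service Accounts,DC=lab,DC=domain,DC=com'
)

# ISXKerbUtil creates SPNs of the form host/ssohost4kerberos.<domain FQDN>
$spn = "host/ssohost4kerberos.$DomainFqdn"

# ISXKerbUtil fails without producing a keytab when the account name contains spaces,
# so refuse such names before touching the directory.
if ($AccountName -match '\s') {
    throw "Account name '$AccountName' contains whitespace; ISXKerbUtil will not generate a keytab."
}

# Step 0: same check as the blog. -F searches the whole forest, -Q queries the exact SPN.
# If another object already owns this SPN, Kerberos tickets would be issued for the wrong key.
$query = (& setspn.exe -F -Q $spn 2>&1 | Out-String)
if ($query -notmatch 'No such SPN found') {
    throw "SPN $spn is already registered somewhere in the forest:`n$query"
}

# Step 1: create the user. 'Password never expires' checked and 'User cannot change
# password' unchecked, exactly as in the manual procedure. The keytab is derived from
# this password, so it is the secret you are really provisioning here.
$password = Read-Host -Prompt "Password for $AccountName" -AsSecureString
$userParams = @{
    Name                 = $AccountName
    SamAccountName       = $AccountName
    UserPrincipalName    = "$AccountName@$DomainFqdn"
    AccountPassword      = $password
    Enabled              = $true
    PasswordNeverExpires = $true
    CannotChangePassword = $false
}
if ($OuPath) { $userParams['Path'] = $OuPath }
New-ADUser @userParams

# Step 2: bind the SPN to the account. -U says the target is a user account;
# -S adds the SPN only after verifying that no duplicate exists in the forest.
$result = (& setspn.exe -U -S $spn $AccountName 2>&1 | Out-String)
if ($LASTEXITCODE -ne 0) {
    throw "setspn failed:`n$result"
}

# Step 3: validate. A forest-wide LDAP query for the SPN must return exactly one
# object, and it must be our account. This is the same check as 'setspn -F -Q', done
# in a way the script can assert on.
$owner = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
if ($owner.Count -ne 1 -or $owner[0].sAMAccountName -ne $AccountName) {
    throw "SPN $spn is not bound to $AccountName as expected (found $($owner.Count) object(s))."
}

Write-Host "OK: $spn is registered on $($owner[0].DistinguishedName)"
Write-Host "Now run ISXKerbUtil.exe; it will find the existing SPN and update this account."
```

The script throws on every failure it can detect (whitespace in the name, an SPN that is already taken, a non-zero setspn exit code, or a validation query that does not return exactly our account), so that you never arrive at ISXKerbUtil with a half-configured account. Run it from an elevated PowerShell session on a domain-joined machine with RSAT installed.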

A couple of remarks:

  • Don't use spaces in the account name... you will get a "mixed feelings" error and no keytab file... so: fail.

  • The keytab file contains the long-term key of the Kerberos account, so treat it as a secret: upload it to the appliance and remove any local copies afterwards.

  • The keytab is derived from the account's password. That is why "Password never expires" is checked; if the password is ever changed or reset, the existing keytab stops working and you have to generate and upload a new one.

Any question, remarks? Please let me know!
