The Flow: Microsoft 365 federated with VMware Access when using the Kerberos Connector

On a recent project a customer is moving it’s on-premises Exchange to Exchange Online.

We decided VMware Access is the IDP for Microsoft 365.

Well federated the Microsoft tenant with VMware Access and to get single sign on from the Horizon Instant Clones we are going to use the VMware Kerberos connector. So created and installed the necessary components configured the Conditional Access policies... and we have single sign on!

Awesome!

While explaining the flow to some people at the coffee machine I received faces like this:

Maybe it I did not choose the right words… maybe I talked to fast... Let’s draw a quick picture with the steps to help explain!

So, what happens when the user is opening like Microsoft Outlook and is not yet authenticated to Microsoft 365?

Outlook will start a connection to Exchange Online

1. The configured user domain is federated to VMware Access so the responds is to go to VMware Access for the authentication ticket. Please come back when you have one!

2. A session is started to VMware Access. In the conditional Access Policies in VMware Access is defined that the clients coming from a defined IP address needs to authenticate with Kerberos at the defined Kerberos Connector.

3. So, the response from VMware Access: please go to the Kerberos Connector at this defined address (Example: Connector.internaldomain.net)

4. The defined address is a load balanced VIP.

5. This VIP will direct to one of the VMware Access Connectors where the Kerberos Connector services are configured.

6. The Connector will respond with its direct FQDN.

7. (Just going from VIP to client)

8. Now the client will go DIRECTLY to the Kerberos Connector (so not over the VIP, this because we enabled Redirect in the Kerberos connector configuration in Access, a requirement when using multiple connectors and yes you do want high availability)

9. The connector will authenticate the user to Active Directory

10. When authentication succeeds.

11. Login to VMware access granted!

12. Authentication ticket generated.

13. Presented to Exchange Online

And the user is logged in!

I hope this will explain the flow a little better! I know this looks like a lot of steps, but the user hardly sees anything. In the used example of Outlook just a little popup box with some redirects for a couple of seconds. Real awesomeness never shows. For the end user it just needs to work!

Don’t hesitate to contact me if I need to clarify something or if you might have any questions!