When you configure Kerberos for Horizon Workspace, you must consider many different components. Configuring Kerberos for the Connector involves installation, and possibly configuration tasks.

Kerberos authentication provides another layer of security for your Horizon Workspace deployment.

You do not need to directly configure Active Directory to make Kerberos function with your Horizon Workspace deployment.

After you install the Connector, you use the Connector Web interface to enable the Connector to use Kerberos authentication. To enable the Connector, you must first join the domain on the Join Domain page and then enable Windows Authentication on the Windows Authentication page.

You can configure the join domain functionality in the Connector on the Join Domain tab. You must enable join domain functionality to provide single sign-on to the Web interface using Windows authentication (Kerberos).

The Active Directory information that you provide for the Join Domain page is for the user who has permission to join machines to the Active Directory domain.

Active Directory Information

Option

Description

AD FQDN

The text box for the fully qualified domain name of an Active Directory instance. The domain name you enter must be the same Windows domain where the Connector resides.

AD Username

The text box for the username associated with the user account that has permission to join machines to the Active Directory domain.

AD Password

The text box for the password associated with the user account that has permission to join machines to the Active Directory domain.

Join Domain/Leave Domain

The button to join and leave the domain. The wording on the button changes to and from Join Domain and Leave Domain depending on whether you last joined or left the domain.

You can enable Windows authentication (Kerberos) in the Connector on the Windows Auth tab. You must enable Windows authentication to allow the Kerberos protocol to secure interactions between users' browsers and Horizon Workspace.

Prior to enabling Windows authentication on this page, you must join the Connector to the Active Directory domain on the Join Domain page.

Windows Authentication Information

Option

Description

Enable Windows Authentication

The check box to extend authentication interactions between users' browsers and Horizon Workspace.

Currently, interactions between a user's browser and Horizon Workspace are authenticated by Kerberos on the Windows operating systems only. Accessing Horizon Workspace from other operating systems does not take advantage of Kerberos authentication.

The following browsers can support Horizon Workspace, on Windows only, during Kerberos authentication: Firefox, Internet Explorer, and Chrome. All the browsers require additional configuration.

You must configure the Internet Explorer browser if Kerberos is configured for your Horizon Workspace deployment and if you want to grant users access to the Web interface using Internet Explorer.

You must configure the Firefox browser if Kerberos is configured for your Horizon Workspace deployment and if you want to grant users access to the Web interface using Firefox.

You must configure the Chrome browser if Kerberos is configured for your Horizon Workspace deployment and if you want to grant users access to the Web interface using the Chrome browser.