After the VMware Identity Manager OVA is deployed, you use the Setup wizard to set passwords and select a database. Then you set up the connection to Active Directory.

The VMware Identity Manager virtual appliance is powered on.

If you are using an external database, the external database is configured and the external database connection information is available. See Connecting to the Database for information.

Review Integrating with Active Directory for information about the Active Directory configuration.

You have your Active Directory information.

When multi-forest Active Directory is configured and a Domain Local group contains members from domains in other forests, the Bind DN user that you enter on the VMware Identity Manager Directory page must be a member of the Administrators group of the domain in which the Domain Local group resides. If it is not, those cross-forest members are missing from the Domain Local group after sync. Because this membership gives the bind account administrative rights in that domain, treat its password as a privileged credential and do not reuse the account for any other purpose.

You have a list of the Active Directory user attributes you want to use as filters, and a list of the groups you want to add to VMware Identity Manager.

1

Go to the VMware Identity Manager URL that is shown on the blue screen in the Console tab. For example, https://hostname.example.com.

2

Accept the certificate, if prompted. The appliance presents a self-signed certificate at this stage, so the browser warning is expected. Accept it only when you reached the appliance over the network on which you deployed it, and replace the certificate with one issued by your own CA after setup is complete.

3

In the Get Started page, click Continue.

4

In the Set Passwords page, set passwords for the following administrator accounts, which are used to manage the appliance, then click Continue.

Appliance Administrator

Set the password for the admin user. This user name cannot be changed. The admin user account is used to manage the appliance settings.

Important

The admin user password must be at least 6 characters in length. That is only the minimum the wizard enforces. All three accounts on this page give full control of the appliance, so set a long, unique password for each and store them in your privileged-credential vault.

Appliance Root

Set the root user password. The root user has full rights to the appliance.

Remote User

Set the sshuser password, which is used to log in remotely to the appliance with an SSH connection.

5

In the Select Database page, select the database to use.

See Connecting to the Database for more information.

If you are using an external database, select External Database and enter the external database connection information, user name, and password. To verify that VMware Identity Manager can connect to the database, click Test Connection.

After you verify the connection, click Continue.

If you are using the internal database, click Continue.

The connection to the database is configured and the database is initialized. When the process is complete, the Setup is complete page appears.

6

Click the Log in to the administration console link on the Setup is complete page to log in to the administration console to set up the Active Directory connection.

7

Log in to the administration console as the admin user, using the password you set.

You are logged in as a Local Admin. The Directories page appears. Before you add a directory, review Integrating with Active Directory for information about Active Directory environments and requirements.

8

Click the Identity & Access Management tab.

9

Click Setup > User Attributes to select the user attributes to sync to the directory.

Default attributes are listed and you can select the ones that are required. You can also add other attributes.

Important

After a directory is created, you cannot change an attribute to be a required attribute. You must make that selection now.

Important

If you plan to sync XenApp resources to VMware Identity Manager, you must make distinguishedName a required attribute.

10

Click Save.

11

Click the Identity & Access Management tab, and, in the Directories page, click Add Directory.

12

Enter a name for the directory you are creating in VMware Identity Manager and select the type of directory, either Active Directory over LDAP or Active Directory (Integrated Windows Authentication).

13

Configure the connection information for the directory type you selected.

Active Directory over LDAP

a

In the Sync Connector field, select the connector you want to use to sync users and groups from Active Directory to the VMware Identity Manager directory.

A connector component is always available with the VMware Identity Manager service by default. This connector appears in the drop-down list. If you install multiple VMware Identity Manager appliances for high availability, the connector component of each appears in the list.

b

In the Authentication field, if you want to use this Active Directory to authenticate users, click Yes.

If you want to use a third-party identity provider to authenticate users, click No. After you configure the Active Directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.

c

In the Directory Search Attribute field, select the account attribute that contains the user name, for example sAMAccountName or userPrincipalName.

d

If the Active Directory uses DNS Service Location lookup, make the following selections.

In the Server Location section, select the This Directory supports DNS Service Location checkbox.

A domain_krb.properties file, auto-populated with a list of domain controllers, will be created when the directory is created. See About Domain Controller Selection (domain_krb.properties file) .

If the Active Directory requires STARTTLS encryption, select the This Directory requires all connections to use STARTTLS check box in the Certificates section and copy and paste the Active Directory Root CA certificate into the SSL Certificate field. The connector validates the domain controllers' certificates against this CA, so it must be the root of the chain that issued them.

Ensure the certificate is in PEM format and include the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

Note

If the Active Directory requires STARTTLS and you do not provide the certificate, you cannot create the directory.

e

If the Active Directory does not use DNS Service Location lookup, make the following selections.

In the Server Location section, verify that the This Directory supports DNS Service Location checkbox is not selected and enter the Active Directory server host name and port number.

To configure the directory as a global catalog, see the Multi-Domain, Single Forest Active Directory Environment section in Active Directory Environments.

If the Active Directory requires access over SSL, select the This Directory requires all connections to use SSL check box in the Certificates section and copy and paste the Active Directory Root CA certificate into the SSL Certificate field. Unless this check box is selected, the connector binds over plaintext LDAP (port 389 by default), and the Bind DN password and every synced attribute cross the network unencrypted; require SSL (LDAPS, port 636 by default) wherever the domain controllers support it.

Ensure the certificate is in PEM format and include the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

Note

If the Active Directory requires SSL and you do not provide the certificate, you cannot create the directory.

f

In the Base DN field, enter the DN from which to start account searches. For example, OU=myUnit,DC=myCorp,DC=com.

g

In the Bind DN field, enter the account that can search for users. For example, CN=binduser,OU=myUnit,DC=myCorp,DC=com. Use a dedicated service account with read access to the Base DN rather than a personal or domain administrator account; the connector stores this password and reuses it for every scheduled sync.

h

After you enter the Bind password, click Test Connection to verify that the directory can connect to your Active Directory.

Active Directory (Integrated Windows Authentication)

a

In the Sync Connector field, select the connector you want to use to sync users and groups from Active Directory to the VMware Identity Manager directory.

A connector component is always available with the VMware Identity Manager service by default. This connector appears in the drop-down list. If you install multiple VMware Identity Manager appliances for high availability, the connector component of each appears in the list.

b

In the Authentication field, if you want to use this Active Directory to authenticate users, click Yes.

If you want to use a third-party identity provider to authenticate users, click No. After you configure the Active Directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.

c

In the Directory Search Attribute field, select the account attribute that contains the user name, for example sAMAccountName or userPrincipalName.

d

If the Active Directory requires STARTTLS encryption, select the This Directory requires all connections to use STARTTLS checkbox in the Certificates section and copy and paste the Active Directory Root CA certificate into the SSL Certificate field.

Ensure the certificate is in PEM format and include the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

If the directory has multiple domains, add the Root CA certificates for all domains, one at a time.

Note

If the Active Directory requires STARTTLS and you do not provide the certificate, you cannot create the directory.

e

Enter the name of the Active Directory domain to join, and a user name and password that have the rights to join the domain. See Joining a Domain for more information. These credentials are used for the domain join; the account that syncs users is the Bind User that you enter next.

f

In the Bind User UPN field, enter the User Principal Name of the user who can authenticate with the domain. For example, username@example.com.

g

Enter the password of the Bind User.
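Before pasting a certificate into the SSL Certificate field in step 13 (either directory type), it is worth checking what the file actually contains: that it is PEM with BEGIN CERTIFICATE and END CERTIFICATE lines, how many certificates it holds (the Integrated Windows Authentication case needs one root CA per domain), and whether each one is a self-issued root CA rather than an intermediate or a domain controller's own certificate. The following Python script is an added example, not part of the VMware documentation or product; it uses only the standard library and walks the DER structure directly. The sample bundle it checks is built inside the script from unsigned certificate skeletons so that it runs offline; the names Corp Root CA and dc01.corp.example.com are invented.

```python
"""Pre-check a CA bundle before pasting it into the SSL Certificate field.

Confirms PEM framing, decodes every block as DER, and reports whether each
certificate is self-issued (issuer == subject), i.e. a root CA rather than an
intermediate or a domain controller's own certificate. Standard library only."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"        # id-at-commonName (2.5.4.3)
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
OID_RSA_ENCRYPTION = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the size of the length field
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, pos, pos + length, pos + length


def common_name(name):
    """CN from a DER Name value: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    pos = 0
    while pos < len(name):
        _, rdn_start, rdn_end, pos = read_tlv(name, pos)            # one RDN (SET)
        p = rdn_start
        while p < rdn_end:
            _, atv_start, _, p = read_tlv(name, p)                   # AttributeTypeAndValue
            _, oid_start, oid_end, q = read_tlv(name, atv_start)     # attribute type OID
            _, val_start, val_end, _ = read_tlv(name, q)             # attribute value
            if name[oid_start:oid_end] == OID_COMMON_NAME:
                return name[val_start:val_end].decode("utf-8", "replace")
    return None


def issuer_and_subject(der):
    """Walk Certificate -> tbsCertificate and return the raw issuer and subject Name values."""
    tag, start, end, _ = read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE (is this really a certificate?)")
    tag, pos, _, _ = read_tlv(der, start)                 # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _, _, after = read_tlv(der, pos)
    if tag == 0xA0:                                       # optional [0] EXPLICIT version
        pos = after
    _, _, _, pos = read_tlv(der, pos)                     # serialNumber
    _, _, _, pos = read_tlv(der, pos)                     # signature AlgorithmIdentifier
    _, i_start, i_end, pos = read_tlv(der, pos)           # issuer Name
    _, _, _, pos = read_tlv(der, pos)                     # validity
    _, s_start, s_end, _ = read_tlv(der, pos)             # subject Name
    return der[i_start:i_end], der[s_start:s_end]


def check_bundle(text):
    """One report entry per PEM block; a bundle with no certificate block is rejected."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no BEGIN CERTIFICATE / END CERTIFICATE block: convert DER to PEM, "
                         "and paste certificates, not keys")
    report = []
    for index, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            issuer, subject = issuer_and_subject(der)
            report.append({"index": index, "subject": common_name(subject),
                           "issuer": common_name(issuer), "self_issued": issuer == subject})
        except (ValueError, IndexError) as exc:          # binascii.Error is a ValueError
            report.append({"index": index, "error": str(exc)})
    return report


# --- constructed sample input: unsigned certificate skeletons, not real certificates ---
def der(tag, content):
    """Minimal DER encoder, used only to build the samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def sample_cert(issuer_cn, subject_cn):
    """X.509 skeleton with dummy key and signature bits, wrapped in PEM."""
    def name(cn):
        return der(0x30, der(0x31, der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))))
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + name(issuer_cn)
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z")) + name(subject_cn)
              + der(0x30, der(0x30, der(0x06, OID_RSA_ENCRYPTION)) + der(0x03, b"\x00" * 9)))
    body = base64.encodebytes(der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 17))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (sample_cert("Corp Root CA", "Corp Root CA")              # a root: what the wizard wants
                 + sample_cert("Corp Root CA", "dc01.corp.example.com"))  # a DC certificate: not a root

if __name__ == "__main__":
    for entry in check_bundle(SAMPLE_BUNDLE):
        print(entry)
```

An entry whose self_issued value is False is an intermediate or an end-entity certificate and is not what the Root CA field asks for. With OpenSSL at hand, `openssl x509 -in ca.pem -noout -subject -issuer` gives the same answer for the first certificate in a file; a root CA shows identical subject and issuer.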

14

Click Save & Next.

The page with the list of domains appears.

15

For Active Directory over LDAP, the domains are listed with a check mark.

For Active Directory (Integrated Windows Authentication), select the domains that should be associated with this Active Directory connection.

Note

If you add a trusting domain after the directory is created, the service does not automatically detect the newly trusting domain. To enable the service to detect the domain, the connector must leave and then rejoin the domain. When the connector rejoins the domain, the trusting domain appears in the list.

Click Next.

16

Verify that the VMware Identity Manager directory attribute names are mapped to the correct Active Directory attributes. If not, select the correct Active Directory attribute from the drop-down list. Click Next.

17

Click + to select the groups you want to sync from Active Directory to the VMware Identity Manager directory.

The Sync nested group users option is enabled by default. When this option is enabled, all the users that belong directly to the group you select as well as all the users that belong to nested groups under it are synced. Note that the nested groups are not synced; only the users that belong to the nested groups are synced. In the VMware Identity Manager directory, these users will appear as members of the top-level group that you selected for sync.

If this option is disabled, when you specify a group to sync, all the users that belong directly to that group are synced. Users that belong to nested groups under it are not synced. Disabling this option is useful for large Active Directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync.

Note

When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.

18

Click Next.

19

Click + to add additional users. For example, enter CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.

To exclude users, create one or more filters. For each filter, select the user attribute to filter by, the query rule, and the value; users whose attribute matches the rule are excluded from the sync.

Click Next.
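Steps 17 through 19 decide which objects the sync creates. The following Python script is an added example, not VMware code, that models those rules over a small constructed directory: users of nested groups are collected (cycle-safe, since Active Directory allows circular group membership) but the nested groups themselves are not created, users whose primaryGroupID is not 513 (Domain Users) are dropped, and exclusion filters are applied as (attribute, rule, value) triples. The rule names and case-insensitive matching are assumptions made for the model; the DNs and attribute values are invented.

```python
"""Preview what a VMware Identity Manager group sync would create from Active
Directory: the effect of "Sync nested group users", the Domain Users
primary-group rule, and exclusion filters. Rules follow the documented
behaviour; the directory data below is constructed."""

DOMAIN_USERS_RID = 513    # primaryGroupID that Active Directory assigns to "Domain Users"

# Constructed sample directory: DN -> attributes. Group "member" lists mix user
# and group DNs, as the AD member attribute does.
PEOPLE = "OU=People,DC=example,DC=com"
GROUP_OU = "OU=Groups,DC=example,DC=com"
USERS = {
    f"CN=alice,{PEOPLE}": {"primaryGroupID": 513, "department": "Engineering"},
    f"CN=bob,{PEOPLE}": {"primaryGroupID": 513, "department": "Finance"},
    f"CN=carol,{PEOPLE}": {"primaryGroupID": 513, "department": "Engineering"},
    f"CN=dave,{PEOPLE}": {"primaryGroupID": 512, "department": "IT"},   # primary group Domain Admins
    "CN=eve,OU=Vendors,DC=example,DC=com": {"primaryGroupID": 513, "department": "Contract"},
}
GROUPS = {
    f"CN=All-Staff,{GROUP_OU}": {"member": [
        f"CN=alice,{PEOPLE}", f"CN=bob,{PEOPLE}", f"CN=dave,{PEOPLE}", f"CN=Eng-Team,{GROUP_OU}"]},
    f"CN=Eng-Team,{GROUP_OU}": {"member": [
        f"CN=carol,{PEOPLE}", f"CN=Contractors,{GROUP_OU}",
        f"CN=All-Staff,{GROUP_OU}"]},                        # membership cycle, legal in AD
    f"CN=Contractors,{GROUP_OU}": {"member": ["CN=eve,OU=Vendors,DC=example,DC=com"]},
}

# Query rules for exclusion filters (assumed names; matching is case-insensitive like AD).
RULES = {
    "equals": lambda actual, value: actual == value,
    "starts with": lambda actual, value: actual.startswith(value),
    "ends with": lambda actual, value: actual.endswith(value),
    "includes": lambda actual, value: value in actual,
}


def users_of_group(group_dn, groups, users, nested=True):
    """User DNs the sync considers for one selected group.

    nested=True walks the group tree (cycle-safe) and collects users of nested
    groups; the nested group objects themselves are never returned, matching the
    documented behaviour. nested=False counts only direct user members."""
    found, seen, todo = set(), set(), [group_dn]
    while todo:
        dn = todo.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for member in groups.get(dn, {}).get("member", []):
            if member in users:
                found.add(member)
            elif member in groups and nested:
                todo.append(member)
    return found


def excluded_by_filter(attrs, filters):
    """True when any (attribute, rule, value) filter matches this user."""
    for attribute, rule, value in filters:
        actual = str(attrs.get(attribute, "")).casefold()
        if RULES[rule](actual, value.casefold()):
            return True
    return False


def plan_sync(selected_groups, groups, users, nested=True, filters=()):
    """Groups and users that would be created, plus skipped users with the reason."""
    candidates = set()
    for group_dn in selected_groups:
        candidates |= users_of_group(group_dn, groups, users, nested)
    synced, skipped = set(), {}
    for dn in sorted(candidates):
        if users[dn].get("primaryGroupID") != DOMAIN_USERS_RID:
            skipped[dn] = "primary group is not Domain Users"
        elif excluded_by_filter(users[dn], filters):
            skipped[dn] = "matched exclusion filter"
        else:
            synced.add(dn)
    return {"groups": set(selected_groups), "users": synced, "skipped": skipped}


if __name__ == "__main__":
    top = f"CN=All-Staff,{GROUP_OU}"
    for nested in (True, False):
        plan = plan_sync([top], GROUPS, USERS, nested=nested,
                         filters=[("department", "equals", "Finance")])
        print(f"nested={nested}: users={sorted(plan['users'])} skipped={plan['skipped']}")
```

Running it with the nested option on yields alice, carol and eve under the single group All-Staff, with bob dropped by the department filter and dave dropped because his primary group is Domain Admins; with the option off, carol and eve never enter the candidate set, which is why the text tells you to select every group whose users you need when you disable it.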

20

Review the page to see how many users and groups will sync to the directory and to view the sync schedule.

To make changes to users and groups, or to the sync frequency, click the Edit links.

21

Click Sync Directory to start the directory sync.

Note

If a networking error occurs and the host name cannot be uniquely resolved using reverse DNS, the configuration process stops. You must fix the networking problems and restart the virtual appliance. Then, you can continue the deployment process. The new network settings are not available until after you restart the virtual appliance.

For information about setting up a load balancer or a high-availability configuration, see Advanced Configuration for the VMware Identity Manager Appliance.

You can customize the catalog of resources for your organization's applications and enable user access to these resources. You can also set up other resources, including View, ThinApp, and Citrix-based applications. See Setting up Resources in VMware Identity Manager.