Monday, February 9, 2015

Workspace Portal, Access Policies, and Kerberos authentication

You've decided it's time to expand your Workspace Portal deployment from internal-only, to also allow external access. You've setup your Load Balancer, gotten your certificates in place, and now you're tasked with configuring internal and external authentication methods.

This post covers the configuration needed for Kerberos on internal connections, while allowing username/password authentication from external connections.

Access Policies

First, let's setup your access policies. Access Policies allow you to specify criteria that users must meet in order to access Workspace Portal. We're going to configure the Default Access Policy Set to include two policies: internal and external

For our internal connections, we're going to utilize Kerberos. Configuring Kerberos isn't covered in this post, so ensure you have it working first. Here are some helpful posts for setting it up:

Configuring Kerberos for Workspace
Kerberos SSO in Workspace 1.8 (basic config flow still applies to Workspace Portal 2.1)

For our external connections, we'll let our users utilize their Active Directory synced username and passwords for authentication. Ensure your Directory Sync rules from the Connector Service Admin page include all desired AD groups and that they're synced regularly.

First: ensure you've created both an internal and an external Network Range:

  1. Log into the Workspace Admin Portal > Settings > Network Ranges

  2. Click + Network Range to add our internal range. Configure this to the appropriate subnets used in your LAN.

  3. We'll use the default ALL RANGES entry for our external connections

Then, from the Policies tab, we'll edit the default_access_policy_set to correspond to these network ranges.

  1. Click + Access Policy and name it internal. Set it to use a Minimum Authentication Score of 1. 

  2. Then select the default 'web policy' which corresponds to our external network range. We'll set this to a Minimum Authentication Score of 2 as seen below:

NOTE: Be sure to re-arrange the policies so that internal is on top, and 'web policy' is on bottom and click Save.

Authentication method

Now, head to Settings > Authentiation Methods and order the options as seen here. Be sure to click each entry to edit the Authentication Score to match the below screenshot. Once again, order is important.

Notice that Kerberos is on top, with an authentication score of 1.

Set Kerberos as the Default Method

Password will be set to an authentication score of 2.

At this point, you should be able to verify that your user portal loads from both internal and external locations, as well as verify that your internal users aren't prompted for their credentials.


Scenario 1:

When launching Workspace Portal externally, the page times out and doesn't load, but internally it launches.

Scenario 2:

When launching Workspace Portal externally, the page loads, but internally, users are prompted for username and password (Kerberos fails to login the user)

   - In either case, verify the order of your Access Policies have Kerberos on top, password on bottom. Also verify that the scores are set appropriately, per the screenshots


Follow by Email