VMware Identity Manager

Last Modified: Nov 24, 2020 @ 12:07 pm




Identity Manager is a component of VMware Workspace ONE.

  • For Horizon, Identity Manager enables SAML authentication, and integration of additional apps from Citrix and the web (e.g. SaaS).
  • For full functionality, Identity Manager should be paired with AirWatch (not detailed in this post).

System and Network Configuration Requirements at VMware Docs.

From Component Design: VMware Identity Manager Architecture in the VMware Workspace ONE and VMware Horizon Reference Architecture:

Single data center:

Multiple data centers:

VMware Blog Post What’s New in VMware Identity Manager 19.03


Version 19.03 no longer includes the embedded Connector so you must deploy one or two Windows machines to run the external connector. The embedded Connector can be migrated to the external Windows connector.

You can upgrade from version or 3.3 directly to version To upgrade from a version prior to, you must first upgrade to version

Upgrading can be performed online, or offline. Both are performed from the command line. See About Upgrading to VMware Identity Manager (Linux) at VMware Docs.

Make sure the Identity Manager SQL Service Account is a db_owner on the Identity Manager database. You can remove the permission after the upgrade.

For clusters, remove all nodes except one from the load balancer and upgrade the node that is still connected to the load balancer. Then upgrade the remaining nodes.

If you don’t have a Windows-based Connector and need to migrate from the Embedded Connector, then do the following:

  1. Download the VMware Identity Manager Standalone Connector Installer for Windows. You’ll install this later.
  2. From the same page, download the Cluster Migration Support Tools.
  3. Enable ssh access for the root account if you haven’t already.
  4. WinSCP to the Identity Manager appliance and upload the cluster-support.tgz file to the /root directory. After uploading the file, don’t close WinSCP yet.
  5. SSH (e.g. Putty) to the appliance as root.
  6. Run /usr/local/horizon/update/updatemgr.hzn updateinstaller
  7. You’ll be prompted to enter passwords for the cluster file.

  8. Back in WinSCP, download the .enc file that was created. You might have to refresh WinSCP to see the file.
  9. Then back in SSH, run /usr/local/horizon/update/updatemgr.hzn update
  10. Updating will take several minutes.
  11. Run the check command again to see if there are any other updates available.
  12. Then reboot the appliance.
  13. Build a Windows 2016 server. Windows 2019 is not supported yet. For redundancy, you can build two Windows servers.
  14. Copy the .enc file to the C: drive of the Windows server. It will not work from a UNC path.
  15. On the Windows server, run VMware_Identity_Manager_Connector_19.03.0.0_Installer.exe to install the Connector.
  16. Click Next through a few obvious screens and then check the box when asked Are you migrating your Connector.
  17. Browse to the local .enc file, enter the password specified earlier, and then click Next.
  18. In the next page, verify the hostname, and then click Next.
  19. In the domain user account page, note that some of the authentication methods require the connector to run as a service account so you might as well set that up now. Click Next.

    • The service account must be a local administrator on the Connector server.
  20. Click Next through the end of the wizard.
  21. Click No when prompted to load the Connector’s admin page because the Connector should already be configured.
  22. If Windows Firewall is enabled, then add a rule to permit inbound TCP 8443. This rule allows you to configure Authentication adapters from a remote machine.
  23. In Identity Manager Admin, at Identity & Access Management > Setup > Connectors, you can delete the old embedded connector.
  24. In Identity & Access Management (Manage), click the Identity Providers tab.
  25. Configure the Built-in IdP with the Connectors in Outbound Mode.
  26. Then click the link for the Workspace IdP.
  27. In the IdP Hostname field, edit the URL to point to the external Windows connector. With outbound mode, this URL is only used for Kerberos authentication, if enabled.

After upgrading from 3.0 and older:

  1. In the admin console, go to Catalog > Virtual Apps Collection. This is a new feature in 3.1 and newer.
  2. On the top right, click Add Virtual Apps, and then click Horizon View On-Premises.
  3. If you see an introduction page, then click Get Started.
  4. Select a connector, and then click Migrate Configurations.
  5. You can now manage the Horizon connections from Catalog > Virtual Apps Collection.


DNS Configuration

If you intend to build multiple appliances (3 or more) and load balance them, specify a unique DNS name for each appliance. The Load Balancing DNS name is different from the appliance DNS names. For example:

  • Appliance 1 = im01.corp.local
  • Appliance 2 = im02.corp.local
  • Appliance 3 = im03.corp.local
  • Load Balancing Name = identity.corp.com. This name is used both internally and externally.

Identity Manager DNS names are separate from Horizon DNS names.

You’ll need SSL certificates that match these names.

Each of these DNS names must have a corresponding reverse DNS pointer record.

  1. Create DNS records for the virtual appliances.
  2. Create reverse pointer records too. Reverse pointer records are required.
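As an added pre-flight check (example code written for this page, not part of the original post or of VMware's tooling), the following Python verifies the forward/reverse DNS layout described above before you deploy: every appliance name and the load-balancing name needs an A record, the PTR for that address must resolve back to the same name, no two appliances may share an address, and the load-balancing name must not be one of the appliance names. The record sets and the im0x.corp.local / identity.corp.com names are constructed from the example above; live_records() shows how to gather real answers from the resolver with the standard library.

```python
import socket
from dataclasses import dataclass


@dataclass
class DnsRecords:
    """Forward (name -> IPv4) and reverse (IPv4 -> name) answers to examine."""
    forward: dict
    reverse: dict


def check_dns_layout(appliances, lb_name, records):
    """Return a list of findings; an empty list means the layout meets the
    requirements on this page (unique appliance names and addresses, A and
    PTR for every name, PTR pointing back at the same name)."""
    findings = []
    if lb_name in appliances:
        findings.append(f"{lb_name}: load-balancing name must differ from every appliance name")
    owner_of_ip = {}
    for name in list(appliances) + [lb_name]:
        ip = records.forward.get(name)
        if ip is None:
            findings.append(f"{name}: no A record")
            continue
        if name != lb_name and ip in owner_of_ip:
            findings.append(f"{name}: shares address {ip} with {owner_of_ip[ip]}")
        owner_of_ip.setdefault(ip, name)
        ptr = records.reverse.get(ip)
        if ptr is None:
            findings.append(f"{name}: no PTR record for {ip}")
        elif ptr.lower().rstrip(".") != name.lower().rstrip("."):
            findings.append(f"{name}: PTR for {ip} resolves to {ptr}, not back to {name}")
    return findings


def live_records(names):
    """Collect A and PTR answers from the real resolver for the given names
    (standard library only; no third-party DNS client needed)."""
    forward, reverse = {}, {}
    for name in names:
        try:
            ip = socket.gethostbyname(name)
        except OSError:
            continue                      # no A record: reported by check_dns_layout
        forward[name] = ip
        try:
            reverse[ip] = socket.gethostbyaddr(ip)[0]
        except OSError:
            pass                          # no PTR: likewise reported
    return DnsRecords(forward, reverse)


# Constructed sample data mirroring the naming scheme above (not real hosts).
APPLIANCES = ["im01.corp.local", "im02.corp.local", "im03.corp.local"]
LB_NAME = "identity.corp.com"

GOOD = DnsRecords(
    forward={"im01.corp.local": "10.0.0.11", "im02.corp.local": "10.0.0.12",
             "im03.corp.local": "10.0.0.13", "identity.corp.com": "10.0.0.10"},
    reverse={"10.0.0.11": "im01.corp.local", "10.0.0.12": "im02.corp.local",
             "10.0.0.13": "im03.corp.local", "10.0.0.10": "identity.corp.com"},
)

# Two typical mistakes: the third appliance has no PTR, and the VIP's PTR
# was left pointing at the first appliance instead of the load-balancing name.
BAD = DnsRecords(
    forward=dict(GOOD.forward),
    reverse={"10.0.0.11": "im01.corp.local", "10.0.0.12": "im02.corp.local",
             "10.0.0.10": "im01.corp.local"},
)

if __name__ == "__main__":
    for label, recs in (("constructed good", GOOD), ("constructed bad", BAD)):
        problems = check_dns_layout(APPLIANCES, LB_NAME, recs)
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
    # Against real DNS:
    # check_dns_layout(APPLIANCES, LB_NAME, live_records(APPLIANCES + [LB_NAME]))
```

Run it against live DNS once the records exist; any finding it prints is something the OVF deployment or the external-database setup later on this page will trip over.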

LDAP Accounts

  1. All accounts synced with Identity Manager must have First Name, Last Name, and E-mail Address configured, including the Bind account.
  2. Create a new Active Directory group for your Identity Manager users. The Domain Users group will not work. For Horizon integration, assign this group to your pools instead of assigning Domain Users.

SQL Database

If you want to build multiple Identity Manager appliances and load balance them, configure them with an external database (e.g. Microsoft SQL).

For a script that performs all required SQL configuration, see Configure a Microsoft SQL Database at VMware Docs.

  1. In SQL Management Studio, create a New Query.
  2. Copy the SQL commands from VMware Docs and paste them into the New Query window.
    1. For Windows Authentication, copy the commands from Configure the Microsoft SQL Database with Windows Authentication Mode.
    2. For SQL Authentication, copy the commands from Configure Microsoft SQL Database Using Local SQL Server Authentication Mode.
    3. Change the values in the brackets.
    4. According to Rob Beekmans at Deploying VMware Workspace One 3.x – database setup, mandatory or changeable parameters?, in Identity Manager 3.0 and newer, you can change any of the parameters, except that the database schema (but not database name) must be saas.
  3. Then click Execute.

OVF Deployment

  1. Download the Identity Manager SVA OVA file.
  2. If your vCenter is 6.5 Update 2 or newer, then you can use the newer HTML5 vSphere Client. Otherwise, use the older Flash vSphere Web Client.
  3. In the vSphere Web Client, right-click a cluster, and click Deploy OVF Template.
  4. In the Select source page, browse to the identity-manager- file, and click Next.

  5. In the Select name and location page, enter a name for the VM, and click Next.
  6. In the Select a resource page, select a cluster, and click Next.
  7. In the Review details page, click Next.
  8. In the Accept License Agreements page, click Accept, and then click Next.
  9. In the Select storage page, select Thin Provision, select a datastore, and click Next.
  10. In the Select networks page, select the network for the appliance. You can deploy it either internally, or in the DMZ. If in the DMZ, you can later install Identity Manager Connectors in the internal network in outbound only mode. Click Next.
  11. In the Customize template page:
    1. Make a choice regarding Customer Experience Improvement Program.
    2. Select a time zone.
    3. Expand Networking Properties if it’s not already expanded.
    4. The Networking Properties are displayed in a different order depending on which vSphere Web Client you’re using.
    5. Host Name – Enter a hostname for the first appliance.
      • If you intend to build multiple appliances and load balance them, then each appliance needs a unique name that does not match the load balanced name. If you only want to build one appliance, then the appliance Host Name should match whatever users will use to access Identity Manager.
    6. DNS and Gateway – In the Networking Properties section, enter the standard DNS and Gateway information.
    7. According to Install the VMware Identity Manager OVA File at VMware Docs, the Domain Name and Domain Search Path fields are not used.
    8. IP Address – Enter the IP address that is configured in DNS for the host name. DNS reverse lookup for this IP address must resolve to the appliance Host Name.
  12. Click Next.
  13. In the Ready to complete page, click Finish.

Setup Wizard

  1. Power on the appliance.
  2. Wait for the appliance to power on and fully boot.
  3. Go to https://myIMFQDN to access the Identity Manager Setup Wizard.
    Note: you must connect to the DNS name. Connecting to the IP address will cause problems during the database setup process.
  4. In the Get Started page, click Continue.
  5. In the Set Passwords page, enter passwords for the three accounts, and click Continue.

  6. In the Select Database page, change it to External Database.
    Note: this page will only function properly if your address bar has a DNS name instead of an IP address.
  7. For SQL authentication, enter a JDBC URL similar to the following, enter the credentials for the Horizon SQL account, and then click Test Connection.

  8. For Windows authentication, enter a JDBC URL similar to the following, enter credentials for the Horizon Windows service account, and then click Test Connection.

  9. The top of the screen should say Connection test successful.
  10. Then click Continue.

  11. In the Setup Review page, click the link to log in to the Admin Console.

SSH – Enable Root Access

This is optional. Enabling root access lets you use root credentials when using WinSCP to connect to the appliance. Instructions can be found at VMware Blog Post Enabling SSH in Horizon Workspace Virtual Appliances.

  1. Putty to the Identity Manager appliance.
  2. Login as sshuser.
  3. Run su - and enter the root password.
  4. Run vi /etc/ssh/sshd_config.
  5. Scroll down to line 49 (PermitRootLogin).
  6. Press <i> on the keyboard to change to insert mode.
  7. Go to the end of the line and change no to yes.
  8. Press <ESC> to exit insert mode.
  9. Type :x to save the file and exit.
  10. Run /etc/rc.d/sshd restart.

Identity Manager Certificate

The Windows Connectors require the Identity Manager certificate to be trusted. Generate a new appliance certificate using a trusted Certificate Authority and install the certificate on the appliance.

  1. Login to the Identity Manager web page as the admin user in the System Domain.
  2. Switch to the tab named Appliance Settings.
  3. Click the Manage Configuration button.
  4. Login using the root password.
  5. On the left, click the page named Install SSL Certificates.
  6. On the right, click Choose File next to Import Certificate File.
  7. Identity Manager 19.03 and newer let you browse to a .pfx file instead of a PEM file.
  8. In the Password field, enter the .pfx password.
  9. Click Save.
  10. It will take several minutes for the certificate to be installed and the appliance to restart.

Load Balancing

Identity Manager can be cloned, clustered, load balanced, and globally load balanced as shown below. Source = Component Design: VMware Identity Manager Architecture in the VMware Workspace ONE and VMware Horizon Reference Architecture

To clone multiple Identity Manager appliances and load balance them, see one of the following:

Note: TLS 1.0 is disabled in Identity Manager 2.6 and newer. If your load balancer does not support TLS 1.2, then see 2144805 Enabling TLS 1.0 protocol in VMware Identity Manager 2.6.

  • NetScaler MPX/SDX added TLS 1.2 on the back end in 10.5 build 58.
  • NetScaler VPX added TLS 1.2 on the back end in 11.0 build 65.

Windows Connector

Identity Manager 19.03 and newer no longer include an embedded connector. Instead, build one or more Windows connectors.

Note: connectors from VMware Access 20.10 and 20.01 do not support Horizon. Stay with Connector version 19.03 or 19.03.01.

Note: 19.03.01 only works with VMware Access 20.10 service. Do not deploy 19.03.01 on older Identity Manager or older VMware Access. Reference = VMware Communities.

  1. Load balance your Identity Manager appliances so the Connector can connect to the Load Balanced FQDN instead of a single Identity Manager appliance.
  2. Build one or more Windows machines on the internal network that will host the Windows connector. The Windows machines must be joined to the domain.
  3. The Identity Manager certificate must be trusted by the Connector servers.
  4. Login to the Identity Manager administration console through the load balanced FQDN as the admin user in the System Domain.
  5. On the top tabs, switch to Identity & Access Management.
  6. On the sub-menu bar, on the far right, click Setup.
  7. On the sub-menu bar, on the left, click Connectors.
  8. Click the blue Add Connector button.
  9. Give the Connector a name and click Generate Activation Code.
  10. Copy the Activation Code. You’ll need this later.
  11. On the Windows machine, run VMware_Identity_Manager_Connector_19.03.0.0_Installer.exe.
  12. In the Welcome to the Installation Wizard for VMware Identity Manager Connector page, click Next.
  13. In the License Agreement page, click I accept the terms, and then click Next.
  14. In the Destination Folder page, click Next.
  15. Click Yes when asked to install JRE.
  16. Don’t check Are you migrating your Connector and click Next.
  17. Review the hostname and click Next.
  18. Check the box next to Would you like to run the Connector Service as a domain user account. Enter service account credentials. And then click Next.

    • Some authentication methods require the Connector to run as a domain user account.
    • The service account must be added to the local Administrators group.
  19. In the Ready to Install the Program page, click Install.
  20. In the Installation Wizard Completed page, click Finish.
  21. Click Yes when prompted to open the admin console (https://idmc01.corp.local:8443/) for the Connector.
  22. If Windows Firewall is enabled, then add a rule to permit Inbound TCP 8443. This rule allows you to configure Authentication adapters from a remote machine.
  23. Try to use Chrome instead of Internet Explorer.
  24. In the Get Started page, click Continue.
  25. In the Set Passwords page, enter passwords, and then click Continue.
  26. In the Activate Connector page, paste in the Activation Code you got from the Identity Manager appliance and then click Continue.

    • If you see a message about unable to find a valid certificate, then you might have to paste in the Root CA certificate.


Directory Sync

  1. Login to the Identity Manager web page as the admin user in the System Domain.

    • Note: if you mis-configure Access Policies and lock yourself out of the main Identity Manager logon page, then add /SAAS/login/0 to the end of the URL (e.g. https://identity.corp.com/SAAS/login/0) to login directly to the System Domain.
  2. Switch to the Identity & Access Management tab.
  3. On the top right, switch to the Setup view.
  4. On the left, switch to the User Attributes sub-tab.
  5. Scroll down. Check the boxes next to distinguishedName and userPrincipalName. These are needed for Horizon.
  6. In the Add other attributes to use section, click the plus icon.
  7. Enter objectGUID.
  8. Click the green plus and add mS-DS-ConsistencyGuid. These are needed for Office 365 integration.
  9. Then click Save.
  10. On the top right, switch to the Manage view.
  11. On the Directories tab, click Add Directory > Add Active Directory over LDAP/IWA.
  12. Enter a Directory Name.
  13. Change it to Active Directory (integrated Windows Authentication).
  14. Select a Sync Connector. You can select more Sync Connectors later.
  15. Scroll down.
  16. Enter the LDAP Bind credentials. Click Save & Next.
  17. Select the domains you want to sync, and click Next.
  18. In the Map User Attributes page, scroll down, select any missing attribute, and click Next.
  19. In the Select the Groups page, click the plus icon to add a DN.
  20. Enter a Base DN in LDAP format, and click Find Groups.
  21. Click Select.
  22. Search for your Identity Users group and select it. Don’t select Domain Users since it won’t work.
  23. Click Next.
  24. In the Select the Users page, click Next.
  25. In the Review page, click Edit.
  26. Select a more frequent sync schedule, and click Save.
  27. Click Sync Directory.

  28. You can click the link to view the Sync log.
  29. You can also click the directory name, and then click Sync log to view the log.

  30. Sync Settings can be changed by clicking the button on the right.
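The attribute requirements from the LDAP Accounts section (First Name, Last Name, E-mail on every synced account, the Bind account included) and the sync attributes enabled in the directory setup just described (userPrincipalName, and objectGUID plus mS-DS-ConsistencyGuid for Office 365) are easy to check before the first sync. The following Python is an added example written for this page, not part of the original post or of VMware's tooling: it audits a set of directory entries for the attributes Identity Manager needs and flags a sync group whose member attribute is empty. The entries are constructed; in practice they would be the result of an LDAP search over the sync group's members.

```python
# LDAP attribute names behind the labels used on this page.
REQUIRED_FOR_SYNC = ("givenName", "sn", "mail", "userPrincipalName")   # First Name, Last Name, E-mail, UPN
REQUIRED_FOR_O365 = ("objectGUID", "mS-DS-ConsistencyGuid")


def _present_attributes(entry):
    """Lower-cased names of attributes that actually carry a value.
    LDAP attribute names are case-insensitive, and an empty string, empty
    list or empty byte string counts as missing for sync purposes."""
    return {name.lower() for name, value in entry.items()
            if value not in (None, "", [], b"")}


def audit_users(entries, required):
    """Return {distinguishedName: [missing attributes]} for every entry that
    lacks one of the required attributes. Entries with nothing missing are
    omitted, so an empty dict means the set is ready to sync."""
    problems = {}
    for entry in entries:
        present = _present_attributes(entry)
        missing = [attr for attr in required if attr.lower() not in present]
        if missing:
            problems[entry["distinguishedName"]] = missing
    return problems


def audit_groups(groups):
    """Flag sync groups whose member attribute is empty. Domain Users is the
    usual case: its membership lives in each user's primaryGroupID rather
    than in the group's member attribute, so a group-based sync finds nobody."""
    return [g["distinguishedName"] for g in groups if not g.get("member")]


# Constructed directory entries (not real accounts).
USERS = [
    {"distinguishedName": "CN=Alice Adams,OU=Staff,DC=corp,DC=local",
     "givenName": "Alice", "sn": "Adams", "mail": "alice@corp.com",
     "userPrincipalName": "alice@corp.local",
     "objectGUID": b"\x01" * 16, "mS-DS-ConsistencyGuid": b"\x01" * 16},
    # Bind account created without a name or mailbox: it is synced too, so it must be fixed.
    {"distinguishedName": "CN=svc-idm-bind,OU=Service,DC=corp,DC=local",
     "sAMAccountName": "svc-idm-bind", "userPrincipalName": "svc-idm-bind@corp.local"},
    # Empty last name and no consistency GUID.
    {"distinguishedName": "CN=Bob,OU=Staff,DC=corp,DC=local",
     "givenName": "Bob", "sn": "", "mail": "bob@corp.com",
     "userPrincipalName": "bob@corp.local", "objectGUID": b"\x02" * 16},
]
GROUPS = [
    {"distinguishedName": "CN=Domain Users,CN=Users,DC=corp,DC=local", "member": []},
    {"distinguishedName": "CN=IDM Users,OU=Groups,DC=corp,DC=local",
     "member": [u["distinguishedName"] for u in USERS]},
]

if __name__ == "__main__":
    for dn, missing in audit_users(USERS, REQUIRED_FOR_SYNC + REQUIRED_FOR_O365).items():
        print(f"{dn}: missing {', '.join(missing)}")
    for dn in audit_groups(GROUPS):
        print(f"{dn}: member attribute is empty; pick a different sync group")
```

Feed it the members of the group you intend to sync plus the Bind account; fixing what it reports up front avoids chasing individual users through the Sync log afterwards.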

Connector Outbound Mode

To enable Connector outbound mode (outbound ports only):

  1. Go to Identity & Access Management > Manage > Identity Providers.
  2. Click the link for the Built-in Identity Provider.
  3. In the Users section, check the box next to your directory.
  4. In the Network section, select a range.
  5. In the Connector(s) section, select the first connector and click Add Connector.
  6. If you have another connector for the same domain(s), select the second connector and click Add Connector.
  7. In the Connector Authentication Methods section, check the box next to Password (cloud deployment).
  8. Then click Save.
  9. In Identity & Access Management (Manage), click the Policies tab.
  10. Edit the default_access_policy_set.
  11. Click the link for the first rule.
  12. Next to then the user may authenticate using, change it to Password (cloud deployment). Then save the rule.
  13. Repeat for all other rules in the policy.
  14. Click Next and then click Save.

Sync Connector Redundancy

  1. In the Identity Manager console, in the Identity & Access Management page, switch to the Manage view, and click Identity Providers.
  2. Click the link for the Workspace Identity Provider.
  3. Scroll down. Select the second connector. Enter the Bind password. Click Add Connector.
  4. On the left, click the Directories link.
  5. Click the link for your Active Directory domain.
  6. On the right, click the Sync Settings button.
  7. Switch to the Sync Connectors tab.
  8. Select the second connector and click the plus icon.
  9. You can order the connectors in failover order. Click Save.

Sync Group Membership

By default, Identity Manager does not synchronize group members. You can force a sync.

  1. Go to Users & Groups > Groups.
  2. Notice that the groups are Not Synced. Click the link for a group.
  3. Switch to the Users tab. Then click the Sync Users button.

Logon Experience

  1. Go to Identity & Access Management > Setup > Preferences.
  2. On the bottom, Identity Manager 2.9.1 and newer lets you optionally hide the Domain Drop-Down menu. Then select the unique identifier that Identity Manager will use to find the user’s domain (typically UPN). Identity Manager 3.3 and newer can show a Domain Drop-Down if a unique domain cannot be identified.
  3. The user will be prompted to enter the unique identifier.


Administrators

Identity Manager 3.2 and newer:

  1. Go to the Roles tab.
  2. You can add a Role. See VMware Blog Post Introducing Role-Based Access Control (RBAC) in VMware Identity Manager 3.2.
  3. Select an existing role (e.g. Super Admin), and click Assign.
  4. Search for the user that you want to assign the role to. If the user doesn’t show up, then make sure you are syncing the user, or sync the members of a group that the user is a member of.
  5. Then click Save.

Identity Manager 3.1 and older:

  1. You can promote individual users (but not groups) to administrators. In the Admin console, on the top left, click the Users & Groups tab.
  2. Switch to the Users sub-tab.
  3. Click a username. Note: you might not see users until a group is assigned to a resource (e.g. Horizon Pool).
  4. Scroll down.
  5. In Identity Manager 3.1 and older, you can change the Role drop-down to Administrator. Click Save.


License

  1. Switch to the tab named Appliance Settings.
  2. On the left, click License.
  3. On the right, enter the license key, and click Save. A Horizon Advanced or Horizon Enterprise license key will work.


SMTP

  1. On the top, click the Appliance Settings tab.
  2. On the left, click the SMTP node.
  3. On the right, enter your mail server information, and click Save.

Kerberos Authentication

Kerberos lets users Single Sign-on to the Identity Manager web page. Some notes on Kerberos authentication:

  • It only works for Windows clients.
  • The clients connect to the Connectors, so the firewall must permit the inbound connection on TCP 443. Outbound-only mode does not work with Kerberos.
    • For High Availability, load balance your Connectors.
  • The Connector (or load balancer) must have a valid, trusted certificate.
  • The Connector’s FQDN (or load balancer FQDN) must be in Internet Explorer’s Local Intranet zone.

Connector Certificate

To upload a certificate to the Connector:

  1. Point Chrome to https://myConnectorFQDN:8443/cfg
  2. Click the link for Appliance Configurator.
  3. Login using the Connector’s password.
  4. On the left is Install SSL Certificates.
  5. On the right is the tab named Server Certificate.
  6. Next to Import Certificate File, click Choose File.
  7. Identity Manager 19.03 and newer support .pfx files. If you select a .pfx, there’s no need to select a Private Key file.
  8. In the Password field, enter the password for the .pfx file.
  9. Click Save.
  10. It will take several minutes to install the certificate and restart the Connector service.

TCP 443 Inbound

TCP 443 must be opened inbound to the Connectors. You might have to add TCP 443 to a Windows Firewall rule.

Enable Kerberos authentication on the Connector

  1. Login to the Windows Connector machine.
  2. Go to C:\VMware\VMwareIdentityManager\Connector\usr\local\horizon\scripts.
  3. Right-click setupKerberos.bat and Run as administrator. (source = VMware 2149753 Run Script to Resolve Kerberos Initialization Error in VMware Identity Manager Connector on Windows)
  4. The script will prompt you for credentials that can create a user account in Active Directory.
  5. Login to the Identity Manager administration web page.
  6. On the top, go to the Identity & Access Management tab.
  7. On the right, change to the Setup view.
  8. On the left, click the Connectors sub-tab.
  9. Click the blue hostname link for the Connector.
  10. Switch to the Auth Adapters tab.
  11. You may enable Kerberos or other authentication adapters from this page by clicking the Adapter Name.
  12. Enter sAMAccountName as the Directory UID Attribute.
  13. Check the box next to Enable Windows Authentication.
  14. For High Availability, you can load balance your Connectors, check Enable Redirect, and then enter the load balanced FQDN.
  15. Click Save. The Authentication Adapters page will show it as Enabled.

Configure Policy to use Kerberos

  1. After enabling the Kerberos adapter, in Identity Manager 3.2 and newer, go to Identity & Access Management > Manage > Policies and click Network Ranges.

    • In Identity Manager 3.1 and older, go to Identity & Access Management > Setup > Network Ranges.
  2. Add a Network Range for internal networks if you haven’t already.
  3. Go to Identity & Access Management > Manage > Policies.
  4. In Identity Manager 3.2 and newer, click Edit Default Policy.

    • In Identity Manager 3.1 and older, click the link for default_access_policy_set.
  5. In Identity Manager 3.2 and newer, click Next to go to the Configuration page.
  6. Click Add Policy Rule, or click the plus icon to add a Policy Rule.

  7. Select a Network Range.
  8. For user is trying to access content from, set it to Web Browser.
  9. Identity Manager 2.9.1 adds an Edit Groups button to policy rules, which allows different authentication methods for different groups. When enabled, Identity Manager asks the user for username only, and then looks up group membership to determine which authentication methods should be used. See Configuring Access Policy Settings at VMware Docs.
  10. Select Kerberos as the first authentication method.
  11. Select Password as the second authentication method. Click Save or OK.

  12. Drag the new Policy Rule to move it to the top. Then click Next and Save.

Customize Appearance

  1. If you go to Identity & Access Management > Setup > Custom Branding, on the Names & Logos tab you can change the browser’s title and favicon.
  2. If you then switch to the Sign-In Screen page, you can upload a logo, upload an image, and change colors.
  3. If you go to Identity & Access Management > Manage > Password Recovery Assistant, you can configure a link to a password recovery tool, or change the Forgot password message.
  4. If you scroll down you can optionally Show detailed message to End User when authentication fails.
  5. Click Catalog, and then click Settings.
  6. On the left, click User Portal Branding.
  7. Make changes to Logos, colors, etc.


Horizon Administrator – Enable SAML Authentication

  1. Login to Horizon Administrator.
  2. On the left, under View Configuration, click Servers.
  3. On the right, switch to the Connection Servers tab.
  4. Select a Connection Server, and click Edit.
  5. On the Authentication tab, change Delegation of authentication to VMware Horizon to Allowed.
  6. Click Manage SAML Authenticators.
  7. Click Add.
  8. In the Label field, enter a descriptive label.
  9. In the Metadata URL field, enter the Identity Manager FQDN.
  10. In the Administration URL field, enter the Identity Manager FQDN, and click OK.
  11. If you see a certificate error, click View Certificate, and then click Accept.
  12. Or click OK if the server’s identity was verified.
  13. Click OK to close the Manage SAML Authenticators window.
  14. Horizon 7.2 adds a Workspace ONE mode, which forces all Horizon Clients to connect through Identity Manager instead of directly to the Connection Servers. Delegation of authentication must be set to Required before Workspace ONE mode can be enabled.
  15. The Horizon Administrator dashboard shows you the status of the SAML Authenticator under Other components.

Identity Manager – Virtual Apps Collection for Horizon View

If your Identity Manager is version 3.1 through 3.3, skip ahead to the instructions for 3.1 through 3.3.

If your Identity Manager is version 3.0 or older, skip ahead to the instructions for 3.0 and older.

If your Identity Manager is version 19.03 or newer:

  1. In the Identity Manager Admin Portal, click the Catalog tab, and then click Virtual Apps Collection.
  2. If you see Introducing Virtual Apps Collection page, click Get Started.
  3. Click the SELECT link in the Horizon box.
  4. Give the Horizon Connection a name.
  5. Arrange the Sync Connector appliances in priority order. Click Next.
  6. Click Add a Pod.
  7. Enter the FQDN of a Connection Server in the Pod.
  8. Enter Horizon View admin credentials in UPN format. The account needs at least Read Only Administrator access to Horizon.
  9. Click Add.
  10. You can optionally add more pods and then enable the Cloud Pod Architecture option. Click Next when done.
  11. Change the Sync Frequency as desired.
  12. Click Next when done.
  13. Click Save & Configure Network Range. The connection is tested at this time.
  14. The URLs for accessing Horizon are defined in each Network Range. Create a Network Range for each Horizon URL you need, or click All Ranges.
  15. Near the bottom, in the Client Access FQDN field, enter the FQDN that users in this Network Range use to login to Horizon. Then click Save. Note: the Horizon FQDN is different than the Identity Manager FQDN.
  16. After the Horizon Virtual Apps Collection is added, select it, and click Sync.

    • Note: whenever you make a change to the pools in Horizon Administrator, you must either wait for the next automatic Sync time, or you can return to this screen and click Sync.
  17. In the Calculating Sync Actions page, click Save.
  18. If you go to Catalog > Virtual Apps, you will see your synced Application and Desktop pools.
  19. Skip ahead to the Horizon Pools Catalog section.

Identity Manager 3.1 through Identity Manager 3.3

Horizon Connection (Virtual Apps Collection) instructions for Identity Manager 3.1 through Identity Manager 3.3:

  1. In the Identity Manager Admin Portal, click the Catalog tab, and then click Virtual Apps.
  2. On the top right, click Virtual App Configuration.
  3. If you see Introducing Virtual Apps Collection page, click Get Started.
  4. On the top right, click Add Virtual Apps, and then click Horizon View On-Premises.
  5. In the Horizon View On-Premises page, configure the following:
    1. Give the Horizon Connection a name.
    2. Choose a Sync Connector appliance.
    3. Enter the FQDN of a Connection Server in the Pod.
    4. Enter Horizon View admin credentials in UPN format. The account needs at least Read Only Administrator access to Horizon.
    5. Scroll down.
    6. Notice the link to Add Horizon Pod. This is for Cloud Pod Architecture.
    7. Check the box next to Perform Directory Sync.
    8. Change the Sync Frequency as desired.
    9. Activation Policy can be Automatic or User-Activated. User-Activated means users have to go to the App Center to add the icons to the My Apps portal.
    10. Click Save when done.
  6. After the Horizon connection is added, on the right side of the screen, click Sync.
    • Note: whenever you make a change to the pools in View Administrator, you must either wait for the next automatic Sync time, or you can return to this screen and click Sync Now.
  7. In the Calculating Sync Actions page, click Save.
  8. Click the blue Refresh link until the sync is completed.
  9. If you go to Catalog > Virtual Apps, you will see your synced Application and Desktop pools.
  10. Skip ahead to the Horizon Pools Catalog section.

Identity Manager 3.0 and older

Horizon Connection Instructions for Identity Manager 3.0 and older:

  1. In the Identity Manager Admin Portal, click the Catalog tab, and then click Application Catalog.
  2. Click Manage Desktop Applications, and then click Horizon View On-Premises.
  3. Click one of the connectors.
  4. Check the box next to Enable Horizon View Applications and Desktops.
  5. Enter the address of a Horizon Connection Server (or load balanced FQDN). Note: reverse IP lookup must be functional for this DNS name.
  6. Enter View Administrator credentials in userPrincipalName format. The account needs at least Read Only Administrator access to Horizon.
  7. Notice the link to Add Horizon Pod. This is for Cloud Pod Architecture.
  8. Deployment Type can be Automatic or User-Activated. User-Activated means users have to go to the App Center to add the icons to the My Apps portal.
  9. Specify the Viewpool sync frequency, and click Save. New pools created in Horizon Administrator don’t show up in Identity Manager until a sync is performed.
  10. Near the top of the screen you might see red text. Click Invalid SSL Cert.
  11. In the Certificate Information page, click Accept.
  12. Near the bottom of the page click Sync Now. Note: whenever you make a change to the pools in View Administrator, you must either wait for the next automatic Sync time, or you can return to this screen and click Sync Now.
  13. If sync fails, see VMware 2091744 Synchronizing VMware Horizon View Pool in Workspace Portal fails with the error: Failed to complete View sync due to a problem with the View Connection Server.
  14. Then click Save and Continue. Note: whatever groups are entitled to Horizon Pools and Applications must also be synced (Active Directory) with Identity Manager.

Horizon Pools Catalog

  1. In the Identity Manager Admin console, at Catalog > Virtual Apps, you can see the Horizon View icons. Only the pools in the root Access Group are synced.
  2. Click an icon and then click View Assignments.
  3. Make sure entitlements are listed. Entitlements are defined in Horizon Administrator, and not in Identity Manager. Identity Manager merely syncs the entitlements from Horizon.
  4. Only AD groups synced to Identity Manager will be displayed. Domain Users won’t sync to Identity Manager, so entitle the Horizon pools to AD groups other than Domain users.
  5. If you make changes in Horizon Administrator, then manually sync the Virtual Apps Collection so the changes are reflected in Identity Manager.
  6. Back in the Virtual Apps list, if you check the box next to one of the icons, you can place the icon in a Category by clicking the Categories menu.
    • You can select one or more existing categories.
    • Or type in a new category name at the top of the list.
  7. The category is then displayed next to the catalog item.
  8. Identity Manager 3.1 adds a Recommended category.

  9. In Identity Manager 3.2 and newer, go to Catalog > Settings.
  10. On the left, click User Portal Configuration.
  11. From this screen, you can control tab visibility, and put recommended apps in the Bookmarks tab. Click Save when done.

Separate Horizon View Connection Server groups (e.g. multi-datacenter) can be configured in failover order. See Configure Failover Order of Horizon View and Citrix-based Resources at VMware Docs.

Identity Manager – Horizon URLs

The URL used to launch a Horizon icon from Identity Manager can be different for each Network Range. For internal users, the URL should point to the load balanced VIP for the Connection Servers. For external users, the URL should point to load balanced Unified Access Gateways.

In Identity Manager 19.03 and newer:

  1. Go to Catalog > Virtual Apps Collection.
  2. Click the link for a Virtual Apps Collection.
  3. Click Edit Network Range.
  4. Click an existing Network Range, or create a new one.
  5. Near the bottom, in the Client Access FQDN field, enter the FQDN that users on this Network Range should use to access Horizon. Then click Save. Note that the FQDN for Horizon is different from the FQDN for Identity Manager.

In Identity Manager 3.3 and older:

  1. In the Identity Manager administrator interface, go to Identity & Access Management (Manage) > Policies sub-tab > Network Ranges.

    • Before 3.2, this was located under Identity & Access Management > Setup view > Network Ranges.
  2. You can edit the default ALL RANGES, or add a new Network Range.

  3. In Identity Manager 3.1 and older, you can specify the Horizon URL for the IP range from here. You can have different Horizon Client Access URLs for different IP ranges (e.g. internal vs external). For external users, the URL points to Access Points or Horizon Security Servers.
  4. In Identity Manager 3.2 and newer, after creating the Network Ranges, go to Catalog > Virtual Apps.
  5. On the top right, click Virtual App Settings.
  6. Click a Network Range.
  7. In the Client Access URL Host field, enter the FQDN that resolves to the internal Connection Server load balancer, or the external Unified Access Gateway load balancer. Then click Finish.
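To make the Network Range behaviour described in both procedures above concrete, here is an added example (not code from the article or from VMware) that models how a client IP is mapped to the Horizon Client Access FQDN of its range, with ALL RANGES as the catch-all and a check that the Horizon FQDN differs from the Identity Manager FQDN. All FQDNs, CIDRs and client IPs are constructed placeholders, and resolving overlapping ranges by longest prefix is an assumption of this model.

```python
"""Model of how Identity Manager picks the Horizon launch host per Network Range.

Added example, not code from the article or from VMware. All FQDNs, CIDRs
and client IPs are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholders (assumptions), not values from a real deployment.
IDM_FQDN = "idm.example.com"                        # Identity Manager itself
INTERNAL_HORIZON_FQDN = "horizon.corp.example.com"  # Connection Server VIP
EXTERNAL_HORIZON_FQDN = "uag.example.com"           # Unified Access Gateway VIP


@dataclass
class NetworkRange:
    """One entry from Policies > Network Ranges, plus its Client Access FQDN."""
    name: str
    cidrs: List[str]
    client_access_fqdn: str


def validate_range(nr: NetworkRange) -> NetworkRange:
    """Reject malformed CIDRs and a Horizon FQDN that equals the IdM FQDN.

    The article notes that the Horizon FQDN is different from the Identity
    Manager FQDN, so a range pointing at IdM itself is treated as a config error.
    """
    for cidr in nr.cidrs:
        ipaddress.ip_network(cidr, strict=True)  # ValueError on bad CIDR / host bits
    if nr.client_access_fqdn.lower() == IDM_FQDN.lower():
        raise ValueError(f"{nr.name}: Client Access FQDN equals the Identity Manager FQDN")
    return nr


# Constructed ranges. ALL RANGES is the catch-all that ships with IdM and points
# external clients at the UAG VIP; the corporate range overrides it internally.
RANGES: List[NetworkRange] = [
    validate_range(NetworkRange("ALL RANGES", ["0.0.0.0/0", "::/0"], EXTERNAL_HORIZON_FQDN)),
    validate_range(NetworkRange("Corporate LAN", ["10.0.0.0/8", "192.168.0.0/16"],
                                INTERNAL_HORIZON_FQDN)),
]


def match_range(client_ip: str, ranges: List[NetworkRange]) -> Optional[NetworkRange]:
    """Return the most specific range containing client_ip.

    Overlaps are resolved by longest prefix here; that is an assumption of this
    model, the article does not describe how IdM orders overlapping ranges.
    """
    ip = ipaddress.ip_address(client_ip)
    best: Optional[NetworkRange] = None
    best_len = -1
    for nr in ranges:
        for cidr in nr.cidrs:
            net = ipaddress.ip_network(cidr)
            # `in` is False when the IP family differs, so ::/0 only catches IPv6
            if ip in net and net.prefixlen > best_len:
                best, best_len = nr, net.prefixlen
    return best


def horizon_launch_host(client_ip: str, ranges: List[NetworkRange] = RANGES) -> str:
    """FQDN the Horizon Client or HTML Access is sent to for this client."""
    nr = match_range(client_ip, ranges)
    if nr is None:
        raise LookupError(f"no Network Range covers {client_ip}")
    return nr.client_access_fqdn


def horizon_launch_url(client_ip: str, ranges: List[NetworkRange] = RANGES) -> str:
    """Launch URL base for the client; Horizon is always fronted over HTTPS."""
    return f"https://{horizon_launch_host(client_ip, ranges)}/"


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.50.9", "203.0.113.7", "2001:db8::1"):
        print(f"{ip:>14} -> {horizon_launch_url(ip)}")
```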

Identity Manager User Portal

The User Portal is the interface that non-administrators see after logging in. Administrators can switch to the User Portal by clicking the username on the top right and clicking User Portal.

Administrators in the User Portal can switch to the Administration Console by clicking the username on the top right.

Some User Portal features:

  1. When a user logs in to the Identity Manager web page, the pool icons are displayed.
  2. When the user clicks an icon, the pool can open in either the Horizon Client or the browser. To set the default launch method:
    1. On the top right, click your name, and click Settings.
    2. On the left, click Preferences.
    3. Make your choice and click Save.
    4. The Horizon Client option has a link to download and install the Horizon Client.
  3. Back in the icons list, when the user clicks Open next to an icon, there’s a link to Install the Horizon Client.
  4. To mark an icon as a Bookmark, click the bookmark icon next to each app.
  5. Or click an app icon to open the app’s Description page, and then click Bookmark.
  6. Then you can click the Bookmarks tab to display only icons that are marked as Bookmarks.
  7. If you configured Categories, they are listed in the left side of the page. When you click a category, only the icons in that category are displayed.

146 thoughts on “VMware Identity Manager”

  1. In my test Lab, I have deployed vIDM 19.0 with UAG. It’s working fine from internal network but not working from internet as connector node is not published over internet. Is there a way to achieve this configuration? (Although it’s working fine (internal and internet) when integrated with Okta and Okta is performing the authentication.)

  2. Dear carl

    I already read and do article that you post but I get error when try add directory over ldap/iwa

    “connector communication failed with respons communication channel unavailablefor the connector.idmc.virtusindonesia.com”

    maybe you have any suggestion ?

  3. Thanks for all of the great write-ups on Horizon products as they’ve helped tremendously! I did run across a problem maybe you have insight into with your Citrix background as well. Our Horizon VDI desktops have the Citrix Receiver installed which is using SSO for the storefront to access an EHR application. This has worked seamlessly up until we put Identity Manager using TrueSSO to access their desktops remotely. The Citrix Receiver is now unable to pass SSO and requests authentication to the backend server. If they do not go through TrueSSO and login directly to their workstation from a terminal or the Horizon Client they don’t have the issue. Any ideas on a way around this for the remote users?

    1. Hello, I don’t understand why it would do that, however, I know that the TrueSSO certificate enrolls you onto the desktop using the users UPN and not the SAMAccountName. Could it be the Citrix Receiver is looking at the logon mechanism and seeing its not the conventional SAMAccountName logging the user on.

      1. That’s what I’m thinking as well since the behavior is that the destination server is not receiving what’s expected and so it challenges the user

    2. Lack of user’s password can be challenging. If you can configure Receiver to automatically login to StoreFront without needing the user’s password, then you can enable Citrix FAS on that StoreFront store to handle the SSON to the VDA.

  4. Hi Carl,

    Thank you for this. I am just installing 19.03 from fresh and manually copy/pasting my config from 3.3. I have 3 vIDM front ends load balanced by F5. Does this in turn mean I will need to build 3x Connectors and set different vIDM hostnames going to each vIDM appliance for it to be resilient, or can I put the VIP hostname in that box (point 16 in your above doc) and just install 2 connectors?

    1. I agree with @BC that this is confusing. If we have two connectors and put them on the same Workspace Provider, then what should we make the IDP hostname? Or should we make two different Workspace Providers and put one connector on each, and make the hostname the name of each connector?

      1. Since the connectors are not accessed inbound (directly) by users, I’m guessing it doesn’t matter what you put there.

        1. Thanks Carl! Would that also mean that it is unnecessary to add a certificate to the windows-based connector? With the other identity manager appliances I have put a SAN cert with the load balanced address and all the identity managers included on it. Since the connectors don’t have to be put in the Netscaler, it seems that putting a cert on it is only needed to avoid the warning when logging directly into it.

          1. Since cloning out the vIDM appliances (Node A clone to Node B, then Node A clone to Node C, then powering them up one at a time with 10 mins in between), I have had persistent Elasticsearch service issues. I just can’t seem to get the service started.

          2. Any particular order? I’ve tried sequential one at a time, all at the same time, and Node A leave for 10 mins then Nodes B&C together.

            Might be a call to Support Monday morning. 🙁

          3. Hey BC,
            I have 3 nodes and had the exact same issue you did. I rebooted the master node, waited for the blue screen to come up. Then I rebooted node 2, waited for it to come up. Then the Elasticsearch showed green.

            I don’t get it, but that’s what worked.

    2. Hi BC, I am just installing 19.03 vidm and get error
      “connector communication failed with respons communication channel unavailablefor the connector.idmc.virtusindonesia.com”
      did you ever get error like that ?

      1. Hi, I’ve the same issue with windows based connectors. The connectors are enabled in vIDM but when I try to add the AD, the time out message appears.
        I can browse from connectors the LB FQDN without problem. Could you help me?

  5. Hi,

    After updating the SSL certificate in our Identity Manager Tenant,

    I’m unable to login with the “admin” local user.

    If I try to login with this URL:


    login is ok, but unable to setup the platform.

    no access on settings .

    Any idea ?

  6. When I try to access a virtual app from Identity, it tries to open in the native app, but an error message is shown.

    “Horizon Server expects to obtain its login credentials from another application..”

    What should I configure to be able to access virtual apps in the native app (Horizon) from Identity without problems?

  7. Hi

    I am using and Horizon

    In Horizon Client all apps work fine

    In Workspace ONE (App) any app work fine, when I try to access, an error happened: “Error starting the resource”.

    In identity console I can see the error: LAUNCH error (ViewApp)

    The problem seems to be to open via browser

    Any Idea how to fix it?


  8. Dear Carl.
    When integrating IDM with Horizon Desktop, can we add the UAG FQDN instead of adding the Connection Server FQDN?
    I am trying this but it’s not working in my lab. I am getting “could no connect to URL” when adding the UAG to IDM.

  9. Hi Carl,

    I have issue in integrating windows based IDM connector to tenant based Identity Manager, whereas with Linux based OVA connector I do not have any issues it works fine, but not with windows based connector, error message is “connection refused”.

    The machine where the Windows connector is installed is running with proxy settings with all ports opened; on the same machine I am able to browse my tenant Identity Manager without any issues.

    Any suggestion on this.

  10. Hi Carl

    I have a problem with Add Directory as in CONFIGURATION – ACTIVE DIRECTORY point 13.

    I always get the error message: FAILED TO QUERY FOR DOMAINS

    I have set DNS (checked through SSH, /etc/resolv.conf)

    I can connect Identity Manager to Active Directory in setup (already connected successfully)

    What’s your opinion? Thanks

  11. Hello Carl,

    Love your blog, I hope you respond to this question soon…

    I installed the IDM 3.3 appliance on-premise and found the License is missing. I tried to add the License, but it displays “License could not be saved”. It kinda implies that there’s a modify permission issue with IDM even though I’m logged in as “admin”…any ideas?

    By the way, I also experienced the same thing when trying to configure the integration with IDM to UEM 1810 on-premise…”could not save” or similar error message…

    This looks like the same issue that occurred for other users on this blog, but haven’t seen a reply from you yet.


  12. Hi, I have TrueSSO implemented, but when testing it is working as required when testing internally. From external, it is not prompting, but the VDI session is asking for credentials. What am I missing to check. I have enabled the TrueSSO option in vIDM.

      1. I’m curious, would TrueSSO work on non-domain joined workstations? Just create a user certificate and install it on the client machine. One thing Horizon is missing is the ability to save password in a Windows environment where they aren’t joined to the same domain or are in a workgroup.

  13. Hello Carl, I am upgrading IDM from 3.2 to 3.3 and found the License is missing. I try to re-add the License, but it shows “License could not be saved”.
    The license shows valid
    “Product ID: VMware Workspace
    Expiry Date: Permanent
    Quantity: 100”
    But it cannot be saved.

    Try New Install, same problems. Please help!!!!

      1. So turns out that this is a known User Interface (UI) issue on the vidm 3.3 version. You can confirm the license key in “GlobalConfigParameters” section on the vidm SQL database. VMware engineering team is already aware of this issue and they asked me to ignore this error message and should be fixed in upcoming releases.

        Not much help but should explain why we all see this.

  14. Hello! Thank you!

    Could you please help me?

    I had this error..

    “You are no entitled to use the system”

    But direct access with the Horizon Client or the Web Client works. Through Identity Manager this error occurs.

    Thank you buddy!

    1. I am having this problem as well. I noticed that if I entitle the user directly in the connection server it works. But if I use a group it doesn’t.

  15. Carl
    First off- Thanks for all of your great articles!! I’ve found them very helpful in my journeys

    I’ve managed to get Identity Manager configured and working. However, I have a strange issue. When I try to login from outside of the network (DMZ) the Workspace ONE login page looks funny (missing background, mostly plain text with the company logo). However, after I login one time this is no longer the issue and the web page loads correctly. It will stay this way until the browser cache, cookies, etc. are cleared. Then back to the strange login page until first login.
    We are using a UAG connected to a Horizon Connection Server and the reverse proxy has been set to Identity Manager.
    Have you seen this behavior before? It happens in all web browsers.

      1. Thanks for the reply Richard. I’ve got the “Proxy Pattern” set to (/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*)) in the reverse proxy setting for vIDM.
        The proxy pattern for the Horizon connection settings is (/view-client(.*)|/portal(.*)|/appblast(.*))
        The “/” was removed from the Connection Server proxy so the user is always directed to vIDM.

      2. I forgot to mention. I fixed the issues with logging in. Only issue is the web page loading incorrectly until first log in. after first login it loads fine every time after. Unless the browser cache is cleared.

  16. Hi Carl,

    We have IDM set up in our DMZ along with UAGs. Externally the URL supplied by IDM sends connections to our load balanced UAGs. When our users authenticate to IDM and click the icon to start the Horizon desktop we find that the user is prompted a second time for user credentials by the Horizon client itself.

    So although I have authenticated into IDM this authentication does not seem to pass through to the connection that is initiated through the Blast gateway after clicking the IDM icon.

    We have no problems connecting directly internally, only when trying to connect via UAGs. What have I missed here? Does Workspace ONE mode have to be enabled to get this functionality (it is switched off at present) or is there something else I have missed that needs to be configured e.g. TrueSSO, Kerberos?

    1. What is the IdP for IDM? Is it a separate SAML IdP, like ADFS? If so, then you need True SSO.

      I assume SAML is configured between IDM and the Connection Servers.

      1. hi Carl, I am trying to have SAML integration between IDM and Airwatch – and IDM and Oracle. Appreciate if there is configuration guide for this.

  17. Can someone clarify how Identity Manager in combination with AirWatch supports multi tenancy?

    I have linked our AirWatch environment with Identity Manager. I let users synchronize with AirWatch in Identity Manager. In Identity Manager I have not configured an AD connection, which is not necessary. (Right?)

    ((I can also log in with Active Directory users and authentication to Active Directory through AirWatch.)) So this works well in the test setup.

    Our organization consists of several internal divisions, which are separate ‘Customer’ groups with us in AirWatch. Each division also has its own AD and another domain.
    We make full use of the multi tenancy possibilities of AirWatch. (multiple AD connectors, APNS, etc.)

    Question is: in what way is Identity Manager multi tenant? For example, I can only configure settings for identity authentication methods at ‘global’ level in Identity Manager, for example the ‘Password (AirWatch Connector)’. Because I have several ‘Customer’ groups, I would also have to be able to set different configurations here. What are the possibilities for setting this up?

    I find out that I think that many parameters can only be setup at ‘global’. Do I need to install Identity Manager multiple times? And is this possible on the same server?

    Thanks in advance!

  18. Hello Carl, I am running into an issue with my RDSH applications. Some of our applications are wrapped via a CMD. In Horizon the app icon shows as CMD instead of the app itself. Using PowerShell we are able to re-associate the app icon with the app instead of the CMD icon and I am told this should pass through to vIDM but this is not occurring. Any thoughts on this?

  19. Hi Carl,

    I have VIDM and Horizon deployed and in working condition. The only published app is a Desktop pool. I want to publish RDSH apps in vIDM without Horizon. Is it possible to do so? If yes then please let me know how.

  20. I want access to VIDM from the external network via UAG and reverse proxy configuration.

    In UAG I have the following configuration:

    Instance ID: VIDM
    Proxy destination URL: https://vidm-01.domain.com (local Identity manager address)
    Thumbprint: SSL certificate thumbprint
    Proxy Pattern: (/|/SAAS(.*)|/SAAS/auth/wsfed/active/logon|/hc(.*)|/web(.*)|/catalog-portal(.*))

    The external address that points to UAG is https://idm.domain.com

    When I go to https://idm.domain.com, a Workspace portal opens.

    I have the problem that when a user logs in, UAG redirects me to the internal Identity Manager URL: https://vidm-01.domain.com. The login for the System domain works correctly; the problem is only for users with the Windows domain.

    What needs to be set up to make the user login from external network?

    1. your VIDM workspace url needs to match what the user is connecting to. as your external url is “idm.domain.com” then you need to configure vidm to respond with the same url by going to https://vidm-01.domain.com:8443/cfg/workspaceUrl and setting it to “https://idm.domain.com” and then update the UAG to point to “https://idm.domain.com”.

  21. Hi Carl,
    I am new to Horizon IDM and I have a question; How would I disable external (internet) network admin login access? (local directory)
    I have tried a few variations with creating Access Policies, that eventually locked me out and I had to re-deploy the OVA and reconfigure. Forgive my ignorance, as I stated, new to this device. Thank you for any assistance.

  22. HI Carl,

    Thanks for the helpful details on IDM. Could you please give guidance on True SSO configuration on IDM 3.0, which I’m stuck at at the moment.


  23. Hello,

    Your material is very good, but I have a question, I am implementing a solution that has, 3 Identity manager that is balanced by NSX, I have a Connection Server and I have 2 UAG that are balanced by NSX. My question is, to publish this solution you must have a single public IP or two IP, I’m having a problem when opening applications from the internet, I have an error trying to communicate with horizon and I’m only using a single public IP.

    Thank you

    1. If you’re not proxying IDM and Horizon through a single UAG cluster, then that would be two public IPs.

  24. Hi Carl,

    I have a case where I need to make sure that a user is allowed to access the VDI environment from only a company assigned desktop or laptop, irrespective of the group policies configured for him. Is there any component in Horizon which can control this? I have been told that the Unified Access Gateway appliance can be integrated with RADIUS or a CA authority and regulate this. Can you please guide me further on this?

  25. I would like External and Internal users access VDI and RDSH Published apps – All users MUST login via TFA -VMID via VMware Verify.

    UAG replaces the security server with new features and functions.

    VMID – is the portal access with TFA – VMware Verify.

    Is this possible?

    What would the network topology look like?

    1. v1sper, We literally have been struggling with this for about 3 weeks now with IDM Version 3.1, and I finally just re-deployed the IDM from scratch. We deleted the appliance, database, external connector, and was finally able to get it to cluster with the latest version, 3.2 of Identity Manager. We had a case open with VMware Support, and have sent logs, spent hours online with support, tried numerous things, but a re-deploy ended up fixing the issue for us.

  26. Hi Carl

    I plan to deploy vIDM , Horizon and Airwatch in the on premise environment.

    AirWatch needs to connect to AD by using ACC (new name: VMware Enterprise Systems Connector),

    For vIDM, do we need to connect AD directly or need to use VMware Enterprise Systems Connector?

    do you have Airwatch&vIDM integration guide ?

    Appreciate for your help

  27. Hi Carl,
    This is great for understanding Identity Manager.
    And I have some questions I want to ask since there is not much information I can find in the VMware docs.
    I deployed vIDM on premises in the DMZ and integrated it with AirWatch by ACC.

    To configure Android SSO the document says it needs inbound TCP 5262 to vIDM,
    so I did a port forward on my router to vIDM.
    But I cannot find port 5262 listening on vIDM, so I cannot perform the Android SSO (but I am successful on iOS).
    Do you have any idea?

  28. Hi Carl, great article!
    We are trying to implement the following:
    We have iGel Thin Clients with Windows installed and Internet Explorer/Chrome.
    Users need to authenticate with their AD account on the Thin Client, in the Thin Client the user goes to the vIDM Portal and needs to sign in again there.
    What we like to have is that the user logs onto the Thin Client and after that, using SSO to log into the Portal. We hear from VMware that that is not possible….
    Reading through your document I think it is possible or am I reading it wrong? We have setup Kerberos Authentication…


    1. What’s not working?

      Since iDM doesn’t receive the user’s password, I suspect you’ll need to implement Horizon True SSO.

      1. When a user logs into the thin client / VDI (for test) / fat client, the user wants to (in the internal network) SSO to the IDM Portal. Logging into the thin client / VDI / fat client requires authenticating with AD username/password, and for the portal again, so the user needs to login twice. What we want is that the user logs into the thin client, and when going to the IDM portal, is already logged in.

      2. Hi Carl, I have setup my lab environment, there it is running fine…. I think it has to do with the certificate or something…

        1. Hi Carl, how are you?
          We have it almost working, but we are facing a specific “thing”: we have multiple domains in 1 connector. What we want is SSO, but that does not work; it keeps asking for the User Principal Name, after that it logs on with the password. What we want is that it logs entirely with SSO to the portal.
          My idea is to create a connector per domain. Or is there maybe another way, like a registry setting or something (to remember/push the setting, “remember my setting” on the login page)? Setting that option (remember my setting) then it keeps working as we want…

  29. Hi Carl !!
    Thanks for your dedication when doing these tutorials !!
    Do you know if I can use Azure AD integrated with Identity Manager ?

  30. Hi Carl, and thanks for this excellent post! I have some questions about the Directory setup:

    I’m trying to set up my Directory with Active Directory with Integrated Windows Authentication (IWA), but I get an error where on the appliance webpage it says “Request timed out”, whilst the connector.log logfile outputs something similar to “Cannot promote user to Administrator” followed by “User not found”. I think it’s the Bind User that’s the problem, but I can’t find any good documentation on which permissions this user needs in AD. Note that Active Directory over LDAP works just fine, it’s just IWA I can’t get working.

    Any tips? Thanks!

  31. Figured I’d give this a shot before opening a case. In the process of standing up an On-Prem AirWatch 9.1.3, IdM 2.9.1 environment. So far got everything deployed and got the integration between IdM and View (7.0.3 I believe). It appears most of my entitlements synced up, however I’m seeing something weird. Hopefully, you (or someone) has seen it and can save me the headache of support…

    All the pools sync, but there is one particular pool (possibly more, but this one affects me so I noticed it) that in the View Admin console has 8 users entitled to it. When it syncs with IdM, it has 5 users entitled to it in the IdM Catalog. One of the users is a generic user and is missing a required attribute, and they won’t be accessing IdM anyway, so that one I don’t care about. However the other two missing users are my domain account and my co-worker’s domain account. These are just typical domain accounts, that have been successfully synced to the IdM user directory (via AirWatch). The one thing that I notice is that the two of us have accounts in our parent domain (also synced, the user accounts appear in IdM with their respective domain attribute) with the same “username”.

    So for example, I’ve got domainA\userY and domainB\userY

    My View pool has domainB\userY entitled to it. IdM contains users for userY in domainA_FQDN and domainB_FQDN in its User repository. Am I missing something to “help” IdM associate the correct “userY” with my View Pool?

    Be happy to explain more if needed. I’m stumped.

    Thanks for any help you, or anyone else, can provide.


  32. Hi Carl,

    Maybe you or some other reader also encountered the following;

    We have a case in which have a new separated Horizon Pod for Win10, and an ‘old’ pod for Win7.

    The pod for Win10 is just upgraded to 7.2, and this pod works as expected; desktops are running through client and browser (Blast). But when using these desktops through Identity Manager (2.9.2) the desktop can only be opened through the client; when opening it from IM in the browser it shows a ‘page can’t be found’.

    the pod for win7 with horizon 6.2 though is able to be used from the connection servers, client and browser and through the same identity manager without a problem.

    might there be an issue with IDM2.9.2 Horizon7.2? Or is there a setting i missed?
    we had a working situation with IDM 2.9.1 Horizon 7.1.

    SAML authentication is set to allowed and is enabled.

    Thanks in advance for thinking with me, regards

      1. yes, also the horizon7.2 pod is using UAG(2.9.0). with the external url to this gateway, using without IM it is working perfectly, with client and through browser.

        the IM is not connected through UAG, but don’t expect this should give issues like this?

    1. Hey Carl. My name is Carl as well but anyway, any chance you can do a guide on how to configure IDM with UAG.


  33. Hi Carl,
    Could you help me with configuration vIDM?
    I try to configure SSO for Mobile Devices and Laptops and integrate this with AirWatch.
    The main idea is Kerberos authentication through the Workspace Portal on laptops when in the intranet, and also through the managed Workspace ONE app with an AirWatch profile for other native and web apps on iOS, Android and Windows Phone platforms from the Internet.
    I did your installation guide step-by-step, thank you for your great job, but I have a problem. When I change the Identity Manager FQDN to the load-balancer name Kerberos stopped working, but I can authenticate with my domain credentials through the login form. If I change IdP Hostname in Identity and Access Management -> Identity Providers -> WorkspaceIDP__1 from the public (load-balanced) name to the local domain name, Kerberos starts working again but I can’t authenticate from the Internet.

  34. hi carl,
    I want to download VMware Identity Manager 2.4.1. Please help me; I could not download it from VMware, and I don’t find any other download link from any resource.

  35. Hi Carl, great article. to start with. I am trying vidm in lab followed this doc.
    connection server url – https://consrv-01.domain.local, vidm fqdn – https://sso.domain.local

    What I am seeing is the user accesses https://sso.domain.local and logs in. When trying to launch any View application (HTML Access) it redirects me to the Connection Server URL to launch the application.

    Is this the way its supposed to work or i am missing something. if user connects from internet how should the connection server be exposed in internet.

    1. Identity Manager is nothing more than a portal that authenticates users and displays your icons.

      When connecting remotely, the PCoIP or Blast connection needs to be proxied through another machine. Identity Manager does not perform this proxy function. Instead, you need Security Server or Access Point to handle those connections.

      1. Hi carl,
        Thanks for the reply. Say I have an Access Point configured for my Connection Server at URL access.domain.local.
        While configuring VIDM, where should I mention the Access Point URL so that applications are launched through the Access Point URL instead of the Connection Server?

        1. Network Range. After you integrate View with Identity Manager, go to Identity & Access Management > Setup > Network Ranges, add/edit, and there’s a Client Access URL Host.

          1. I noticed that the “client access url” cannot be within the same public domain as the idm. So, if the idm is identity.domain.com, it’s not possible to use uag.domain.com as url. The save-button is simply greyed out. Can anyone confirm?

  36. Hi Carl,
    Excellent article. vIDM 2.8 in my installation is not stable – CPU spikes up to 100% and crashes after few minutes. Have you seen CPU spiking issue in your installation? Any idea how to fix it

    1. Everyone experiencing this issue using SQL? I’m still utilizing the internal Postgres DB replicated across 3 nodes and haven’t seen this issue.

      1. Chad, using the internal Postgres DB here and having the issue. It seems to not occur until after setting the load balancer FQDN, but that’s pure speculation.

  37. Hi Carl,
    to install the second vIDM node, did you just clone the first one? Is there anything else needed from the SQL side, or will the second vIDM appliance point to the same SQL database and get the same configuration?

    I'm planning to install a couple of vIDM appliances and I have that doubt: is a simple external SQL database enough, or does it have to be Always On technology or something like that?

    Thank you.

    1. You generally want HA for SQL too. But yes, simply clone and it connects to same SQL. Note, VMware wants you to have three appliances for HA. And IDM 2.8 is available now.

  38. Hi Carl,

    I have an issue with authentication with vIDM and Kerberos. I have an RDSH App and I tried to connect from vIDM, but the SSO did not work. It only worked from the user machine to vIDM; when I try to access the RDSH App it asks for authentication:

    My environment is:

    2 vIDM (HA)
    2 Access Point (HA)
    2 Connection Server (HA)
    2 RDS Servers
    load balance for Access Point

        1. Kerberos uses tickets for authentication, not passwords. When vIDM talks to Horizon, it needs to send the user’s password to Connection Server so Connection Server can do SSON to the Horizon Agent. Since there’s no password, it’s not possible to do SSON.

          Alternatively, if there’s no password, Connection Server can create a user certificate (TrueSSO), and use that for authentication to the Horizon Agent. TrueSSO is another server.

          1. Correct. If you want SSO all the way, then you want Kerberos on vIDM, and TrueSSO on Horizon.

      1. Hi Carl, could you please explain how I can use a CS LB in vIDM, and how the user is not disrupted when one of the CSs goes down?

    1. Hi,

      I have a problem connecting UAG and vIDM.

      Do you have a solution for this, how to connect UAG and vIDM?

  39. Love your blog, it has proved a most helpful tool, hoping you might be able to help with an issue :-) I'm using vIDM 2.7.1 and Access Point 2.7.2 as a reverse proxy for vIDM. When I try to access the URL from the outside and log in I get a spinning circle, and if you hit refresh it logs in but is pretty much unusable. It seems like the documented proxypatterns and unsecuredpatterns are missing needed information or are missing needed data. Have you come across this issue? Thanks

  40. Great Article!

    With the Access Point, is there anything special needed to get it to work correctly? I deployed it and can get to the login page, but then it redirects me back to the internal name of my Identity Manager. I'm guessing it's because the FQDN isn't correct, but when I try to change it, I get an error that it won't change it on the manager and IdP. Thoughts?

    1. Are you using the special 2.6 version that doesn’t work with Horizon? There are separate instructions for Identity Manager on Access Point.

      1. Hi Carl, I'm using the 2.6 version on-premise with Horizon 7 (connection server + Access Point) + AppVolumes 2.9. On View all works fine, but with IDM user domain login is not possible.

        Thank you.

  41. Carl, please note that we should not pre-populate the database information. We also should not have to give the appliance the DB_OWNER role, as this has caused issues as well on the database side with the appliance. We should always use the provided script, as it builds everything required out of the gate and sets the correct permissions. (A very common issue is not using this and/or wanting to change the database name and/or user.)

    We do know that using the IP address, as you note, will not allow the configuration to proceed:

    Unable to complete the configuration of VMware Identity Manager appliance
    Configuration of Identity Manager fails with error:
    Invalid organization name. Chosen name (null) includes invalid characters.
    This issue occurs when the appliance is accessed with an IP address in the URL instead of FQDN

    We also note that any change to the Certificate and or FQDN will require a re-enable of the WORKSPACE ONE interface. Otherwise we will not be able to login.

    After enabling the Workspace ONE GUI interface, and then changing the FQDN and/or certificate of the appliance, attempting to log back in to VMware Identity Manager gives the error message “Request Failed” “Please Contact your IT Administrator”.
    Log into VMware Identity Manager at https://FQDN, choose the local users option and log in with the “admin” account and password. Once logged in, navigate to the Catalog, Settings, New End User Portal UI tab.
    Select the “Enable New Portal UI” option.

    Please also note that if you already have a load balancer and/or reverse proxy in place, you do not gain anything by using Access Point with your load balancer other than pain, suffering and nightmares. With the load balancer already doing SSL termination, there is no direct access back to vIDM. Access Point was thought of for vIDM as an alternative if you did not have an LB or reverse proxy already in place.

    1. Hi Robert,

      Thanks for your observations. I made some changes to the SQL and Load Balancing FQDN sections. Let me know if you notice anything else that needs to be corrected.

  42. Hi Carl, great writeup. I'm hitting problems with the FQDN and a local domain name of .local. We have a wildcard for our external services, say example.com, and an internal name of example.local. If I deploy the appliance with an FQDN of .workspace.example.co.uk I can then assign the wildcard cert but cannot get Kerberos to work even with SPNs added. If I deploy it with workspace.example.com and put an internal CA cert on it, then Kerberos works fine but workspace.example.co.uk does not work, as it redirects the URL back to workspace.example.local, which obviously can't be reached externally. We are not using any load balancers, just a single appliance.

  43. Hi Carl, may I ask you a question?
    I ran into trouble reusing the same FQDN to redeploy vIDM after replacing its self-signed certificate. I got the error about the certificate as below:

    com.vmware.horizon.svadmin.exception.AdminPortalException: org.springframework.web.client.ResourceAccessException: I/O error on GET request for “https://HZ-IDMV-02.CLOUD.CCDE.CNPC/SAAS/API/1.0/REST/system/bootstrap/initialize”: Host name ‘HZ-IDMV-02.CLOUD.CCDE.CNPC’ does not match the certificate subject provided by the peer (EMAILADDRESS=unknown@vmware.com, CN=HZ-IDMV-02.CLOUD.CCDE.CNPC, OU=Horizon-Workspace, O=VMware, L=Palo Alto, ST=california, C=US); nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name ‘HZ-IDMV-02.CLOUD.CCDE.CNPC’ does not match the certificate subject provided by the peer (EMAILADDRESS=unknown@vmware.com, CN=HZ-IDMV-02.CLOUD.CCDE.CNPC, OU=Horizon-Workspace, O=VMware, L=Palo Alto, ST=california, C=US)
      at com.vmware.horizon.svadmin.service.ApplicationSetupService.isFirstOrgAndAdminUserSetup(ApplicationSetupService.java:196)
      at com.vmware.horizon.svadmin.controller.AdminPortalShortcutsController.doGet(AdminPortalShortcutsController.java:44)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:497)

    Could you help me fix the problem?

  44. Hi Carl, an awesome article. It's my first time exploring vIDM; can you help me with the steps on cert PEM creation?
    “1.Use OpenSSL or similar to create the certificate in PEM format. If you have a .pfx, you can use OpenSSL to convert from pkcs12 to PEM. Also use OpenSSL to convert the private key to RSA format.”
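The quoted step, worked through as an added example (not the article's or VMware's own script): it extracts the certificate and unencrypted key from a .pfx, re-encodes the key as traditional RSA PEM, and checks that the key actually belongs to the certificate before either is uploaded. File names, the pfx pass phrase and the subject name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): turn a .pfx export into the PEM
# certificate and traditional RSA private key the quoted step calls for.
# File names, the pass phrase and the subject below are constructed for the demo.
set -eu

# Extract the leaf certificate as clean PEM (piping through x509 drops the
# "Bag Attributes" text that pkcs12 prepends) and the key unencrypted (-nodes).
# $1 = .pfx, $2 = .pfx password, $3 = cert output, $4 = key output
pfx_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys | openssl x509 -out "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4"
  # A bundled issuing chain comes out with -cacerts -nokeys; .pfx files from
  # older Windows exports may need -legacy when read with OpenSSL 3.
}

# Re-encode the key as "BEGIN RSA PRIVATE KEY". pkcs12 emits PKCS#8
# ("BEGIN PRIVATE KEY"); OpenSSL 3 needs -traditional to produce the old
# form, while OpenSSL 1.1 does not know that flag and emits it by default.
key_to_rsa() {
  openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null || openssl rsa -in "$1" -out "$2"
  grep -q 'BEGIN RSA PRIVATE KEY' "$2"
}

# Prove the key belongs to the certificate before uploading either: the
# SubjectPublicKeyInfo derived from each must be byte-identical.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo: build a throwaway self-signed cert and .pfx, convert them, and print
# the working directory so the caller can inspect cert.pem and key-rsa.pem.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=identity.corp.com' \
    -keyout "$d/orig.key" -out "$d/orig.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/orig.key" -in "$d/orig.crt" \
    -passout pass:demo -out "$d/identity.pfx"
  pfx_to_pem "$d/identity.pfx" demo "$d/cert.pem" "$d/key.pem"
  key_to_rsa "$d/key.pem" "$d/key-rsa.pem"
  key_matches_cert "$d/cert.pem" "$d/key-rsa.pem"
  printf '%s\n' "$d"
}
```

Run `demo` to see the whole flow on a generated certificate; for a real export, call `pfx_to_pem`, `key_to_rsa` and `key_matches_cert` on your own .pfx instead.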

  45. Carl

    Thanks for the article, I would like to know your feedback on the product and how it compares to industry leading IDaaS products such as OKTA?

    1. I’m more interested in the Horizon View integration. And AirWatch. For web-app SSON, there are many products that can do that. It’s not my expertise so I can’t say if one is better than another.

  46. So when I'm deploying the OVA file for the first Identity Manager appliance (I will load balance behind a pair of NetScalers), should I make the appliance hostname FQDN “IM01.domain.local” in the OVA setup, not “identity.corp.com”?
    (you show “identity.corp.com” not “im01.corp.local” in your screenshot above with the OVA setup)

    – the connector on my im01 (I used identity.domain.com in the OVA setup) shows “identity.domain.com”, not im01.domain.local

    – In the netscaler LB write up, you show naming the cloned appliance im02.corp.local

    I guess I'd like to know what is different about setting up the first IM appliance when you will be load balancing: should the FQDN in the first OVA setup be an individual name or “identity”?

    1. If you’re not load balancing then the single appliance should be named the same as what users will use to access it. If load balancing then each appliance needs a unique name. I should probably clarify that and update the screenshots accordingly.

    2. Aaron, I updated the screenshots to reflect the load balancing scenario. I also figured out a database issue I was having and updated the instructions accordingly. This also fixed some cloning issues. Let me know if you notice anything else that needs to be fixed. Thanks.

        1. Configuration does not work properly unless you are connected to the appliance using an FQDN instead of IP. However, most browsers won’t allow the connection because of the untrusted cert. It would have been easier if VMware included a self-signed cert instead of a CA-signed cert.

  47. Great article, thank you very much! This was a HUGE help, especially with the netscaler article to go with it!
    One question on the SSL certs: will each appliance (IM01.corp.pri and IM02.corp.pri) have a cert for “corp.pri” (corp.pri being a Microsoft enterprise CA cert) AND a cert for identity.corp.COM (COM being a public cert)?
    Can I just use a public wildcard for IM01/IM02 and Identity, making them all .com (my internal domain is .pri), so it's one cert (not a SAN cert)? That is, name the FQDNs “IM01.corp.com”, “IM02.corp.com” and “Identity.corp.com” using the same wildcard cert (with DNS entries to match)?

    How does the Identity manager play with the new Access Point for Horizon?

    1. I think public certs on each appliance should be fine. Each appliance needs a unique hostname so it can join the domain correctly.

      I believe a future release of Access Point will provide remote connectivity to Identity Manager. VMware mentioned they borrowed the auth components from Identity Manager to place on Access Point. Smart Card is a good example of this.
