Enable Kerberos KDC Proxy Support during your initial VMware Tunnel configuration. AirWatch KKDCP acts as a proxy to your internal KDC server.

To enable Kerberos proxy settings: 

  1. During the configuration, check the box Use Kerberos proxy and enter the Realm of the KDC server.

  2. If the Realm is not reachable, then you can configure the KDC server IP on the Advanced settings tab in system settings.

    Only add the IP if the Realm is not reachable, as it takes precedence over the Realm value entered in the configuration.

    By default, the Kerberos proxy server uses port 2040, which is internal only, so no firewall changes are needed to open this port for external access.

  3. Save the settings and download the installer to install VMware Tunnel Proxy.

    On Windows, once the VMware Tunnel Proxy is installed, you can see that a new Windows service called AirWatch Kerberos Proxy has been added.

  4. Enable Kerberos from the SDK settings in the AirWatch Console so the requesting application is aware of the KKDCP. Navigate to Groups & Settings > All Settings > Apps > Settings And Policies and select Security Policies. Under Integrated Authentication, select Enable Kerberos. Save the settings.

Accessing Logs

The path for KKDCP logs for VMware Tunnel for Linux is: /var/log/airwatch/proxy/proxy.log

The path for KKDCP logs for VMware Tunnel Proxy for Windows is: \AirWatch\Logs\MobileAccessGateway

To make sure the AirWatch KKDCP server is up and running, access the following URL in your browser from the server where KKDCP is installed: http://localhost:2040/kerberosproxy/status

If the proxy server is working as expected, the browser returns the following response:

    {
      "kdcServer":"internal-dc01.internal.local.:88",
      "kdcAccessible":true
    }
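
A scripted version of the status check above, suitable for a monitoring job on the KKDCP server. This is an added example, not part of the original documentation; the function names `evaluate_status` and `check_kkdcp` are hypothetical, and it assumes that an unreachable endpoint, a missing `kdcServer`, or any `kdcAccessible` value other than `true` should count as a failure.

```python
import json
import sys
import urllib.error
import urllib.request

# Status URL from the documentation; only reachable on the KKDCP server itself.
STATUS_URL = "http://localhost:2040/kerberosproxy/status"


def evaluate_status(body):
    """Return (healthy, reason) for a raw status response body."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "response is not valid JSON"
    if not isinstance(data, dict):
        return False, "response is not a JSON object"
    kdc = data.get("kdcServer")
    if not isinstance(kdc, str) or not kdc:
        return False, "kdcServer is missing from the response"
    # Assumption: only the literal boolean true means the KDC is reachable.
    if data.get("kdcAccessible") is not True:
        return False, "KDC %s is not accessible from the proxy" % kdc
    return True, "KDC %s is accessible" % kdc


def check_kkdcp(url=STATUS_URL, timeout=5):
    """Fetch the status endpoint and evaluate the response."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError) as exc:
        return False, "KKDCP status endpoint unreachable: %s" % exc
    return evaluate_status(body)


if __name__ == "__main__":
    ok, reason = check_kkdcp()
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

The script exits with status 0 when the proxy reports the KDC as accessible and 1 otherwise, so it can be used directly as a cron or monitoring-agent check.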