To support using Kerberos authentication for Mobile SSO for iOS, VMware Identity Manager provides a cloud hosted KDC service.

The KDC service hosted in the cloud must be used when the VMware Identity Manager service is deployed with AirWatch in a Windows environment.

To use the KDC managed in the VMware Identity Manager appliance, see the Preparing to Use Kerberos Authentication on iOS devices in the VMware Identity Manager Installation and Configuration Guide.

When you configure Mobile SSO for iOS authentication, you configure the realm name for the cloud hosted KDC service. The realm is the name of the administrative entity that maintains authentication data. When you click Save, the VMware Identity Manager service is registered with the cloud hosted KDC service. The data that is stored in the KDC service is based on your configuration of the Mobile SSO for iOS authentication method, which includes the CA certificate, the OCSP signing certificate, and the OCSP request configuration details. No other user-specific information is stored in the cloud service.

The logging records are stored in the cloud service. The Personally Identifiable Information (PII) in the logging records include the Kerberos principal name from the user's profile, the subject DN and UPN and EMAIL SAN values, the device ID from the user's certificate, and the FQDN of the IDM service that the user is accessing.

To use the cloud hosted KDC service, VMware Identity Manager must be configured as follows.

  • The FQDN of the VMware Identity Manager service must be reachable from the Internet. The SSL/TLS certificate used by VMware Identity Manager must be publically signed.

  • An outbound request/response port 88 (UDP) and port 443 (HTTPS/TCP) must be accessible from the VMware Identity Manager service.

  • If you enable OCSP, the OCSP responder must be reachable from the Internet.