For Mobile SSO for iOS authentication on VMware Workspace ONE™ UEM managed iOS devices, you can use the built-in KDC. You manually initialize the Key Distribution Center (KDC) in the appliance before you enable the authentication method from the administration console.

Note: When you integrate VMware Identity Manager with Workspace ONE UEM in a Windows environment, use the VMware Identity Manager KDC cloud hosted service, not the built-in KDC. Using KDC in the cloud requires selecting the appropriate realm name in the iOS authentication adapter page from the administration console. See the VMware Identity Manager Administration Guide.

Before you initialize the KDC in VMware Identity Manager, determine the realm name for the KDC server, whether your deployment uses subdomains, and whether to use the default KDC server certificate or one issued by your enterprise.

Realm

The realm is the name of an administrative entity that maintains authentication data. Selecting a descriptive name for the Kerberos authentication realm is important. The realm name must be a part of a DNS domain that the enterprise can configure.

The realm name and the fully qualified domain name (FQDN) that is used to access the VMware Identity Manager service are independent. Your enterprise must control the DNS domains for both the realm name and the FQDN. The convention is to make the realm name the same as your domain name, entered in uppercase letters. Sometimes the realm name and domain are different. For example, a realm name is EXAMPLE.NET, and idm.example.com is the VMware Identity Manager FQDN. In this case, you define DNS entries for both example.net and example.com domains.

A Kerberos client uses the realm name to build the DNS names it queries to locate the KDC. For example, when the realm is EXAMPLE.COM, the DNS SRV name a client queries to contact the KDC over TCP is _kerberos._tcp.EXAMPLE.COM, so that name must resolve in a DNS domain you control.
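The DNS side of the realm choice, as an added example that is not part of the VMware documentation: a POSIX shell script that derives the SRV names a Kerberos client queries from a realm, prints the zone records that must exist in the realm's DNS domain to answer them, and optionally runs dig against live DNS to confirm they resolve. The realm EXAMPLE.NET, the KDC host idm.example.com, the TTL, and the SRV priority and weight are assumed values chosen for this example; port 88 is the standard Kerberos KDC port.

```shell
#!/bin/sh
# Added example, not part of the VMware documentation: derive the DNS names a Kerberos
# client builds from the realm name, emit the zone records that answer them, and
# (optionally, with dig and network access) check that live DNS answers them.
# The realm EXAMPLE.NET, the host idm.example.com, the TTL and the SRV priority/weight
# are assumptions chosen for this example; port 88 is the standard Kerberos KDC port.

# Uppercase the realm: DNS itself is case-insensitive, but the realm is conventionally
# written in uppercase and the client copies it verbatim into the query name.
kerberos_realm() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# The SRV names a Kerberos client queries to locate a KDC for the realm, over TCP and UDP.
kerberos_srv_names() {
    realm=$(kerberos_realm "$1")
    printf '_kerberos._tcp.%s\n_kerberos._udp.%s\n' "$realm" "$realm"
}

# BIND-style records that publish the KDC host for the realm. The owner names live in
# the zone of the realm's DNS domain (example.net), which may be a different zone from
# the one holding the service FQDN (idm.example.com): both must be under your control.
kerberos_srv_records() {
    kdc_host=${2%.}   # strip a trailing dot if one was supplied, then add it back once
    for name in $(kerberos_srv_names "$1"); do
        printf '%s. 3600 IN SRV 0 100 88 %s.\n' "$name" "$kdc_host"
    done
}

# Live check: every SRV name must return at least one answer. Requires dig and network.
check_kerberos_srv() {
    rc=0
    for name in $(kerberos_srv_names "$1"); do
        if dig +short SRV "$name" | grep -q .; then
            echo "ok:      $name"
        else
            echo "missing: $name" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh kdc-dns.sh EXAMPLE.NET idm.example.com [--check]
if [ "$#" -ge 2 ]; then
    kerberos_srv_records "$1" "$2"
    [ "${3:-}" = "--check" ] && check_kerberos_srv "$1"
fi
```

Run it with the realm and the appliance FQDN to get the records to hand to your DNS administrator; add `--check` once the records are published to confirm that clients on your network will find the KDC.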

Using Subdomains

The VMware Identity Manager service installed in an on-premises environment can use subdomains of the VMware Identity Manager FQDN domain. If your VMware Identity Manager site spans multiple DNS domains, for example location1.example.com, location2.example.com, and location3.example.com, the subdomain value is the common parent, example.com, typed in lowercase. To configure a subdomain in your environment, work with your service support team.

Using KDC Server Certificates

When the KDC is initialized, a self-signed root certificate and a KDC server certificate are generated by default. The root certificate is used to issue the KDC server certificate, and the root certificate is included in the iOS device profile so that the device trusts the KDC.

You can manually generate the KDC server certificate using an enterprise root or intermediate certificate. Contact your service support team for more details about this feature.

Download the KDC server root certificate from the VMware Identity Manager admin console and use it in the Workspace ONE UEM configuration of the iOS device management profile. Devices trust only the root you distribute, so if you later replace the KDC server certificate with one issued by a different root, update the profile as well.