After you initialize KDC in Workspace ONE Access, you must create public DNS records to allow the Kerberos clients to find the KDC when the built-in Kerberos authentication feature is enabled.

The KDC realm name is used as part of the DNS name for the Workspace ONE Access appliance entries that are used to discover the KDC service. Two DNS records are required for each Workspace ONE Access site and two address entries.

Note: An AAAA record is required for devices running on iOS 9 or are using T-Mobile as the carrier. The AAAA entry value is an IPv6 address that encodes an IPv4 address. If the KDC is not addressable via IPv6 and an IPv4 address is used, the AAAA entry might have to be specified in strict IPv6 notation as ::ffff:175c:e147 on the DNS server. You can use an IPv4 to IPv6 conversion tool, such as one available from Neustar.UltraTools, to convert IPv4 to IPv6 address notation.

DNS Record Entries for KDC

In this example DNS record, the realm is EXAMPLE.COM; the Workspace ONE Access fully qualified domain name is, and the Workspace ONE Access IP address               1800 IN  A                 1800 IN  AAAA         ::ffff:
_kerberos._tcp.idm.EXAMPLE.COM          IN  SRV  10  0   88
_kerberos._udp.idm.EXAMPLE.COM          IN  SRV  10  0   88