Using the Built-in KDC for Workspace ONE Access

For Mobile SSO for iOS authentication on VMware Workspace ONE™ UEM-managed iOS devices, you can use the built-in KDC. You manually initialize the Key Distribution Center (KDC) in the appliance before you enable the authentication method from the administration console.

Before you initialize KDC in Workspace ONE Access, determine the realm name for the KDC server, whether subdomains are in your deployment, and whether to use the default KDC server certificate or not.

Realm

The realm is the name of an administrative entity that maintains authentication data. Selecting a descriptive name for the Kerberos authentication realm is important. The realm name must be a part of a DNS domain that the enterprise can configure.

The realm name and the fully qualified domain name (FQDN) that is used to access the Workspace ONE Access service are independent. Your enterprise must control the DNS domains for both the realm name and the FQDN. The convention is to make the realm name the same as your Workspace ONE Access DNS domain name, entered in uppercase letters. Sometimes the realm name and domain are different. For example, a realm name is EXAMPLE.NET, and idm.example.com is the Workspace ONE Access FQDN. In this case, you define DNS entries for both example.net and example.com domains.

The realm name is used by a Kerberos client to generate DNS names. For example, when the name is EXAMPLE.COM, the Kerberos related name to contact the KDC by TCP is _kerberos._tcp.EXAMPLE.COM.

Using Subdomains

The Workspace ONE Access service installed in an on-premises environment can use the Workspace ONE Access FQDN subdomain. If your Workspace ONE Access site accesses multiple DNS domains, configure the domains as location1.example.com; location2.example.com; location3.example.com. The subdomain value in this case is example.com, typed in lowercase. To configure a subdomain in your environment work with your service support team.

Using KDC Server Certificates

When the KDC is initialized, by default a KDC server certificate and a self-signed root certificate are generated. The certificate is used to issue the KDC server certificate. This root certificate is included in the device profile so that the device can trust the KDC.

You can manually generate the KDC server certificate using an enterprise root or intermediate certificate. Contact your service support team for more details about this feature.

Download the KDC server root certificate from the Workspace ONE Access admin console to use in the Workspace ONE UEM configuration of the iOS device management profile.