To support using Kerberos authentication for Mobile SSO for iOS, Workspace ONE Access provides a cloud hosted KDC service.

Important:

End of Availability (EoA) of Workspace ONE Access Cloud-Hosted KDC Service for hybrid deployment

VMware is announcing the End of Availability (EoA) for Workspace ONE Access Cloud-Hosted KDC service (also known as Hybrid KDC Service) for hybrid deployments. The EoA will be effective on December 15, 2023, for all Workspace ONE Access customers.

All Workspace ONE Access on-premises customers using Cloud-Hosted KDC service should plan to migrate to Workspace ONE Access in the Cloud or deploy the built-in KDC Service for their on-premises Workspace ONE Access deployments. See Using the Built-in KDC for Workspace ONE Access.

Now through December 15, 2023, the Workspace ONE Access Cloud-Hosted KDC service remains available and supported.

The Support period ends on December 15, 2023, and the Cloud-Hosted KDC service will reach the End of Availability and End of Support Life. Following this date, users will be unable to authenticate against the Cloud-Hosted KDC service.

See KB article End of Availability (EOA) of Workspace ONE Access Cloud-Hosted KDC Service for Hybrid Deployments.

The KDC service hosted in the cloud can be used in Workspace ONE Access cloud-hosted deployment.

When you configure Mobile SSO for iOS authentication, you configure the realm name for the cloud hosted KDC service. The realm is the name of the administrative entity that maintains authentication data. When you click Save, the Workspace ONE Access service is registered with the cloud hosted KDC service. The data that is stored in the KDC service is based on your configuration of the Mobile SSO for iOS authentication method. The data includes the CA certificate, the OCSP signing certificate, and the OCSP request configuration details.

The logging records are stored in the cloud service. The Personally Identifiable Information (PII) in the logging records includes the following.
  • The Kerberos principal name from the user's profile
  • The subject DN, UPN, and email SAN values
  • The device ID from the user's certificate
  • The FQDN of the IDM service that the user is accessing

To use the cloud hosted KDC service, Workspace ONE Access must be configured as follows.

  • The FQDN of the Workspace ONE Access service must be reachable from the Internet. The SSL/TLS certificate used by Workspace ONE Access must be publicly signed.

    If you configure Workspace ONE Access with an external firewall, create an allow list with the appropriate IP addresses or URLs. See Adding Allowlist IP Addresses to Your External Firewall for Workspace ONE Access Services.

  • An outbound request/response port 88 (UDP) and port 443 (HTTPS/TCP) must be accessible from the service.
  • If you enable OCSP, the OCSP responder must be reachable from the Internet.