Kerberos KDC Proxy is supported for the Proxy component. VMware Tunnel Proxy supports Kerberos authentication in the requesting application by means of a Kerberos KDC proxy (KKDCP) that is installed on the endpoint server.

Workspace ONE UEM KKDCP acts as a proxy to your internal KDC server. Workspace ONE UEM-enrolled and compliant devices with a valid Workspace ONE UEM-issued identity certificate can be allowed to access your internal KDC through it. For a client application to authenticate to Kerberos-enabled resources, all of its Kerberos requests must pass through the KKDCP. The basic requirement for Kerberos authentication is that the Endpoint is installed with the Kerberos proxy setting enabled during configuration, on a network from which it can reach the KDC server.

Before you begin:

  • For HTTPS sites, VMware Browser for Android supports Kerberos authentication only when the site also has NTLM authentication enabled. This is because the Android WebView, on which the VMware Browser is built, does not support Kerberos authentication natively.
  • HTTP Sites do not require NTLM authentication as the VMware Tunnel can perform Kerberos authentication without NTLM being enabled.
  • Currently, this functionality is only supported with the VMware Browser v2.5 and higher for Android.

Enable Kerberos proxy settings

Complete the following steps to enable Kerberos proxy settings: 

  1. During the configuration, check the box Use Kerberos proxy and enter the Realm of the KDC server.

  2. If the Realm is not reachable, then you can configure the KDC server IP on the Advanced settings tab in system settings.

    Only add the IP if the Realm is not reachable, as it takes precedence over the Realm value entered in the configuration.

    By default, the Kerberos proxy server listens on port 2040. This port is used only internally, between the VMware Tunnel Proxy and the Kerberos proxy, so no firewall changes are required and the port does not need to be reachable from outside.

  3. Save the settings and download the installer to install VMware Tunnel Proxy.

    On Windows, once the VMware Tunnel Proxy is installed, you can see that a new Windows service called AirWatch Kerberos Proxy has been added.


  4. Enable Kerberos from the SDK settings in the Workspace ONE UEM console so the requesting application is aware of the KKDCP. Navigate to Groups & Settings > All Settings > Apps > Settings And Policies and select Security Policies. Under Integrated Authentication, select Enable Kerberos. Save the settings.
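What the proxy actually carries, as an added example that is not part of the original page or of VMware's code: a KKDCP client wraps each Kerberos message in the ASN.1 DER KDC-PROXY-MESSAGE structure defined in MS-KKDCP, with the realm from step 1 in target-domain, and the proxy forwards the inner message to a KDC for that realm and wraps the reply the same way. The page does not specify the client-facing URL, port or transport of the VMware Tunnel proxy, so the code below only builds and parses the envelope; the sample AS-REQ bytes and the realm EXAMPLE.COM are constructed placeholders, not a valid Kerberos message.

```python
"""Build and parse MS-KKDCP KDC-PROXY-MESSAGE envelopes (example code, not VMware's).

    KDC-PROXY-MESSAGE ::= SEQUENCE {
        kerb-message    [0] OCTET STRING,            -- 4-byte length prefix + Kerberos message
        target-domain   [1] KerberosString OPTIONAL, -- the realm the proxy should locate a KDC for
        dclocator-hint  [2] INTEGER OPTIONAL
    }
"""
import struct

SEQUENCE, OCTET_STRING, GENERAL_STRING, INTEGER = 0x30, 0x04, 0x1B, 0x02
CTX0, CTX1, CTX2 = 0xA0, 0xA1, 0xA2  # context-specific, constructed tags [0] [1] [2]

# Outer APPLICATION tags of the Kerberos messages a proxy reply can carry (RFC 4120).
KERBEROS_REPLY_TAGS = {0x6B: "AS-REP", 0x6D: "TGS-REP", 0x7E: "KRB-ERROR"}


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value):
    # Minimal two's-complement encoding; a leading 0x00 is added when the top bit is set.
    if value < 0:
        raise ValueError("dclocator-hint must be non-negative")
    return value.to_bytes((value.bit_length() // 8) + 1, "big")


def wrap_kdc_proxy_message(kerb_message, target_domain=None, dclocator_hint=None):
    """DER-encode a KDC-PROXY-MESSAGE around a raw Kerberos message."""
    framed = struct.pack(">I", len(kerb_message)) + kerb_message  # TCP-style length prefix
    fields = _tlv(CTX0, _tlv(OCTET_STRING, framed))
    if target_domain is not None:
        fields += _tlv(CTX1, _tlv(GENERAL_STRING, target_domain.encode("ascii")))
    if dclocator_hint is not None:
        fields += _tlv(CTX2, _tlv(INTEGER, _der_integer(dclocator_hint)))
    return _tlv(SEQUENCE, fields)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos; reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER body runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def unwrap_kdc_proxy_message(blob):
    """Parse a KDC-PROXY-MESSAGE into its inner Kerberos message and optional fields."""
    tag, seq, end = _read_tlv(blob, 0)
    if tag != SEQUENCE or end != len(blob):
        raise ValueError("not a single KDC-PROXY-MESSAGE SEQUENCE")
    out = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos = 0
    while pos < len(seq):
        ctx, body, pos = _read_tlv(seq, pos)
        inner_tag, inner, inner_end = _read_tlv(body, 0)
        if inner_end != len(body):
            raise ValueError("trailing bytes inside context tag")
        if ctx == CTX0 and inner_tag == OCTET_STRING:
            if len(inner) < 4 or struct.unpack(">I", inner[:4])[0] != len(inner) - 4:
                raise ValueError("kerb-message length prefix does not match payload")
            out["kerb_message"] = inner[4:]
        elif ctx == CTX1 and inner_tag == GENERAL_STRING:
            out["target_domain"] = inner.decode("ascii")
        elif ctx == CTX2 and inner_tag == INTEGER:
            out["dclocator_hint"] = int.from_bytes(inner, "big", signed=True)
        else:
            raise ValueError(f"unexpected field tag {ctx:#x}/{inner_tag:#x}")
    if out["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return out


def classify_reply(kerb_message):
    """Name a proxied reply from its outer APPLICATION tag, or 'UNKNOWN'."""
    return KERBEROS_REPLY_TAGS.get(kerb_message[0], "UNKNOWN") if kerb_message else "UNKNOWN"


# Constructed sample: stands in for an AS-REQ ([APPLICATION 10] = 0x6A) and is not a valid one.
SAMPLE_AS_REQ = b"\x6a\x05\x30\x03\x02\x01\x05"
SAMPLE_REALM = "EXAMPLE.COM"  # assumed realm, the value step 1 asks you to enter


def demo():
    envelope = wrap_kdc_proxy_message(SAMPLE_AS_REQ, SAMPLE_REALM)
    return envelope, unwrap_kdc_proxy_message(envelope)


if __name__ == "__main__":
    env, parsed = demo()
    print(env.hex())
    print(parsed)
```

The length-prefix check in the parser matters in practice: the proxy forwards kerb-message to the KDC over TCP, so a prefix that disagrees with the payload is either corruption or an attempt to desynchronise the framing, and should be rejected rather than forwarded.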

Configure Kerberos Proxy Settings

Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Configuration and select the Advanced tab to configure the following Kerberos Proxy settings, which display only if you select Use Kerberos Proxy during the VMware Tunnel configuration.

If the realm you entered during configuration cannot be resolved, enter the KDC IP address here; it overrides the realm you provided during configuration. You must reinstall the VMware Tunnel after changing these settings; restarting the service is not sufficient.

Complete the following settings to configure Kerberos proxy settings: 

Setting              Description
KDC Server IP        Enter your KDC Server IP address. This text box displays only if you select Use Kerberos Proxy during VMware Tunnel configuration.
Kerberos Proxy Port  Enter the port over which VMware Tunnel communicates with your Kerberos Proxy (2040 by default, as noted above). This text box displays only if you select Use Kerberos Proxy during VMware Tunnel configuration.