Workspace ONE Content app users are granted access to on-prem SharePoint repositories after they authenticate with the PIV-D Derived Credentials. Certificate-based authentication removes the need for a user name and password.

On-prem repositories such as SharePoint can be configured to use the PIV-D Derived Credentials for authentication. Configuring the SharePoint repository to use the PIV-D Derived Credential requires Kerberos configuration in the VMware Content Gateway settings.

The following prerequisites must be considered when setting up PIV-D certificate authentication:
  • A Kerberos Constrained Delegation (KCD) server must be set up with proper SPNs (Service Principal Names).

  • Active Directory must be synced with Workspace ONE UEM, with User Principal Name (UPN) as an attribute.

  • A service account must be available to both Workspace ONE UEM and VMware Content Gateway to use as part of the Kerberos authentication workflow.

  • Content Gateway must be provided with a trusted certificate from the Certificate Authority (CA) that issues the user certificates. This might be only the intermediate certificates or the entire certificate chain, depending on the validation requirements on the CA.
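
The last prerequisite turns on whether the validator needs a path to a self-signed root or accepts a trusted intermediate as the anchor. The following is an added example, not VMware code: it builds a constructed three-tier test PKI and uses OpenSSL's verifier as a stand-in to show which trust bundle passes under each requirement. All names and file paths are assumptions, and it does not show Content Gateway's own validation logic.

```shell
#!/usr/bin/env bash
# Constructed three-tier test PKI: root CA -> issuing CA -> user certificate.
# All names are made up; OpenSSL's verifier stands in for a generic validator.
set -e

build_pki() {                      # $1 = empty working directory
  local d="$1"
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root CA.
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Issuing (intermediate) CA signed by the root.
  openssl req -new -config "$d/ca.cnf" -subj "/CN=Example Issuing CA" \
    -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 2 \
    -out "$d/int.pem" 2>/dev/null
  # User certificate signed by the issuing CA.
  openssl req -new -config "$d/ca.cnf" -subj "/CN=constructed.user" \
    -newkey rsa:2048 -nodes -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
  openssl x509 -req -in "$d/user.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/user.pem" 2>/dev/null
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}

# Prints "trusted" or "rejected" for user.pem against a given trust bundle.
# Extra arguments (e.g. -partial_chain) are passed to "openssl verify".
check_trust() {                    # $1 = dir, $2 = bundle file, rest = options
  local d="$1" bundle="$2"; shift 2
  if openssl verify "$@" -CAfile "$d/$bundle" "$d/user.pem" >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}

PKI_DIR="$(mktemp -d)"
build_pki "$PKI_DIR"
echo "intermediate only, full path required : $(check_trust "$PKI_DIR" int.pem)"
echo "intermediate only, partial chain ok   : $(check_trust "$PKI_DIR" int.pem -partial_chain)"
echo "intermediate + root bundle            : $(check_trust "$PKI_DIR" chain.pem)"
```

Running the same `openssl verify` check against the real issuing CA bundle and a sample derived credential shows whether the intermediate alone is enough for a validator with the same requirements.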