Kerberos KDC Proxy is supported for the VMware Tunnel Proxy that supports Kerberos authentication in the requesting application. Kerberos KDC proxy (KKDCP) is installed on the endpoint server.

Workspace ONE UEM KKDCP acts as a proxy to your internal KDC server. Workspace ONE UEM-enrolled and compliant devices with a valid Workspace ONE UEM issued identity certificate can be allowed to access your internal KDC. For a client application to authenticate to Kerberos- enabled resources, all the Kerberos requests must be passed through KKDCP.

The basic requirement for Kerberos authentication is to make sure that you install the Endpoint with the Kerberos proxy setting enabled during configuration in a network where it can access the KDC server.


  • For HTTPS sites, Workspace ONE Web for Android supports Kerberos authentication only when the site also has NTLM authentication enabled. This requirement is because the Android WebView, on which the Workspace ONE Web is built, does not support Kerberos authentication natively.
  • HTTP Sites do not require NTLM authentication as the VMware Tunnel can perform Kerberos authentication without NTLM being enabled.
  • Currently, this functionality is only supported with the Workspace ONE Web v2.5 and higher for Android.


  1. During the configuration, check the box Use Kerberos proxy and enter the Realm of the KDC server.
  2. If the Realm is not reachable, then you can configure the KDC server IP on the Advanced settings tab in system settings.

    Only add the IP if the Realm is not reachable, as it takes precedence over the Realm value entered in the configuration.

    By default the Kerberos proxy server uses port 2040, which is internal only. Therefore, no firewall changes are required to have external access over this port.

  3. Save the settings and download the installer to install VMware Tunnel Proxy.

    On Windows, once the VMware Tunnel Proxy is installed, you can see that a new Windows service called AirWatch Kerberos Proxy has been added.

  4. Enable Kerberos from the SDK settings in the Workspace ONE UEM console so the requesting application is aware of the KKDCP.
    1. Navigate to Groups & Settings > All Settings > Apps > Settings And Policies and select Security Policies.
    2. Under Integrated Authentication, select Enable Kerberos.
    3. Save the settings.