To support using Kerberos authentication for mobile SSO for iOS, Workspace ONE Access provides a cloud hosted KDC service.

To use the KDC managed in the Workspace ONE Access appliance, see the Preparing to Use Kerberos Authentication on iOS devices in the Workspace ONE Access Installation and Configuration Guide.

When you configure Mobile SSO for iOS authentication, you configure the realm name for the cloud hosted KDC service. The realm is the name of the administrative entity that maintains authentication data. When you click Save, the Workspace ONE Access service is registered with the cloud hosted KDC service. The data that is stored in the KDC service is based on your configuration of the Mobile SSO for iOS authentication method. The data that is stored includes the CA certificate, the OCSP signing certificate, and the OCSP request configuration details.

The logging records are stored in the cloud service. The Personally Identifiable Information (PII) in the logging records include the Kerberos principal name from the user's profile, the subject DN, UPN and email SAN values, the device ID from the user's certificate, and the FQDN of the IDM service that the user is accessing.

To use the cloud hosted KDC service, Workspace ONE Access must be configured as follows.

  • The FQDN of the Workspace ONE Access service must be reachable from the Internet. The SSL/TLS certificate used by Workspace ONE Access must be publicly signed.
  • An outbound request/response port 88 (UDP) and port 443 (HTTPS/TCP) must be accessible from the Workspace ONE Access service.
  • If you enable OCSP, the OCSP responder must be reachable from the Internet.
  • Verify that you added the correct whitelist IP addresses to your external firewall. See Adding Whitelist IP Addresses to Your External Firewall.